WO2017210914A1 - 传输信息的方法和装置 - Google Patents
传输信息的方法和装置 Download PDFInfo
- Publication number
- WO2017210914A1 WO2017210914A1 PCT/CN2016/085384 CN2016085384W WO2017210914A1 WO 2017210914 A1 WO2017210914 A1 WO 2017210914A1 CN 2016085384 W CN2016085384 W CN 2016085384W WO 2017210914 A1 WO2017210914 A1 WO 2017210914A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- server
- user
- credential
- authentication credential
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- the present invention relates to the field of the Internet and, more particularly, to a method and apparatus for transmitting information.
- the Internet provides more and more services to the masses of users in various industries (for example, shopping, video, email, taxi, ordering, and corporate information management, etc.).
- users Before using the services provided by the Internet application, users generally need to log in to complete identity authentication.
- the most commonly used identity authentication mechanism is the account plus password.
- the mobile communication network has further developed and improved the mobile terminal with a relatively complete authentication mechanism (including the network authentication of the mobile phone SIM card and the real-name authentication of the signing user), and more and more Internet applications are used by mobile phone numbers.
- a relatively complete authentication mechanism including the network authentication of the mobile phone SIM card and the real-name authentication of the signing user
- Internet applications are used by mobile phone numbers.
- Auxiliary to complete the user's identity authentication improve the security of the system and the convenience of users.
- Even some applications in order to simplify the operation, further enhance the user experience, no longer use a separate password to protect the security of the user account, but completely use the mobile phone short message delivery verification code to complete the user authentication and login.
- some applications retain the password authentication method, when the user forgets the password, the user can perform the user authentication through the “retrieve password” function provided by the Internet application, and complete the user authentication by resetting the password. log in. In other words, the way the mobile phone short message passes the verification code is almost the only way for users to authenticate.
- the application server may also enhance the authentication of the user identity being operated by sending a short message verification code to the user's mobile phone.
- the way to authenticate users through the short message delivery verification code of the mobile phone simplifies the operation and improves the user experience.
- there are also security holes For example, when the original user does not want to continue using the mobile phone number, and requests the network operator to stop and cancel the mobile phone number, since the mobile phone number is a limited network resource, the mobile phone number after the stop sales number is not permanently sealed, and the network operator is usually Freeze the mobile phone number for a period of time, resell it, and assign it to the new user.
- the present application provides a method and apparatus for transmitting information, which can improve the security of information transmission.
- the application provides a method for transmitting information, where the method includes: an authentication server receiving an authentication request message sent by an application server, where the authentication request message includes a first authentication credential; and the first authentication credential and the authentication server When the authentication credentials are matched, the authentication server allows the application server to transmit information to the user; or, when the first authentication credential does not match the authentication credential on the authentication server, the authentication server prohibits the application server from transmitting information to the user. .
- the method before the authentication server receives the first authentication credential sent by the application server, the method further includes: the authentication server generating the first authentication credential associated with the user identifier, and saving the first authentication credential As the authentication credential on the authentication server; the authentication server sends the first authentication credential to the application server.
- the method before the authentication server receives the first authentication credential sent by the application server, the method further includes: the authentication server generating the first authentication credential associated with the user identifier and the application identifier of the application server, And saving the first authentication credential as the authentication credential on the authentication server; the authentication server sends the first authentication credential to the application server.
- the authentication request message includes user identification information, and the first authentication credential matches the authentication credential on the authentication server, and the authentication server obtains the user in the authentication request message. Identification information; the authentication server determines that the authentication credential corresponding to the user identification information matches the first authentication credential.
- the authentication request message includes the user identifier information and an application identifier of the application server, and the first authentication credential matches the authentication credential on the authentication server, including: the authentication server obtains The user identification information in the authentication request message and the application identifier of the application server; the authentication server determines that the authentication identifier corresponding to the user identifier and the application identifier of the application server matches the first authentication credential.
- the method further includes: the authentication server obtaining an clear user authentication credential instruction, where the clear user authentication credential instruction is used to indicate the The authentication server invalidates the first authentication credential; the authentication server invalidates the first authentication credential in the authentication credential on the authentication server according to the clear user authentication credential instruction.
- the method further includes: the authentication server generates a second authentication credential associated with the user identifier, and saves the second authentication credential as the Authentication credentials on the authentication server.
- the method further includes: the authentication server generates a second authentication credential associated with the user identifier and the application identifier of the application server, and saves The second authentication credential acts as an authentication credential on the authentication server.
- the method further includes: the authentication server sending, to the application server, refresh indication information, where the refresh indication information is used to indicate that the application server refreshes the first authentication credential.
- the authentication server prohibits the application server from transmitting information to the user, including: the authentication server sends the authentication to the application server. Failure information.
- the authentication server communicates with the application server by using an authentication gateway and/or a third-party device, where the authentication gateway and/or the third-party device are combined with the authentication server, or The authentication gateway and/or the third party device are separated from the authentication server.
- the authentication server when the first authentication credential matches the authentication credential on the authentication server, the authentication server allows the application server to transmit information to the user, including: the authentication server sends the authentication pass to the application server.
- the information is sent to the user server to send the first information to the user; or the authentication server sends the authentication pass information to the authentication gateway, so that the authentication gateway sends the first information sent by the application server to the user.
- the application provides a method for transmitting information, the method comprising: an application server receiving a first authentication credential sent by an authentication server; the application server saving the first authentication credential; and when the application server needs to transmit information to a user
- the application server sends an authentication request message to the authentication server, where the first authentication credential is included in the authentication request message.
- the authentication request message includes user identification information.
- the authentication request message includes an application identifier of the application server; or the application server performs a login operation, and the application identifier of the application server is provided to the authentication server in the login information.
- the method further includes: the application server receiving the authentication failure information sent by the authentication server, where the authentication failure information is when the first authentication credential does not match the authentication credential on the authentication server, The authentication server sends to the application server.
- the application server communicates with the authentication server through an authentication gateway and/or a third-party device, where the authentication gateway and/or the third-party device are combined with the authentication server, or the authentication The gateway and/or the third party device are separated from the authentication server.
- the method further includes: the application server receiving the authentication pass information sent by the authentication gateway, and sending the first information to the authentication gateway; or the application server sending the authentication request message to the authentication gateway
- the authentication request message includes the first information, so that the authentication gateway sends the first information to the user when the authentication gateway receives the authentication pass information sent by the authentication server, where the first information is that the application server includes And sending the authentication information to the authentication gateway, or the first information is sent by the application server to the authentication gateway after receiving the authentication pass message sent by the authentication gateway.
- the present application provides a method for transmitting information, where the method includes: a third-party device receives a user registration authentication credential redirection request sent by an application server; the third-party device acquires a user identifier; and the third-party device identifies the user identifier Sending to the authentication server; the third-party device receives the first authentication credential sent by the authentication server; the third-party device sends the first authentication credential to the application server.
- the application provides a method for transmitting information, the method includes: an authentication gateway receiving an authentication request message sent by an application server, where the authentication request message includes a first authentication credential, where the authentication request message is required by the application server The user sends the information to the authentication gateway; the authentication gateway determines the authentication server; the authentication gateway sends the authentication request message to the authentication server.
- the authentication request message includes routing information
- the authentication gateway determines the authentication server, and the authentication gateway determines the authentication server according to the routing information.
- the method before the authentication gateway receives the authentication request message sent by the application server, the method further includes: the authentication gateway receiving the first authentication sent by the authentication server Credentials; the authentication gateway sends the first authentication credential to the application server.
- the method further includes: the authentication gateway receiving the authentication failure information sent by the authentication server, where the authentication failure information is when the first authentication credential does not match the authentication credential on the authentication server,
- the authentication server sends the authentication gateway to the authentication server;
- the authentication gateway sends the authentication failure information to the application server.
- the method further includes: the authentication gateway receiving the authentication pass information sent by the authentication server, where the authentication pass information is when the first authentication credential matches the authentication credential on the authentication server, The authentication server sends the first information to the user; the first information is included in the authentication request message sent by the application server; or the first information is that the application server receives the authentication
- the authentication sent by the gateway is sent to the authentication gateway after passing the message.
- the authentication gateway receives the authentication pass information sent by the authentication server, and the method further includes: the authentication pass information carries the user identifier; the authentication gateway, according to the user identifier, the first information The user corresponding to the user ID is sent.
- the present application provides an apparatus for transmitting information for performing the method of the first aspect or any possible implementation of the first aspect.
- the apparatus comprises functionality for performing the method of the first aspect or any of the possible implementations of the first aspect.
- the device can be an authentication server.
- the functions may be implemented by hardware or by corresponding software implemented by hardware.
- the hardware or software includes one or more units or modules corresponding to the functions described above.
- the present application provides an apparatus for transmitting information for performing the method of any of the second aspect or the second aspect.
- the apparatus comprises functionality for performing the method of any of the second aspect or any of the possible implementations of the second aspect.
- the device can be an application server.
- the functions may be implemented by hardware or by corresponding software implemented by hardware.
- the hardware or software includes one or more units or modules corresponding to the functions described above.
- the present application provides an apparatus for transmitting information for performing the method of the third aspect.
- the apparatus comprises functionality for performing the method of the third aspect.
- the device can be a third party device.
- the functions may be implemented by hardware or by corresponding software implemented by hardware.
- the hardware or software includes one or more units or modules corresponding to the functions described above.
- the present application provides an apparatus for transmitting information for performing the method in any of the possible implementations of the fourth aspect or the fourth aspect.
- the apparatus comprises functionality for performing the method of any of the possible implementations of the fourth aspect or the fourth aspect.
- the device can be a authentication network turn off.
- the functions may be implemented by hardware or by corresponding software implemented by hardware.
- the hardware or software includes one or more units or modules corresponding to the functions described above.
- the authentication request message includes routing information
- the processing unit is specifically configured to determine an authentication server according to the routing information.
- the receiving unit before the receiving unit receives the authentication request message sent by the application server, the receiving unit is specifically configured to receive the first authentication credential sent by the authentication server; and the sending unit is specifically configured to: The first authentication credential is sent to the application server.
- the receiving unit is specifically configured to receive the authentication failure information sent by the authentication server, where the authentication failure information is that the first authentication credential does not match the authentication credential on the authentication server.
- the server sends the device to the device; and the sending unit is specifically configured to send the authentication failure information to the application server.
- the receiving unit is specifically configured to receive the authentication pass information sent by the authentication server, where the authentication pass information carries the user identifier, where the authentication pass information is the first authentication credential and the authentication When the authentication credential on the server matches, the authentication server sends the authentication server to the device; and the sending unit is specifically configured to send the first information to the user corresponding to the user identifier, where the first information is that the application server includes And sent to the device in the authentication request message, or the first information is sent by the application server to the device after receiving the authentication pass message sent by the device.
- the present application provides an apparatus for transmitting information, the apparatus comprising a receiver, a transmitter, a processor, a memory, and a bus system.
- the device can be an authentication server.
- the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals.
- the processor executes the instructions stored in the memory, the method of causing the processor to perform the first aspect or any of the possible implementations of the first aspect is performed.
- the present application provides an apparatus for transmitting information, the apparatus comprising a receiver, a transmitter, a processor, a memory, and a bus system.
- the device can be an application server.
- the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals.
- the processor executes the instructions stored in the memory, the method of causing the processor to perform the second aspect or any of the possible implementations of the second aspect is performed.
- the application provides a device for transmitting information, where the device includes a receiver and sends Transmitter, processor, memory, and bus system.
- the device can be a third party device.
- the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals.
- the processor executes the instructions stored in the memory, the method of causing the processor to perform the third aspect or any of the possible implementations of the third aspect is performed.
- the present application provides an apparatus for transmitting information, the apparatus comprising a receiver, a transmitter, a processor, a memory, and a bus system.
- the device can be an authentication gateway.
- the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals.
- the processor executes the instructions stored in the memory, the method of causing the processor to perform any of the possible implementations of the fourth aspect or the fourth aspect is performed.
- the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
- the present application provides a computer readable medium for storing a computer program comprising instructions for performing the method of any of the second aspect or any of the possible implementations of the second aspect.
- the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of any of the third aspect or any of the possible implementations of the third aspect.
- the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of any of the fourth aspect or any of the possible implementations of the fourth aspect.
- an embodiment of the present invention provides a communication system, where the system includes the authentication server and the application server of the foregoing aspect; or the system further includes the third-party device and/or the authentication gateway described in the foregoing aspect.
- the authentication server allocates and saves an authentication credential for each user, and sends the authentication credential to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server will authorize the communication network to send the information that the application server needs to send to the user, otherwise the authentication server will not authorize the communication network to send the information to the user, and the security risk caused by the incorrect transmission of the information can be avoided.
- the security of the application server when transmitting information to the user can be improved.
- FIG. 1 is an application scenario when information is transmitted in the prior art.
- FIG. 2 shows a schematic flow chart of a method of transmitting information according to an embodiment of the present invention.
- FIG. 3 shows a schematic interaction diagram of a method of transmitting information according to an embodiment of the present invention.
- FIG. 4 shows a schematic interaction diagram of a method of transmitting information according to another embodiment of the present invention.
- FIG. 5 shows a schematic interaction diagram of a method of transmitting information according to still another embodiment of the present invention.
- FIG. 6 shows a schematic diagram of an authentication credential database in accordance with yet another embodiment of the present invention.
- FIG. 7 shows a schematic block diagram of an apparatus for transmitting information according to an embodiment of the present invention.
- FIG. 8 shows a schematic block diagram of an apparatus for transmitting information according to another embodiment of the present invention.
- FIG. 9 shows a schematic block diagram of an apparatus for transmitting information according to still another embodiment of the present invention.
- FIG. 10 shows a schematic block diagram of an apparatus for transmitting information according to still another embodiment of the present invention.
- FIG. 11 shows a schematic structural diagram of an apparatus for transmitting information according to an embodiment of the present invention.
- FIG. 12 shows a schematic structural diagram of an apparatus for transmitting information according to another embodiment of the present invention.
- FIG. 13 shows a schematic structural diagram of an apparatus for transmitting information according to still another embodiment of the present invention.
- FIG. 14 shows a schematic structural diagram of an apparatus for transmitting information according to still another embodiment of the present invention.
- FIG. 1 is an application scenario when information is transmitted in the prior art. As shown in FIG. 1 , a mobile communication network, an internet application server, and a user are included in the application scenario. The following interaction process is included between the three.
- the Internet application authenticates the user A by sending a short message containing the verification code to the mobile phone number MSISDNA when the user A performs a login or payment operation.
- User A handles the shutdown number of the mobile phone number to the mobile communication network.
- the mobile communication network freezes the mobile phone number MSISDNA for a period of time and then resells the sales. Assume that at the time of resale, User B obtains the mobile phone number MSISDNA.
- the Internet application authenticates the user B by sending a short message containing the verification code to the mobile phone number MSISDNA when the user B performs a login or payment operation.
- the short message including the verification code is sent to a mobile phone number through the mobile communication network, as long as the user can provide the verification code transmitted in the short message of the mobile phone to the Internet application.
- Identity authentication can be passed regardless of who is currently holding the terminal device (eg, mobile phone). If the new user B attempts to perform the operation such as login or payment to the Internet application by the original user A, the short message containing the verification code is sent to the new user B who currently holds the mobile phone number, so that the new user B can complete the identity authentication. Successfully perform operations such as user login or payment.
- the original user stops the sales number in the mobile communication network, and the mobile phone number is reassigned to the new user.
- This mobile number holder has changed information and has not been synchronized to the Internet application.
- the Internet application still sends verification information to the registered mobile phone number, so that the new user can receive the verification information that is actually sent to the original user, and there is a risk of identity spoofing.
- new users can take the original user’s identity and bring the original user Come to lose. Therefore, in the prior art, there is a security hole in information transmission between the application server and the user.
- FIG. 2 shows a schematic flow chart of a method 100 of transmitting information in accordance with an embodiment of the present invention. This method can be performed by an authentication server. As shown in Figure 2, the method includes:
- the authentication server receives an authentication request message sent by the application server, where the authentication request message includes first authentication credential information.
- the first authentication credential is an identifier assigned by the authentication server to uniquely identify the identity of a user.
- the authentication credentials associated with the user identifier also change.
- the authentication credentials can be a certain length of electronic data (eg, a 10-byte long binary code).
- the first authentication credential is associated with the user identifier or with the user identifier and the application identifier of the application server.
- the user identifier can be a user's mobile phone number, an email account, and the like.
- the first authentication credential is generated by the authentication server before receiving the authentication request message sent by the application server, and is sent to the application server for saving. Moreover, after the first authentication credential is generated, the authentication server also saves the first authentication credential in the authentication credential database, so as to subsequently authenticate the identity of the user.
- the application server when the application server needs to send information to the user identified by the user identifier, the authentication credential of the user needs to be provided to the authentication server.
- the sending, by the application server, the first authentication credential information to the authentication server may be the first authentication credential itself, or a transformed form of the first authentication credential, or the like.
- the authentication server allows the application server to transmit information to the user;
- the authentication server prohibits the application server from transmitting information to the user.
- the authentication credential of the user needs to be first provided to the authentication server. Thereafter, the authentication server confirms (or determines) whether there is an authentication credential matching the first authentication credential in the authentication credential database. If there is an authentication credential in the authentication credential database that matches the first authentication credential, the authentication server allows the application server to send information to the user. If the certificate credentials database does not exist with the first authentication According to the matching authentication credentials, the authentication server prohibits the application server from sending information to the user.
- the authentication credential database is the authentication credential (or identity credential) used to store multiple users on the authentication server. Since each user can be uniquely identified by the user identification, it can also be said that the authentication server stores the correspondence between the user identification and the authentication credentials.
- the authentication server allows the application server to transmit information to the identified user of the user identity.
- the authentication server If there is no authentication credential matching the first authentication credential in the authentication credential database, after the authentication server generates the first authentication credential according to the user identifier, after the authentication server receives the first authentication credential sent by the application server, the user The holder of the identity has changed and no authentication credentials matching the first authentication credentials are found. Or, the authentication credential corresponding to the user ID does not exist in the authentication credential database. Or, the user ID may not be used temporarily. Or, other possible situations. Regardless of the possible situation, at this time, it is forbidden for the application server to transmit information to the user. Otherwise, it may appear that the information is originally sent to the user A, and the result is received by the terminal device held by the user B, causing the information to be sent incorrectly, so that the information of the user A is leaked.
- the record of the corresponding user is not found in the authentication credential database; or the corresponding identifier is found in the authentication credential database.
- User record but there is no record of the corresponding authentication credentials in the record; or the corresponding user record is found in the authentication credential database, and the corresponding authentication credential exists in the user record, but does not match the first authentication credential provided by the application server, etc. Wait.
- the application server sends the information to the user, that is, the application server sends the information to the user by sending the information to the terminal device held by the user.
- one authentication credential is a form of transformation of another authentication credential, etc., which will be described in detail later.
- the application server when the application server sends information (for example, a short message including a verification code) to the user, it needs to send the authentication of the user to the authentication server (or the network element in the network that is responsible for matching the authentication credentials). Credentials, the authentication server authorizes the communication only if there is an authentication credential in the authentication credential database that matches the user's authentication credentials provided by the application server.
- the network sends the information that the application server needs to send to the user to the user, otherwise the authentication server does not authorize the communication network to send the information to the user.
- the security of the application server when transmitting information to the user can be improved.
- FIG. 3 shows a schematic interaction diagram of a method of transmitting information according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
- the user registers a user identifier with the Internet application.
- the user identification is used to uniquely identify a user in a communication system or application server.
- the user identifier may be a Mobile Subscriber International ISDN/PSTN number (MSISDN), a mailbox account, or the like.
- MSISDN Mobile Subscriber International ISDN/PSTN number
- mailbox account or the like.
- the user can generally register with the application through an application client, a web browser, etc., and register a user identifier, such as a mobile phone number.
- the application server obtains the user's authentication credentials from the authentication server.
- the authentication server allocates authentication credentials to the user and saves them.
- the authentication server may allocate and store the authentication credentials when the user obtains the user identity (or, referred to as an identity). For example, the mobile communication network allocates and stores authentication credentials for the user when the user signs up to obtain the mobile phone number. Alternatively, the authentication server may also assign authentication credentials to the user when the application server first requests authentication credentials and save.
- the user identity or, referred to as an identity
- the mobile communication network allocates and stores authentication credentials for the user when the user signs up to obtain the mobile phone number.
- the authentication server may also assign authentication credentials to the user when the application server first requests authentication credentials and save.
- the authentication server returns the user's authentication credentials to the application server.
- the authentication server sends the assigned authentication credentials to the application server.
- the authentication server sends the authentication credentials of the user to the application server when the application server requests the authentication credentials of the user.
- step 205 and step 206 are included.
- the authentication device acquires an instruction for clearing the user authentication credential.
- the clear user authentication credential instruction is used to instruct the authentication server to set the first authentication credential to be invalid.
- the clearing the user authentication credential command may be for the user identifier, that is, the authentication credential corresponding to the user identifier is all set to be invalid. Or, it may be for the application identifier, that is, only the authentication credential corresponding to a certain user identifier and one or several application identifiers is set to none. effect.
- the authentication server assigns the authentication credential #1 to the mobile phone number #1 for authenticating the identity of the user A.
- the application server #1 an example of the application server
- the authentication server transmits the authentication credential #1 to the application server #1 for storage.
- User A handles the shutdown sales number service and requests to invalidate the authentication credentials #1 (Scenario 1).
- user A handles the stop number service, and temporarily stops using mobile number #1 (scene 2) for a period of time.
- the communication network detects a potential security risk, for example, when the application server repeatedly provides incorrect authentication credentials, the user's authentication credentials are actively locked (Scenario 3).
- the authentication server assigns the authentication credential #1 to the application identification #1 for authenticating the user A using the application #1 identity. Further, when the application server #1 (an example of the application server) requests to acquire the authentication credential corresponding to the application ID #1 of the mobile phone number #1, the authentication server transmits the authentication credential #1 to the application server #1 for storage. After that, if the application #1 has a message harassment or other irregularity to the user A, the mobile communication network operator may invalidate the authentication credentials corresponding to the application #1 according to the legal norms or the agreement with the user and the application (Scene 4) ).
- the authentication server may be connected to the operation and maintenance system of the operator network, and the operation and maintenance system generates the clearing request when the user performs the operation of the shutdown number, or the shutdown security number, etc., which requires invalid existing authentication credentials. Send to the authentication server for processing.
- the authentication server may also invalidate the authentication credential according to the request of the user. If an application has a behavior such as pushing advertisements to harass the user, the user may request invalidation of the authentication credential corresponding to the application.
- the authentication server sets the authentication credential of the user to be invalid.
- the authentication server invalidates authentication credentials #1.
- the authentication server invalidates the authentication credential #1.
- it can be understood as permanent invalidation.
- the authentication server invalidates the authentication credential #1.
- it can be understood as temporarily invalid.
- the authentication server may set the authentication credential to be invalid.
- the authentication server may delete the corresponding authentication credential, or set an invalid flag for the corresponding authentication credential, or the authentication server deletes the user information record, or the authentication server records the user information.
- the corresponding record of the application is deleted.
- steps 205 and 206 are optional steps after the authentication server sends the first authentication credential to the application server (step 204). That is, after the first authentication credential is sent to the application server, the authentication server may obtain an instruction to clear the user authentication credential, and invalidate the first authentication credential saved by itself. Optionally, the authentication server may further generate a second authentication credential associated with the user identifier, or generate a second authentication credential associated with the user identifier and the application identifier of the application server, and save the second authentication credential in the authentication. On the server.
- step 204 proceeds to step 207.
- the application server receives the authentication credential sent by the authentication server, and saves the certificate.
- the application server sends the authentication credential and the information that needs to be sent to the user to the authentication server.
- step 208 when the application server needs to send information to the user, the application server sends the information (ie, the first information) that needs to be sent to the user and the authentication credential information of the user to the authentication server, so as to facilitate the authentication server. It is determined whether there is an authentication credential in the authentication credential database that matches the authentication credential (ie, the first authentication credential) provided by the application server. In addition, when the application server needs to send information to the user, it first sends an authentication request message to the authentication server to request the authentication server to perform matching authentication on the authentication credential of the user.
- the application server needs to send information to the user, it first sends an authentication request message to the authentication server to request the authentication server to perform matching authentication on the authentication credential of the user.
- the scenario in which the application server needs to send information to the user may be that the application server sends a short message including the verification code to the mobile phone number, or sends a verification email to the email account, or notifies the user of the verification code through the voice message, to perform the user on the user.
- the application server sends an authentication message to the authentication server, where the message carries the authentication credentials of the user acquired in step 207 and the information that the application server needs to send to the user, for example, a short message including a verification code, a verification email, and the like.
- the authentication server generates the first authentication credential and saves the first authentication credential. Afterwards, the authentication server sends the first authentication credential to the application server for saving when the application server requests to obtain the authentication credential of the user ID. After that, when the application server needs to send information to the user, it is necessary to provide the authentication server with the authentication credentials of the user. It is easy to think that the application server can directly send the saved first authentication credentials to the authentication server. Alternatively, the application server may also send a transformation form of the first authentication credential to the authentication server. formula.
- the authentication request message includes user identification information.
- the user identification information may be a user identifier or a user index.
- the authentication request message includes user identification information and an application identifier of the application server.
- the authentication server may query the authentication credential database for the authentication credential associated with the user identifier according to the user identifier information or according to the user identifier information and the application identifier of the application server.
- the application server sends the first authentication credential to the authentication server
- the first authentication credential information may be sent instead of the user identifier.
- the communication network may be routed to the service by using the information contained in the first authentication credential.
- the user's authentication server locates the authentication credential record of the corresponding user.
- the authentication server performs matching authentication on the authentication credential sent by the application server and the authentication credential saved by the application server.
- the authentication server considers that the request of the Internet application is invalid, and does not authorize the communication network to forward the information sent by the application server to the user.
- the application server may send the first authentication credential to the authentication server, or may also be a transformed form of the first authentication credential.
- the authentication server can directly perform matching authentication.
- the authentication credential sent by the application server is a transformed form of the first authentication credential, the authentication server performs matching authentication with the authentication credential saved by itself according to the same transformation rule.
- step 208 if the application server simultaneously sends the first authentication credential and the user identification information (which may be a user identifier or a user index), the authentication server first searches for the user corresponding to the user identifier in the authentication credential database according to the user identifier or the user index. recording. If the user ID does not exist, it indicates that the user ID may have been logged out or is in a frozen state, so the authentication server may directly determine that there is no authentication credential matching the first authentication credential. If the user identifier exists, the authentication server determines whether the authentication credential corresponding to the user ID at the current moment matches the first authentication credential.
- the user identification information which may be a user identifier or a user index
- the authentication server may send the authentication failure information to the application server if the matching authentication fails, to indicate that the matching authentication of the authentication credential of the user of the application server does not pass.
- the application server may temporarily lock the registered user account and display a warning message to the currently operated user on the application client, so as to avoid possible damage caused by user counterfeiting.
- the information that the application server needs to send to the user can be sent to the authentication server together with the authentication credentials. After the authentication server matches the authentication credentials of the user, the authentication server forwards the information to the user through the communication network.
- the application server may first send the authentication credential of the user to the authentication server, and send the authentication pass information to the application server after the authentication server passes the authentication authentication of the authentication credential of the user. After receiving the authentication pass information, the application server sends the information that needs to be sent to the user to the network element in the communication network that is responsible for transmitting the information with the terminal device, and the network element that transmits the information sends the information to the user. This embodiment of the present invention does not limit this.
- step 210 If the matching authentication is passed, go to step 210.
- the authentication server authorizes the communication network to send information to the user.
- the user provides a verification code to the Internet application to complete the identity verification.
- the user receives the information sent by the authentication server through the terminal device (or the communication terminal), and can provide the verification code to the application server to complete the verification of the application layer.
- the user fills in the verification code in the obtained short message in the application verification page and submits it to the application server.
- the user replies with a short message to the phone number specified by the application server, where the short message carries the verification code specified by the application server through the voice call.
- the embodiment of the present invention does not limit the authentication mode, and the user only needs to complete the identity authentication according to the instruction of the application server.
- the authentication server when the application server sends the verification code and the like to the user, the authentication server needs to provide the correct authentication credential. Since one authentication credential is valid only for one user, the user expires after the user stops the sales number. After the new user gets the same mobile phone number, he/she cannot receive the verification code of the application registered by the original user, and cannot log in to the original user's account to impair the original user.
- the authentication server allocates and saves an authentication credential for each user, and sends the authentication credential to the application server.
- the application server needs to send information to the user, it needs to provide the authentication server with the authentication credential of the user.
- the authentication server only authorizes the authentication credential in the authentication credential database that matches the authentication credential provided by the application server.
- the communication network will send information to the user that the application server needs to send to the user. Sent to the user, otherwise the authentication server will not authorize the communication network to send the information to the user. Thereby, the security risk caused by the erroneous transmission of information can be avoided, and the security of information transmission is improved.
- the embodiment of the invention not only ensures that the verification code and the like are not sent to the mobile terminal of the new user, but also ensures that any information related to the original user is not erroneously transmitted to the mobile terminal of the new user. From another perspective, it can also ensure that after the new user gets the mobile phone number, he will not receive some information (such as advertising information, etc.) subscribed by the original user, thereby protecting the new user from irrelevant information.
- the structure of the network for communication between the authentication server, the application server and the terminal device may be more complicated and diverse, that is, there are many different types of networks.
- the processing of completing a process inside the network is very complicated, involving many network elements. Therefore, the implementation details of the method of transmitting information according to an embodiment of the present invention in different networks are not described in detail.
- the function of the method for implementing the method for transmitting the information of the authentication server in the embodiment of the present invention can be implemented. The scope of protection of the embodiments.
- FIG. 4 shows a schematic interaction diagram of a method of transmitting information according to another embodiment of the present invention.
- some functions of the authentication server described in the foregoing embodiments are respectively configured on different network elements, and the different network elements may be: a communication network element and an authentication gateway. These network elements are used in mobile communication networks.
- the communication network element is used to send a message to the user, or send a message sent by the user through the terminal device to the application server.
- the communication network element may include multiple subnet elements, which are not expanded here.
- Authentication server used to generate the user's authentication credentials and provide them to external applications. It is also used to manage the lifecycle of a user's authentication credentials. For example, the user's existing authentication credentials are considered invalid when the user shuts down the pin number. For another example, it is verified whether the authentication credential provided by the application server matches the authentication credential of the current user, and returns a matching result or the like.
- Authentication Gateway Used to provide a unified interface with multiple external applications.
- the authentication gateway may be combined with the user authentication server, and may be a unified node or a user authentication server, and may be a separate node.
- Steps 301 to 312 are to be included.
- User A registers a user identifier (for example, mobile number #1) with the application server.
- the user A (an example of the user) registers the user identification with the application server through the application client on the terminal device (for example, a mobile phone, a notebook computer, or the like). Also, assume that user A's mobile number is mobile number #1.
- a method for transmitting information according to an embodiment of the present invention is described by taking a user identifier as a mobile phone number as an example.
- the application server verifies whether user A actually holds mobile phone number #1.
- the application server obtains the mobile phone number of the user A (ie, the mobile phone number #1)
- the user A can verify whether the mobile phone number #1 is actually held.
- the application server may send a short message to the mobile phone number #1, where the short message carries a verification code, and the user A is required to fill in the correct verification code on the application page after receiving the short message.
- user A is required to edit a short message of a specified format and send it to the designated number according to the prompt in the received short message, and so on. If the verification code matches, the application server assumes that User A is indeed holding the mobile number #1 it provides.
- the short message sent by the application server to the user through the communication network element is an ordinary short message, that is, It does not carry the authentication credentials of user A, nor does it require the authentication server to perform matching authentication, and can directly forward it to user A.
- the specific implementation can be implemented by using the prior art, and details are not described herein again.
- the application server requests to obtain the authentication credentials of user A.
- the application server After the application server confirms that the user A holds the mobile phone number #1, the application server sends a request message to the authentication gateway in the mobile communication network, where the request message carries the mobile phone number of the user A, that is, the mobile phone number #1. It should be understood that the request message is used to request the mobile communication network to obtain the authentication credentials of the user A.
- the authentication gateway sends the request message to the authentication server of the mobile service network internal service user A.
- the authentication gateway may be routed to the corresponding authentication server according to the prefix of the mobile phone number #1.
- the authentication server can be registered with the Home Subscriber Server (HSS) in the communication network, or the user's home location registration.
- HSS Home Subscriber Server
- HLR Home Location Register
- the embodiment of the present invention does not limit this.
- the authentication server returns the authentication credentials of user A.
- step 304 For the specific implementation of step 304, refer to the description of step 204 described above. For the sake of brevity, no further details are given here.
- the authentication server may also return routing information to the application server. Specifically, when the authentication server generates the authentication credential, the authentication credential includes routing information to the authentication server, or the authentication server returns the routing information to the application through a separate cell. server.
- the authentication server may also periodically refresh the authentication credentials to improve security.
- the authentication server may specify a valid period of the authentication credential when returning the user's authentication credentials to the application server. For example, XXXX is valid before 0:00 on X X. Before the expiration time (for example, 7 days), the application server is required to carry the original authentication credentials and request to refresh the authentication credentials. During the refresh cycle, the new and old authentication credentials are valid at the same time. After the expiration time expires, the original authentication credentials are invalid, and only the new authentication credentials are valid. Alternatively, the authentication server may separately send the refresh indication information to prompt the application server to refresh the user's authentication credentials.
- the application server sends an authentication message to the authentication gateway, where the verification message carries the verification code and the authentication credentials of user A.
- the application server determines to perform mobile phone verification code authentication for the user B.
- the application server sends an authentication message to the authentication gateway, where the verification message carries the verification code and the authentication credentials of user A.
- the application server may carry the mobile phone number #1 in the verification message at the same time, or may not carry it.
- User B here may or may not be User A.
- the application server and the mobile communication network do not verify the identity of the user, the application server directly sends the short message including the verification code to the user B through the communication network element. Therefore, user B may enter user A's application account by filling in the verification code in the short message through the application verification page.
- User A privacy may be revealed, or Money loss, even more serious consequences.
- the user A may be the original user who uses the mobile phone number #1. After the user A handles the shutdown sales number, the user B signs up the account on the mobile communication network to obtain the mobile phone number #1 and becomes the mobile phone number. #1 new user. Alternatively, the user A may lose the mobile phone, be picked up by the user B, and the like, and the user B may log in to the application account registered by the user A.
- the application server when the application server sends the information (including the short message including the verification code) to the user, the application server needs to send the authentication credential of the user to the authentication device (or the network element in the mobile communication network that is responsible for the authentication credential matching).
- the authentication device authorizes the communication network to forward the information sent by the application server to the user to the user only when the authentication device determines that there is an authentication credential matching the authentication credential of the user sent by the application server. Otherwise the authentication device will not authorize the forwarding of information to the user.
- the security of the application server when transmitting information to the user can be improved.
- the authentication gateway sends an authentication request to the authentication server, where the authentication request carries the authentication credentials of user A.
- the authentication gateway can be routed to the appropriate authentication server according to the mobile phone number. If the authentication short message carries only the authentication credential, when the authentication server generates the authentication credential, the authentication credential contains the routing information to the authentication server. For example, some bits in the authentication credentials are used to indicate the route to the authentication server, so that the authentication gateway can route to the authentication server corresponding to the mobile phone number according to the routing information contained in the authentication credentials. If the verification message carries the routing information and the authentication credential, the routing information is an independent cell, and the authentication gateway can be routed to the authentication server corresponding to the mobile phone number according to the routing information.
- the authentication server performs matching authentication on the authentication credentials.
- the authentication server matches and authenticates the authentication credentials of the user A sent by the application server with the authentication credentials of the user corresponding to the mobile phone number #1 saved by itself.
- the manner of matching may be different according to different security schemes.
- the following is an example.
- the authentication server compares the authentication credentials provided by the application server with the authentication credentials stored by itself, and if they are the same, it is considered to be a match.
- the match is considered. For example, some bits in the authentication credential contain the timestamp information when the authentication credential was previously generated. If the timestamp information is earlier than the current user's account opening time, the authentication credential is not allocated for the user who currently holds the mobile phone number. That is, the authentication result is a mismatch, or the authentication does not pass.
- the application server obtains the user authentication credentials in step 304, the authentication credentials are not directly passed in step 305, but some transformation of the authentication credentials is passed.
- all or part of the information of the user authentication credential is combined with the date and time information of the day for hash conversion.
- the hash conversion algorithm used may be a Secure Hash Algorithm (SHA), a Message Digest Algorithm 5 (MD5), an Advanced Encryption Standard (AES), and a hash message authentication code.
- One-way hash algorithm such as Hash Message Authentication Code (HMAC).
- HMAC Hash Message Authentication Code
- the application server may send the transformed authentication information to the authentication server through the authentication gateway, and the authentication server compares the authentication information provided by the application server with the authentication information saved by itself according to the same algorithm rule.
- the user authentication credentials can be directly transmitted on the network element interface, which can prevent replay attacks and further improve security.
- the matching of the authentication credential may also adopt the transformation of the foregoing manner or other manners, which should fall within the protection scope of the embodiment of the present invention.
- step 307 if the result of the determination by the authentication server of the authentication credentials provided by the application server is a mismatch, then go to step 308. If the result of the determination is a match, optionally, go to step 309.
- the authentication server If the authentication credentials do not match (or do not match), the authentication server returns an authentication failure message.
- the authentication server sends the authentication failure information to the application server through the authentication gateway.
- the authentication server and the application server perform corresponding processing according to their own policies.
- the authentication server records an event log of the authentication failure, including the application name or code number requesting authentication, the mobile phone number requesting authentication, the authentication credential information, the time of occurrence, and the like.
- application server It is judged that the user who is currently trying to operate the account may not be the original user when the mobile phone number is ranked, and there is a risk of counterfeiting, and the user account may be locked. Switching to other authentication methods that do not rely on mobile phone numbers requires users to authenticate. Further, a prompt or warning message or the like can be sent to the user who currently has a counterfeit behavior.
- the authentication server If the authentication credentials match (or match), the authentication server returns the authentication pass information to the authentication gateway.
- step 305 if the application server sends the verification code and the authentication credential of the user A, the verification message is sent to the authentication gateway. After step 309, go to step 312. In step 305, if the application server only sends the authentication credentials of the user A, but does not send the verification code, after step 309, step 310 and step 311 are further included. Then, go to step 312.
- the authentication gateway sends the authentication pass information returned by the authentication server to the application server.
- the application server sends a verification code to the authentication gateway.
- the application server after receiving the authentication pass information sent by the authentication gateway, the application server sends a verification code to the authentication gateway.
- the authentication gateway sends a short message including the verification code to the terminal device.
- the authentication gateway sends a short message including the verification code to the user A through the communication network element.
- the authentication gateway may also be used only for processing the authentication message, and the short message containing the verification code may be directly sent by the application server to the communication network element by means of the original point-to-point sending message. Without going through the authentication gateway.
- the terminal device provides verification code information to the application server, and completes identity authentication.
- User A receives the short message containing the verification code sent by the application server, and provides verification code information to the application server to complete the verification of the application layer.
- user A fills in the verification code information in the obtained short message in the application verification page and submits it to the application server.
- the user A replies with a short message to the phone number specified by the application server, and the short message carries the specified verification code information and the like, and details are not described herein again.
- the user when the user first registers the mobile phone number, or needs to replace the user's authentication credentials, in addition to the short message and email authentication, the user may be required to provide an enhanced authentication mode.
- the user is required to input an operation password reserved by the operator at the mobile phone number, or an answer to the secret question, and the like.
- the authentication credential matching authentication corresponding to the mobile phone number is temporarily locked, and the authentication credential is resumed after the mobile phone number of the user terminal is unlocked. Match the authentication function.
- the communication system in the embodiment of the present invention may assign identity information to a user for a mobile communication network, an email system, or an instant messaging system, and provide services such as voice, short message, mail communication, or instant messaging. system.
- the method for transmitting information in the embodiment of the present invention is described in detail in the method for transmitting information in a communication system including a plurality of network elements, that is, an authentication server, a communication network element, and an authentication gateway, and an application server.
- the application party is a partner, that is, the application itself has the appeal and driving force for identifying the user identity spoofing and protecting the user from loss, which is consistent with most current Internet services. real situation.
- the mobile phone number serves as the user's important private information, and the user does not necessarily want to provide it to the Internet application for storage. For example, the current spam messages and sellers’ harassment of buyers are also endless.
- the authentication credential of the user described in the embodiment of the present invention may be further enhanced, so that the application party may send the verification code information to the user without obtaining the mobile phone number of the user, so as to protect the privacy of the user.
- FIG. 5 shows a schematic interaction diagram of a method of transmitting information according to still another embodiment of the present invention.
- an authentication credential generation portal ie, an example of a third-party device.
- the authentication credential generation portal acts as a third-party device and can be operated by an operator of the mobile communication network or other trusted third-party partners.
- authentication credential generation portal is separated from the application server by deployment.
- the method for transmitting information in the embodiment of the present invention mainly includes steps 401 to 412.
- the application server requests the user to provide mobile phone number binding with privacy protection.
- the number binding with privacy protection means that the application promises not to collect and save the mobile phone number of the user.
- the user confirms the binding action.
- the application server redirects the binding page to the authentication credential generation portal.
- the authentication credential generation portal requests user A to provide a mobile phone number.
- step 403 since the authentication credential generation portal is deployed in isolation from the application server, the application server does not obtain the mobile number of the user A.
- the authentication credential generation portal verifies whether the user A actually holds the mobile phone number.
- the authentication credential generation portal sends a short message containing the verification code to the mobile phone number, and asks the user to carry the verification code information in the reply message returned to the authentication credential generation portal.
- the authentication credential generation portal confirms that the user actually holds the mobile phone number, it proceeds to step 405.
- whether the user actually holds the mobile phone number means that the user who provides the mobile phone number in step 403 actually holds the mobile phone number. In order to avoid, the mobile phone number is held by other users, resulting in incorrect registration.
- the authentication credential generation portal requests to obtain the authentication credential of user A.
- the authentication credential generation portal sends an acquisition request to the authentication server through the authentication gateway, and the acquisition request is used to request the authentication server to obtain the authentication credential of the user A.
- the acquisition request carries the mobile phone number of the user A (hereinafter referred to as the mobile phone number #1 for convenience of description), so that the authentication gateway routes the acquisition request to the authentication server corresponding to the user A according to the mobile phone number #1.
- the authentication server returns the authentication credentials of the user A to the authentication credential generation portal.
- the authentication credential generation portal returns the authentication credentials of the user A to the application server.
- the application server only obtains the authentication credential of the user A, but does not obtain the mobile phone number of the user A.
- the application server may associate the authentication credential returned by the authentication server with the account created by the user on the application.
- the application server may also assign an identifier to the user when the user applies for an account on the application, and associate the authentication credential with the identifier after obtaining the authentication credential of the user returned by the authentication server.
- the application server can match (or match) the plurality of authentication credentials to the user one by one.
- the application server sends an authentication message to the authentication gateway, where the authentication message carries the authentication credential and the verification code of the user A.
- the authentication gateway learns the corresponding authentication server by using the routing information of the authentication server in the authentication credential of the user A.
- the authentication server may also carry the routing information through a separate cell, and the routing information may be carried in the step, and the authentication gateway obtains the corresponding authentication server by using the routing information.
- the authentication gateway sends an authentication request to the authentication server, where the authentication request carries the authentication credentials of user A.
- step 410 When the authentication server matches the authentication credential of the user A, the process proceeds to step 410.
- the authentication server returns the mobile phone number of user A to the authentication gateway.
- the authentication server does not obtain the user's mobile number because the authentication is matched. Therefore, the authentication server searches for the corresponding user information record by matching the user index included in the authentication credential.
- the authentication server allocates authentication credentials to the user, which can be implemented by using existing technologies. For example, referring to the allocation method of a Globally Unique Identifier (GUID), a user index may be included in the authentication credential, and the authentication server may also attach other required information to the authentication credential.
- GUID Globally Unique Identifier
- the authentication server may also carry the user index through a separate cell, and return to the application server through step 406 and step 407. After the application server sends the user index to the authentication server in step 409 and step 410, the authentication server searches for the corresponding user information record through the user index matching.
- the authentication gateway sends a short message to the user, where the short message carries the verification code.
- the authentication gateway sends the verification code sent by the application server received in step 408 to the communication network element, and the communication network element carries the verification code in the short message and sends the verification code to the terminal device of the user A.
- the terminal device provides a verification code to the application server to complete the authentication.
- user A fills in the verification code in the short message and submits it to the application server; or the user replies with a short message to the phone number specified by the application server, carries the specified verification code, etc., and completes Authentication of the identity of User A.
- the application server can only obtain the authentication credentials associated with the user, but not the user's mobile phone number. Since the user authentication credentials can only be contacted to the user through a control channel between the authentication device (for example, message, voice call or email), it cannot be directly used to make a call or send a peer-to-peer message to the user. Can be managed by enhancing the authentication of the application server and the content sent from the application server to the authentication gateway. Control to prevent unauthorized messages from being sent to the user's mobile phone. Other personnel, such as sellers, couriers, etc., even if they obtain the user's identity authentication information, but because they do not have access to the control channel, they cannot directly contact the user, thereby better protecting the user's privacy.
- FIG. 6 shows a schematic diagram of an authentication credential database in accordance with yet another embodiment of the present invention.
- the authentication server stores an authentication credential database
- the authentication credential database stores a plurality of authentication credential lists, and each authentication credential list corresponds to one user.
- Each authentication credential list user records a correspondence between at least one authentication credential of the corresponding user and at least one application identifier.
- the correspondence between the authentication credential and the application identifier may be one-to-one correspondence, that is, for one user, one authentication credential corresponds to one application identifier.
- FIG. 6 only one-to-one correspondence between the authentication credential and the application identifier is taken as an example, and an example of the authentication credential database in the embodiment of the present invention is shown.
- a user is usually registered to multiple Internet applications.
- the authentication server when different application servers request user authentication credentials from an authentication server in a mobile communication network, the authentication server returns the same credentials or different credentials for different application servers.
- the authentication server returns different authentication credentials to different application servers, thereby enhancing the role of the mobile communication network operator in managing rights of different applications.
- the authentication server when the application server generates the portal by the authentication credential, and/or the authentication gateway requests the authentication server to obtain the authentication credential of the user, the authentication server first searches in the authentication credential database according to the user identifier (eg, the mobile phone number). After the user record is found, the authentication credential corresponding to the currently requested application is also located according to the identifier of the application (for example, Alipay, WeChat, etc.), and returned to the application server.
- the user identifier eg, the mobile phone number
- the authentication server If the authentication credential of the current request application is not included in the authentication credential list of the user, the authentication server generates the authentication credential for the current request application of the user and saves in the authentication credential database.
- the embodiment is applied to the foregoing embodiment.
- the authentication credential generating portal and/or the authentication gateway verify the identity of the application server. Get and verify the identity of the app.
- the identifier of the application may be mapped on the authentication credential generation portal and/or the authentication gateway according to the IP address of the application server, and the port number.
- the authentication server may also provide a login interface for the application server to authenticate its identity and identity by having the application server perform a dedicated login process.
- the identifier of the application may also be explicitly carried by the application server in the request message with its own application identifier to notify the authentication credential generation portal and/or the authentication gateway.
- the authentication server when the application server generates the portal through the authentication credential, and/or the authentication gateway requests the authentication server to authenticate the authentication, if it supports providing different authentication credentials to different applications, the authentication server first searches the authentication credential database according to the user identifier. Target user records. Then, according to the identifier of the application, the authentication credential corresponding to the currently requested application is located and matched with the authentication credential in the request message.
- the authentication server Before the authentication server receives the request identity authentication message, it also includes an authentication credential generation portal, and/or the authentication gateway verifies the identity of the application server to obtain and verify the identity of the application.
- the authentication server may invalidate or refresh the authentication credentials according to the request of the user. For example, when an application has a behavior such as pushing a message, the user may request invalidation or refresh the authentication credentials corresponding to the application. To avoid the app's own harassment.
- the authentication server in the mobile communication network has the authentication credential management capability that distinguishes the application granularity, so that different applications can be controlled to distinguish different rights. For example, different applications send different types of information to users, and the license time period is different. Or, if the application has a message harassment or other irregularity to the user, the mobile communication network operator can temporarily or permanently close the channel for the specific application to send the message to the user according to legal specifications or the agreement with the user and the application. This can effectively enhance the user experience, protect the privacy of users, and improve the ability of communication network operators to control the network.
- the method for transmitting information in the embodiment of the present invention can be used not only for the current mobile communication network, but also for the scenario of identity authentication through the email system and the instant messaging system.
- an email system operator assigns authentication credentials to a user and provides it to an application server, which expires when the email account is logged off. If the new user requests to obtain the email account, since the authentication credentials saved on the application server have expired, the new user cannot obtain the verification code information sent by the application server through the email account, and cannot enter the application account registered by the previous user. , or make key transactions such as transaction payments, thereby protecting the previous user from the threat of identity spoofing.
- the authentication server distributes and saves one authentication credential for each user, and transmits the authentication credential to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user, otherwise the authentication server does not authorize the communication network to send the information to the user. It can avoid security risks caused by incorrect sending of information.
- the security of the application server when transmitting information to the user can be improved.
- FIG. 7 shows a schematic block diagram of an apparatus 500 for transmitting information in accordance with an embodiment of the present invention.
- the apparatus 500 includes:
- the receiving unit 510 is configured to receive an authentication request message sent by the application server, where the authentication request message includes the first authentication credential;
- the processing unit 520 is configured to allow the application server to transmit information to the user when the first authentication credential matches the authentication credential on the device;
- the application server is prohibited from transmitting information to the user.
- Each unit in the apparatus 500 for transmitting information and the other operations or functions described above according to an embodiment of the present invention respectively implement respective flows executed by the authentication server in the embodiments of the present invention. For the sake of brevity, it will not be repeated here.
- the authentication server distributes and saves one authentication credential for each user, and transmits the authentication credential to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user. User, otherwise the communication network will not be authorized to send this information to the user. Thereby, security risks caused by erroneous transmission of information can be avoided, and thus, security of the application server when transmitting information to the user can be improved.
- FIG. 8 shows a schematic block diagram of an apparatus 500 for transmitting information in accordance with an embodiment of the present invention.
- the apparatus 600 includes:
- the receiving unit 610 is configured to receive the first authentication credential sent by the authentication server.
- the storage unit 620 is configured to save the first authentication credential
- the sending unit 630 is configured to send an authentication request message to the authentication server when the information needs to be transmitted to the user, where the first authentication credential is included in the authentication request message.
- the units in the apparatus 600 for transmitting information according to the embodiment of the present invention and the other operations or functions described above are respectively implemented in order to implement the respective processes executed by the application server in the embodiments of the present invention. For the sake of brevity, it will not be repeated here.
- the authentication server distributes and saves one authentication credential for each user, and transmits the authentication credential to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user, otherwise the communication network is not authorized to send the information to the user. user.
- security risks caused by erroneous transmission of information can be avoided, and thus, security of the application server when transmitting information to the user can be improved.
- FIG. 9 shows a schematic block diagram of an apparatus 700 for transmitting information in accordance with an embodiment of the present invention.
- the apparatus 700 includes:
- the receiving unit 710 is configured to receive a user registration authentication credential redirection request sent by the application server.
- the processing unit 720 is configured to acquire a user identifier.
- the sending unit 730 is configured to send the user identifier to the authentication server.
- the receiving unit 710 is further configured to receive the first authentication credential sent by the authentication server;
- the sending unit 730 is further configured to send the first authentication credential to the application server.
- Each unit in the apparatus 700 for transmitting information according to an embodiment of the present invention and the other operations or functions described above are respectively configured to implement a third party device (or authentication credential generation gate) in various embodiments of the present invention.
- the corresponding process performed by the user For the sake of brevity, it will not be repeated here.
- the user identifier is obtained by the third-party device, and the user identifier is sent to the authentication server to obtain the authentication credential corresponding to the application identifier, so that the credential credential is sent to the application server, so that the application is applied.
- the server can only obtain the authentication credentials of the user, but not the user ID of the user (for example, the mobile number). Therefore, the application server cannot directly call the user or send a peer-to-peer message, so that the mobile communication network operator can control the identity of the application server and the content sent from the application server to the authentication gateway to prevent unauthorized message transmission. It is better to protect the privacy of users by going to the user's mobile phone.
- FIG. 10 shows a schematic block diagram of an apparatus 800 for transmitting information in accordance with an embodiment of the present invention.
- the apparatus 800 includes:
- the receiving unit 810 is configured to receive an authentication request message sent by the application server, where the authentication request message includes a first authentication credential, where the authentication request message is sent to the device when the application server needs to transmit information to the user;
- the processing unit 820 is configured to determine an authentication server.
- the sending unit 830 is configured to send the authentication request message to the authentication server.
- the units in the apparatus 800 for transmitting information and the other operations or functions described above are respectively implemented in accordance with the embodiments of the present invention in order to implement the respective processes performed by the authentication gateway in the embodiments of the present invention. For the sake of brevity, it will not be repeated here.
- the authentication server distributes and saves one authentication credential for each user, and transmits the authentication credential to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user, otherwise the communication network is not authorized to send the information to the user. user.
- the security risk caused by the incorrect transmission of information can be avoided, and thus the security of the application server when transmitting information to the user can be improved.
- FIG. 11 shows a schematic structural diagram of an apparatus 900 for transmitting information according to an embodiment of the present invention.
- the signal transmitting device 900 includes a receiver 910, a transmitter 920, a processor 930, a memory 940, and a bus system 950.
- the receiver 910, the transmitter 920, The processor 930 and the memory 940 are connected by a bus system 950 for storing instructions for executing instructions stored in the memory 940 to control the receiver 910 to receive signals and controlling the transmitter 920 to transmit signals. among them,
- the receiver 910 is configured to receive an authentication request message sent by the application server, where the authentication request message includes the first authentication credential;
- the processor 930 is configured to allow the application server to transmit information to the user when the first authentication credential matches the authentication credential on the device;
- the application server is prohibited from transmitting information to the user.
- the processor 930 may be a central processing unit (“CPU"), and the processor 930 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
- the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
- the memory 940 can include read only memory and random access memory and provides instructions and data to the processor 930. A portion of the memory 940 can also include a non-volatile random access memory. For example, the memory 940 can also store information of the device type.
- the bus system 950 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 950 in the figure.
- each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 930 or an instruction in a form of software.
- the steps of the method for transmitting information disclosed in the embodiments of the present invention may be directly implemented as hardware processor execution completion, or performed by a combination of hardware and software modules in the processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in memory 940, and processor 930 reads the information in memory 940 and, in conjunction with its hardware, performs the steps of the above method. To avoid repetition, it will not be described in detail here.
- Each unit in the device 900 for transmitting information and the above-described other operations or functions according to an embodiment of the present invention are respectively configured to execute respective processes executed by the authentication server in the respective embodiments. For the sake of brevity, it will not be repeated here.
- the authentication server allocates and saves one for each user. Authentication credentials and send the authentication credentials to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user, otherwise the communication network is not authorized to send the information to the user. user.
- the security risk caused by the incorrect transmission of information can be avoided, and thus the security of the application server when transmitting information to the user can be improved.
- FIG. 12 shows a schematic structural diagram of an apparatus 1100 for transmitting information according to an embodiment of the present invention.
- the signal transmitting device 1100 includes a receiver 1110, a transmitter 1120, a processor 1130, a memory 1140, and a bus system 1150.
- the receiver 1110, the transmitter 1120, the processor 1130, and the memory 1140 are connected by a bus system 1150.
- the memory 1140 is configured to store instructions for executing the instructions stored by the memory 1140 to control the receiver 1110 to receive. Signaling and controlling the transmitter 1120 to send a signal, wherein
- the processor 1130 is configured to receive a first authentication credential sent by the authentication server.
- the storage 1140 is configured to save the first authentication credential
- the sender 1120 is configured to send an authentication request message to the authentication server when the information needs to be transmitted to the user, where the first authentication credential is included in the authentication request message.
- the processor 1300 may be a central processing unit (“CPU"), and the processor 1300 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
- the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
- the memory 1140 can include read only memory and random access memory and provides instructions and data to the processor 1130. A portion of the memory 1140 can also include a non-volatile random access memory. For example, the memory 1140 can also store information of the device type.
- the bus system 1150 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 1150 in the figure.
- each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1130 or an instruction in a form of software.
- Transmission information disclosed in connection with embodiments of the present invention The steps of the method may be directly implemented by the hardware processor, or by a combination of hardware and software modules in the processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 1140, and the processor 1130 reads the information in the memory 1140 and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
- Each unit in the device 1100 for transmitting information and the above-described other operations or functions according to an embodiment of the present invention are respectively configured to execute respective processes executed by the application server in the respective embodiments. For the sake of brevity, it will not be repeated here.
- the authentication server distributes and saves one authentication credential for each user, and transmits the authentication credential to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user, otherwise the communication network is not authorized to send the information to the user. user.
- the security risk caused by the incorrect transmission of information can be avoided, and thus the security of the application server when transmitting information to the user can be improved.
- FIG. 13 shows a schematic block diagram of an apparatus 1200 for transmitting information according to an embodiment of the present invention.
- the signal transmitting device 1200 includes a receiver 1210, a transmitter 1220, a processor 1230, a memory 1240, and a bus system 1250.
- the receiver 1210, the transmitter 1220, the processor 1230, and the memory 1240 are connected by a bus system 1250 for storing instructions for executing the instructions stored by the memory 1240 to control the receiver 1210 to receive.
- the receiver 1210 is configured to receive a user registration authentication credential redirection request sent by the application server.
- the processor 1230 is configured to acquire a user identifier.
- the sender 1220 is configured to send the user identifier to the authentication server.
- the receiver 1210 is configured to receive the first authentication credential sent by the authentication server.
- the transmitter 1220 is further configured to send the first authentication credential to the application server.
- the processor 1230 may be a central processing unit (“CPU"), and the processor 1230 may also be another general-purpose processor.
- DSP digital signal processor
- ASIC application specific integrated circuit
- FPGA off-the-shelf programmable gate array
- the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
- the memory 1240 can include read only memory and random access memory and provides instructions and data to the processor 1230. A portion of the memory 1240 may also include a non-volatile random access memory. For example, the memory 1240 can also store information of the device type.
- the bus system 1250 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 1250 in the figure.
- each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1230 or an instruction in a form of software.
- the steps of the method for transmitting information disclosed in the embodiments of the present invention may be directly implemented as hardware processor execution completion, or performed by a combination of hardware and software modules in the processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 1240, and the processor 1230 reads the information in the memory 1240 and, in conjunction with its hardware, performs the steps of the above method. To avoid repetition, it will not be described in detail here.
- Each unit in the device 1200 for transmitting information according to an embodiment of the present invention and the other operations or functions described above are respectively configured to execute respective processes executed by the third party device in the respective embodiments. For the sake of brevity, it will not be repeated here.
- the user identifier is obtained by the third-party device, and the user identifier is sent to the authentication server to obtain the authentication credential corresponding to the application identifier, so that the credential credential is sent to the application server, so that the application is applied.
- the server can only obtain the authentication credentials of the user, but not the user ID of the user (for example, the mobile number). Therefore, the application server cannot directly call the user or send a peer-to-peer message, so that the mobile communication network operator can control the identity of the application server and the content sent from the application server to the authentication gateway to prevent unauthorized message transmission. It is better to protect the privacy of users by going to the user's mobile phone.
- FIG. 14 shows a schematic structural diagram of an apparatus 1300 for transmitting information according to an embodiment of the present invention.
- the signal transmitting device 1300 includes a receiver 1310, a transmitter 1320, a processor 1330, a memory 1340, and a bus system 1350.
- the receiver 1310, the transmitter The processor 1330 and the memory 1340 are connected by a bus system 1350 for storing instructions for executing instructions stored by the memory 1340 to control the receiver 1310 to receive signals and controlling the transmitter 1320 to transmit.
- Signal where
- the processor 1330 is configured to receive an authentication request message sent by the application server, where the authentication request message includes a first authentication credential, where the authentication request message is sent to the device when the application server needs to transmit information to the user;
- the processor 1330 is configured to determine an authentication server.
- the sender 1320 is configured to send the authentication request message to the authentication server.
- the processor 1300 may be a central processing unit (“CPU"), and the processor 1300 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
- the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
- the memory 1340 can include read only memory and random access memory and provides instructions and data to the processor 1330. A portion of the memory 1340 can also include a non-volatile random access memory. For example, the memory 1340 can also store information of the device type.
- the bus system 1350 can include, in addition to the data bus, a power bus, a control bus, a status signal bus, and the like. However, for clarity of description, various buses are labeled as bus system 1350 in the figure.
- each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1330 or an instruction in a form of software.
- the steps of the method for transmitting information disclosed in the embodiments of the present invention may be directly implemented as hardware processor execution completion, or performed by a combination of hardware and software modules in the processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 1340, and the processor 1330 reads the information in the memory 1340 and performs the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
- Each unit in the device 1300 for transmitting information according to an embodiment of the present invention and the other operations or functions described above are respectively configured to perform respective processes performed by the authentication gateway in the respective embodiments. For the sake of brevity, it will not be repeated here.
- the authentication server allocates and saves one for each user. Authentication credentials and send the authentication credentials to the application server.
- the application server sends information to the user (for example, a short message including a verification code)
- the authentication server authorizes the communication network to send the information that the application server needs to send to the user, otherwise the communication network is not authorized to send the information to the user. user.
- the security risk caused by the incorrect transmission of information can be avoided, and thus the security of the application server when transmitting information to the user can be improved.
- the size of the sequence numbers of the above processes does not mean the order of execution, and the order of execution of each process should be determined by its function and internal logic, and should not be directed to the embodiments of the present invention.
- the implementation process constitutes any limitation.
- the term "and/or” is merely an association relationship describing an associated object, indicating that there may be three relationships.
- a and/or B may indicate that A exists separately, and A and B exist simultaneously, and B cases exist alone.
- the character "/" in this article generally indicates that the contextual object is an "or" relationship.
- the disclosed systems, devices, and methods may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be indirect coupling through some interfaces, devices or units or Communication connections can also be electrical, mechanical or other forms of connection.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
- the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
- the technical solution of the present invention contributes in essence or to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium.
- a number of instructions are included to cause a computer device (which may be a personal computer, server, or authentication device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
- the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Abstract
本发明公开了一种传输信息的方法,能够提高传输信息的安全性。认证服务器接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据;当该第一认证凭据与该认证服务器上的认证凭据匹配时,该认证服务器允许该应用服务器向用户传输信息;或者当该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器禁止该应用服务器向该用户传输信息。
Description
本发明涉及互联网领域,并且更具体地,涉及一种传输信息的方法和装置。
随着网络技术的发展和普及,互联网在各行各业为大众用户提供越来越多的服务(例如,购物、视频、电子邮件、打车、订餐和企业信息管理等等)。用户在使用互联网应用提供的服务之前,一般都需要先进行登录,完成身份认证。最常用的身份认证机制是账号加上密码,单纯使用账号加密码保护用户账号存在两个方面的弊端。一方面是密码可能被其他人窃取。另一方面是用户可能会忘记密码。
移动通讯网络对移动终端有比较完善的认证机制的进一步发展和完善(包括,网络对手机SIM卡的鉴权,以及对签约用户的实名认证等),越来越多的互联网应用通过手机号码来辅助完成用户的身份认证,提升系统的安全性和用户使用的便捷性。甚至一些应用为了简化操作,进一步提升用户体验,不再使用单独的密码来保护用户账户安全,而完全使用手机短消息传递验证码的方式来完成用户认证和登录。一些应用虽然保留了密码认证的方式,但在用户忘记密码时,可以通过互联网应用提供的“找回密码”功能,即通过手机短消息传递验证码的方式完成用户认证,并通过重新设置密码完成登录。换句话说,手机短消息传递验证码的方式对这些应用来说几乎成了唯一的用户认证方式。
另外,在电子商务交易付款,转账等关键操作时,应用服务器也可能通过向用户的手机发送短消息验证码的方式对正在进行操作的用户身份进行增强的认证。
通过手机短消息传递验证码完成用户认证的方式,一方面,简化了操作,提升了用户体验。但是,另一方面,也存在着安全漏洞。例如,当原用户不想继续使用手机号码,向网络运营商申请停机并注销手机号码后,由于手机号码是有限的网络资源,停机销号后的手机号码并不会永久封存,网络运营商通常是将该手机号码冻结一段时间后重新进行销售,分配给新用户。新用
户获得该手机号码后,假设新用户存在恶意,尝试登录一些热门互联网应用,输入其新获得的手机号码,通过手机短消息传递验证码,或者,通过“忘记密码”的方式重新设置密码,就能完成认证和登录。如果原用户恰好在这些互联网应用中注册了账户并绑定了手机号码,那么新用户就可以进入原用户的应用账号,导致原用户的隐私泄露,造成极大的安全隐患。
发明内容
本申请提供一种传输信息的方法和装置,能够提高信息传输的安全性。
第一方面,本申请提供一种传输信息的方法,该方法包括:认证服务器接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据;当该第一认证凭据与该认证服务器上的认证凭据匹配时,该认证服务器允许该应用服务器向用户传输信息;或者,当该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器禁止该应用服务器向用户传输信息。
在一种可能的实现方式中,该认证服务器接收应用服务器发送的第一认证凭据之前,该方法还包括:该认证服务器生成与用户标识关联的该第一认证凭据,并保存该第一认证凭据作为该认证服务器上的认证凭据;该认证服务器将该第一认证凭据发送给该应用服务器。
在一种可能的实现方式中,该认证服务器接收应用服务器发送的第一认证凭据之前,该方法还包括:该认证服务器生成与用户标识和该应用服务器的应用标识关联的该第一认证凭据,并保存该第一认证凭据作为该认证服务器上的认证凭据;该认证服务器将该第一认证凭据发送给该应用服务器。
在一种可能的实现方式中,该认证请求消息中包含用户标识信息,以及,该第一认证凭据与该认证服务器上的认证凭据匹配,包括:该认证服务器获取该认证请求消息中的该用户标识信息;该认证服务器确定该用户标识信息对应的认证凭据与该第一认证凭据匹配。
在一种可能的实现方式中,该认证请求消息中包含该用户标识信息以及该应用服务器的应用标识,以及,该第一认证凭据与该认证服务器上的认证凭据匹配,包括:该认证服务器获取该认证请求消息中的该用户标识信息以及该应用服务器的应用标识;该认证服务器确定该用户标识和该应用服务器的应用标识对应的认证凭据与该第一认证凭据匹配。
在一种可能的实现方式中,该认证服务器将该第一认证凭据发送给该应用服务器之后,该方法还包括:该认证服务器获取清除用户认证凭据指令,该清除用户认证凭据指令用于指示该认证服务器将该第一认证凭据无效;该认证服务器根据该清除用户认证凭据指令,将该认证服务器上的认证凭据中的该第一认证凭据无效。
在一种可能的实现方式中,该认证服务器将该第一认证凭据无效之后,该方法还包括:该认证服务器生成与该用户标识关联的第二认证凭据,并保存该第二认证凭据作为该认证服务器上的认证凭据。
在一种可能的实现方式中,该认证服务器将该第一认证凭据无效之后,该方法还包括:该认证服务器生成与该用户标识和该应用服务器的应用标识关联的第二认证凭据,并保存该第二认证凭据作为该认证服务器上的认证凭据。
在一种可能的实现方式中,该方法还包括:该认证服务器向该应用服务器发送刷新指示信息,该刷新指示信息用于指示该应用服务器刷新该第一认证凭据。
在一种可能的实现方式中,当该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器禁止该应用服务器向用户传输信息,包括:该认证服务器向该应用服务器发送认证失败信息。
在一种可能的实现方式中,该认证服务器通过认证网关和/或第三方设备,与该应用服务器进行通信,其中,该认证网关和/或该第三方设备与该认证服务器合设,或者该认证网关和/或该第三方设备与该认证服务器分设。
在一种可能的实现方式中,当该第一认证凭据与该认证服务器上的认证凭据匹配时,该认证服务器允许该应用服务器向用户传输信息,包括:该认证服务器向该应用服务器发送认证通过信息,以便于该应用服务器将第一信息发送给用户;或者,该认证服务器向该认证网关发送认证通过信息,以便该认证网关将该应用服务器发送的该第一信息发送给用户。
第二方面,本申请提供一种传输信息的方法,该方法包括:应用服务器接收认证服务器发送的第一认证凭据;该应用服务器保存该第一认证凭据;当该应用服务器需要向用户传输信息时,该应用服务器发送认证请求消息给该认证服务器,该认证请求消息中包含该第一认证凭据。
在一种可能的实现方式中,该认证请求消息中包含用户标识信息。
在一种可能的实现方式中,该认证请求消息中包含该应用服务器的应用标识;或者,该应用服务器执行登录操作,在登录信息中向该认证服务器提供该应用服务器的应用标识。
在一种可能的实现方式中,该方法还包括:该应用服务器接收该认证服务器发送的认证失败信息,该认证失败信息是在该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器发送给该应用服务器的。
在一种可能的实现方式中,该应用服务器通过认证网关和/或第三方设备与该认证服务器进行通信,其中,该认证网关和/或该第三方设备与该认证服务器合设,或者该认证网关和/或该第三方设备与该认证服务器分设。
在一种可能的实现方式中,该方法还包括:该应用服务器接收该认证网关发送的认证通过信息,并向该认证网关发送第一信息;或者,该应用服务器向该认证网关发送认证请求消息,该认证请求消息中包括第一信息,以便该认证网关接收到该认证服务器发送的认证通过信息时,该认证网关将该第一信息发送给用户,其中,该第一信息是该应用服务器包含在该认证请求消息中发送给该认证网关的,或该第一信息是该应用服务器在接收到该认证网关发送的该认证通过消息后发送给该认证网关的。
第三方面,本申请提供一种传输信息的方法,该方法包括:第三方设备接收应用服务器发送的用户登记认证凭据重定向请求;该第三方设备获取用户标识;该第三方设备将该用户标识发送给认证服务器;该第三方设备接收该认证服务器发送的第一认证凭据;该第三方设备将该第一认证凭据发送给应用服务器。
第四方面,本申请提供一种传输信息的方法,该方法包括:认证网关接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据,该认证请求消息是该应用服务器需要向用户传输信息时发送给该认证网关的;该认证网关确定认证服务器;该认证网关将该认证请求消息发送给该认证服务器。
在一种可能的实现方式中,该认证请求消息中包含路由信息,以及,该认证网关确定认证服务器,包括:该认证网关根据该路由信息确定认证服务器。
在一种可能的实现方式中,该认证网关接收应用服务器发送的认证请求消息之前,该方法还包括:该认证网关接收该认证服务器发送的该第一认证
凭据;该认证网关将该第一认证凭据发送给该应用服务器。
在一种可能的实现方式中,该方法还包括:该认证网关接收该认证服务器发送的认证失败信息,该认证失败信息是在该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器发送给该认证网关的;该认证网关将该认证失败信息发送给该应用服务器。
在一种可能的实现方式中,该方法还包括:该认证网关接收该认证服务器发送的认证通过信息,该认证通过信息是在该第一认证凭据与该认证服务器上的认证凭据匹配时,该认证服务器发送给该认证网关的;该认证网关将第一信息发送给用户;该第一信息为该应用服务器发送的该认证请求消息中包含;或者该第一信息为该应用服务器收到该认证网关发送的认证通过消息后发送给该认证网关。
在一种可能的实现方式中,该认证网关接收该认证服务器发送的认证通过信息,该方法还包括:该认证通过信息中携带该用户标识;该认证网关根据该用户标识,将该第一信息发送给该用户标识对应的该用户。
第五方面,本申请提供一种传输信息的装置,用于执行第一方面或第一方面的任意可能的实现方式中的方法。具体地,该装置包括用于执行第一方面或第一方面的任意可能的实现方式中的方法的功能。该装置可以是认证服务器。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或者模块。
第六方面,本申请提供一种传输信息的装置,用于执行第二方面或第二方面的任意可能的实现方式中的方法。具体地,该装置包括用于执行第二方面或第二方面的任意可能的实现方式中的方法的功能。该装置可以是应用服务器。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或者模块。
第七方面,本申请提供一种传输信息的装置,用于执行第三方面的方法。具体地,该装置包括用于执行第三方面的方法的功能。该装置可以是第三方设备。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或者模块。
第八方面,本申请提供一种传输信息的装置,用于执行第四方面或第四方面的任意可能的实现方式中的方法。具体地,该装置包括用于执行第四方面或第四方面的任意可能的实现方式中的方法的功能。该装置可以是认证网
关。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或者模块。
在一种可能的实现方式中,该认证请求消息中包含路由信息,以及,该处理单元具体用于根据该路由信息确定认证服务器。
在一种可能的实现方式中,在该接收单元接收应用服务器发送的认证请求消息之前,该接收单元具体用于接收该认证服务器发送的该第一认证凭据;以及,该发送单元具体用于将该第一认证凭据发送给该应用服务器。
在一种可能的实现方式中,该接收单元具体用于接收该认证服务器发送的认证失败信息,该认证失败信息是在该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器发送给该装置的;以及,该发送单元具体用于将该认证失败信息发送给该应用服务器。
在一种可能的实现方式中,该接收单元具体用于接收该认证服务器发送的认证通过信息,该认证通过信息中携带用户标识,其中,该认证通过信息是在该第一认证凭据与该认证服务器上的认证凭据匹配时,该认证服务器发送给该装置的;以及,该发送单元具体用于将第一信息发送给该用户标识对应的该用户,其中,该第一信息是该应用服务器包含在该认证请求消息中发送给该装置的,或该第一信息是该应用服务器在接收到该装置发送的该认证通过消息后发送给该装置的。
第九方面,本申请提供一种传输信息的设备,该设备包括接收器、发送器、处理器、存储器和总线系统。该设备可以是认证服务器。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,执行使得处理器执行第一方面或第一方面的任意可能的实现方式中的方法。
第十方面,本申请提供一种传输信息的设备,该设备包括接收器、发送器、处理器、存储器和总线系统。该设备可以是应用服务器。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,执行使得处理器执行第二方面或第二方面的任意可能的实现方式中的方法。
第十一方面,本申请提供一种传输信息的设备,该设备包括接收器、发
送器、处理器、存储器和总线系统。该设备可以是第三方设备。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,执行使得处理器执行第三方面或第三方面的任意可能的实现方式中的方法。
第十二方面,本申请提供一种传输信息的设备,该设备包括接收器、发送器、处理器、存储器和总线系统。该设备可以是认证网关。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,执行使得处理器执行第四方面或第四方面的任意可能的实现方式中的方法。
第十三方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第一方面或第一方面的任意可能的实现方式中的方法的指令。
第十四方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第二方面或第二方面的任意可能的实现方式中的方法的指令。
第十五方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第三方面或第三方面的任意可能的实现方式中的方法的指令。
第十六方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第四方面或第四方面的任意可能的实现方式中的方法的指令。
又一方面,本发明实施例提供了一种通信系统,该系统包括上述方面所述的认证服务器和应用服务器;或者,该系统还包括上述方面所述的第三方设备,和/或认证网关。
本申请提供的传输信息的方法,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者网络中负责对认证凭据进行匹配的网元)提供该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,
认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该用户,否则认证服务器不会授权通讯网络发送该信息给用户,能够避免由于信息的错误发送造成的安全隐患。因而,可以提高应用服务器向用户传输信息时的安全性。
为了更清楚地说明本发明实施例的技术方案,下面将对本发明实施例中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1是现有技术中传输信息时的一种应用场景。
图2示出了根据本发明一实施例的传输信息的方法的示意性流程图。
图3示出了根据本发明一实施例的传输信息的方法的示意性交互图。
图4示出了根据本发明另一实施例的传输信息的方法的示意性交互图。
图5示出了根据本发明又一实施例的传输信息的方法的示意性交互图。
图6示出了根据本发明又一实施例的认证凭据数据库的示意图。
图7示出了根据本发明一实施例的传输信息的装置的示意性框图。
图8示出了根据本发明另一实施例的传输信息的装置的示意性框图。
图9示出了根据本发明又一实施的传输信息的装置的示意性框图。
图10示出了根据本发明又一实施的传输信息的装置的示意性框图。
图11示出了根据本发明一实施例的传输信息的设备的示意性结构图。
图12示出了根据本发明另一实施例的传输信息的设备的示意性结构图。
图13示出了根据本发明又一实施例的传输信息的设备的示意性结构图。
图14示出了根据本发明又一实施例的传输信息的设备的示意性结构图。
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明的一部分实施例,而不是全部实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动的前提下所获得的所有其他实施例,都应属于本发明保护的范围。
应理解,在本发明实施例中,编号“第一”、“第二”仅仅为了区分不同
的对象,例如,为了区分不同的用户、用户标识等,不应对本发明实施例的保护范围构成任何限定。
为了便于理解和说明,首先结合图1,对现有技术中传输信息的方法进行简单介绍。
图1是现有技术中传输信息时的一种应用场景。如图1所示,在该应用场景中包括移动通讯网络、互联网应用服务器和用户。三者之间包括如下的交互过程。
1、用户A签约开户,获得手机号码MSISDNA。
2、用户A持有手机号码(MSISDNA)期间注册互联网应用的账号。
3、互联网应用在用户A执行登录或支付等操作时,通过向手机号码MSISDNA发送包含验证码的短消息的方式,对用户A进行身份认证。
4、用户A向移动通讯网络办理该手机号码的停机销号。
具体地,在用户A办理手机号码MSISDNA的停机销号后,移动通讯网络将该手机号码MSISDNA冻结一段时间后,重新进行销售。假设在重新销售时,用户B获得该手机号码MSISDNA。
5、用户B签约开户,获得手机号码MSISDNA。
6、互联网应用在用户B执行登录或支付等操作时,通过向手机号码MSISDNA发送包含验证码的短消息的方式,对用户B进行身份认证。
由此可见,在现有技术中,互联网应用对用户进行身份认证时,通过移动通讯网络向一个手机号码发送包含验证码的短消息,只要用户能够向互联网应用提供手机短消息中传递的验证码,无论当前持有终端设备(例如,手机)的用户是谁,身份认证都可以通过。如果新用户B尝试仿冒原用户A向该互联网应用执行登录或支付等操作,由于包含验证码的短消息会发送给当前持有该手机号码的新用户B,导致新用户B能够完成身份认证,成功执行用户登录或支付等操作。
由于移动通讯网络与互联网应用是由各自不同的企业进行运营和管理,原有用户在移动通讯网络中停机销号,手机号码被重新分配给新的用户。这个手机号码持有者发生变化的信息,并没有同步给互联网应用。互联网应用仍然向登记的手机号码发送验证信息,导致新用户可以接收到实际是发送给原用户的验证信息,从而存在身份仿冒的风险。由于越来越多应用依赖手机短消息来验证用户身份,使得新用户可以冒用原来用户的身份,给原用户带
来损失。因此,在现有技术中,应用服务器与用户之间的信息传输存在安全漏洞。
以下,结合图2至图7,详细说明根据本发明实施例的传输信息的方法。
图2示出了根据本发明实施例的传输信息的方法100的示意性流程图。该方法可以由认证服务器执行。如图2所示,该方法包括:
110、认证服务器接收应用服务器发送的认证请求消息,该认证请求消息包含第一认证凭据信息。
应理解,第一认证凭据是认证服务器分配的,用于唯一地标识一个用户的身份的标识。在本发明实施例中,当拥有某一个用户标识的用户发生改变时,与该用户标识关联的认证凭据也会随之改变。
例如,认证凭据可以为一定长度的电子数据(比如,10个字节长度的二进制码)。
其中,该第一认证凭据与用户标识关联,或与用户标识和该应用服务器的应用标识关联。该用户标识可以为用户的手机号码,电子邮箱账号等。
需要说明的是,该第一认证凭据是该认证服务器在接收应用服务器发送的认证请求消息之前生成,并发送给该应用服务器保存的。并且,该认证服务器在生成该第一认证凭据后,也将该第一认证凭据保存在认证凭据数据库中,以便于后续对该用户的身份进行认证。
在本发明实施例中,应用服务器需要向该用户标识所标识的用户发送信息时,需要向认证服务器提供该用户的认证凭据。其中,应用服务器向认证服务器发送该第一认证凭据信息可以为第一认证凭据本身,或者,为该第一认证凭据的变换形式等。
120、当该第一认证凭据与该认证服务器上的认证凭据匹配时,该认证服务器允许该应用服务器向用户传输信息;或者
当该第一认证凭据与该认证服务器上的认证凭据不匹配时,该认证服务器禁止该应用服务器向用户传输信息。
在本发明实施例中,应用服务器需要向用户发送信息时,首先需要向认证服务器提供该用户的认证凭据。之后,认证服务器会确认(或者说,判断)认证凭据数据库中是否存在与该第一认证凭据匹配的认证凭据。如果,认证凭据数据库中存在与该第一认证凭据匹配的认证凭据,认证服务器允许该应用服务器向该用户发送信息。如果,证凭据数据库中不存在与该第一认证凭
据匹配的认证凭据,认证服务器禁止该应用服务器向用户发送信息。
可以理解的是,认证凭据数据库是认证服务器上用于存储多个用户的认证凭据(或者说,身份凭据)的。由于每个用户可以由用户标识唯一地标识,因此,也可以说,认证服务器存储有用户标识与认证凭据的对应关系。
具体地说,如果认证凭据数据库中存在与第一认证凭据匹配的认证凭据,说明在认证服务器根据该用户标识生成第一认证凭据之后,到认证服务器接收到应用服务器发送的第一认证凭据的期间,该用户标识一直被同一个用户持有。换句话说,通过该用户标识向用户发送信息,会被该用户所持有的终端设备接收到。因此,认证服务器允许应用服务器向该用户标识所标识的用户传输信息。如果认证凭据数据库中不存在与第一认证凭据匹配的认证凭据,说明在认证服务器根据该用户标识生成第一认证凭据之后,到认证服务器接收到应用服务器发送的第一认证凭据的期间,该用户标识的持有者已经发生了变化,因而找不到与第一认证凭据匹配的认证凭据。或者,认证凭据数据库中不存在与该用户标识对应的认证凭据。或者,该用户标识可能暂时没有被使用。或者,其它可能的情况。无论出于哪种可能的情况,此时,应用服务器向用户传输信息是禁止的。否则,可能会出现,原本是发送给用户A的信息,结果被用户B所持有的终端设备接收到,造成信息的错误发送,使得用户A的信息泄露。
需要说明的是:认证凭据数据库中不存在与第一认证凭据匹配的认证凭据,包括多种情况,例如:没有在认证凭据数据库中查找到对应用户的记录;或者在认证凭据数据库中查找到对应用户记录,但记录中没有对应的认证凭据的记录;或者在认证凭据数据库中查找到对应用户记录,并且用户记录中存在对应的认证凭据,但与应用服务器提供的第一认证凭据不匹配,等等。
可以理解的是,应用服务器向用户发送信息是指,应用服务器通过向用户所持有的终端设备发送信息,使得终端设备将信息传递给用户。
需要说明的是,两个认证凭据匹配,包括两个认证凭据完全相同。或者,一个认证凭据是另一个认证凭据的某种变换形式等,后文会作详细说明。
因此,本发明实施例中,应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯
网络将应用服务器需要发送给用户的信息发送给该用户,否则认证服务器不会授权通讯网络发送该信息给用户。因而,可以提高应用服务器向用户传输信息时的安全性。
以下结合多个实施例,对本发明实施例的传输信息的方法进行更加详细的说明。
图3示出了根据本发明一实施例的传输信息的方法的示意性交互图。如图3所示,该方法包括:
201、用户向互联网应用登记用户标识。
在本发明实施例中,用户标识用于在通讯系统或应用服务器中唯一地标识一个用户。例如,用户标识可以为移动用户号码(Mobile Subscriber International ISDN/PSTN number,MSISDN),邮箱账号等。
应理解,在步骤201,用户一般可以通过应用客户端,网页浏览器等向应用进行注册,登记用户标识,如手机号码。
202、应用服务器向认证服务器获取用户的认证凭据。
203、认证服务器为用户分配认证凭据,并保存。
具体地说,认证服务器可以在用户获得该用户标识(或者,称为身份标识)的时候就分配并存储认证凭据。如,移动通信网络在用户签约获得手机号码时,为用户分配并存储认证凭据。或者,认证服务器也可以在应用服务器首次请求认证凭据时为用户分配认证凭据并保存。
204、认证服务器向应用服务器返回用户的认证凭据。
认证服务器将分配的认证凭据发送给应用服务器。在具体地实施过程中,有多种实现方式。例如,认证服务器在应用服务器请求用户的认证凭据时,将该用户的认证凭据发送给应用服务器。
可以理解的是,在本发明实施例中,认证服务器将第一认证凭据发送给应用服务器以后,可选地,包括步骤205和步骤206。
205、认证设备获取清除用户认证凭据指令。
其中,该清除用户认证凭据指令用于指示认证服务器将该第一认证凭据设置为无效。
需要说明的是,清除用户认证凭据指令可以是针对用户标识的,即,将用户标识对应的认证凭据全部设置为无效。或者,也可以是针对应用标识的,即,只将某个用户标识和某个或某几个应用标识对应的认证凭据设置为无
效。
例如,用户A在使用手机号码#1(用户标识的一例)期间,认证服务器为手机号码#1分配认证凭据#1,用于认证用户A的身份。并且,认证服务器在应用服务器#1(应用服务器的一例)请求获取手机号码#1的认证凭据时,将认证凭据#1发送给应用服务器#1保存。之后,用户A办理停机销号业务,申请将认证凭据#1无效(场景1)。或者,用户A办理停机保号业务,在一段时间内,暂时停止使用手机号码#1(场景2)。又或者,通讯网络侦测到潜在安全风险,例如,存在应用服务器连续多次提供错误的认证凭据时,主动锁定用户的认证凭据(场景3)。
又例如,用户A在使用手机号码#1(用户标识的一例)期间,认证服务器为应用标识#1分配认证凭据#1,用于认证用户A使用应用#1身份。并且,认证服务器在应用服务器#1(应用服务器的一例)请求获取手机号码#1的应用标识#1对应的认证凭据时,将认证凭据#1发送给应用服务器#1保存。之后,如果应用#1存在对用户A进行消息骚扰或其它不规范的情况,移动通讯网络运营商可以根据法律规范或者与用户以及应用的协议规定,将应用#1对应的认证凭据无效(场景4)。
应理解,以上几种情况仅作为示例,不应对本发明实施例的应用场景构成限定。
需要说明的是,认证服务器可以通过连接到运营商网络的运维系统,运维系统在用户进行停机销号,或者,停机保号等需要无效现有认证凭据的操作时,产生该清除请求并发送给认证服务器进行处理。
进一步的,认证服务器也可以根据用户的请求无效认证凭据,如某应用存在推送广告等骚扰用户的行为,则用户可以请求无效该应用对应的认证凭据。
206、认证服务器将该用户的认证凭据设置为无效。
认证服务器将认证凭据#1无效。
应理解,在该实施例中,在场景1中,认证服务器将认证凭据#1无效。这里,可以理解为永久无效。在场景2、场景3或场景4中,认证服务器将认证凭据#1无效。这里,可以理解为暂时无效。当用户A恢复使用手机号码#1后,或认证服务器对用户的认证凭据锁定达到指定的时长后,认证凭据#1可以继续使用,并继续用于认证用户A的身份。
认证服务器将认证凭据设置为无效的操作可以为,认证服务器将对应的认证凭据删除,或者为对应的认证凭据设置无效标记,又或者认证服务器将用户信息记录删除,又或者认证服务器将用户信息记录下应用对应的记录删除。
应理解,步骤205和步骤206是认证服务器将第一认证凭据发送给应用服务器(步骤204)之后的可选步骤。即,对于认证服务器而言,将第一认证凭据发送给应用服务器之后,可以获取清除用户认证凭据指令,将自身保存的该第一认证凭据无效。可选地,认证服务器后续还可以生成与用户标识关联的第二认证凭据,或,生成与用户标识和该应用服务器的应用标识关联的第二认证凭据,并将该第二认证凭据保存在认证服务器上。
若认证服务器将第一认证凭据发送给应用服务器之后,一直保存该第一认证凭据,那么,步骤204之后转至步骤207。
207、应用服务器接收认证服务器发送的认证凭据,并保存。
208、应用服务器向认证服务器发送认证凭据和需要发送给用户的信息。
具体地说,在步骤208,当应用服务器需要向用户发送信息时,应用服务器将需要发送给用户的信息(即,第一信息)和该用户的认证凭据信息发送给认证服务器,以便于认证服务器确定认证凭据数据库中是否存在与该应用服务器提供的该用户的认证凭据(即,第一认证凭据)匹配的认证凭据。也或者说,应用服务器需要向用户发送信息时,先向认证服务器发送认证请求消息,以请求认证服务器对该用户的认证凭据进行匹配认证。例如,应用服务器需要向用户发送信息的场景可能为,应用服务器向手机号码发送包含验证码的短消息,或者向邮箱账号发送验证邮件,或者通过语音留言将验证码通知给用户,以对用户进行身份认证。应用服务器向认证服务器发送验证消息,消息中携带步骤207中获取的该用户的认证凭据和应用服务器需要发送给用户的信息,例如,包含验证码的短消息,验证邮件等。
需要说明的是,在本发明实施例中,认证服务器生成该第一认证凭据,并保存该第一认证凭据。之后,认证服务器会在应用服务器请求获取该用户标识的认证凭据时,将该第一认证凭据发送给应用服务器保存。之后,在应用服务器需要向用户发送信息时,需要向认证服务器提供该用户的认证凭据。容易想到的是,应用服务器可以直接将保存的第一认证凭据发送给认证服务器。或者,应用服务器也可以向认证服务器发送第一认证凭据的变换形
式。
可选地,该认证请求消息中包含用户标识信息。
其中,该用户标识信息可以为用户标识或用户索引。
可选地,该认证请求消息中包含用户标识信息和该应用服务器的应用标识。
认证服务器根据用户标识信息,或者根据用户标识信息和该应用服务器的应用标识,可以在认证凭据数据库中查询到与该用户标识关联(或者说,对应)的认证凭据。
另外,应用服务器在向认证服务器发送第一认证凭据时,可以只发送第一认证凭据信息,而不发送用户标识,这种情况下,通讯网络可以通过第一认证凭据中包含的信息路由到服务该用户的认证服务器并定位到对应用户的认证凭据记录。
209、认证服务器对应用服务器发送的认证凭据和自身保存的认证凭据进行匹配认证。
具体地说,如果匹配认证不通过,认证服务器则认为该互联网应用的请求不合法,不会授权通讯网络将应用服务器发送的信息转发给用户。
根据步骤208,应用服务器向认证服务器发送的可能是第一认证凭据,或者,也可以为第一认证凭据的变换形式。在应用服务器发送的认证凭据为第一认证凭据时,认证服务器可以直接进行匹配认证。在应用服务器发送的认证凭据为第一认证凭据的变换形式时,认证服务器基于相同的变换规则,与自身保存的认证凭据进行匹配认证。
根据步骤208,如果应用服务器同时发送了第一认证凭据和用户标识信息(可以为用户标识或用户索引),认证服务器首先根据用户标识或用户索引,在认证凭据数据库中查找该用户标识对应的用户记录。如果不存在该用户标识,说明,该用户标识可能已经被注销或处于冻结状态,因此,认证服务器可以直接确定不存在与第一认证凭据匹配的认证凭据。如果存在该用户标识,认证服务器确定该用户标识在当前时刻对应的认证凭据是否与第一认证凭据匹配。
进一步地,认证服务器可以在匹配认证不通过的情况下,向应用服务器发送认证失败信息,以指示该应用服务器该用户的认证凭据的匹配认证不通过。
应用服务器获知该用户的认证凭据匹配认证不通过后,可以采取暂时将该注册用户账号锁定、在应用客户端向当前操作用户显示警告信息等措施,避免可能出现的用户仿冒带来的损害。
需要说明的是,应用服务器需要发送给用户的信息,可以和认证凭据一起发送给认证服务器。在认证服务器对该用户的认证凭据匹配认证通过之后,认证服务器通过通讯网络将信息转发给用户。或者,应用服务器也可以先向认证服务器发送该用户的认证凭据,在认证服务器对该用户的认证凭据的匹配认证通过后,向该应用服务器发送认证通过信息。该应用服务器接收到认证通过信息后,再将需要发送给用户的信息发送给通讯网络中负责与终端设备传输信息的网元,由该传输信息的网元将该信息发送给用户。本发明实施例对此不作限定。
如果匹配认证通过,转至步骤210。
210、如果匹配认证通过,认证服务器授权通讯网络向用户发送信息。
211、用户向互联网应用提供验证码,完成身份验证。
具体地说,用户通过终端设备(或者说,通讯终端)接收到认证服务器发送的信息,可以向应用服务器提供验证码完成应用层的验证。例如,用户将获得的短消息中的验证码填写在应用验证页面中,并提交给应用服务器。或者,用户向应用服务器指定的电话号码回复一条短消息,该短消息中携带应用服务器通过语音呼叫指定的验证码。或者用户点击确认收到的验证邮件中的链接等,从而完成对身份的验证。本发明实施例对认证方式不作任何限定,用户只要按照应用服务器的指示完成身份认证即可。
可见,在本发明实施例中,应用服务器向用户发送验证码等信息时,需要向认证服务器提供正确的认证凭据,由于一个认证凭据只对一个用户有效,在用户停机销号后即失效,因此新用户得到同样的手机号码后,无法收到原来用户注册的应用的验证码等信息,不能仿冒身份登录原来用户的账号对原来用户造成损害。
本发明实施例的传输信息的方法,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。当应用服务器需要向用户发送信息时,需要向认证服务器提供该用户的认证凭据,认证服务器只有在确定认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,才会授权通讯网络将应用服务器需要发送给用户的信息
发送给该用户,否则认证服务器不会授权通讯网络发送该信息给用户。从而,能够避免由于信息的错误发送造成的安全隐患,提高了信息传输的安全性。
本发明实施例不仅可以保证验证码等信息不会发送到新用户的手机终端上,也可以保证与原来用户相关的任何信息都不会错误的发送到新用户的手机终端上。从另一个角度,也可以保证新用户得到该手机号码后,不会接收到原用户订阅的一些信息(例如,广告信息等),从而可以起到保护新用户免受无关信息骚扰的效果。
可以理解的是,在实际应用中,认证服务器、应用服务器和终端设备之间进行通讯的网络的结构可能是更加复杂和多样的,即,存在多种不同类型的网络。另外,网络内部完成一个流程的处理是非常复杂的,涉及很多网元。因此,根据本发明实施例的传输信息的方法在不同网络中的实现细节不作详细说明。需要说明的是,不管采用什么样的网络结构或类型,只要能够实现本发明实施例中描述的认证服务器的用于实施本发明实施例的传输信息的方法的功能,都应认为落入本发明实施例的保护范围。
图4示出了根据本发明另一实施例的传输信息的方法的示意性交互图。如图4所示,在该实施例中,将上述实施例中描述的认证服务器的部分功能分别配置在不同的网元上,这些不同的网元可以为:通讯网元和认证网关。这些网元应用于移动通讯网络。
为了便于理解和说明首先对各个网元的功能进行说明。
通讯网元:用于将消息发送给用户,或者,将用户通过终端设备发送的消息发送给应用服务器。
需要说明的是,在实际应用中,通讯网元又可以包括多个子网元,此处不再展开。
认证服务器:用于生成用户的认证凭据,并提供给外部应用。还用于管理用户的认证凭据的生命周期。例如,在用户停机销号时将用户现有认证凭据视作失效。又例如,验证应用服务器提供的认证凭据是否与当前的用户的认证凭据匹配,并返回匹配结果等。
认证网关:用于提供与外部多个应用的统一接口。
该认证网关可以与用户认证服务器合设,为合一节点,也可以与用户认证服务器分设,为分离节点。
如图4所示,在该实施例中,根据本发明实施例的传输信息的方法,主
要包括步骤301至步骤312。
301、用户A向应用服务器登记用户标识(例如,手机号码#1)。
具体地说,用户A(用户的一例)在终端设备(例如,手机、笔记本电脑等)上,通过应用客户端向应用服务器登记用户标识。并且,假设用户A的手机号码为手机号码#1。
此处的用户标识可参见前文步骤201中对用户标识所作的说明。
在该实施例中,以用户标识为手机号码为例,对本发明实施例的传输信息的方法进行说明。
302、应用服务器验证用户A是否真实持有手机号码#1。
在本发明实施例中,应用服务器获得用户A的手机号码(即,手机号码#1)以后,可以对用户A是否真实持有该手机号码#1进行验证。
例如,应用服务器可以向该手机号码#1发送一条短消息,该短消息中携带验证码,要求用户A收到短消息后在应用页面上填写正确的验证码。或者,要求用户A按照收到的短消息中的提示,编辑一条指定格式的短消息发送给指定的号码,等等。如果验证码匹配,应用服务器则认为用户A确实正在持有其提供的手机号码#1。
需要说明是,用户A在初次登记手机号码时,应用服务器还没有获得用户的A的认证凭据,因此,在步骤302中,应用服务器通过通讯网元发送给用户的短消息为普通的短消息,即,不携带用户A的认证凭据,也不需要认证服务器进行匹配认证,直接转发给用户A即可。具体可以通过现有技术实现,此处不再赘述。
303、应用服务器请求获取用户A的认证凭据。
具体地说,应用服务器确认用户A持有手机号码#1后,应用服务器向移动通讯网络中的认证网关发送请求消息,该请求消息中携带了用户A的手机号码,即手机号码#1。应理解,该请求消息用于向移动通讯网络请求获取用户A的认证凭据。
认证网关将该请求消息发送到移动通讯网络内部服务用户A的认证服务器。
需要说明的是,网络内部的认证服务器可能有多个,认证网关可以根据手机号码#1的前缀路由到对应的认证服务器。认证服务器可以与通信网络中用户归属签约服务器(Home Subscriber Server,HSS),或用户归属位置寄存
器(Home Location Register,HLR)合设,也可以独立部署,或者与其它网络实体合设等。本发明实施例对此不作任何限定。
另外,根据手机号码#1的前缀路由到对应的认证服务器的过程,可以通过现有技术实现,此处不作详细说明。
304、认证服务器返回用户A的认证凭据。
步骤304的具体实现,可以参见前文所述的步骤204的说明。为了简洁,此处不作赘述。
认证服务器还可以返回路由信息给应用服务器,具体为,在认证服务器生成认证凭据时,该认证凭据中包含了到认证服务器的路由信息,或者认证服务器通过单独的信元,将路由信息返回给应用服务器。
进一步地,在本发明实施例中,认证服务器还可以定期的刷新认证凭据以提升安全性。
例如,认证服务器在向应用服务器返回用户的认证凭据时,可以指定认证凭据的有效时段。例如,XXXX年X月X日0时0分之前有效,在该失效时间到达前的一段时间内(例如7天内),要求应用服务器携带原有的认证凭据,请求刷新认证凭据。在刷新周期内,新老认证凭据同时有效,超过失效时间后,原有认证凭据失效,只有新认证凭据有效。又或者,认证服务器也可以单独发送刷新指示信息,以提示应用服务器对用户的认证凭据进行刷新。
305、应用服务器向认证网关发送验证消息,该验证消息中携带验证码和用户A的认证凭据。
具体地说,应用服务器在有用户(为了便于说明,记作用户B)通过执行登录、“找回密码”或交易支付等动作时,应用服务器决定对用户B进行手机验证码认证。应用服务器向认证网关发送验证消息,该验证消息中携带验证码和用户A的认证凭据。根据不同的实现方案,应用服务器可以同时在该验证消息中携带手机号码#1,也可以不携带。
应理解,此处的用户B可能是用户A,也可能不是用户A。当用户B不是用户A时,现有技术中,由于应用服务器和移动通讯网络不会对用户的身份进行验证,而是应用服务器直接将包含验证码的短消息通过通讯网元发送给用户B。因此,用户B可能会通过应用验证页面填写短消息中的验证码的方式进入用户A的应用账号。从而,可能会导致用户A的隐私泄露,或
者金钱损失,甚至更严重的后果。
可以理解的是,在该实施例中,用户A可能是使用手机号码#1的原用户,用户A办理停机销号后,用户B在移动通讯网络签约开户,得到手机号码#1,成为手机号码#1的新用户。或者,用户A可能将手机丢失,被用户B捡到等,都可能出现上述用户B登录用户A注册的应用账号的可能。
而在本发明实施例中,应用服务器在向用户发送信息(包括包含验证码的短消息)时,需要向认证设备(或者移动通讯网络中负责认证凭据匹配的网元)发送该用户的认证凭据,只有在认证设备确定存在与该应用服务器发送的该用户的认证凭据匹配的认证凭据时,认证设备才会授权通讯网络将应用服务器发送给用户的信息转发给用户。否则认证设备不会授权将信息转发给用户。因而,可以提高应用服务器向用户传输信息时的安全性。
306、认证网关向认证服务器发送认证请求,该认证请求中携带用户A的认证凭据。
如果步骤305中的验证消息中同时携带了手机号码和认证凭据,认证网关根据手机号码可以路由到合适的认证服务器。如果验证短消息中只携带了认证凭据,则在认证服务器在生成认证凭据时,该认证凭据中包含了到认证服务器的路由信息。例如,用认证凭据中的某些比特指示到认证服务器的路由,从而认证网关可以根据认证凭据中包含的路由信息,路由到与手机号码对应的认证服务器。如果验证消息中携带了路由信息和认证凭据,该路由信息为独立的信元,认证网关可以根据该路由信息,路由到与手机号码对应的认证服务器。
307、认证服务器对认证凭据进行匹配认证。
具体地说,认证服务器是将应用服务器发送的用户A的认证凭据与自身保存的手机号码#1对应的用户的认证凭据进行匹配认证。
在本发明实施例中,匹配的方式可以根据不同的安全方案有所不同。以下,举例说明。
方式1
认证服务器对应用服务器提供的认证凭据与自身存储的认证凭据进行比较,如果相同,则认为匹配。
方式2
认证服务器对应用服务器提供的认证凭据进行某种特定的算法转换后
再进行比较。
如果结果符合预期(不限于相同),则认为匹配。例如,认证凭据中某些比特包含了之前生成该认证凭据时的时间戳信息,如果该时间戳信息早于当前用户的开户时间,说明该认证凭据不是为当前持有手机号码的用户分配的,即,认证结果为不匹配,或者说,认证不通过。
方式3
应用服务器在步骤304获得用户认证凭据后,在步骤305并不直接传递该认证凭据,而是传递该认证凭据的某种变换形式。
例如,将该用户认证凭据的全部或部分信息(例如,去除认证凭据中用于对认证服务器进行路由寻址的信息后的部分)与当天的日期时间信息组合在一起进行哈希变换。其中,采用的哈希变换算法可以是安全哈希算法(Secure Hash Algorithm,SHA),消息摘要算法5(Message Digest Algorithm5,MD5),高级加密标准(Advanced Encryption Standard,AES),哈希消息认证码(Hash Message Authentication Code,HMAC)等单向散列算法。应用服务器可以将变换后的认证信息通过认证网关发送给认证服务器,认证服务器按照相同的算法规则,对应用服务器提供的认证信息与自身保存的认证信息进行比较。
可以理解的是,通过方式3,可以避免直接在网元接口上传递用户认证凭据,能够防止重放攻击,进一步提高安全性。
或者,在本发明实施例中,对于认证凭据的匹配还可以采用上述方式的变换或其他的方式,都应落入本发明实施例的保护范围。
在步骤307中,如果认证服务器对应用服务器提供的认证凭据的判定结果为不匹配,则转至步骤308。如果判定结果为匹配,可选地,则转至步骤309。
308、如果认证凭据不匹配(或者说,不相符),认证服务器返回认证失败信息。
具体地,认证服务器通过认证网关将认证失败信息发送给应用服务器。
在认证不通过的情况下,认证服务器和应用服务器根据自身策略进行相应处理。
例如,认证服务器记录认证失败的事件日志,包含请求认证的应用名称或代号,请求认证的手机号码、认证凭据信息、发生的时间等。应用服务器
判断当前尝试操作账户的用户可能不是等级手机号码时的原用户,存在仿冒风险,可以锁定用户账户。改用其它不依赖手机号码的认证方法要求用户进行认证。进一步地,可以向当前存在仿冒行为的用户发送提示或警告信息等。
309、如果认证凭据匹配(或者说,相符),认证服务器向认证网关返回认证通过信息。
需要说明的是,在步骤305中,如果应用服务器将验证码和用户A的认证凭据,同时携带在验证消息发送给了认证网关。在步骤309之后,转至步骤312。在步骤305中,如果应用服务器只发送了用户A的认证凭据,而没有发送验证码,那么在步骤309之后,还包括步骤310和步骤311。之后,转至步骤312。
310、认证网关将认证服务器返回的认证通过信息发送给应用服务器。
311、应用服务器向认证网关发送验证码。
具体地说,应用服务器接收到认证网关发送的认证通过信息之后,向认证网关发送验证码。
312、认证网关向终端设备发送包含验证码的短消息。
具体地说,认证网关通过通讯网元向用户A发送包含验证码的短消息。
需要说明的是,在本发明实施例中,认证网关也可以只用于处理认证消息,发送包含验证码的短消息可以由应用服务器通过原有的点对点发送消息的方式,直接发送给通讯网元,而不经过认证网关。
313、终端设备向应用服务器提供验证码信息,完成身份认证。
用户A收到应用服务器发送的包含验证码的短消息,向应用服务器提供验证码信息完成应用层的验证。
例如,用户A将获得的短消息中的验证码信息填写在应用验证页面中并提交给应用服务器。又例如,用户A向应用服务器指定的电话号码回复一条短消息,该短消息中携带指定的验证码信息等等,此处不再赘述。
进一步地,在用户初次登记手机号码时,或者需要更换用户的认证凭据时,除了短信、邮件认证以外,还可能要求用户提供增强的认证方式。
例如要求用户输入手机号码在运营商处保留的操作密码,或者密保问题的答案等等。
进一步地,如果用户终端的手机号码被锁定时,该手机号码对应的认证凭据匹配认证也暂时锁定,等到用户终端的手机号码解锁后再恢复认证凭据
匹配认证的功能。
需要说明的是,本发明实施例中的通讯系统可以为移动通信网络、电子邮件系统,或者即时通讯系统等为用户分配身份标识信息,并提供语音、短消息、邮件通讯或即时通讯等服务的系统。
以上结合图4,对本发明实施例的传输信息的方法,在包括多个网元,即,认证服务器、通讯网元和认证网关的通讯系统,与应用服务器之间的交互过程进行了详细说明。
在上述图3和图4所描述的实施例中,应用一方是合作方,即认为应用本身有识别用户身份仿冒,保护其用户免受损失的诉求和驱动力,这符合当前互联网大多数业务的现实情况。
进一步地,不仅互联网应用和用户有防止身份仿冒的诉求,用户本身也有保护自身隐私的诉求。手机号码作为用户的重要隐私信息,用户不一定希望提供给互联网应用保存。例如,当前发送垃圾短信,卖家骚扰买家的事件也层出不穷。本发明实施例中描述的用户的认证凭据,也可以进一步增强,使得应用一方不需要获得用户的手机号码也可以向用户发送验证码信息,以保护用户的隐私。
以下结合图5,对根据本发明实施例的传输信息的方法,在用户的手机号码不提供给应用服务器保存的情况下的应用进行详细说明。
图5示出了根据本发明又一实施例的传输信息的方法的示意性交互图。如图5所示,在该实施例中,除了上述实施例中的通讯网元、认证服务器、认证网关和应用服务器,还包括认证凭据生成门户(即,第三方设备的一例)。
需要说明的是,在本发明实施例中,该认证凭据生成门户作为一个第三方设备,可以由移动通讯网络的运行商,或者其它可信的第三方合作伙伴运营。
还需要说明的是,该认证凭据生成门户与应用服务器是部署隔离的。
如图5所示,在该实施例中,本发明实施例的传输信息的方法,主要包括步骤401至步骤412。
401、应用服务器请求用户提供带隐私保护的手机号码绑定。
在本发明实施例中,带隐私保护的号码绑定,是指应用承诺不收集和保存用户的手机号码。
用户确认进行绑定动作。
402、应用服务器将绑定页面重定向到认证凭据生成门户。
403、认证凭据生成门户请求用户A提供手机号码。
如,在应用服务器重定向的绑定页面中,用户A输入手机号码,认证凭据生成门户获得手机号码。在步骤403中,由于认证凭据生成门户与应用服务器是隔离部署的,因此应用服务器不会获得用户A的手机号码。
404、认证凭据生成门户验证该用户A是否真实持有该手机号码。
例如,认证凭据生成门户向该手机号码发送包含验证码的短消息,并要求用户在返回给认证凭据生成门户的回复消息中携带验证码信息。在认证凭据生成门户确认该用户真实持有该手机号码时,转至步骤405。
可以理解的是,用户是否真实持有手机号码是指,步骤403中提供手机号码的用户是否真的持有该手机号码。以免,该手机号码为其它用户持有,造成错误注册。
405、认证凭据生成门户请求获取用户A的认证凭据。
具体地,认证凭据生成门户通过认证网关,向认证服务器发送获取请求,该获取请求用于向认证服务器请求获取用户A的认证凭据。
其中,该获取请求中携带用户A的手机号码(为了便于描述,以下记作手机号码#1),以便于认证网关根据手机号码#1,将获取请求路由到用户A对应的认证服务器。
406、认证服务器向认证凭据生成门户返回用户A的认证凭据。
407、认证凭据生成门户将用户A的认证凭据返回给应用服务器。
由此可见,在该实施例中,应用服务器只获取到用户A的认证凭据,但并没有得到用户A的手机号码。
需要说明的是,在该实施例中,在应用服务器获取不到用户的用户标识的情况下,应用服务器可以将认证服务器返回的认证凭据与该用户在应用上创建的账号关联。或者,应用服务器也可以在用户在该应用上申请账号时,为用户分配一个标识,在获取到认证服务器返回的该用户的认证凭据后,将该认证凭据与该标识关联。
通过这样的方式,在应用服务器上保存有多个认证凭据的情况下,应用服务器可以将该多个认证凭据与用户一一对应(或者说,匹配)起来。
408、应用服务器向认证网关发送验证消息,该验证消息中携带用户A的认证凭据和验证码。
409、认证网关通过用户A的认证凭据中的到认证服务器的路由信息获知对应的认证服务器。或者,步骤406和步骤407中,认证服务器也可以通过单独的信元携带路由信息,本步骤中还可以携带该路由信息,认证网关通过该路由信息获知对应的认证服务器。认证网关向认证服务器发送认证请求,该认证请求中携带用户A的认证凭据。
在认证服务器对用户A的认证凭据匹配通过时,转至步骤410。
410、认证服务器向认证网关返回用户A的手机号码。
在该实施例中,因为匹配认证时,认证服务器没有获得用户的手机号码。所以,认证服务器通过认证凭据中包含的用户索引匹配查找对应的用户信息记录。
需要说明的是,认证服务器为用户分配认证凭据,可以通过现有技术实现。例如,参考全球唯一标识符(GUID,Globally Unique Identifier)的分配方式,在认证凭据中可以包含用户索引,认证服务器还可以在认证凭据上附加其它所需的信息。
具体实现时,认证服务器也可以通过单独的信元携带用户索引,并通过步骤406和步骤407返回给应用服务器。应用服务器在步骤409和步骤410将该用户索引发送给认证服务器后,认证服务器通过该用户索引匹配查找对应的用户信息记录。
411、认证网关向用户发送短消息,该短消息中携带验证码。
具体地,认证网关将步骤408中接收到的应用服务器发送的验证码发送给通讯网元,通讯网元将该验证码携带在短消息中发送至用户A的终端设备上。
412、终端设备向应用服务器提供验证码,完成认证。
具体地说,用户A将获得短消息中的验证码填写在应用验证页面中并提交给应用服务器;或者用户向应用服务器指定的电话号码回复一条短消息,携带指定的验证码等等,完成对于用户A的身份的认证。
在该实施例中,应用服务器只能获得与用户关联的认证凭据,而不能获得用户的手机号码。由于通过用户认证凭据只能通过与认证设备之间的管控通道联系到用户(例如,消息、语音电话或电子邮件等方式),不能直接用于给用户拨打电话或者发送点对点的消息,通信网络运营商可以通过加强对应用服务器的身份验证,以及从应用服务器发送到认证网关的内容进行管
控,避免非授权的消息发送到用户的手机上。其它人员,例如卖家,快递人员等,即使获得用户的身份认证信息,但由于没有接入该管控通道的权限,也不能直接联系用户,从而能够更好地保护用户的隐私。
图6示出了根据本发明又一实施例的认证凭据数据库的示意图。如图6所示,认证服务器上存有认证凭据数据库,该认证凭据数据库中保存有多个认证凭据列表,每个认证凭据列表与一个用户对应。每个认证凭据列表用户记录对应的用户的至少一个认证凭据与至少一个应用标识之间的对应关系。
需要说明的是,认证凭据与应用标识之间的对应关系可以是一一对应的,即,对于一个用户而言,一个认证凭据对应一个应用标识。另外,也可以是,多个应用标识对应一个认证凭据。图6中仅以认证凭据与应用标识之间一一对应为例,示出了本发明实施例中认证凭据数据库的一例。
可以理解的是,一个用户通常会注册到多个互联网应用中。在前文的各个实施例的描述中,没有限制在不同应用服务器向移动通讯网络中的认证服务器请求用户认证凭据时,认证服务器对于不同的应用服务器,返回相同的凭据还是不同的凭据。
在该实施例中,认证服务器对不同的应用服务器,返回不同的认证凭据,从而起到加强移动通讯网络运营商对不同应用的权限管理能力的作用。
具体地说,当应用服务器通过认证凭据生成门户,和/或认证网关向认证服务器请求获得用户的认证凭据时,认证服务器首先根据用户标识(例如:手机号码)在认证凭据数据库中进行查找。查找到用户记录后,还要根据应用的标识(例如,支付宝、微信等)定位到对应当前请求的应用的认证凭据,并返回给应用服务器。
如果该用户的认证凭据列表中还不包含当前请求应用的认证凭据,认证服务器为该用户的当前请求应用生成认证凭据保存在该认证凭据数据库中。
将本实施例应用到上述实施例中,上述实施例中,在认证服务器收到获取用户的认证凭据的请求消息之前,还包括认证凭据生成门户和/或认证网关对应用服务器的身份进行验证以获取并验证应用的标识。
在本发明实施例中,应用的标识可以根据应用服务器的IP地址,端口号在认证凭据生成门户和/或认证网关上进行映射。
或者,也可以由认证服务器为应用服务器提供一个登录界面,通过让应用服务器执行一个专门的登录过程认证自己的身份和标识。
再或者,应用的标识还可以由应用服务器在请求消息中,显式地携带自身的应用标识,以通知给认证凭据生成门户和/或认证网关。
同样地,当应用服务器通过认证凭据生成门户,和/或认证网关向认证服务器请求身份认证时,如果支持对不同应用提供不同的认证凭据,则认证服务器首先根据用户标识在认证凭据数据库中查找以定位到用户记录。之后,还要根据应用的标识定位到对应当前请求的应用的认证凭据并与请求消息中的认证凭据进行匹配认证。
在认证服务器收到请求身份认证消息之前,还包括认证凭据生成门户,和/或认证网关对应用服务器的身份进行验证以获取并验证应用的标识。
本实施例中,认证服务器可以根据用户的请求无效或者刷新认证凭据。例如,当某应用存在推送消息等行为时,用户可以请求无效或者刷新该应用对应的认证凭据。以避免该应用对自身的骚扰。
在该本实施例中,移动通讯网络中的认证服务器具备区分应用粒度的认证凭据管理能力,从而可以对不同应用区分不同的权利进行控制。例如,不同应用向用户发送信息的类型不同,许可时间段不同。又或者,如果应用存在对用户进行消息骚扰或其它不规范的情况,移动通讯网络运营商可以根据法律规范或者与用户以及应用的协议规定,暂时或者永久关闭特定应用向用户发送消息的通道。这样可以有效的提升用户的体验,保护用户的隐私,也提升了通讯网络运营商对网络的控制能力。
另外,本发明实施例的传输信息的方法,不仅可以用于当前移动通讯网络,还可以用于通过电子邮件系统、即时通讯系统进行身份认证的场景。例如,电子邮件系统运营商为用户分配认证凭据并提供给应用服务器,在电子邮件账户注销时,该认证凭据同时失效。新的用户如果申请获得该电子邮件账户,由于之前应用服务器上保存的认证凭据已经失效,新用户不能通过该电子邮件账户获取到应用服务器发送的验证码信息,不能进入之前的用户注册的应用账户,或进行交易付款等关键交易,从而保护了之前用户受到身份仿冒的威胁。
应理解,在上述多个实施例中,不同实施例之间的一些执行步骤是相同或类似的。例如,一些步骤的执行在于执行该步骤的网元不同,或执行该步骤的网元的个数不同等。因此,对于该多个实施例的相同或类似步骤所作的说明可以相互参考。并且,不同实施例的各步骤之间的执行顺序应以其功能
和内在逻辑而确定,上述各个实施例中仅给出一种可能的实现方式,对于各个步骤在不同实施例中执行时执行顺序的变化,或者容易想到的执行各步骤的变换形式等,都应认为属于本发明实施例的保护范围。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给用户,否则认证服务器不会授权通讯网络发送信息给用户。能够避免由于信息的错误发送而导致的安全隐患。因而,可以提高应用服务器向用户传输信息时的安全性。
上文中结合图2至图6,详细描述了根据本发明实施例的传输信息的方法,下面将结合图7至图9,描述根据本发明实施例的传输信息的装置。
图7示出了根据本发明一实施例的传输信息的装置500的示意性框图。如图7所示,该装置500包括:
接收单元510,用于接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据;
处理单元520,用于当该第一认证凭据与该装置上的认证凭据匹配时,允许该应用服务器向用户传输信息;或者
用于当该第一认证凭据与该装置上的认证凭据不匹配时,禁止该应用服务器向用户传输信息。
根据本发明实施例的传输信息的装置500中的各单元和上述其它操作或功能,分别为了实现本发明各实施例中由认证服务器执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者,网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该
用户,否则就不会授权通讯网络发送该信息给用户。从而能够避免由于信息的错误发送造成的安全隐患,因而,可以提高应用服务器向用户传输信息时的安全性。
图8示出了根据本发明一实施例的传输信息的装置500的示意性框图。如图8所示,该装置600包括:
接收单元610,用于接收认证服务器发送的第一认证凭据;
存储单元620,用于保存该第一认证凭据;
发送单元630,用于需要向用户传输信息时,发送认证请求消息给该认证服务器,该认证请求消息中包含该第一认证凭据。
根据本发明实施例的传输信息的装置600中的各单元和上述其它操作或功能,分别为了实现本发明各实施例中由应用服务器执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者,网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该用户,否则就不会授权通讯网络发送该信息给用户。从而能够避免由于信息的错误发送造成的安全隐患,因而,可以提高应用服务器向用户传输信息时的安全性。
图9示出了根据本发明一实施例的传输信息的装置700的示意性框图。如图9所示,该装置700包括:
接收单元710,用于接收应用服务器发送的用户登记认证凭据重定向请求;
处理单元720,用于获取用户标识;
发送单元730,用于将该用户标识发送给认证服务器;
接收单元710,还用于接收该认证服务器发送的第一认证凭据;
该发送单元730,还用于将该第一认证凭据发送给应用服务器。
根据本发明实施例的传输信息的装置700中的各单元和上述其它操作或功能,分别为了实现本发明各实施例中由第三方设备(或,认证凭据生成门
户)执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,通过第三方设备获取用户标识,并将该用户标识发送给认证服务器,以获取与该应用标识对应的认证凭据,从而将该认账凭据发送给应用服务器,使得应用服务器只能获得与用户的认证凭据,而不能获得用户的用户标识(例如,手机号码)。因而应用服务器不能直接给用户拨打电话或者发送点对点的消息,使得移动通讯网络运营商可以通过加强对应用服务器的身份验证,以及从应用服务器发送到认证网关的内容进行管控,避免非授权的消息发送到用户的手机上,从而能够更好地保护用户的隐私。
图10示出了根据本发明一实施例的传输信息的装置800的示意性框图。如图10所示,该装置800包括:
接收单元810,用于接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据,该认证请求消息是该应用服务器需要向用户传输信息时发送给该装置的;
处理单元820,用于确定认证服务器;
发送单元830,用于将该认证请求消息发送给该认证服务器。
根据本发明实施例的传输信息的装置800中的各单元和上述其它操作或功能,分别为了实现本发明各实施例中由认证网关执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者,网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该用户,否则就不会授权通讯网络发送该信息给用户。能够避免由于信息的错误发送造成的安全隐患,因而,可以提高应用服务器向用户传输信息时的安全性。
图11示出了根据本发明一实施例的传输信息的设备900的示意性结构图。如图11所示,该信号发送端设备900包括:接收器910、发送器920、处理器930、存储器940和总线系统950。其中,接收器910、发送器920、
处理器930和存储器940通过总线系统950相连,该存储器940用于存储指令,该处理器930用于执行该存储器940存储的指令,以控制接收器910接收信号,并控制发送器920发送信号,其中,
接收器910,用于接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据;
处理器930,用于当该第一认证凭据与该设备上的认证凭据匹配时,允许该应用服务器向用户传输信息;或者,
用于当该第一认证凭据与该设备上的认证凭据不匹配时,禁止该应用服务器向用户传输信息。
应理解,在本发明实施例中,该处理器930可以是中央处理单元(central processing unit,简称为“CPU”),该处理器930还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器940可以包括只读存储器和随机存取存储器,并向处理器930提供指令和数据。存储器940的一部分还可以包括非易失性随机存取存储器。例如,存储器940还可以存储设备类型的信息。
该总线系统950除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统950。
在实现过程中,上述方法的各步骤可以通过处理器930中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的传输信息的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器940,处理器930读取存储器940中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的传输信息的设备900中的各单元和上述其它操作或功能,分别为了执行各实施例中由认证服务器执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一
个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者,网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该用户,否则就不会授权通讯网络发送该信息给用户。能够避免由于信息的错误发送造成的安全隐患,因而,可以提高应用服务器向用户传输信息时的安全性。
图12示出了根据本发明一实施例的传输信息的设备1100的示意性结构图。如图12所示,该信号发送端设备1100包括:接收器1110、发送器1120、处理器1130、存储器1140和总线系统1150。其中,接收器1110、发送器1120、处理器1130和存储器1140通过总线系统1150相连,该存储器1140用于存储指令,该处理器1130用于执行该存储器1140存储的指令,以控制接收器1110接收信号,并控制发送器1120发送信号,其中,
处理器1130,用于接收认证服务器发送的第一认证凭据;
存储器1140,用于保存该第一认证凭据;
发送器1120,用于在需要向用户传输信息时,发送认证请求消息给该认证服务器,该认证请求消息中包含该第一认证凭据。
应理解,在本发明实施例中,该处理器1300可以是中央处理单元(central processing unit,简称为“CPU”),该处理器1300还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器1140可以包括只读存储器和随机存取存储器,并向处理器1130提供指令和数据。存储器1140的一部分还可以包括非易失性随机存取存储器。例如,存储器1140还可以存储设备类型的信息。
该总线系统1150除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统1150。
在实现过程中,上述方法的各步骤可以通过处理器1130中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的传输信息
的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1140,处理器1130读取存储器1140中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的传输信息的设备1100中的各单元和上述其它操作或功能,分别为了执行各实施例中由应用服务器执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者,网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该用户,否则就不会授权通讯网络发送该信息给用户。能够避免由于信息的错误发送造成的安全隐患,因而,可以提高应用服务器向用户传输信息时的安全性。
图13示出了根据本发明一实施例的传输信息的设备1200的示意性结构图。如图12所示,该信号发送端设备1200包括:接收器1210、发送器1220、处理器1230、存储器1240和总线系统1250。其中,接收器1210、发送器1220、处理器1230和存储器1240通过总线系统1250相连,该存储器1240用于存储指令,该处理器1230用于执行该存储器1240存储的指令,以控制接收器1210接收信号,并控制发送器1220发送信号,其中,
接收器1210,用于接收应用服务器发送的用户登记认证凭据重定向请求;
处理器1230,用于获取用户标识;
发送器1220,用于将该用户标识发送给认证服务器;
接收器1210,用于接收该认证服务器发送的第一认证凭据;
该发送器1220,还用于将该第一认证凭据发送给应用服务器。
应理解,在本发明实施例中,该处理器1230可以是中央处理单元(central processing unit,简称为“CPU”),该处理器1230还可以是其他通用处理器、
数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器1240可以包括只读存储器和随机存取存储器,并向处理器1230提供指令和数据。存储器1240的一部分还可以包括非易失性随机存取存储器。例如,存储器1240还可以存储设备类型的信息。
该总线系统1250除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统1250。
在实现过程中,上述方法的各步骤可以通过处理器1230中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的传输信息的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1240,处理器1230读取存储器1240中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的传输信息的设备1200中的各单元和上述其它操作或功能,分别为了执行各实施例中由第三方设备执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,通过第三方设备获取用户标识,并将该用户标识发送给认证服务器,以获取与该应用标识对应的认证凭据,从而将该认账凭据发送给应用服务器,使得应用服务器只能获得与用户的认证凭据,而不能获得用户的用户标识(例如,手机号码)。因而应用服务器不能直接给用户拨打电话或者发送点对点的消息,使得移动通讯网络运营商可以通过加强对应用服务器的身份验证,以及从应用服务器发送到认证网关的内容进行管控,避免非授权的消息发送到用户的手机上,从而能够更好地保护用户的隐私。
图14示出了根据本发明一实施例的传输信息的设备1300的示意性结构图。如图13所示,该信号发送端设备1300包括:接收器1310、发送器1320、处理器1330、存储器1340和总线系统1350。其中,接收器1310、发送器
1320、处理器1330和存储器1340通过总线系统1350相连,该存储器1340用于存储指令,该处理器1330用于执行该存储器1340存储的指令,以控制接收器1310接收信号,并控制发送器1320发送信号,其中,
处理器1330,用于接收应用服务器发送的认证请求消息,该认证请求消息中包含第一认证凭据,该认证请求消息是该应用服务器需要向用户传输信息时发送给该设备的;
处理器1330,用于确定认证服务器;
发送器1320,用于将该认证请求消息发送给该认证服务器。
应理解,在本发明实施例中,该处理器1300可以是中央处理单元(central processing unit,简称为“CPU”),该处理器1300还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器1340可以包括只读存储器和随机存取存储器,并向处理器1330提供指令和数据。存储器1340的一部分还可以包括非易失性随机存取存储器。例如,存储器1340还可以存储设备类型的信息。
该总线系统1350除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统1350。
在实现过程中,上述方法的各步骤可以通过处理器1330中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的传输信息的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1340,处理器1330读取存储器1340中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的传输信息的设备1300中的各单元和上述其它操作或功能,分别为了执行各实施例中由认证网关执行的相应流程。为了简洁,此处不再赘述。
因此,在本发明实施例中,认证服务器通过为每一个用户分配并保存一
个认证凭据,并将该认证凭据发送给应用服务器。应用服务器在向用户发送信息(例如,包含验证码的短消息)时,需要向认证服务器(或者,网络中负责对认证凭据进行匹配的网元)发送该用户的认证凭据,只有在认证凭据数据库中存在与应用服务器提供的该用户的认证凭据匹配的认证凭据时,认证服务器才会授权通讯网络将应用服务器需要发送给用户的信息发送给该用户,否则就不会授权通讯网络发送该信息给用户。能够避免由于信息的错误发送造成的安全隐患,因而,可以提高应用服务器向用户传输信息时的安全性。
应理解,在本发明的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本发明实施例的实施过程构成任何限定。
应理解,在本发明实施例中,术语“和/或”仅仅是一种描述关联对象的关联关系,表示可以存在三种关系。例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。
所属领域的技术人员可以清楚地了解到,为了描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另外,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口、装置或单元的间接耦合或
通信连接,也可以是电的,机械的或其它的形式连接。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本发明实施例方案的目的。
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以是两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分,或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者认证设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到各种等效的修改或替换,这些修改或替换都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以权利要求的保护范围为准。
Claims (30)
- 一种传输信息的方法,其特征在于,所述方法包括:认证服务器接收应用服务器发送的认证请求消息,所述认证请求消息中包含第一认证凭据;当所述第一认证凭据与所述认证服务器上的认证凭据匹配时,所述认证服务器允许所述应用服务器向用户传输信息;或者当所述第一认证凭据与所述认证服务器上的认证凭据不匹配时,所述认证服务器禁止所述应用服务器向所述用户传输信息。
- 根据权利要求1所述的方法,其特征在于,所述认证服务器接收应用服务器发送的第一认证凭据之前,所述方法还包括:所述认证服务器生成与用户标识关联的所述第一认证凭据,并保存所述第一认证凭据作为所述认证服务器上的认证凭据;所述认证服务器将所述第一认证凭据发送给所述应用服务器。
- 根据权利要求1所述的方法,其特征在于,所述认证服务器接收应用服务器发送的第一认证凭据之前,所述方法还包括:所述认证服务器生成与用户标识和所述应用服务器的应用标识关联的所述第一认证凭据,并保存所述第一认证凭据作为所述认证服务器上的认证凭据;所述认证服务器将所述第一认证凭据发送给所述应用服务器。
- 根据权利要求1至3中任一项所述的方法,其特征在于,所述认证请求消息中包含用户标识信息,以及所述第一认证凭据与所述认证服务器上的认证凭据匹配,包括:所述认证服务器获取所述认证请求消息中的所述用户标识信息;所述认证服务器确定所述用户标识信息对应的认证凭据与所述第一认证凭据匹配。
- 根据权利要求3所述的方法,其特征在于,所述认证请求消息中包含所述用户标识信息以及所述应用服务器的应用标识,所述第一认证凭据与所述认证服务器上的认证凭据匹配,包括:所述认证服务器获取所述认证请求消息中的所述用户标识信息以及所述应用服务器的应用标识;所述认证服务器确定所述用户标识和所述应用服务器的应用标识对应 的认证凭据与所述第一认证凭据匹配。
- 根据权利要求1至5中任一项所述的方法,其特征在于,所述认证服务器将所述第一认证凭据发送给所述应用服务器之后,所述方法还包括:所述认证服务器获取清除用户认证凭据指令,所述清除用户认证凭据指令用于指示所述认证服务器将所述第一认证凭据无效;所述认证服务器根据所述清除用户认证凭据指令,将所述认证服务器上的认证凭据中的所述第一认证凭据无效。
- 根据权利要求6所述的方法,其特征在于,所述认证服务器将所述第一认证凭据无效之后,所述方法还包括:所述认证服务器生成与所述用户标识关联的第二认证凭据,并保存所述第二认证凭据作为所述认证服务器上的认证凭据。
- 根据权利要求6所述的方法,其特征在于,所述认证服务器将所述第一认证凭据无效之后,所述方法还包括:所述认证服务器生成与所述用户标识和所述应用服务器的应用标识关联的第二认证凭据,并保存所述第二认证凭据作为所述认证服务器上的认证凭据。
- 根据权利要求1至8中任一项所述的方法,其特征在于,所述方法还包括:所述认证服务器向所述应用服务器发送刷新指示信息,所述刷新指示信息用于指示所述应用服务器刷新所述第一认证凭据。
- 一种传输信息的方法,其特征在于,所述方法包括:应用服务器接收认证服务器发送的第一认证凭据;所述应用服务器保存所述第一认证凭据;当所述应用服务器需要向用户传输信息时,所述应用服务器发送认证请求消息给所述认证服务器,所述认证请求消息中包含所述第一认证凭据。
- 根据权利要求10所述的方法,其特征在于,所述认证请求消息中包含用户标识信息。
- 根据权利要求10或11所述的方法,其特征在于,所述认证请求消息中包含所述应用服务器的应用标识;或者所述应用服务器执行登录操作,在登录信息中向所述认证服务器提供所述应用服务器的应用标识。
- 根据权利要求10至12中任一项所述的方法,其特征在于,所述方法还包括:所述应用服务器接收所述认证服务器发送的认证失败信息,所述认证失败信息是在所述第一认证凭据与所述认证服务器上的认证凭据不匹配时,所述认证服务器发送给所述应用服务器的。
- 一种传输信息的方法,其特征在于,所述方法包括:第三方设备接收应用服务器发送的用户登记认证凭据重定向请求;第三方设备获取用户标识;所述第三方设备将所述用户标识发送给认证服务器;所述第三方设备接收所述认证服务器发送的第一认证凭据;所述第三方设备将所述第一认证凭据发送给所述应用服务器。
- 一种传输信息的方法,其特征在于,所述方法包括:认证网关接收应用服务器发送的认证请求消息,所述认证请求消息中包含第一认证凭据,所述认证请求消息是所述应用服务器需要向用户传输信息时发送给所述认证网关的;所述认证网关确定认证服务器;所述认证网关将所述认证请求消息发送给所述认证服务器。
- 一种传输信息的装置,其特征在于,所述装置包括:接收单元,用于接收应用服务器发送的认证请求消息,所述认证请求消息中包含第一认证凭据;处理单元,用于当所述第一认证凭据与所述装置上的认证凭据匹配时,允许所述应用服务器向用户传输信息;或者用于当所述第一认证凭据与所述装置上的认证凭据不匹配时,禁止所述应用服务器向用户传输信息。
- 根据权利要求16所述的装置,其特征在于,所述处理单元具体用于生成与用户标识关联的所述第一认证凭据;以及,所述装置还包括:存储单元,用于并保存所述第一认证凭据作为所述认证服务器上的认证凭据;发送单元,用于将所述第一认证凭据发送给所述应用服务器。
- 根据权利要求16所述的装置,其特征在于,所述处理单元具体用 于生成与用户标识和所述应用服务器的应用标识关联的所述第一认证凭据;以及,所述装置还包括:存储单元,用于并保存所述第一认证凭据作为所述认证服务器上的认证凭据;发送单元,用于将所述第一认证凭据发送给所述应用服务器。
- 根据权利要求16至18中任一项所述的装置,其特征在于,所述认证请求消息中包含用户标识信息,以及,所述处理单元具体用于:获取所述认证请求消息中的所述用户标识信息;确定所述用户标识信息对应的认证凭据与所述第一认证凭据匹配。
- 根据权利要求18所述的装置,其特征在于,所述认证请求消息中包含所述用户标识信息以及所述应用服务器的应用标识,以及,所述处理单元具体用于:获取所述认证请求消息中的所述用户标识信息以及所述应用服务器的应用标识;确定所述用户标识和所述应用服务器的应用标识对应的认证凭据与所述第一认证凭据匹配。
- 根据权利要求16至20中任一项所述的装置,其特征在于,在所述发送单元将所述第一认证凭据发送给所述应用服务器之后,所述处理单元具体用于:获取清除用户认证凭据指令,所述清除用户认证凭据指令用于指示所述认证服务器将所述第一认证凭据无效;根据所述清除用户认证凭据指令,将所述认证服务器上的认证凭据中的所述第一认证凭据无效。
- 根据权利要求21所述的装置,其特征在于,在所述处理单元将所述第一认证凭据无效之后,所述处理单元还用于生成与所述用户标识关联的第二认证凭据;以及,所述存储单元还用于保存所述第二认证凭据作为所述认证服务器上的认证凭据。
- 根据权利要求21所述的装置,其特征在于,在所述处理单元将所述第一认证凭据无效之后,所述处理单元还用于生成与所述用户标识和所述应用服务器的应用标识关联的第二认证凭据;以及,所述存储单元还用于保存所述第二认证凭据作为所述认证服务器上的认证凭据。
- 根据权利要求14至23中任一项所述的装置,其特征在于,所述发送单元还用于向所述应用服务器发送刷新指示信息,所述刷新指示信息用于指示所述应用服务器刷新所述第一认证凭据。
- 一种传输信息的装置,其特征在于,所述装置包括:接收单元,用于接收认证服务器发送的第一认证凭据;存储单元,用于保存所述第一认证凭据;发送单元,用于当所述装置需要向用户传输信息时,发送认证请求消息给所述认证服务器,所述认证请求消息中包含所述第一认证凭据。
- 根据权利要求25所述的装置,其特征在于,所述认证请求消息中包含用户标识信息。
- 根据权利要求25或26所述的装置,其特征在于,所述认证请求消息中包含所述装置的应用标识;或者所述装置包括:处理单元,用于执行登录操作,在登录信息中向所述认证服务器提供所述装置的应用标识。
- 根据权利要求25至27中任一项所述的装置,其特征在于,所述接收单元具体用于接收所述认证服务器发送的认证失败信息,所述认证失败信息是在所述第一认证凭据与所述认证服务器上的认证凭据不匹配时,所述认证服务器发送给所述装置的。
- 一种传输信息的装置,其特征在于,所述装置包括:接收单元,用于接收应用服务器发送的用户登记认证凭据重定向请求;处理单元,用于获取用户标识;发送单元,用于将所述用户标识发送给认证服务器;所述接收单元,用于接收所述认证服务器发送的第一认证凭据;所述发送单元还用于将所述第一认证凭据发送给所述应用服务器。
- 一种传输信息的装置,其特征在于,所述装置包括:接收单元,用于接收应用服务器发送的认证请求消息,所述认证请求消息中包含第一认证凭据,所述认证请求消息是所述应用服务器需要向用户传输信息时发送给所述装置的;处理单元,用于确定认证服务器;发送单元,用于将所述认证请求消息发送给所述认证服务器。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/085384 WO2017210914A1 (zh) | 2016-06-08 | 2016-06-08 | 传输信息的方法和装置 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/085384 WO2017210914A1 (zh) | 2016-06-08 | 2016-06-08 | 传输信息的方法和装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017210914A1 true WO2017210914A1 (zh) | 2017-12-14 |
Family
ID=60577614
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/085384 WO2017210914A1 (zh) | 2016-06-08 | 2016-06-08 | 传输信息的方法和装置 |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2017210914A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111859324A (zh) * | 2020-07-16 | 2020-10-30 | 北京百度网讯科技有限公司 | 授权的方法、装置、设备以及存储介质 |
CN111950284A (zh) * | 2020-07-31 | 2020-11-17 | 上海中通吉网络技术有限公司 | 录单自动识别寄件人实名信息方法、系统、设备和存储介质 |
CN112291188A (zh) * | 2019-09-23 | 2021-01-29 | 中建材信息技术股份有限公司 | 注册验证方法及系统、注册验证服务器、云服务器 |
CN114697055A (zh) * | 2020-12-28 | 2022-07-01 | 中国移动通信集团终端有限公司 | 一种业务访问的方法、装置、设备及系统 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101742507A (zh) * | 2009-12-21 | 2010-06-16 | 中兴通讯股份有限公司 | 一种WAPI终端访问Web应用站点的系统及方法 |
CN102739658A (zh) * | 2012-06-16 | 2012-10-17 | 华南师范大学 | 一种单点登录的离线验证方法 |
WO2014188957A1 (ja) * | 2013-05-21 | 2014-11-27 | シャープ株式会社 | 通信端末、基地局装置およびサーバ装置 |
CN104901925A (zh) * | 2014-03-05 | 2015-09-09 | 中国移动通信集团北京有限公司 | 终端用户身份认证方法、装置、系统及终端设备 |
CN105024819A (zh) * | 2015-05-29 | 2015-11-04 | 北京中亦安图科技股份有限公司 | 一种基于移动终端的多因子认证方法及系统 |
CN105610810A (zh) * | 2015-12-23 | 2016-05-25 | 北京奇虎科技有限公司 | 一种数据处理方法、客户端和服务器 |
-
2016
- 2016-06-08 WO PCT/CN2016/085384 patent/WO2017210914A1/zh active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101742507A (zh) * | 2009-12-21 | 2010-06-16 | 中兴通讯股份有限公司 | 一种WAPI终端访问Web应用站点的系统及方法 |
CN102739658A (zh) * | 2012-06-16 | 2012-10-17 | 华南师范大学 | 一种单点登录的离线验证方法 |
WO2014188957A1 (ja) * | 2013-05-21 | 2014-11-27 | シャープ株式会社 | 通信端末、基地局装置およびサーバ装置 |
CN104901925A (zh) * | 2014-03-05 | 2015-09-09 | 中国移动通信集团北京有限公司 | 终端用户身份认证方法、装置、系统及终端设备 |
CN105024819A (zh) * | 2015-05-29 | 2015-11-04 | 北京中亦安图科技股份有限公司 | 一种基于移动终端的多因子认证方法及系统 |
CN105610810A (zh) * | 2015-12-23 | 2016-05-25 | 北京奇虎科技有限公司 | 一种数据处理方法、客户端和服务器 |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112291188A (zh) * | 2019-09-23 | 2021-01-29 | 中建材信息技术股份有限公司 | 注册验证方法及系统、注册验证服务器、云服务器 |
CN112291188B (zh) * | 2019-09-23 | 2023-02-10 | 中建材信息技术股份有限公司 | 注册验证方法及系统、注册验证服务器、云服务器 |
CN111859324A (zh) * | 2020-07-16 | 2020-10-30 | 北京百度网讯科技有限公司 | 授权的方法、装置、设备以及存储介质 |
CN111859324B (zh) * | 2020-07-16 | 2024-03-15 | 北京百度网讯科技有限公司 | 授权的方法、装置、设备以及存储介质 |
CN111950284A (zh) * | 2020-07-31 | 2020-11-17 | 上海中通吉网络技术有限公司 | 录单自动识别寄件人实名信息方法、系统、设备和存储介质 |
CN114697055A (zh) * | 2020-12-28 | 2022-07-01 | 中国移动通信集团终端有限公司 | 一种业务访问的方法、装置、设备及系统 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11218481B2 (en) | Personal identity system | |
US7882346B2 (en) | Method and apparatus for providing authentication, authorization and accounting to roaming nodes | |
CN112311530A (zh) | 一种基于区块链的联盟信任分布式身份凭证管理认证方法 | |
US9608971B2 (en) | Method and apparatus for using a bootstrapping protocol to secure communication between a terminal and cooperating servers | |
CN102195957A (zh) | 一种资源共享方法、装置及系统 | |
TW201215070A (en) | Key Management Systems and methods for shared secret ciphers | |
US12058258B2 (en) | Crypto tunnelling between two-way trusted network devices in a secure peer-to-peer data network | |
US11582241B1 (en) | Community server for secure hosting of community forums via network operating system in secure data network | |
US12058122B2 (en) | Password concatenation for secure command execution in a secure network device | |
US12058243B2 (en) | Identity management system establishing two-way trusted relationships in a secure peer-to-peer data network | |
WO2017210914A1 (zh) | 传输信息的方法和装置 | |
CN101039181B (zh) | 防止通用鉴权框架中服务功能实体受攻击的方法 | |
CN103944716A (zh) | 用户认证的方法和装置 | |
US11582201B1 (en) | Establishing and maintaining trusted relationship between secure network devices in secure peer-to-peer data network based on obtaining secure device identity containers | |
US20230209345A1 (en) | Device-specific selection between peer-to-peer connections and core-based hybrid peer-to-peer connections in a secure data network | |
US20230299973A1 (en) | Service registration method and device | |
US12003504B2 (en) | Dynamic secure keyboard resource obtaining interface definitions for secure ad-hoc control of a target device in a secure peer-to-peer data network | |
US11870899B2 (en) | Secure device access recovery based on validating encrypted target password from secure recovery container in trusted recovery device | |
US12088590B2 (en) | Secure keyboard resource limiting access of user input to destination resource requesting the user input | |
US11848763B2 (en) | Secure ad-hoc deployment of IoT devices in a secure peer-to-peer data network | |
CN114978741B (zh) | 一种系统间认证方法及系统 | |
CN115051848B (zh) | 一种基于区块链的身份认证方法 | |
US20230125556A1 (en) | Secure autonomic recovery from unusable data structure via a trusted device in a secure peer-to-peer data network | |
US12010245B2 (en) | Secure assistance for asynchronous task completion by unavailable endpoint device upon restored availability in a secure peer-to-peer data network | |
GB2560895A (en) | Secure transfer of data between internet of things devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16904366 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16904366 Country of ref document: EP Kind code of ref document: A1 |