CN101277192A - Method and system for checking client terminal - Google Patents

Method and system for checking client terminal

Info

Publication number
CN101277192A
Authority
CN
China
Prior art keywords
client
key
service end
service
request
Prior art date
Legal status
Pending
Application number
CNA2008100940685A
Other languages
Chinese (zh)
Inventor
彭建嘉
徐道荣
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNA2008100940685A
Publication of CN101277192A
Legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for verifying a client. The method includes: receiving a service request from the client and generating a key; sending the generated key to the client and to the service end; and verifying the client through the interaction between the client and the service end that uses the key. The invention also provides a system for verifying the client, which includes the service end, the client and a verification server. The verification server includes a receiving unit, a key generating unit and a sending unit; the service end receives the client's command encrypted with the key, decrypts and authenticates the command, and when authentication passes, responds to the client's request or command and executes the corresponding operation. The method provided by the invention makes verification of the client simple, safe and reliable.

Description

Method and system for verifying a client
Technical field
The present invention relates to the field of network security technology, and in particular to a method and system for verifying a client.
Background technology
Security authentication mechanisms have always been a central concern in software system design, and authentication is especially important for software systems in fields such as finance, telecommunications and national security. When a client connects to a server, the server processes the security authentication information submitted by that client and decides whether the client is authorised to enter the system and which operating rights it has. The concrete mechanism is decided by the design of the system itself. Client software is a program that resides on and runs on the user's machine; together with the server it forms a complete system. The browser/server (B/S) architecture has low development cost, supports cross-platform operation, is convenient to maintain and upgrade, and offers good security, openness and extensibility; it needs no special client, since the server can be accessed through a browser alone, and it has therefore become the preferred architecture for current application software. This convenience, however, also brings security risks, which often need to be remedied by a simple, safe and efficient authentication mechanism. The prior art usually adopts user login: before using the system the user must register and be authorised, and the flow is roughly as follows:
1. The user enters basic information and submits it to the server for registration; the server saves the user information to a database and waits for the system administrator to process it.
2. The system administrator approves or refuses the user's registration according to the user information, and grants the corresponding authorisation.
3. The server saves the user's authorisation information to the database.
4. The user submits a user name and password to log in to the system.
5. The system verifies the user name and password provided by the user against the information saved in the database. In the course of implementing the present invention, the inventors found that the prior art has at least the following problems: this technical scheme cannot guarantee the safety of all services in the system, because authentication is provided only at the system entry point; a relatively independent service within the system is easy to intrude upon once its interface is exposed. For example, because the remote control software in the Web user interface (Web UI) is developed with Java Applet technology, a user can download it locally and then distribute it; anyone who obtains the IP address and port number of the service end can then bypass the Web UI authentication and control the server at will.
Of course, the same technology could be used to implement a secondary authentication in these relatively independent services, but this is relatively cumbersome and requires the user to enter authentication information again. In addition, the prior art requires the support of a database and database access operations, which consume resources; in a system with a large number of clients this shortcoming is particularly evident.
Summary of the invention
In view of this, the object of the present invention is to provide a method and system for verifying a client that make verification of the client simple, safe and reliable.
An embodiment of the invention provides a method for verifying a client, comprising:
receiving a service request from the client, and generating a key according to the service request;
sending the generated key to the client and to the service end respectively;
using the key, carrying out an interaction between the client and the service end so as to verify the client.
The system for verifying a client provided by an embodiment of the invention comprises: a client, a service end and a verification server,
the verification server comprising:
a receiving unit, used to receive the request of the client;
a key generation unit, used to generate a random number, this random number serving as the key;
a sending unit, which sends the key generated by the key generation unit to the client and to the service end respectively;
the service end receives the command encrypted by the client with the key, decrypts and authenticates the command, and after authentication passes, responds to the client's request or command and executes the corresponding service.
An embodiment of the invention also provides a verification server, comprising:
a receiving unit, used to receive the request of the client;
a key generation unit, used to generate a random number as the key according to the client's request;
a sending unit, which sends the key generated by the key generation unit to the client and to the service end respectively, the key being used for verification between the client and the service end.
In summary, in the embodiments of the invention the key is generated at random by the verification server, and authority verification is carried out with the key distributed under the protocol. Possessing the client software alone, without initialisation through a login to the verification server, is of no use. Because using a service requires logging in to the verification server and authenticating with the random key it produces, the security risk of illegally controlling the server directly through the client software is fundamentally resolved, the user is spared a second login, and verification of the client for the use of a given service becomes simple, safe and reliable.
Description of drawings
Fig. 1 is a schematic diagram of the principle of client verification in an embodiment of the invention;
Fig. 2 is a flow diagram of the client verification method in an embodiment of the invention;
Fig. 3 is a flow diagram of the client verification method in embodiment one of the invention;
Fig. 4 is a schematic diagram of the principle of client verification in embodiment two of the invention;
Fig. 5 is a flow diagram of the client verification method in embodiment two of the invention;
Fig. 6 is a schematic diagram of the structure of the system for client verification in embodiment two of the invention.
Embodiments
To make verification of the client simple, safe and reliable, embodiments of the invention provide a client verification method and system.
Referring to Fig. 1, when a user logged in to the Web site requests a service that requires security authentication, a request to obtain that service is submitted to the Web server; after receiving the request, the Web server generates a random number as the key according to a programmed algorithm and returns the key to the client and to the service provider respectively. The client encrypts all monitoring commands with this key and encapsulates them with the proprietary protocol; every command the client sends passes through the verification and decryption of the authority verification module of the service end, and the corresponding service is executed only after verification passes. When the authority verification module of the service end does not receive a command encrypted with a valid key within a certain period, it automatically releases the temporary user's key, and that key becomes invalid. To connect again, the user must request authentication again on the Web site.
Referring to Fig. 2, the client verification method provided by an embodiment of the invention comprises:
Step S01: the client logs in to the Web server by sending a Login Request (user name, password) to the Web server;
Step S02: after receiving the Login Request, the Web server authenticates the client;
Step S03: after confirming that the client's identity is legitimate, the Web server sends a login success message to the client;
Step S04: after receiving the login success confirmation, the client sends a service request message to the Web server, the service being one that requires security authentication;
Step S05: after receiving the service request, the Web server generates a random number according to a programmed algorithm and uses this random number as the key;
Step S06: the Web server sends the generated key over https to the service end that provides the requested service;
Step S07: the service end returns to the Web server a confirmation that the requested service is available;
Step S08: the Web server sends the generated key to the client over https;
Step S09: the client sends a service connection request carrying the key to the service end; specifically, the client encrypts all operation commands with the key and encapsulates them with the proprietary protocol to form the service connection request;
Step S10: the service connection request sent by the client is decrypted and verified; the verification is carried out by the authority verification module located at the service end;
Step S11: the service end returns the verification result of the service request to the client.
After authentication passes, the application server of the service end executes the corresponding monitoring command and returns a confirmation of the service request to the client. If verification does not pass, no processing is done, and the verification result is returned to the client. When the authority verification module of the service end does not receive a monitoring command encrypted with a valid key within the predetermined time, it automatically releases the temporary user, and the key becomes invalid. To continue connecting, authentication must be requested again on the Web site.
The invention is described below with reference to specific embodiments.
Embodiment one
In this embodiment a Web server is used as the carrier to establish a reliable authority verification mode between the client and the service end: authority verification cannot pass without this Web server, and the security mechanism of the existing Web site is fully reused.
Referring to Fig. 3, when a user logged in through the browser (Web site) requests a service that requires security authentication, a request to obtain that service is submitted to the Web server; after receiving the request, the Web server generates a random number as the key according to a programmed algorithm and returns the key to the client and to the service end respectively. The client encrypts all monitoring commands with this key and encapsulates them with the proprietary protocol; every command the client sends passes through the verification and decryption of the authority verification module of the service end before the corresponding service is executed. When the authority verification module of the service end does not receive a monitoring command encrypted with a valid key within a certain period, it automatically releases the temporary user's key, and the key becomes invalid. To connect again, authentication must be requested again on the Web site.
KVM stands for Keyboard, Video (display) and Mouse; a KVM system manages a remote server by emulating a local keyboard, mouse and display. In this embodiment of the invention client verification is carried out in a KVM system comprising a Web server, a KVM client and a KVM server, and the client verification method provided comprises the following steps:
S101: the client sends an Https request;
The user logs in to the Web server through the browser and sends an Https request to the Web server; a link corresponds to the URL that generates the key;
when the user clicks this link, the key generation module of the Web server is entered first to obtain the key.
S102: the Web server generates the key according to the Https request and sends it to the KVM client over https;
After receiving the request, the Web server generates a random number as the key according to a programmed algorithm:
int verifyValue = generateRandom();
generateRandom()
{
    // generate the random number using the Web server's date and time as a factor
}
S103: the Web server distributes the generated key to the KVM service end over https;
The generated random number is sent to the KVM service end as the key:
ServerKVM.keyCode = webServerKey;   // the key generated by the Web server
S104: the KVM client initialises the KVM program according to the returned key, adding the key parameter to the HTML tag that displays the Applet:
<PARAM NAME="verifyValue" VALUE="-1574763008">
KVMApplet kvmApplet = new KVMApplet(webServerKey);   // the key generated by the Web server
The Applet used is a small program written in the Java language that can be embedded directly in a page and is interpreted and executed by a Java-compliant browser (IE, Netscape, etc.); it greatly improves the interactivity and dynamic execution capability between the Web page and the service end.
S105: the KVM client encrypts the commands with the key and sends them to the KVM service end;
The KVM client uses the random number sent by the Web server as the key to encrypt all commands to be sent to the service end, and encapsulates them with the proprietary protocol:
cmd = new RequestCmd(webServerKey, commandWord);   // key generated by the Web server, command word
UDPSocket.send(cmd);
S106: the KVM service end parses and handles the UDP message, uses the key to extract the command and judges the validity of the encrypted command;
S107: the KVM service end returns the result of judging the encrypted command to the KVM client as a reply message.
After verification passes, the KVM server executes the corresponding service and returns a confirmation of the service request to the KVM client.
If verification does not pass, no processing is done, and the verification result is returned to the client.
When the KVM server does not receive a command encrypted with a valid key within the predetermined time, it automatically releases the temporary user, and the key becomes invalid. To continue connecting, authentication must be requested again from the Web server.
Embodiment two
Since the service end's acquisition of the key is not limited to a Web server, any server with a key generation function can provide it; the client service module is then initialised according to that key, and this security verification mechanism can be realised in the same way.
Referring to Fig. 4, in this embodiment a verification server capable of generating keys is used to establish a reliable authority verification mode between the client and the service end.
Referring to Fig. 4, a user who needs to obtain a certain service (such as a paid service or a specific service) that requires security authentication first logs in to the verification server and sends it a request to obtain the service; after receiving the request, the verification server generates a random number as the key according to a programmed algorithm and returns the key to the client and to the service end respectively.
The client encrypts all monitoring commands with this key and encapsulates them with the proprietary protocol; every command the client sends passes through the verification and decryption of the authority verification module of the service end before the corresponding service is executed. When the authority verification module of the service end does not receive a command encrypted with a valid key within a certain period, it automatically releases the temporary user's key, and that key becomes invalid. To connect again, the key must be requested from the verification server again.
The system for client verification in this embodiment of the invention comprises a verification server, a client and a service end; as shown in Fig. 5, the client verification method provided by this embodiment comprises the following steps:
S201: the client sends a service request to the verification server;
S202: the verification server generates the key according to the service request;
specifically, after receiving the request, the verification server generates a random number as the key according to a programmed algorithm;
S203: the verification server sends the generated key to the client;
S204: the key is distributed to the service end;
S205: the client initialises its service module with the key;
S206: the client encrypts commands with the key, encapsulates the encrypted commands with the proprietary protocol to obtain a UDP message, and sends the UDP message to the service end;
S207: the service end parses and handles the UDP message, extracts the key, judges the validity of the command, and sends the judgement result to the client.
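The three-party flow of steps S01-S11 and S201-S207 (verification server issues a random key to client and service end; the client encrypts and encapsulates commands with it; the service end verifies, decrypts, and releases idle keys after a predetermined time), modelled as an added example that is not the patent's own code. Role and method names, the JSON envelope standing in for the proprietary protocol, the 60-second idle timeout, and the HMAC-based encrypt-then-MAC construction (a stdlib-only stand-in for a proper AEAD cipher) are all assumptions; the key is drawn from the OS CSPRNG rather than from a generator seeded with the server's date and time, since the latter is predictable.

```python
import hashlib
import hmac
import json
import secrets
import time

KEY_TTL_SECONDS = 60.0  # assumed value for the patent's "predetermined time"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF: a stdlib-only stand-in
    # for a real AEAD cipher, used so the example runs without dependencies.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encapsulate(key: bytes, client_id: str, command: str) -> bytes:
    """Client side (S105 / S206): encrypt one command with the session key and wrap it
    in the "proprietary protocol" envelope, modelled here as JSON carrying a fresh nonce
    and an HMAC tag over client id, nonce and ciphertext (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    plaintext = command.encode()
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, client_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    envelope = {"client": client_id, "nonce": nonce.hex(), "cmd": ciphertext.hex(), "tag": tag.hex()}
    return json.dumps(envelope).encode()


class ServiceEnd:
    """KVM service end carrying the patent's authority verification module."""

    def __init__(self, clock=time.monotonic):
        self._keys = {}   # client_id -> (session key, time of last valid command)
        self._clock = clock  # injectable so the idle timeout can be exercised offline

    def install_key(self, client_id: str, key: bytes) -> bool:
        # S103 / S204: key distributed by the verification server; returning True
        # stands for the "service available" confirmation of step S07.
        self._keys[client_id] = (key, self._clock())
        return True

    def _release_idle_keys(self) -> None:
        # A key that saw no valid command within KEY_TTL_SECONDS is released
        # automatically (claim 3); the client must request authentication again.
        now = self._clock()
        for cid in [c for c, (_, last) in self._keys.items() if now - last > KEY_TTL_SECONDS]:
            del self._keys[cid]

    def handle_datagram(self, datagram: bytes):
        """S106 / S207: parse the UDP payload, check the tag under this client's key,
        then decrypt. Returns (True, command) or (False, reason)."""
        self._release_idle_keys()
        try:
            env = json.loads(datagram)
            client_id = env["client"]
            if not isinstance(client_id, str):
                raise TypeError("client id must be a string")
            nonce, ciphertext, tag = (bytes.fromhex(env[k]) for k in ("nonce", "cmd", "tag"))
        except (ValueError, KeyError, TypeError):
            return False, "malformed envelope"
        if client_id not in self._keys:
            return False, "no valid key for client (never issued or expired)"
        key, _ = self._keys[client_id]
        expected = hmac.new(key, client_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "authentication failed"   # wrong or forged key: command not executed
        command = _xor(ciphertext, _keystream(key, nonce, len(ciphertext))).decode()
        self._keys[client_id] = (key, self._clock())   # a valid command refreshes the idle timer
        return True, command


class VerificationServer:
    """Web server (embodiment one) or stand-alone verification server (embodiment two)."""

    def __init__(self, service_end: ServiceEnd):
        self._service_end = service_end

    def handle_service_request(self, client_id: str) -> bytes:
        # S05 / S202: the key is a random number, taken here from the OS CSPRNG rather
        # than from a generator seeded with the server's date and time.
        key = secrets.token_bytes(32)
        self._service_end.install_key(client_id, key)   # S06 / S204: to the service end
        return key                                       # S08 / S203: back to the client


if __name__ == "__main__":
    service = ServiceEnd()
    key = VerificationServer(service).handle_service_request("kvm-client-1")
    print(service.handle_datagram(encapsulate(key, "kvm-client-1", "MOUSE_MOVE 10 20")))
    print(service.handle_datagram(encapsulate(bytes(32), "kvm-client-1", "REBOOT")))
```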
Referring to Fig. 6, an embodiment of the invention also provides a system for verifying a client, comprising: a client 610, a service end 630 and a verification server 620,
the verification server 620 comprising:
a receiving unit 621, used to receive the service request of the client;
a key generation unit 622, used to generate a random number according to the client's service request, this random number serving as the key;
a sending unit 623, which sends the key generated by the key generation unit to the client and to the service end respectively;
the service end 630 receives the command encrypted by the client 610 with the key, decrypts and authenticates the command, and after authentication passes, responds to the request or command of the client 610 and executes the corresponding service.
If the service end 630 does not receive an encrypted command from the client 610 within the predetermined time, it automatically releases the received key.
In summary, in the embodiments of the invention the key is generated at random by the verification server, and authority verification is carried out with the key distributed under the protocol. Because using a service requires logging in to the verification server and authenticating with the random key it produces, even someone who holds the client software alone cannot bypass the verification server and control the service end; the security risk of illegally controlling the server directly through the client software is thus fundamentally resolved, the user is spared a second login, and verification of the client for the use of a given service becomes simple, safe and reliable.
Moreover, a key that is not used within the specified time is reclaimed automatically, so the holding of authority is controllable and every granted authority is temporary. In addition, control commands receive double protection: all control commands are encrypted with the randomly generated key and encapsulated with the proprietary protocol, which further strengthens security.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention is included in its scope of protection.

Claims (10)

1. A method for verifying a client, characterised in that it comprises:
receiving a service request from the client, and generating a key according to the service request;
sending the generated key to the client and to a service end respectively, the key being used for an interaction between the client and the service end so as to verify the client.
2. The method of claim 1, characterised in that the interaction between the client and the service end specifically comprises:
the service end receiving a command encrypted by the client with the key;
decrypting and verifying the encrypted command, and after authentication passes, responding to the command by executing the corresponding service.
3. The method of claim 2, characterised in that it further comprises:
if no encrypted command is received from the client within a predetermined time, the service end automatically releasing the received key.
4. The method of claim 2, characterised in that it further comprises:
the client encapsulating the encrypted command with a proprietary protocol;
the service end decapsulating the received encapsulated command to obtain the encrypted command.
5. The method of claim 1, characterised in that,
when the server receiving the client's request is a Web server, the Web server sends the generated key to the client and to the service end respectively using the https protocol.
6. A system for verifying a client, characterised in that it comprises: a client, a service end and a verification server,
the verification server comprising:
a receiving unit, used to receive the request of the client;
a key generation unit, used to generate a key according to the request of the client;
a sending unit, which sends the key generated by the key generation unit to the client and to the service end respectively;
the service end receiving the command encrypted by the client with the key, decrypting and authenticating the encrypted command, and after authentication passes, responding to the request or command of the client and executing the corresponding service.
7. The system of claim 6, characterised in that,
if the service end does not receive an encrypted command from the client within a predetermined time, it automatically releases the received key.
8. A verification server, characterised in that it comprises:
a receiving unit, used to receive the request of the client;
a key generation unit, used to generate a random number as the key according to the request of the client;
a sending unit, which sends the key generated by the key generation unit to the client and to the service end respectively, the key being used for an interaction between the client and the service end so as to verify the client.
9. The verification server of claim 8, characterised in that the verification server is a Web server,
and the sending unit sends the generated key to the client and to the service end respectively using the https protocol.
10. The verification server of claim 8, characterised in that it further comprises:
a decapsulation unit, used to decapsulate a received command that the client has encapsulated with a proprietary protocol after encrypting it.
CNA2008100940685A 2008-04-25 2008-04-25 Method and system for checking client terminal Pending CN101277192A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100940685A CN101277192A (en) 2008-04-25 2008-04-25 Method and system for checking client terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100940685A CN101277192A (en) 2008-04-25 2008-04-25 Method and system for checking client terminal

Publications (1)

Publication Number Publication Date
CN101277192A true CN101277192A (en) 2008-10-01

Family

ID=39996232

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100940685A Pending CN101277192A (en) 2008-04-25 2008-04-25 Method and system for checking client terminal

Country Status (1)

Country Link
CN (1) CN101277192A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081001