Embodiment
As public key infrastructure (PKI) technology has matured, public key certificates have come into use for authentication in many applications. A public key certificate is issued by an authoritative and impartial third party, the certificate authentication (CA) centre (server); with the public key certificate at the core of the cryptographic scheme, the authenticity of an entity's identity can be verified and security thereby guaranteed.
The embodiment of the invention uses the wireless network to authenticate the wireless terminal and obtains the wireless terminal's public key certificate from a CA server reached over the wireless network, so that the wireless terminal is authenticated and the user can log in to and operate the network terminal only after both the network authentication and the certificate authentication have passed. This raises the security level of network terminal access control and makes the user's access to the network terminal safer and more reliable.
Embodiment one
In the embodiment of the invention, the networking architecture of the system that implements the method is shown in Figure 1. The system comprises: a wireless terminal (e.g. a wireless USB modem), a network terminal (e.g. a PC or portable terminal) and a certificate authentication (CA) server.
The wireless terminal and the network terminal are interconnected. The wireless terminal accepts authentication by the wireless network side; after that authentication has passed, the wireless terminal uses the private key it holds and the corresponding public key certificate on the CA server to carry out CA authentication; and after the CA authentication has passed, access to the network terminal is authorised.
The wireless terminal contains a SIM/UIM card or flash memory, which can be used to hold the private key.
The wireless terminal contains a dedicated application programming interface (API), which controls access to the private key held in the wireless terminal.
At moments such as power-on login to the network terminal, locking of the network terminal's screen or activation of the screen saver, the computer determines the connection state between the wireless terminal and the PC by interrupt or by polling, and uses that opportunity to carry out authentication over the wireless network.
With reference to Figure 2, the method of access control for a network terminal provided by the embodiment of the invention uses the wireless terminal to authenticate PC login or access.
S201, the wireless network authenticates the wireless terminal;
Specifically, the wireless terminal sends a request to access the wireless network and accepts authentication by the wireless network side of the subscriber identity module (SIM) card of the wireless terminal; when the SIM card authentication passes, the wireless terminal is admitted to the wireless network.
S202, after the authentication of the wireless terminal has passed, the wireless terminal uses the private key it holds and the public key certificate of the wireless terminal held on the CA server to carry out CA authentication;
To obtain the public key certificate of the wireless terminal, the certificate must first be applied for. Specifically, in the certificate application process the wireless terminal generates a key pair (public key, private key) with a cryptographic algorithm (e.g. RSA), keeps the private key in a secure storage area of the wireless terminal, and sends the public key together with some personal identification information to the authentication centre (CA server). After examining the identity, the authentication centre carries out the steps needed to be sure that the request was really sent by that user, and then issues the user a public key certificate containing the user's personal information and public key, together with the authentication centre's signature. The user can then use their own public key certificate for the various related cryptographic authentications.
The wireless terminal obtains its public key certificate from the CA server as follows:
After the wireless terminal is activated, it applies to the CA server for a public key certificate;
On receiving the public key certificate sent by the CA server, the wireless terminal stores it in the wireless terminal for subsequent authentication.
Specifically, the public key certificate received over the air interface is encrypted with the wireless terminal's private key and stored in the SIM/UIM card or flash memory.
For security and reliability, a dedicated API can be provided to control access to the private key and public key certificate held in the wireless terminal.
During the CA authentication, the network terminal authenticates the private key in the wireless terminal: it reaches the CA server over the wireless network and uses the public key certificate on the CA server together with the private key of the wireless terminal to authenticate the wireless terminal. If the public key in the public key certificate matches the private key in the wireless terminal, authentication passes. This is also referred to as online authentication.
Although the private key and the public key certificate are held in the wireless terminal and the PC could read them directly over an interface such as USB, whether the certificate has expired and whether it is still valid must be confirmed online. Each authentication therefore goes through the wireless network to the CA server to establish identity and entitlement, which keeps every authentication trustworthy.
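The enrolment of S202 and the online check just described, carried through as an added example in Go that is not part of the original specification. The page does not say how the PC establishes that the public key in the certificate matches the private key in the terminal; the example uses the standard method, a signature over a fresh challenge, so the private key never leaves the terminal, and it adds the checks the page says must be made online: the certificate chains to the CA, is within its validity period at the time of the check, and has not been withdrawn. The CA with its self-signed root, the IMSI used as subject name, the in-memory blocked list that stands in for a CRL/OCSP lookup, the random serial and the `must` helper are all assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on failures that have no recovery path here (RNG or key generation).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA models the CA server (root generated in memory for this example); blocked stands in for the online CRL/OCSP lookup.
type CA struct {
	key     *rsa.PrivateKey
	cert    *x509.Certificate
	roots   *x509.CertPool
	blocked map[string]bool
}

func NewCA() *CA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Operator CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(87600 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &CA{key: key, cert: cert, roots: roots, blocked: map[string]bool{}}
}

// Terminal models the wireless terminal: the private key never leaves it; only CertDER goes to the PC.
type Terminal struct {
	key     *rsa.PrivateKey
	CertDER []byte
}

// Enrol is the activation step: generate the key pair on the terminal, send a CSR (public key + subscriber identity) to the CA, keep the certificate.
func Enrol(ca *CA, imsi string, validity time.Duration) (*Terminal, error) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: imsi}}, key))
	der, err := ca.Issue(csr, validity)
	if err != nil {
		return nil, err
	}
	return &Terminal{key: key, CertDER: der}, nil
}

// Issue checks the CSR's self-signature (proof that the requester holds the private key) and signs a client-auth certificate.
func (ca *CA) Issue(csrDER []byte, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject: csr.Subject, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// Block withdraws a subscriber's certificates, e.g. after the terminal is reported stolen.
func (ca *CA) Block(imsi string) { ca.blocked[imsi] = true }

// SignChallenge signs the fresh nonce sent by the PC; a reused nonce would allow replay of a recorded signature.
func (t *Terminal) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, t.key, crypto.SHA256, h[:])
}

// Authenticate is the PC-side check: chain to the operator CA, validity at time now, subscriber not blocked,
// and a valid signature over the nonce, which is what shows the terminal holds the matching private key.
func Authenticate(ca *CA, certDER, nonce, sig []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: ca.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	if ca.blocked[cert.Subject.CommonName] {
		return fmt.Errorf("subscriber %s is blocked", cert.Subject.CommonName)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return fmt.Errorf("private key does not match certificate: %w", err)
	}
	return nil
}
```

In use, the PC draws a fresh nonce from crypto/rand for every attempt, sends it to the terminal, and calls `Authenticate(ca, term.CertDER, nonce, sig, time.Now())` on the returned signature. An expired certificate or a blocked subscriber is rejected even though the signature itself would verify, which is exactly why the page insists on going back to the CA every time instead of trusting what is cached in the terminal.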
S203, after the CA authentication has passed, access to the network terminal is authorised.
In the technical scheme provided by the embodiment of the invention, when the wireless terminal's user activates the terminal device, it connects to the CA server over the wireless network and applies to the CA server for a public key certificate. On receiving the certificate, the user saves it through the terminal's dedicated interface into the SIM/UIM card (or into a designated area of the terminal's flash memory; where the certificate is kept depends on the form of the wireless terminal, and the dedicated interface ensures that the private key associated with the certificate cannot be stolen). The wireless terminal device is connected to the PC host; after power-on it automatically reports its USB port to the PC host and, using default parameters, connects to the wireless network and interacts with the CA server. SIM card authentication is required while connecting to the wireless network, and if it passes the wireless network connection succeeds. The PC then uses the public key certificate information provided by the CA server in the wireless network to authenticate this user and, if the verification passes, authorises login to the PC host.
It can be seen that the embodiment of the invention uses wireless network authentication and obtains the wireless terminal's public key certificate from the CA server over the wireless network, so that the wireless terminal is authenticated twice; this improves the reliability of authentication and achieves secure operational management of the network terminal.
Embodiment two
As shown in Figure 3, the method of access control for a network terminal provided by the embodiment of the invention is used to authenticate power-on login of a PC or other network terminal and comprises the following steps:
Step S301, the wireless terminal is connected to the PC, and the network is accessed through the wireless terminal;
The wireless terminal device starts, accesses the wireless network using default parameters, and reports its USB port to the PC;
Step S302, the wireless network authenticates the wireless terminal;
The wireless terminal is connected to the PC host. Subscriber identity module (SIM) card authentication is required while connecting to the wireless network; if it passes, the wireless network connection succeeds, and the wireless terminal reaches the CA server over the wireless network and interacts with it.
The wireless terminal is usually connected to the PC by the most common means, a USB cable. PCMCIA or ExpressCard interfaces can of course also be used, and the interaction protocol can still be USB.
If authentication passes, proceed to step S303; otherwise report the authentication failure and go to step S306;
Step S303, obtain the public key certificate with which the wireless terminal is CA-authenticated;
Specifically, when the wireless terminal was activated it applied to the CA server for the public key certificate according to the procedure, and the certificate is built into the wireless terminal, stored either in the SIM/UIM card or in flash memory; for storage security it can be accessed only through a dedicated API;
Alternatively, the PC host connects to the CA server over the wireless network to obtain the public key certificate;
Specifically, the PC host also connects automatically to the wireless network using default parameters and interacts with the CA server, and in this way obtains the public key certificate used to CA-authenticate the wireless terminal.
For operations such as power-on login to the network terminal, locking the network terminal's screen and unlocking it, the PC-side authentication on a Windows system is implemented by modifying the interface of the Logon.dll module; on a Linux system (Mac OS is similar) this module takes a form such as logon.lib or logon.so, and is invoked from the boot scripts under /etc/rc.d/rc x.d/ to perform the power-on login authentication.
Step S304, the PC uses the public key certificate information provided by the CA server in the wireless network to authenticate the user of this wireless terminal;
If the authentication of this wireless terminal passes, proceed to step S305; otherwise report the CA authentication failure and go to step S306;
Step S305, enter the authorised mode, in which the PC can be logged in to and accessed;
Step S306, enter the unauthorised mode, in which login to this PC is forbidden, e.g. by locking the screen.
It can be seen that the embodiment of the invention uses wireless network authentication and authenticates the wireless terminal twice, improves the reliability of authentication, performs effective authentication at power-on login to the network terminal, and achieves secure operational management of the network terminal.
Embodiment three
In addition, the method of access control for a network terminal provided by the embodiment of the invention further comprises a step of forbidding login to the network terminal after the wireless terminal is disconnected, specifically as follows:
When the user breaks the physical connection between the wireless terminal and the PC, the PC-side authentication module (the Logon.dll module on a Windows system) detects that the wireless terminal is no longer present, and the PC host locks the screen immediately.
As shown in Figure 4, the method of access control for a network terminal provided by the embodiment of the invention further comprises a procedure for leaving the screen saver while the PC host is in the screen-locked state, specifically as follows:
Step S401, the wireless terminal device starts, reports its USB port to the PC and goes online using default parameters;
Step S402, the wireless network authenticates the wireless terminal;
The wireless terminal device is connected to the PC host; after power-on it reports its USB port to the PC host and automatically connects to the wireless network using default parameters and interacts with the CA server. SIM card authentication is required while connecting to the wireless network, and if it passes the wireless network connection succeeds.
The wireless terminal can be connected to the PC by the most common means, a USB cable. PCMCIA or ExpressCard interfaces can of course also be used, and the interaction protocol can still be USB.
If authentication passes, proceed to step S403; otherwise report the authentication failure and go to step S406;
Step S403, obtain the public key certificate with which the wireless terminal is CA-authenticated;
Specifically, when the wireless terminal was activated it applied to the CA server for the public key certificate according to the procedure, and the certificate is built into the wireless terminal, stored either in the SIM/UIM card or in flash memory; for storage security it can be accessed only through a dedicated application programming interface (API);
Alternatively, the PC host connects to the CA server over the wireless network to obtain the public key certificate;
Specifically, the PC host also connects automatically to the wireless network using default parameters and interacts with the CA server, and in this way obtains the public key certificate used to CA-authenticate the wireless terminal.
Step S404, the PC uses the public key certificate information provided by the CA server in the wireless network to authenticate the user of this wireless terminal;
If the authentication of this wireless terminal passes, proceed to step S405; otherwise report the CA authentication failure and go to step S406;
Step S405, enter the authorised mode, in which the PC can be logged in to and operated;
Step S406, enter the unauthorised mode, e.g. the PC remains screen-locked.
To prevent someone who has illegitimately taken the wireless terminal from using it to log in to the PC host, a dedicated application DLL (dynamic link library) API can be developed for the wireless terminal to control access to the public key certificate, so that every access to the public key certificate built into the wireless terminal requires entry of a personal identification number (PIN) code.
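The PIN-gated API just described, as an added example in Go that is not code from the original specification. It models a terminal-side key store that exposes only two operations, returning the certificate and signing a challenge, and refuses both until the PIN has been verified; the try counter copies the SIM policy of three failures, after which even the correct PIN is refused. The `KeyStore` type, the three-try limit, the salted HMAC used so that the PIN is not held in clear, and the `Lock` call tied to unplugging or screen locking are assumptions of the example. The caveat a practitioner will want: a short numeric PIN's hash gives no resistance to offline guessing once the store is dumped, so the try counter, not the hash, is the control, and on a real terminal both the counter and the key belong inside the SIM/UIM or a secure element rather than in ordinary flash.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"io"
)

// MaxPINTries copies the SIM policy: three wrong PINs and the store is blocked.
const MaxPINTries = 3

// The only errors the gated API ever returns to the PC-side login module.
var (
	ErrLocked   = errors.New("keystore: PIN required")
	ErrWrongPIN = errors.New("keystore: wrong PIN")
	ErrBlocked  = errors.New("keystore: blocked after too many wrong PINs")
)

// KeyStore is the terminal-side gate in front of the private key and certificate. Nothing outside
// this type touches key or certDER; both are reachable only through Certificate and Sign, and both
// require a successful VerifyPIN since the last Lock.
type KeyStore struct {
	key      *rsa.PrivateKey
	certDER  []byte
	salt     []byte
	pinTag   []byte // HMAC-SHA256 keyed with salt over the PIN; the PIN itself is not stored
	failures int
	unlocked bool
}

func NewKeyStore(key *rsa.PrivateKey, certDER []byte, pin string) (*KeyStore, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	return &KeyStore{key: key, certDER: certDER, salt: salt, pinTag: tagPIN(salt, pin)}, nil
}

func tagPIN(salt []byte, pin string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(pin))
	return m.Sum(nil)
}

// VerifyPIN compares in constant time, counts failures, and blocks the store once MaxPINTries
// is reached; a correct PIN resets the counter and unlocks the store.
func (k *KeyStore) VerifyPIN(pin string) error {
	if k.failures >= MaxPINTries {
		return ErrBlocked
	}
	if subtle.ConstantTimeCompare(tagPIN(k.salt, pin), k.pinTag) != 1 {
		k.failures++
		if k.failures >= MaxPINTries {
			return ErrBlocked
		}
		return ErrWrongPIN
	}
	k.failures, k.unlocked = 0, true
	return nil
}

// Lock drops the unlocked state, e.g. when the terminal is unplugged or the screen locks,
// so the next access needs the PIN again.
func (k *KeyStore) Lock() { k.unlocked = false }

// gate is the single check both exported operations go through.
func (k *KeyStore) gate() error {
	if k.failures >= MaxPINTries {
		return ErrBlocked
	}
	if !k.unlocked {
		return ErrLocked
	}
	return nil
}

// Certificate hands out a copy of the stored public key certificate, PIN permitting.
func (k *KeyStore) Certificate() ([]byte, error) {
	if err := k.gate(); err != nil {
		return nil, err
	}
	return append([]byte(nil), k.certDER...), nil
}

// Sign signs a challenge with the private key, PIN permitting; the key never leaves the store.
func (k *KeyStore) Sign(challenge []byte) ([]byte, error) {
	if err := k.gate(); err != nil {
		return nil, err
	}
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, k.key, crypto.SHA256, h[:])
}
```

The PC-side login module only ever calls `VerifyPIN`, `Certificate` and `Sign`; whatever it does with the results, it has no path to the key bytes, which is the property the page's dedicated API is meant to give.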
It can be seen that the invention uses wireless network authentication and authenticates the wireless terminal, improves the reliability of authentication, exercises effective control throughout the operation of the network terminal, and achieves secure operational management of the network terminal.
Embodiment four
The embodiment of the invention also provides a system for access control of a network terminal. With reference to Figure 1, the system comprises: a wireless terminal, a network terminal (e.g. a PC host or other network terminal device) and a digital certificate authentication (CA) server.
The CA server provides the public key certificate with which the wireless terminal is authenticated;
The wireless terminal and the network terminal are interconnected. The wireless terminal provides the PC host with the communication link for accessing the network; accepts authentication by the wireless network side; after its authentication has passed, uses the private key it holds and the public key certificate of the wireless terminal held on the CA server to carry out CA authentication; and after the CA authentication has passed, authorises access to the network terminal.
The wireless terminal contains a SIM/UIM card or flash memory, which holds the public key certificate and the private key.
The wireless terminal contains a dedicated application programming interface (API), which controls access to the private key and public key certificate held in the wireless terminal.
The wireless terminal connects to the CA server over the wireless network and applies to the CA server for a public key certificate. On receiving the certificate, the wireless terminal saves it through its dedicated interface into the SIM/UIM card (or into a designated area of the terminal's flash memory; where the certificate is kept depends on the form of the wireless terminal, and the key point is that the dedicated interface ensures the private key associated with the certificate cannot be stolen).
The wireless terminal device is connected to the PC host by wire. After power-on, the wireless terminal reports its USB port to the PC host and automatically connects to the wireless network using default parameters and interacts with the CA server. SIM card authentication is required while connecting to the wireless network, and if it passes the wireless network connection succeeds. The PC then uses the public key certificate information provided by the CA server in the wireless network to authenticate this user and, if the verification passes, authorises login to the PC host.
The wireless terminal is provided with a SIM/UIM card or flash memory, in which the public key certificate is kept.
The wireless terminal is provided with a dedicated application programming interface (API), which controls access to the public key certificate held in the wireless terminal.
In the system provided by the embodiment of the invention, wireless network authentication is used and the wireless terminal is authenticated twice, which improves the reliability of authentication, allows effective control of power-on login to and operation of the network terminal, and achieves secure operational management of the network terminal.
Embodiment five
With reference to Figure 5, a wireless terminal 500 provided by the embodiment of the invention comprises:
An authentication module 510, which accepts authentication of the wireless terminal by the wireless network side;
Specifically, the wireless terminal sends a request to access the wireless network, and this module accepts the wireless network side's authentication of the subscriber identity module (SIM) card of the wireless terminal;
A judging module 520, which judges whether the authentication of the wireless terminal has passed;
When the SIM card authentication passes, the wireless terminal is admitted to the wireless network.
An acquisition module 530, which obtains the public key certificate of the wireless terminal from the CA server;
An authentication module 540, which, when the judging module 520 judges that the authentication of the wireless terminal has passed, uses the private key held by the wireless terminal and the public key certificate of the wireless terminal held on the CA server to carry out CA authentication;
The judging module 520 also judges whether the CA authentication has passed;
At each CA authentication, the network terminal authenticates the private key in the wireless terminal: it reaches the CA server over the wireless network and uses the public key certificate on the CA server together with the private key of the wireless terminal to authenticate the wireless terminal. If the public key in the public key certificate matches the private key of the wireless terminal, the judging module 520 determines that the CA authentication has passed.
An authorisation module 550, which authorises access to the network terminal when the judging module judges that the CA authentication has passed.
The acquisition module 530 comprises an application module 531, a receiving module 532 and a saving module 533.
The application module 531 applies to the CA server for a public key certificate when the wireless terminal is activated;
Specifically, the application module 531 sends the public key and the wireless terminal's identity information to the CA server to apply for the public key certificate.
The receiving module 532 receives the public key certificate sent by the CA server;
The saving module 533 stores the public key certificate in the wireless terminal after it has been received from the CA server.
For security and reliability, a dedicated application programming interface (API) is provided in the wireless terminal to control access to the public key certificate held in the wireless terminal.
Preferably, the saving module 533 stores the public key certificate received over the air interface, in encrypted form, in the SIM/UIM card or flash memory.
Before the CA authentication is carried out, the acquisition module 530 obtains the public key certificate corresponding to the wireless terminal from the CA server over the wireless network.
The wireless terminal further comprises:
A key generation module 560, which generates the public/private key pair with a cryptographic algorithm;
The saving module 533 keeps the generated private key in the wireless terminal;
For security, the private key can be obtained only by accessing the wireless terminal through the dedicated API.
In summary, the embodiment of the invention connects the wireless terminal to the network terminal, authenticates the wireless terminal and uses the wireless network to reach the CA server for CA authentication, and allows login to and operation of the network terminal only after both the network authentication and the certificate authentication have passed. This improves the reliability of authentication in network terminal access control and makes the user's access to the network terminal safer. Compared with the USB-key authentication login of the prior art, it raises the security level of logging in to the network terminal and gives the user more flexibility. The embodiment of the invention overcomes the shortcoming that a USB key cannot be used for mobile authentication when public key certificates are authenticated by a CA server, and it makes the use of a PC that cannot reach a wired network, or of a portable terminal used on the move, safer and more convenient.
Obviously, those skilled in the art will appreciate that the modules or steps of the above embodiment of the invention can be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus the embodiment of the invention is not restricted to any particular combination of hardware and software.
The above are only embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention is included within the scope of protection of the invention.