CN102378170B - Method, device and system of authentication and service calling - Google Patents

Abstract

The invention discloses a method, device and system of authentication and service calling, used for realizing legality authentication of an authentication server in a service platform to a client side application and promoting the safety reliability of a calling mechanism of a platform capacity API (Application Programming Interface). The authentication server realizes the safe distribution of a clientKey by displacing a test authentication module in the client side application to a client side authentication module preset with an MAC (Media Access Control) fingerprint and the clientKey. When the client side application satisfies a trigger condition, the client side authentication module firstly passes an integrity check based on an MAC fingerprint mechanism and applies for registration to the authentication server based on an MAC1 generated by the shared clientKey and obtains a random authentication factor. When the client side application needs to call the platform capacity API, a dynamic token is generated based on the authentication factor to be carried in a service request. After the dynamic token authentication passes, the platform capacity API is allowed to be called.

Description

A kind of authentication and service calling method, device and system

Technical field

The present invention relates to data service technical field, relate in particular to a kind of method for authenticating and device and a kind of service calling method and system.

Background technology

Along with 3-G (Generation Three mobile communication system) (3rd Generation, be called for short 3G) and the carrying forward vigorously of mobile Internet business, when Virtual network operator provides more and more abundanter value-added service for user, also be third party SP (Service Provider, service provider) business integration more and more abundanter network capabilities resource is provided, for example location services capability, GIS (Geographic Information System, GIS-Geographic Information System) ability, game services ability, for charging ability, IMS (IP Multimedia Subsystem, IP multimedia system) ability, short message ability, Multimedia Message ability, search engine capability, cloud computing ability, Presence (presenting) ability, Widget service ability, instant messaging ability etc.In general, above-mentioned network capabilities resource is form by Service (network service) or API (ApplicationProgramming Interface, application programming interfaces) substantially provides service for user or third party SP.In present specification, above-mentioned Service or API are referred to as to platform capabilities API, and platform capabilities API major part is all to be disposed and offered user's by the mode with client application in terminal, be that user is before using corresponding business, need on user terminal, install one carries out business with the client application of this traffic aided and uses and promote, for example locations services client application, game client application, MobileMarket application, Widget application, the application of music walkman, Fetion application etc., these business forms are all different from STK (SIM Tool Kit in the past, STK) business or WAP (WirelessApplication Protocol, WAP (wireless application protocol)) business.

But, dispose business by the mode with client application on user terminal, itself exist great potential safety hazard: for example, platform capabilities API may be used by disabled user or illegal third party SP; Platform capabilities API may counterfeiting client application call; Illegal third party SP may provide the platform capabilities API of personation for user; Etc..Therefore, urgently provide a kind of safety protecting mechanism of high efficient and reliable, in order to ensure security deployment and the operation of the mobile Internet business based on platform capabilities API.

At present, Virtual network operator generally adopts the authentication mechanism of transmitting based on static token to ensure security deployment and the operation of mobile Internet business, the right discriminating system of mobile Internet business mainly comprises client application, application server, three entities of authentication server, as shown in Figure 1, and wherein:

Client application is mounted in the client application on user terminal, and client application can be passed through specific interface accessing authentication server, completes the operation of obtaining token;

The service request of the client application that application server processes is forwarded by Service Gateway, and provide service for client application;

User's order relations that authentication server storage service authentication is relevant and service order status data, have service authentication function, and the token that provides business to use to client application according to authenticating result.

The authorizing procedure of mobile Internet business, as shown in Figure 2, comprises the steps:

Step 1, client application are initiated service authentication request to authentication server;

The service subscription state corresponding to user ID (identifier) of service authentication request initiated in step 2, authentication server inspection, if service order state is legal, produce the token of indicating this client application can use business that application server provides;

Client application is follow-up must carry this token in the time of access application server, normally to obtain corresponding service; And in order to ensure the fail safe of token, token is generated and is carried out safeguard protection in authentication server side by authentication server;

Step 3, authentication server are carried at the token of generation in authenticating result, to return to client application;

Step 4, client application, to application server initiating business request, are wherein carried the token obtaining from authentication server;

Step 5, application server are verified the token in service request;

Step 6, be verified after, application server in subsequent applications session for client application provides service;

Step 7, application server are being received after legal token, notice authentication server, and in notice message, carry this token, and authentication server can judge whether service occurs accordingly.

In prior art, there is following shortcoming in the authentication mechanism based on static token transmission:

1, the existing authentication mechanism of transmitting based on static token, obtain the stage at token, only authentication server carries out authentication to service order state corresponding to user ID, and do not have to consider the legitimacy of client application to carry out authentication, cause the client application of personation may initiate illegal service request, for example initiate illegal accounting request, thereby cause the generation of malice subscription event.

2, the existing authentication mechanism of transmitting based on static token, at business mounting phase, the token that only application server carries client application carries out authentication, and does not consider the authentication of client application application server, causes the application server of personation to provide illegal service to user.

3, the existing authentication mechanism poor stability transmitting based on static token, the token that user terminal obtains can be applied in all service request, cannot prevent from being applied in illegal service request after token victim from illegally obtaining.

Summary of the invention

The embodiment of the present invention provides a kind of method for authenticating and device, in order to realize authentication server in the business platform legitimacy authentication to client application.

The embodiment of the present invention also provides a kind of service calling method and system, in order to the security reliability of the call-by mechanism of lifting platform ability API.

The embodiment of the present invention provides a kind of method for authenticating, comprising:

In the time downloading to client application in user terminal and meet trigger condition, the client authentication module in described client application generates the first message authentication code MAC1 according to the local storage of client authentication module with the shared client application key clientKey of authentication server; And

Send the registration request that carries described MAC1 to described authentication server, the MAC1 carrying in described registration request carries out legitimacy authentication for the shared clientKey of authentication server basis and described client application to described client application.

The embodiment of the present invention provides another kind of method for authenticating, comprising:

Authentication server receives the registration request that the client authentication module in client application sends, and wherein carries the first message authentication code MAC1 generating with the shared client application key clientKey of authentication server according to the local storage of client authentication module;

Described authentication server, according to the clientKey shared with described client authentication module, carries out legitimacy authentication to the MAC1 carrying in the registration request receiving, if authentication by; confirm that described client application is legal.

The embodiment of the present invention provides a kind of client application, and described client application comprises client authentication module, and described client authentication module comprises:

Secure storage unit, for storing the client application key clientKey shared with authentication server;

Generation unit, in the time that the client application that downloads to user terminal meets trigger condition, generates the first message authentication code MAC1 according to the clientKey storing in described secure storage unit;

Control unit, for send the registration request that carries described MAC1 to described authentication server, the MAC1 carrying in described registration request carries out legitimacy authentication for the shared clientKey of authentication server basis and described client application to described client application.

The embodiment of the present invention provides a kind of authentication server, comprising:

Memory cell, for storing the clientKey shared with each client authentication module;

Receiving element, the registration request sending for receiving the client authentication module of client application, wherein carries the first message authentication code MAC1 generating according to the shared client application key clientKey of the local storage of client authentication module and authentication server;

Authentication unit, for according to the clientKey shared with described client authentication module, carries out legitimacy authentication to the MAC1 carrying in the registration request receiving, if authentication by; confirm that described client application is legal.

The embodiment of the present invention provides a kind of service calling method, comprising:

Application programming interfaces API Access control module receives the service request that client application sends, and wherein carries the dynamic token generating according to the authentication factor getting from authentication server;

When API Access control module confirms that to the authentication result of the dynamic token carrying in described service request certification is passed through according to authentication server, allow described API Calls module calling platform ability API.

The embodiment of the present invention provides a kind of calling service system, comprises client application, application programming interfaces API Access control module and authentication server, wherein:

Described client application, for sending service request, wherein carries the dynamic token generating according to the authentication factor getting from authentication server;

Described API Access control module, after receiving described service request, while the authentication result of the dynamic token carrying in described service request being confirmed to certification is passed through according to authentication server, allows described API Calls module calling platform ability API;

Described authentication server, authenticates for the described dynamic token that described API Access control module is forwarded.

The embodiment of the present invention provides another kind of service calling method, comprising:

Application programming interfaces API Access control module receives the service request that client application sends, and wherein carries the effectively interim token getting from API Access control module;

API Access control module is mated the interim token carrying in described service request according to the interim token of the described client authentication module of this locality storage;

If coupling is consistent, allow described API Calls module calling platform ability API.

The embodiment of the present invention provides another kind of calling service system, comprises client application and application programming interfaces API Access control module, wherein:

Described client application, for sending service request, wherein carries the effectively interim token getting from API Access control module;

Described API Access control module, after receiving described service request, mates the interim token carrying in described service request according to the interim token of the described client authentication module of this locality storage; If coupling is consistent, allow described API Calls module calling platform ability API.

The method for authenticating that the embodiment of the present invention provides and device, the legitimacy authentication of authentication server in supporting business platform to client application, in prior art, only carry out authentication authentication for user terminal, the security threat of the client application of not considering personation or be tampered to platform capabilities API, the MAC1 that the clientKey of the embodiment of the present invention based on shared generates realizes the legitimacy authentication of authentication server to client application.

The service calling method that the embodiment of the present invention provides and system, solved the security breaches problem in existing scheme.In existing scheme, based on static token mechanism, the token that user terminal obtains is applied in all service request, and cannot prevent from after token victim from illegally obtaining being applied in illegal service request, exists and is reproduced attack possibility.In the embodiment of the present invention, in the time of client application initiating business request, client application generates dynamic token or gets interim token and add in business request information according to dynamic token based on the authentication factor, to prevent Replay Attack etc.

Other features and advantages of the present invention will be set forth in the following description, and, partly from specification, become apparent, or understand by implementing the present invention.Object of the present invention and other advantages can be realized and be obtained by specifically noted structure in write specification, claims and accompanying drawing.

Brief description of the drawings

Fig. 1 is the right discriminating system block diagram of mobile Internet business in prior art;

Fig. 2 is the authorizing procedure figure of mobile Internet business in prior art;

Fig. 3 is business platform and client application system architecture diagram in the embodiment of the present invention one;

Fig. 4 is that the register flow path of client application in the embodiment of the present invention two is method for authenticating flow chart;

Fig. 5 is the structured flowchart of client authentication module in the embodiment of the present invention two;

Fig. 6 is the structured flowchart of authentication server in the embodiment of the present invention two;

Fig. 7 is service calling method flow chart in the embodiment of the present invention three;

Fig. 8 is that in the embodiment of the present invention four, interim token obtains the process chart in stage;

Fig. 9 is the process chart of safety service request stage in the embodiment of the present invention four.

Embodiment

Login mechanism and the dynamic token mechanism of the embodiment of the present invention based on client application, propose a kind of can bi-directional authentification, can realize the platform capabilities API protection mechanism of user terminal, client application and business platform being carried out to authentication.In the embodiment of the present invention, illegally abuse in illegal client application for fear of developer or third party SP, reuse client application key (being called clientKey in present specification), after the test examination & verification of client application is passed through, by business platform, this client application key clientKey is stored securely in the client authentication module of client application, and by the integrity protection scheme of the MAC fingerprint mechanism based on client application, client authentication module and this client application are bound, thereby realizing client application key clientKey is unknowable to developer, simultaneously, by the test authentication module of the client application of developer's submission is replaced into client authentication module, or preassigned file in test authentication module is replaced into the file that presets MAC fingerprint and clientKey (client application key), obtain client authentication module, thereby realized the secure distribution of clientKey.Download to client application in user terminal first by login mechanism, based on user ID (identifier) thereby and client application key clientKey etc. realize authentication server in business platform to the bi-directional authentification between authentication authentication, client application and the business platform of user terminal, obtain corresponding session id and obtain again the authentication factor.Client application, before calling platform ability API, is generated dynamic token and is added in the service request of platform capabilities API by the authentication factor, to realize the access protection to platform capabilities API; Meanwhile, the embodiment of the present invention also provides a kind of call-by mechanism of the platform capabilities API of the reusable token mechanism based on dynamically updating efficiently.

Below in conjunction with Figure of description, the preferred embodiments of the present invention are described, be to be understood that, preferred embodiment described herein is only for description and interpretation the present invention, be not intended to limit the present invention, and in the situation that not conflicting, the feature in embodiment and embodiment in the present invention can combine mutually.

Embodiment mono-

The system architecture that the paper embodiment of the present invention relates to, as shown in Figure 3, comprising:

Platform capabilities API, wherein platform capabilities API is divided into " running environment platform capabilities API " and " development environment platform capabilities API ", " running environment platform capabilities API " mainly used by user terminal in service operation process, and " " mainly in development and testing process, the person of being developed uses with Virtual network operator development environment platform capabilities API, mainly calls test in development environment SDK;

Authentication server, for storing the identity information of user terminal and client application, and provides safe identity information and dynamic token for the operation phase;

API Access control module realizes in the open engine of business platform ability, for client application is carried out to legitimacy authentication, with the safety of protecting platform ability API, avoids platform capabilities API illegally to be called or override call;

Client authentication module, for encapsulating the mutual all functions of client application and platform capabilities API authentication, wherein client authentication module comprises secure storage unit, be mainly used in the safe storage of the sensitive informations such as association key, the authentication factor and dynamic token, safe storage can be based on software security reinforcement technique, also can be based on hardware technology, as sensitive information can be deposited in the smart card of encryption;

API Calls module, for example, for calling platform ability API (location-based service API);

Service Gateway, in present specification, for providing the identity informations such as user ID to other network entity, for example, WAP gateway can provide MSISDN with identifying user identity based on radius module.

Wherein, platform capabilities API, API Access control module, authentication server and Service Gateway belong to the network entity in business platform, and client authentication module and API Calls module belong to the functional module in client application.

Due to the built-in important client authentication module of client application and API Calls module, thus very important by oneself safety protection, and main security hardening can comprise the following aspects:

Integrity protection: client application is by realizing integrity protection based on methods such as MAC fingerprint mechanism software oneself's integrality detection method (other module in order to protection except " client authentication module " is illegally distorted or replaced) and Code obfuscations (in order to prevent that whole client application is implemented anti-reverse engineering and attacks), and Code obfuscation mechanism can link environment by the editor in SDK and automatically complete;

Sensitive information confidentiality: client application realizes the Confidentiality protection of sensitive information by mechanism such as Code obfuscation, anti-static de-edit analysis, the tracking of anti-Dynamic Execution, security algorithm conversion, sensitive information conversions, the relevant secret information (as clientkey, the authentication factor, interim token) in protective capability API authentication mechanism;

Local API protection: client application can, by mechanism such as the transfer of input and output entrance, security algorithm conversion, sensitive information conversions, ensure the safety of calling between different assemblies;

Security capabilities update mechanism: after monitoring client application and being attacked, can upgrade the security component in terminal applies or forbid by the terminal access platform capabilities API after attacking by platform safety strategy by security capabilities update mechanism in time, to guarantee that platform capabilities API is by legal use.

Embodiment bis-

In order to realize the legitimacy authentication of authentication server (authentication server belongs to a part for business platform) to client application, the login mechanism of the embodiment of the present invention based on client application, a kind of method for authenticating is proposed, realize the bi-directional authentification between legitimacy authentication and client application and the business platform of business platform to user terminal, realized client application to the obtaining of the authentication factor, for subsequent calls platform capabilities API provides basis simultaneously.

The development and testing stage of paper client application.

Comprise " the test authentication module " for development and testing at SDK environment.Developer carries out the development and testing of client application based on " test authentication module ", and client application comprises " test authentication module ".In test process, need the support of development environment platform capabilities API.

The launch phase of paper client application.

Client application exploitation being completed in based on SDK environment as developer is submitted to after business platform, business platform will strictly be tested client application, to guarantee that this client application meets security strategy requirement, there is no built-in malicious code and illegal accounting code etc.

Authentication server in business platform will independently generate the client authentication module for moving for this client application simultaneously, determine the MAC fingerprint of other functional module except client authentication module (key modules that for example information generally can not be upgraded) in client application safe storage in client authentication module, so that user terminal carries out local completeness check using in client application process.Wherein, described MAC fingerprint can be determined by multiple computational methods of the prior art, for example HMAC value or HASH value calculating method; Described safe storage can adopt means such as encrypting storage, Code obfuscation, cryptographic algorithm conversion to realize.MAC fingerprint has been realized the binding relationship of client authentication module and this client application, prevents that client authentication module from illegally being used by other client application.

Client authentication module in each client application and authentication server are shared client application key clientKey, and each client application all has one or more clientKey.Use the stage of client application at user terminal, business platform is realized the legitimacy certification to client application based on clientKey.In illegal client application, illegally abuse, reuse this client application key clientKey for fear of developer or third party SP, after client application test examination & verification is passed through, by the authentication server in business platform, this clientKey is stored securely in newly-built client authentication module.Because clientKey has carried out safe storage in client authentication module, therefore, except authentication server, clientKey is all unknowable for anyone (comprising developer).

Client authentication module safe storage after MAC fingerprint and clientKey, it should be noted that, both do not have special requirement at the order of storage, and authentication server will be replaced the test authentication module (all can adopt the identical Test clientkey for testing for all test authentication module of development and testing) that developer used in the development and testing stage with it.Authentication server, by the displacement to client authentication module, has been realized the secure distribution to clientKey.In addition, authentication server also can preset by certain preassigned file in test authentication module is replaced into the file of MAC fingerprint and client application key clientKey and realize the secure distribution to clientKey, thereby realizes test authentication module to the displacement of client authentication module and without the whole test authentication module of displacement.

Based on development and testing stage and launch phase, introduce in detail the operation registration phase of client application.

After user downloads on user terminal by client application, need to install and move, for example, if client application is moved for the first time or user terminal is changed user smart card (SIM card, usim card) or preassigned parameter is expired, client application need to be carried out following register flow path and realize authentication, as shown in Figure 4, comprise the steps:

After S401～S402, client authentication module are carried out local integrity detection to client application, (redefine MAC fingerprint and mate with the MAC fingerprint being stored securely in client authentication module, and coupling is consistent), send registration request to authentication server, login request message comprises: traffic ID, business release, timestamp, the first message authentication code MAC1 and other optional parameters.MAC1 adopts clientkey or its derived value to be encrypted generation to the isoparametric hashed value of traffic ID, business release and timestamp, or the parameter including clientkey, traffic ID, business release and timestamp is calculated to hashed value generates.Registration request essential process Service Gateway (as WAP gateway) is with user ID on Portable belt (as MSISDN).Authentication server is received after registration request, MAC1 is authenticated to guarantee whether this registration request comes from legal client application (client application of licensing through Virtual network operator), has so far realized the legitimacy authentication of authentication server to client application; Come from the user terminal of legal Virtual network operator by authenticated user ID to guarantee this registration request;

In general, for example, if authentication server cannot directly for example, acquire unique identifying number (the IMSI:International MobileStation Equipment Identity of user smart card according to user ID (MSISDN) from business platform, International Mobile Station Equipment Identity), in registration request, also need to comprise the ciphertext value that is encrypted unique identifying number He other optional parameters of the user smart card obtaining through the derived value of clientkey or clientkey;

In concrete enforcement, based on the requirement of security strategy, client authentication module is carried out local integrity detection to client application and be can be used as possibility, be in client authentication module, can only store the clientKey shared with authentication server and without store M AC fingerprint, in the time downloading to client application in user terminal and meet trigger condition, client authentication module generates MAC1 according to clientKey; And send and carry the registration request of MAC1 to authentication server;

S403～S404, authentication server generate after session id at random, return to session id through Service Gateway (as WAP gateway) to client authentication module;

S405, client authentication module are directly set up HTTPS with authentication server and are connected, this HTTPS is connected to unilateral authentication (client authentication module authentication server), the root certificate corresponding to PKI (PublicKey Infrastructure, PKIX) certificate of authentication server is preset in client authentication module in the development phase.Then, the authentication factor that client authentication module is carried session id to authentication server transmission is obtained request, and the authentication factor is obtained and please be comprised: unique identifying number, the second message authentication code (MAC2) and other optional parameters of traffic ID, business release, timestamp, session id, user smart card.The generation method of MAC2 is with step 1, and the request of obtaining of this authentication factor is without process Service Gateway;

S406, authentication server receive that the authentication factor obtains after request, unique identifying number according to record before to session id and user smart card etc. verifies to guarantee the legitimacy of user terminal, MAC2 is authenticated to guarantee that this request comes from legal client application simultaneously.After certification is passed through, the random authentication factor (the authentication factor of each user terminal is all not identical, and the authentication factor that same user terminal is issued is at every turn not identical yet) that generates of authentication server returns to client authentication module through HTTS safety data transmission passage.Client authentication module is carried out safe storage by secure storage unit to it after receiving the authentication factor.

It should be noted that, according to security strategy, at regular hour week after date, or user terminal changes after user smart card (as usim card), or some preassigned parameter crosses after date, requires client application again to initiate register flow path.Described preassigned parameter is expired, for example, in the follow-up process that generates dynamic token according to the authentication factor, use HOTP dynamic token, and this preassigned parameter can be counter counter.The generation of MAC2 and MAC1 can adopt different clientkey, now, in client authentication module, is not just a preset clientkey, but preset at least two clientkey.

Based on same technical conceive, the present embodiment also provides a kind of right discriminating system, comprise client application and authentication server, described client application comprises client authentication module, the storage client application key clientKey shared with authentication server in described client authentication module, wherein:

Described client authentication module, in the time that the client application that downloads to user terminal meets trigger condition, generates MAC1 according to the clientKey of this locality storage, and sends to authentication server the registration request that carries this MAC1;

Described authentication server, for according to the clientKey shared with described client authentication module, carries out legitimacy authentication to the MAC1 carrying in the registration request receiving, if authentication by; confirm that described client application is legal.

Wherein, client application comprises client authentication module, and the one possibility structure of described client authentication module, as shown in Figure 5, comprising:

Secure storage unit 501, for storing the clientKey shared with authentication server (client application key);

Generation unit 502, in the time that the client application that downloads to user terminal meets trigger condition, generates MAC1 according to the clientKey of storage in secure storage unit 501;

Control unit 503, when consistent for mating at matching unit, send the registration request that carries this MAC1 to described authentication server, the MAC1 carrying in described registration request carries out legitimacy authentication for the shared clientKey of authentication server basis and described client application to described client application.

The one possibility structure of authentication server, as shown in Figure 6, comprising:

Memory cell 601, for storing the clientKey shared with each client authentication module;

Receiving element 602, the registration request sending for receiving the client authentication module of client application, wherein carries the first message authentication code MAC1 generating according to the shared client application key clientKey of the local storage of client authentication module and authentication server;

Authentication unit 603, for according to the clientKey shared with described client authentication module, carries out legitimacy authentication to the MAC1 carrying in the registration request receiving, if authentication by; confirm that described client application is legal.

Embodiment tri-

In the time that API Calls module needs calling platform ability API, first API Calls module hands to service request client authentication module, after client authentication module is carried out local integrity detection to client application alternatively according to security strategy, generate in real time dynamic token and token purposes parameter is set alternatively, and the HTTPS safety data transmission passage that dynamic token and token purposes parameter are made an addition among former service request through setting up with API Access control module is again sent to business platform, API Access control module in business platform receives after service request, the type of confirmation service request or priority level meet the regulation of token purposes parameter, dynamic token being forwarded to authentication server verifies, if dynamic token, by the checking of authentication server, returns to correct information, API Access control module allows calling platform ability API, that concrete is running environment platform capabilities API, otherwise, return to error message.

As shown in Figure 7, the service calling method that the present embodiment provides, comprises the steps:

First S701～S702, API Calls module are forwarded to client authentication module by the service request sending to business platform and process, after client authentication module is carried out local integrity detection to client application alternatively according to security strategy, the authentication factor getting from authentication server according to the registration request stage generates dynamic token, the dynamic token for example generating can be HOTP dynamic token, and the authentication factor can be served as the Seed parameter that generates HOTP dynamic token;

S703～S704, client authentication module is set up unidirectional HTTPS (client authentication module certification API Access control module) with API Access control module and is connected, and will comprise dynamic token, token purposes parameter, traffic ID, business release, client application ID, parameter (the HOTP dynamic tokens if such as the unique identifying number (as IMSI) of user smart card, need to comprise reader counter parameter) service request be forwarded to business platform, API Access control module is truncated to after service request, the type of confirmation service request or priority level meet the regulation of token purposes parameter, dynamic token being forwarded to authentication server authenticates,

The dynamic token carrying in the authentication factor pair service request of the relative users terminal that S705, authentication server are preserved according to this locality authenticates, and return authentication result is to API Access control module;

S706～S707, API Access control module receive authentication result, if authentication result for passing through, allows to call running environment platform capabilities API, otherwise return to error message to API Calls module by client authentication module.

Above token purposes parameter is for specifying type or the level of security of the adaptable service request of this dynamic token; for example only can be used in the service request of Location Service Platform ability API; or only can be used in the platform capabilities API class of common level of security, to realize the protection of the platform capabilities API to dissimilar or different level of securitys.

In addition, in above-mentioned call flow, if without the demand for security of client application authentication business platform and the safe and secret demand to service request and response message, unidirectional HTTPS safety data transmission passage is optional.

Based on same technical conceive, the present embodiment also provides a kind of calling service system, comprises client application, API Access control module and authentication server, wherein:

Described client application, for sending service request, wherein carries the dynamic token generating according to the authentication factor getting from authentication server;

Described API Access control module, after receiving described service request, while the authentication result of the dynamic token carrying in described service request being confirmed to certification is passed through according to authentication server, allows described API Calls module calling platform ability API;

Described authentication server, authenticates for the described dynamic token that described API Access control module is forwarded.

Embodiment tetra-

In the calling service flow process providing at embodiment tri-, send service request, authentication server all needs dynamic token to verify at every turn.In order to alleviate the burden of authentication server, in the calling service stage, the embodiment of the present invention also provides a kind of call-by mechanism of the platform capabilities API of the reusable token mechanism based on dynamically updating efficiently.This mechanism is divided into two stages: interim token obtains stage and safety service request stage.

A. interim token obtains the stage

The object in this stage is that client authentication module is obtained interim token by dynamic token.In the time that API Calls module need to be called access platform ability API, first API Calls module hands to request message client authentication module, after client authentication module is carried out local integrity detection to client application alternatively according to security strategy, generate in real time dynamic token and token purposes parameter is set, send and comprise that the interim token of dynamic token obtains request to API Access control module through the HTTPS passage of setting up simultaneously, API Access control module is received after request, forwards dynamic token to authentication server.If authentication server checking dynamic token passes through, return to interim token to API Access control module (interim token also can be generated by API Access control module), otherwise return to error code.Finally, return to interim token or error code by API Access control module to client authentication module, simultaneously to API Calls module return state value.Interim token carries out safe storage by API Access control module; this interim token can be for the protection of in multiple business request information of follow-up same type; also can be used for protecting in certain class ability API request message of identical safe class; and effective in the definition of certain security strategy (as effective in 10 minutes or 1 hour); when this interim token is crossed after date, client authentication module will be obtained new interim token again.

As shown in Figure 8, interim token obtains the handling process in stage and comprises the steps:

First S801～S802, API Calls module are forwarded to client authentication module by the service request sending to business platform and process, after client authentication module is carried out local integrity detection to client application alternatively according to security strategy, the authentication factor getting from authentication server according to the registration request stage generates dynamic token, the dynamic token for example generating can be HOTP dynamic token, and the authentication factor can be served as the Seed parameter that generates HOTP dynamic token;

S803～S804, client authentication module and API Access control module are set up unidirectional HTTPS (client authentication module certification API Access control module) safety data transmission passage, and will comprise dynamic token, token purposes parameter, traffic ID, business release, client application ID, parameter (the HOTP tokens if such as the unique identifying number (as IMSI) of user smart card, need to comprise reader counter parameter) the request of obtaining of interim token be forwarded to business platform, API Access control module is truncated to interim token and obtains after request, the type of confirmation service request or level of security meet the regulation of token purposes parameter, dynamic token being forwarded to authentication server authenticates,

The authentication factor pair dynamic token of the relative users terminal that S805, authentication server are preserved according to this locality is verified, return to if the verification passes the interim token of random generation, otherwise return to error message, it should be noted that, interim token also can be generated by API Access control module;

S806～S807, API Access control mould return to interim token or error message to client authentication module, and client authentication module is to API Calls module return state value.

B. safety service request stage

API Calls module is initiated the service request of access platform ability API again, similarly, first API Calls module is handed to request message in client authentication module, after client authentication module is carried out local integrity detection to client application alternatively according to security strategy, take out corresponding interim token and make an addition among former request message, then being sent to business platform through the HTTPS safety data transmission passage of setting up.API Access control module in business platform receives after service request, according to preserved interim token, the interim token in business request information is mated, if coupling is consistent, allow calling platform ability API (being specially running environment platform capabilities API), otherwise, return to error message.

As shown in Figure 9, the handling process of safety service request stage comprises the steps:

First S901, API Calls module are forwarded to client authentication module by the service request sending to business platform and process, and client authentication module is carried out local integrity detection to client application alternatively according to security strategy;

S902, client authentication module and API Access control module are set up unidirectional HTTPS (client authentication module certification API Access control module) safety data transmission passage, and will comprise that the isoparametric service request of interim token is forwarded to business platform;

S903～S904, API Access control module are truncated to after service request, according to preserved interim token, the interim token in business request information is mated, if coupling is consistent, allow calling platform ability API (being specially running environment platform capabilities API), otherwise, otherwise return to error message to API Calls module by client authentication module.

Based on same technical conceive, the present embodiment also provides a kind of calling service system, comprises client application and API Access control module, wherein:

Client application, for sending service request, wherein carries the effectively interim token getting from API Access control module;

API Access control module, after receiving described service request, mates the interim token carrying in described service request according to the interim token of the described client authentication module of this locality storage; If coupling is consistent, allow described API Calls module calling platform ability API.

It should be noted that:

1, in calling service flow process, (comprise embodiment tri-and embodiment tetra-), the service request of API Calls module can forward after client authentication module is processed again, but API Calls module obtains from client authentication module the parameter such as corresponding dynamic token or interim token sending before service request, in service request, re-send to business platform by API Calls module from adding to;

2, in the first calling service flow process (embodiment tri-), client application sends to the service request of business platform can be all through authentication server, after dynamic token being wherein verified by authentication server, be transmitted to again business platform, forward to reduce business platform the flow process that dynamic token is verified to authentication server.But in service request, need to add the URL parameter of service server etc., after the success of checking dynamic token, will containing the service request of the security parameters such as dynamic token not be forwarded to corresponding business platform according to service server URL for authentication server;

3, the protection mechanism of the platform capabilities API described in the embodiment of the present invention can be used as a general security capabilities, reuses in multiple business platforms.

The technical scheme that the embodiment of the present invention provides, the legitimacy authentication of supporting business platform to client application, in prior art, only carry out authentication authentication for user terminal, the security threat of the client application of not considering personation or be tampered to platform capabilities API, the embodiment of the present invention has realized the secure distribution of the integrity protection of client application and client application key (between client application and authentication server shared key) based on " MAC fingerprint mechanism " and " client authentication module displacement mechanism ", and by client application according to client application key generating message authentication code to realize the authentication of business platform to client application.Meanwhile, can prevent that developer or third party from illegally abusing and reusing this client application key in the middle of the application of unauthorized client end.

The technical scheme that the embodiment of the present invention provides, supports the authentication of client application to business platform.Prior art is unidirectional authentication, does not consider that business platform itself also may service request counterfeiting or that user terminal sends be relocated.Root certificate and the fill order of the embodiment of the present invention based on built-in business platform in client application realizes the authentication of client application to business platform and both sides' secure communication to HTTPS.Avoided the complicated PKI certificate management for client application simultaneously.

The technical scheme that the embodiment of the present invention provides has solved the security breaches problem in existing scheme.In existing scheme, based on static token mechanism, the token that user terminal obtains is applied in all service request, and cannot prevent from after token victim from illegally obtaining being applied in illegal service request, exists and is reproduced attack possibility.In the embodiment of the present invention, in the time of client application initiating business request, client application generates dynamic token temporarily and adds in business request information, to prevent Replay Attack etc.

The technical scheme that the embodiment of the present invention provides, supports the platform capabilities API of dissimilar or different security level requireds to manage respectively.In existing scheme, User Token is applied in all service request, easily causes the leakage of User Token also by illegal or the use of going beyond one's commission.In the embodiment of the present invention, for the platform capabilities API of dissimilar or different security level requireds, the dynamic token based on identifying by " token purposes parameter " is realized the fine granularity safeguard protection to implementation platform ability API.

Obviously, those skilled in the art can carry out various changes and modification and not depart from the spirit and scope of the present invention the present invention.Like this, if these amendments of the present invention and within modification belongs to the scope of the claims in the present invention and equivalent technologies thereof, the present invention is also intended to comprise these changes and modification interior.

Claims (15)

1. a method for authenticating, is characterized in that, comprising:

In the time downloading to client application in user terminal and meet trigger condition, the client authentication module in described client application generates the first message authentication code MAC1 according to the local storage of client authentication module with the shared client application key clientKey of authentication server; And

Send the registration request that carries described MAC1 to described authentication server, the MAC1 carrying in described registration request carries out legitimacy authentication for the shared clientKey of authentication server basis and described client application to described client application; Wherein,

Described client authentication module sends to authentication server by Service Gateway by described registration request, in described registration request, also carry user identifier ID corresponding to described user terminal that described Service Gateway adds, the user ID of carrying in described registration request is carried out authentication authentication for authentication server to described user terminal;

Described client authentication module receive described authentication server to described client application and subscriber terminal authority by after the session id that returns, the root certificate corresponding to PKIX PKI certificate of the authentication server based on setting in advance, set up safety data transmission passage with described authentication server, and verify the legitimacy of described authentication server;

Described client authentication module is by the safety data transmission passage of setting up with described authentication server, sends the authentication factor of carrying described session id and obtains request; And

Receive described authentication server according to the pre-recorded session id for the random generation of described user terminal, the authentication factor receiving is obtained after the session id certification of carrying in request passes through, and what return by the safety data transmission passage of setting up is the random authentication factor generating of described user terminal.

2. the method for claim 1, is characterized in that, also stores the MAC fingerprint of the functional module except client authentication module in the described client application that described authentication server determines in described client authentication module; And described method also comprises:

Before described client authentication module sends described registration request, determine the MAC fingerprint of the functional module except client authentication module in described client application, and the MAC fingerprint of determining is consistent with the MAC fingerprint matching of the local storage of client authentication module.

3. the method for claim 1, is characterized in that, describedly meets trigger condition and comprises: described client application is moved for the first time or described user terminal is changed user smart card or preassigned parameter is expired.

4. method as claimed in claim 2, is characterized in that, also comprises:

Test authentication module in the client application that developer is submitted to is replaced into described client authentication module; Or

Preassigned file in test authentication module is replaced into the file that presets MAC fingerprint and client application key clientKey, obtains described client authentication module.

5. a method for authenticating, is characterized in that, comprising:

Authentication server receives the registration request that the client authentication module in client application sends, and wherein carries the first message authentication code MAC1 generating with the shared client application key clientKey of authentication server according to the local storage of client authentication module;

Described authentication server, according to the clientKey shared with described client authentication module, carries out legitimacy authentication to the MAC1 carrying in the registration request receiving, if authentication by; confirm that described client application is legal; Wherein,

Described registration request sends to authentication server by Service Gateway, also carries user identifier ID corresponding to user terminal that described Service Gateway adds in the registration request that described authentication server receives; And

Described method also comprises:

Described authentication server carries out authentication authentication to the user ID of carrying in the registration request receiving, if authentication by; confirm that described user terminal is legal;

Described client application and subscriber terminal authority, by rear random generation Session ID ID, and are returned to described client authentication module by the session id of generation through described Service Gateway;

Described authentication server receives the authentication factor of carrying described session id that described client authentication module sends by the safety data transmission passage of setting up with described authentication server and obtains request;

According to pre-recorded be the random session id generating of described user terminal, the authentication factor receiving is obtained to the session id carrying in request and authenticates, and if certification by; for described user terminal generate at random the authentication factor and by set up safety data transmission passage return to described client authentication module.

6. method as claimed in claim 5, it is characterized in that, the described authentication factor is obtained the second message authentication code MAC2 that also carries the unique identification of user smart card in user terminal and generate according to the clientKey of the local storage of client authentication module in request; And

Described authentication server is, before described user terminal generates the authentication factor at random, also to comprise:

According to the unique identification of user smart card in the described user terminal getting in advance, the unique identification of user smart card in the user terminal carrying in the registration request receiving is authenticated; And according to the clientKey shared with described client authentication module, the MAC2 carrying in the registration request receiving is authenticated, and confirm to authenticate and pass through.

7. method as claimed in claim 6, is characterized in that, described authentication server obtains the uniquely identified step of user smart card in described user terminal, specifically comprises:

The user ID that described authentication server is corresponding according to the user terminal carrying in described registration request, inquires about the uniquely identified corresponding relation of pre-recorded user ID and user smart card, obtains the unique identification of user smart card in described user terminal;

Or,

In described registration request, also carry according to the unique identification of user smart card in described user terminal being encrypted to the ciphertext value obtaining according to the clientKey of the local storage of client authentication module; And described authentication server is according to the clientKey shared with described client authentication module, and the ciphertext value of carrying in the registration request receiving is decrypted, and obtains the unique identification of user smart card in described user terminal.

8. a service calling method, is characterized in that, comprising:

Application programming interfaces API Access control module receives the service request of the client application transmission downloading in user terminal, wherein carries the dynamic token generating according to the authentication factor getting from authentication server;

When API Access control module confirms that to the authentication result of the dynamic token carrying in described service request certification is passed through according to authentication server, allow API Calls module calling platform ability API;

Wherein, described client application is specifically obtained the authentication factor in the following way from authentication server:

Client authentication module in described client application sends to authentication server by Service Gateway by the registration request that carries the first message authentication code MAC1, also carries user identifier ID corresponding to described user terminal that described Service Gateway adds in described registration request;

Described client authentication module receive described authentication server to described client application and subscriber terminal authority by after the session id that returns, the root certificate corresponding to PKIX PKI certificate of the authentication server based on setting in advance, set up safety data transmission passage with described authentication server, and verify the legitimacy of described authentication server;

Described client authentication module is by the safety data transmission passage of setting up with described authentication server, sends the authentication factor of carrying described session id and obtains request; And

Receive described authentication server according to the pre-recorded session id for the random generation of described user terminal, the authentication factor receiving is obtained after the session id certification of carrying in request passes through, and what return by the safety data transmission passage of setting up is the random authentication factor generating of described user terminal.

9. method as claimed in claim 8, is characterized in that,

Described service request is sent by the client authentication module in client application; And described client authentication module sends the step of described service request, specifically comprise:

Described client authentication module receives the service request that the API Calls module in described client application generates, generate dynamic token according to the authentication factor getting from authentication server, described dynamic token is added in described service request and send to API Access control module;

Or,

Described service request is sent by the API Calls module in client application; And described API Calls module sends the step of described service request, specifically comprise:

The client authentication module of described API Calls module from described client application obtained dynamic token, and described dynamic token is generated according to the authentication factor getting from authentication server by client authentication module; And described dynamic token is carried at and in service request, sends to API Access control module.

10. method as claimed in claim 9, is characterized in that, also comprises:

Client authentication module is that the dynamic token generating arranges token purposes parameter, and described token purposes parameter is for specifying type or the level of security of the service request that described dynamic token can apply; And

Described API Access control module is according to the token purposes parameter of carrying in the service request receiving, confirm that the type of described service request or level of security meet the regulation of token purposes parameter, the dynamic token carrying in described service request is transmitted to authentication server and authenticates, and receive the authentication result that described authentication server returns.

11. methods as claimed in claim 9, is characterized in that, also comprise:

Before described client authentication module generates dynamic token according to the authentication factor getting from authentication server, determine the MAC fingerprint of the functional module except client authentication module in described client application, and mate with the MAC fingerprint of this locality storage, and confirm that coupling is consistent, in described client authentication module, store the MAC fingerprint of the functional module except client authentication module in the described client application that authentication server determines.

12. 1 kinds of calling service systems, is characterized in that, comprise the client application, application programming interfaces API Access control module and the authentication server that download in user terminal, wherein:

Described client application, for sending service request, wherein carries the dynamic token generating according to the authentication factor getting from authentication server;

Described API Access control module, after receiving described service request, while the authentication result of the dynamic token carrying in described service request being confirmed to certification is passed through according to authentication server, allows API Calls module calling platform ability API;

Described authentication server, authenticates for the described dynamic token that described API Access control module is forwarded;

Wherein, described client application specifically for obtaining in the following way the authentication factor from authentication server:

Client authentication module in described client application sends to authentication server by Service Gateway by the registration request that carries the first message authentication code MAC1, also carries user identifier ID corresponding to described user terminal that described Service Gateway adds in described registration request;

Described client authentication module receive described authentication server to described client application and subscriber terminal authority by after the session id that returns, the root certificate corresponding to PKIX PKI certificate of the authentication server based on setting in advance, set up safety data transmission passage with described authentication server, and verify the legitimacy of described authentication server;

Described client authentication module is by the safety data transmission passage of setting up with described authentication server, sends the authentication factor of carrying described session id and obtains request; And

Receive described authentication server according to the pre-recorded session id for the random generation of described user terminal, the authentication factor receiving is obtained after the session id certification of carrying in request passes through, and what return by the safety data transmission passage of setting up is the random authentication factor generating of described user terminal.

13. 1 kinds of service calling methods, is characterized in that, comprising:

Application programming interfaces API Access control module receives the service request of the client application transmission downloading in user terminal, wherein carries the effectively interim token getting from API Access control module;

API Access control module is mated the interim token carrying in described service request according to the interim token of the client authentication module of this locality storage;

If coupling is consistent, allow API Calls module calling platform ability API; Wherein,

Described service request is sent by the client authentication module in client application; And described client authentication module sends the step of described service request, specifically comprise:

Described client authentication module receives the service request that the API Calls module in described client application generates, store the effectively interim token getting from API Access control module if local, described interim token is added in described service request, and send to described API Access control module;

Or,

Described service request is sent by the API Calls module in client application; And described API Calls module sends the step of described service request, specifically comprise:

The client authentication module of described API Calls module from described client application obtained effectively interim token, and described effectively interim token is obtained from API Access control module by client authentication module; And described effectively interim token is carried at and in service request, sends to API Access control module;

If interim token or described interim token that in client authentication module, storage does not get from API Access control module are invalid, generate dynamic token according to the authentication factor getting from authentication server, and the interim token that the carries described dynamic token request of obtaining is sent to API Access control module;

API Access control module receives after described interim token obtains request, described interim token is obtained to the dynamic token carrying in request and be transmitted to authentication server and authenticate; And

When the authentication result of returning according to authentication server confirms that certification is passed through, interim token is returned to client authentication module;

Wherein, described client authentication module is specifically obtained the authentication factor in the following way from authentication server:

Described client authentication module sends to authentication server by Service Gateway by the registration request that carries the first message authentication code MAC1, also carries user identifier ID corresponding to described user terminal that described Service Gateway adds in described registration request;

Described client authentication module receive described authentication server to described client application and subscriber terminal authority by after the session id that returns, the root certificate corresponding to PKIX PKI certificate of the authentication server based on setting in advance, set up safety data transmission passage with described authentication server, and verify the legitimacy of described authentication server;

Described client authentication module is by the safety data transmission passage of setting up with described authentication server, sends the authentication factor of carrying described session id and obtains request; And

Receive described authentication server according to the pre-recorded session id for the random generation of described user terminal, the authentication factor receiving is obtained after the session id certification of carrying in request passes through, and what return by the safety data transmission passage of setting up is the random authentication factor generating of described user terminal.

14. methods as claimed in claim 13, is characterized in that, also comprise:

Described interim token is generated and is carried at by authentication server and in authentication result, returns to described API Access control module; Or,

Described interim token by API Access control module the authentication result returned according to authentication server confirm certification by time generate.

15. 1 kinds of calling service systems, is characterized in that, comprise the client application and the application programming interfaces API Access control module that download in user terminal, wherein:

Described client application, for sending service request, wherein carries the effectively interim token getting from API Access control module;

Described API Access control module, after receiving described service request, mates the interim token carrying in described service request according to the interim token of the client authentication module of this locality storage; If coupling is consistent, allow API Calls module calling platform ability API; Wherein,

Described client application comprises client authentication module, API Calls module and API Access control module;

Described client authentication module in described client application sends described service request; ,

Described client authentication module, specifically for:

Described client authentication module receives the service request that the API Calls module in described client application generates, store the effectively interim token getting from API Access control module if local, described interim token is added in described service request, and send to described API Access control module;

Or,

Described API Calls module in described client application sends described service request; , described API Calls module, specifically for:

The client authentication module of described API Calls module from described client application obtained effectively interim token, and described effectively interim token is obtained from API Access control module by client authentication module; And described effectively interim token is carried at and in service request, sends to API Access control module;

If interim token or described interim token that in client authentication module, storage does not get from API Access control module are invalid, generate dynamic token according to the authentication factor getting from authentication server, and the interim token that the carries described dynamic token request of obtaining is sent to API Access control module;

API Access control module, for receiving after described interim token obtains request, obtains by described interim token the dynamic token carrying in request and is transmitted to authentication server and authenticates; And

When the authentication result of returning according to authentication server confirms that certification is passed through, interim token is returned to client authentication module;

Wherein, described client authentication module specifically for obtaining in the following way the authentication factor from authentication server:

Described client authentication module sends to authentication server by Service Gateway by the registration request that carries the first message authentication code MAC1, also carries user identifier ID corresponding to described user terminal that described Service Gateway adds in described registration request;

Described client authentication module receive described authentication server to described client application and subscriber terminal authority by after the session id that returns, the root certificate corresponding to PKIX PKI certificate of the authentication server based on setting in advance, set up safety data transmission passage with described authentication server, and verify the legitimacy of described authentication server;

Described client authentication module is by the safety data transmission passage of setting up with described authentication server, sends the authentication factor of carrying described session id and obtains request; And

Receive described authentication server according to the pre-recorded session id for the random generation of described user terminal, the authentication factor receiving is obtained after the session id certification of carrying in request passes through, and what return by the safety data transmission passage of setting up is the random authentication factor generating of described user terminal.