CN102468961A - Distributive enterprise identification authentication method, system and embedded terminal - Google Patents


Info

Publication number
CN102468961A
Authority
CN (China)
Prior art keywords
authentication, user, platform, digital certificate, distributed
Legal status
Pending
Application number
CN2010105500890A
Other languages
Chinese (zh)
Inventors
唐锋, 张啸雄, 吴勇, 刘志城
Current assignee
Aspire Digital Technologies Shenzhen Co Ltd
Original assignee
Aspire Digital Technologies Shenzhen Co Ltd
Application filed by Aspire Digital Technologies Shenzhen Co Ltd
Priority to CN2010105500890A
Publication of CN102468961A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the invention discloses a distributed enterprise identity authentication method, a distributed enterprise identity authentication system and an embedded terminal. The method comprises the following steps: a distributed identity authentication platform obtains and stores a user digital certificate through a centralized authentication platform; a business platform sends an authentication and authorization request to the distributed identity authentication platform; the distributed identity authentication platform authenticates the identity in the request according to the user digital certificate and, after authentication passes, performs service authorization logic according to pre-stored permission settings and returns the result to the business platform; and the business platform performs business logic processing according to the result. The enterprise identity authentication system and the embedded terminal can be used to implement the method. With the method, system and embedded terminal, on one hand the problem of one user logging in to several systems with different identities is solved by a unified user digital certificate, and on the other hand forgery of the user's identity is effectively prevented because the user digital certificate is issued by a certification authority (CA) center.

Description

Distributed enterprise authentication method, system and embedded terminal
Technical field
The present invention relates to the field of information security and identity authentication, and in particular to a distributed enterprise authentication method, system and embedded terminal.
Background technology
Existing distributed identity management and authentication generally uses one of two methods:
The first uses a username and password. At authentication time, the client encrypts the information the user enters, such as a PIN (Personal Identification Number), with a symmetric key, and the server decrypts the encrypted data with the same symmetric key to verify it. This method carries a serious security risk: once the symmetric key is cracked or lost, the whole authentication is insecure, which at best inconveniences the user and at worst causes irrecoverable loss. In addition, the symmetric key can only be exchanged offline, which is inconvenient.
Because of the serious security risk of the first method, a second method has appeared in recent years: identity management and authentication based on a PKI (Public Key Infrastructure) system.
With this method, the client signs the information the user enters, such as a PIN, with the stored user private key, and the server verifies the signed data with the user's public key. This method has an architectural defect: because there is no centralized authentication behind it, distributed identity management and authentication are left in an independent, uncoordinated state. The same user needs several different digital identities to log in to several business systems, which increases the complexity of the user's business operations and the enterprise's application and management costs.
Summary of the invention
The technical problem to be solved by the embodiments of the invention is to provide a distributed enterprise authentication method, system and embedded terminal that solve the problem of a user logging in to several business systems with different digital identities.
To solve this technical problem, an embodiment of the invention provides a distributed enterprise authentication method, comprising:
a distributed identity authentication platform obtains and stores a user digital certificate through a centralized authentication platform;
a business platform sends an authentication and authorization request to the distributed identity authentication platform;
the distributed identity authentication platform authenticates the identity in the authentication and authorization request according to the user digital certificate and, after authentication passes, performs service authorization logic according to pre-stored permission settings and returns the result to the business platform;
the business platform performs business logic processing according to the result.
The step in which the distributed identity authentication platform obtains and stores the user digital certificate through the centralized authentication platform comprises:
the distributed identity authentication platform records user information and sends the user information and a user digital certificate request to the centralized authentication platform;
the centralized authentication platform looks up the user digital certificate according to the user information; if it is found, the platform returns it; if it is not found, the platform checks that the user information meets the requirements, then obtains the user digital certificate from the CA center and returns it;
the distributed identity authentication platform stores the user information and the corresponding user digital certificate.
The authentication and authorization request comprises the user information and a digital signature generated with the private key belonging to the user digital certificate.
The step in which the distributed identity authentication platform authenticates the authentication and authorization request according to the user digital certificate comprises:
the distributed identity authentication platform receives the authentication and authorization request;
the distributed identity authentication platform looks up the corresponding user digital certificate according to the user information, the user digital certificate comprising a public key;
the distributed identity authentication platform verifies the digital signature with the public key in the corresponding user digital certificate it found.
The user information comprises one or more of the user name, the user's phone number, the user's ID card number and an ID code.
Correspondingly, an embodiment of the invention also provides a distributed enterprise authentication system comprising a server and at least one terminal, characterised in that:
the terminal comprises one or more business systems, each of which sends an authentication and authorization request to the server when a user accesses it;
the server, on receiving an authentication and authorization request from a business system, authenticates the identity in the request and, after authentication passes, performs service authorization logic according to pre-stored permission settings and returns the result to the business system.
The server comprises a user management module, an authentication module, a system management module and a portal management module;
the user management module manages user information and the access-rights relationship between users and business systems;
the authentication module performs identity authentication and service authorization for users;
the system management module provides basic supporting functions to the authentication module, including operator management, rights management and configuration management;
the portal management module provides interface operation capability to each module that needs interface operation, including but not limited to the user management module and the system management module.
Further, the server also comprises a statistical analysis module and a service management module;
the service management module manages the services the enterprise provides and provides an audit and go-live mechanism for new services;
the statistical analysis module compiles statistics on information such as the data of each service, the usage of service data and user behaviour.
An embodiment of the invention also provides a distributed enterprise authentication embedded terminal comprising an embedded business system and an embedded authentication system;
the embedded business system sends an authentication and authorization request to the embedded authentication system when a user accesses it;
the embedded authentication system, on receiving an authentication and authorization request from the embedded business system, authenticates the identity in the request and, after authentication passes, performs service authorization logic according to pre-stored permission settings and returns the result to the embedded business system.
The embedded authentication system comprises a user management module, an authentication module, a service management module and a system management module;
the user management module manages user information, which comprises user identity information, and the access-rights relationship between users and business systems;
the authentication module performs identity authentication and service authorization for users;
the service management module manages the services the enterprise provides and provides an audit and go-live mechanism for new services;
the system management module provides basic supporting functions to the authentication module, including operator management, rights management and configuration management.
The embodiments of the invention have the following beneficial effects:
The distributed identity authentication platform obtains, through the centralized authentication platform, a user digital certificate issued by the CA center, so that the same user logs in to several business systems with one unified user digital certificate; the distributed identity authentication platform then applies logic to the user's access rights, which removes the trouble caused by one user logging in to several systems with different identities. At the same time, because the user digital certificate is issued by the CA center, forgery of the user's identity is effectively prevented, improving the security of business system information.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a first embodiment of the distributed enterprise authentication method of the invention;
Fig. 2 is a flow chart of a second embodiment of the distributed enterprise authentication method of the invention;
Fig. 3 is a flow chart of a third embodiment of the distributed enterprise authentication method of the invention;
Fig. 4 is a structural diagram of an embodiment of the distributed enterprise authentication system of the invention;
Fig. 5 is a structural diagram of the server of the authentication system shown in Fig. 4;
Fig. 6 is a structural diagram of an embodiment of the distributed enterprise authentication embedded terminal of the invention;
Fig. 7 is a structural diagram of the embedded authentication system of the embedded terminal shown in Fig. 6.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the first embodiment of the distributed enterprise authentication method of the invention; the method comprises:
Step S101: the distributed identity authentication platform obtains and stores a user digital certificate through the centralized authentication platform.
In a concrete implementation, the distributed identity authentication platform records user information and sends the user information and a user digital certificate request to the centralized authentication platform; the user information comprises one or more of the user name, the user's phone number, the user's ID card number and an ID code.
The centralized authentication platform looks up the user digital certificate according to the user information; if it is found, the platform returns it; if it is not found, the platform checks that the user information meets the requirements, then obtains the user digital certificate from the CA center and returns it.
The distributed identity authentication platform stores the user information and the corresponding user digital certificate.
Step S102: the business platform sends an authentication and authorization request to the distributed identity authentication platform.
In a concrete implementation, when the user logs in to a business system, the business platform sends an authentication and authorization request to the distributed identity authentication platform. The request comprises the user information and a digital signature generated with the private key belonging to the user digital certificate.
Step S103: the distributed identity authentication platform authenticates the identity in the authentication and authorization request according to the user digital certificate and, after authentication passes, performs service authorization logic according to the pre-stored permission settings and returns the result to the business platform.
In a concrete implementation, the distributed identity authentication platform receives the authentication and authorization request, then looks up the corresponding user digital certificate according to the user information in the request; the user digital certificate comprises a public key. The platform verifies the digital signature with the public key in the corresponding certificate it found. After the signature verifies, the platform performs service authorization logic according to the pre-stored permission settings and returns the result to the business platform. The pre-stored permission settings include: a given user has no access to a given business system; a given user may access a given business system in "read-only" mode only; a given user may access a given business system in "read-write" mode. Correspondingly, when the permission of a user whose signature verified for the business system being accessed is "no access", the distributed identity authentication platform returns "no access" to the business platform; when it is "read-only", the platform returns "read-only" to the business platform; when it is "read-write", the platform returns "read-write" to the business platform.
Step S104: the business platform performs business logic processing according to the result.
Concretely, when the business platform receives "no access", it presents the user with the prompt "you have no right to access this system"; when it receives "read-only", it presents the user with an interface on which only "read" operations can be performed; when it receives "read-write", it presents the user with an interface on which "read-write" operations can be performed.
The distributed identity authentication platform of this embodiment obtains, through the centralized authentication platform, a user digital certificate issued by the CA center, so that the same user logs in to several business systems with one unified user digital certificate; the distributed identity authentication platform then applies logic to the user's access rights, which removes the trouble caused by one user logging in to several systems with different identities. At the same time, because the user digital certificate is issued by the CA center, forgery of the user's identity is effectively prevented, improving the security of business system information.
Fig. 2 is a flow chart of the second embodiment of the distributed enterprise authentication method of the invention; the method comprises:
Step S201: the distributed identity authentication platform records user information and sends the user information and a user digital certificate request to the centralized authentication platform.
In a concrete implementation, the user information comprises one or more of the user name, the user's phone number, the user's ID card number and an ID code.
Step S202: the centralized authentication platform looks up the user digital certificate according to the user information; if it is found, the platform returns it; if it is not found, the platform checks that the user information meets the requirements, then obtains the user digital certificate from the CA center and returns it.
In a concrete implementation, the centralized authentication platform receives the user information and the user digital certificate request and looks up the corresponding user digital certificate in its own store according to the user information. If it finds the corresponding certificate, it returns it to the distributed identity authentication platform. If it cannot find it, it checks whether the user information meets the requirements; if so, it applies to the CA center for the user digital certificate, stores the certificate, and then returns it to the distributed identity authentication platform.
Step S203: the distributed identity authentication platform stores the user information and the corresponding user digital certificate.
In a concrete implementation, the distributed identity authentication platform receives the user digital certificate returned by the centralized authentication platform and stores the user information and the corresponding certificate.
Step S204: the business platform sends an authentication and authorization request to the distributed identity authentication platform.
In a concrete implementation, when the user logs in to a business system, the business platform sends an authentication and authorization request to the distributed identity authentication platform. The request comprises the user information and a digital signature generated with the private key belonging to the user digital certificate.
Step S205: the distributed identity authentication platform authenticates the identity in the authentication and authorization request according to the user digital certificate and, after authentication passes, performs service authorization logic according to the pre-stored permission settings and returns the result to the business platform.
In a concrete implementation, the distributed identity authentication platform receives the authentication and authorization request, then looks up the corresponding user digital certificate according to the user information in the request; the user digital certificate comprises a public key. The platform verifies the digital signature with the public key in the corresponding certificate it found. After the signature verifies, the platform performs service authorization logic according to the pre-stored permission settings and returns the result to the business platform. The pre-stored permission settings include: a given user has no access to a given business system; a given user may access a given business system in "read-only" mode only; a given user may access a given business system in "read-write" mode. Correspondingly, when the permission of a user whose signature verified for the business system being accessed is "no access", the distributed identity authentication platform returns "no access" to the business platform; when it is "read-only", the platform returns "read-only" to the business platform; when it is "read-write", the platform returns "read-write" to the business platform.
Step S206: the business platform performs business logic processing according to the result.
Concretely, when the business platform receives "no access", it presents the user with the prompt "you have no right to access this system"; when it receives "read-only", it presents the user with an interface on which only "read" operations can be performed; when it receives "read-write", it presents the user with an interface on which "read-write" operations can be performed.
The distributed identity authentication platform of this embodiment obtains, through the centralized authentication platform, a user digital certificate issued by the CA center, so that the same user logs in to several business systems with one unified user digital certificate; the distributed identity authentication platform then applies logic to the user's access rights, which removes the trouble caused by one user logging in to several systems with different identities. At the same time, because the user digital certificate is issued by the CA center, forgery of the user's identity is effectively prevented, improving the security of business system information.
See also Fig. 3, be the flow chart of the 3rd embodiment of distributed enterprise authentication method of the present invention; Said method comprises:
Step S301, the distributed authentication authentication platform obtains and preserves customer digital certificate through centralized authentication platform.
In concrete the realization, distributed authentication authentication platform recording user information, and send said user profile and customer digital certificate solicited message to centralized authentication platform; Said user profile comprises address name, subscriber directory number, one or more in user identity passport NO. and the ID sign indicating number.
Centralized authentication platform is searched customer digital certificate according to said user profile, when finding, returns said customer digital certificate; When not finding, the judges information conforms requires the back to obtain customer digital certificate and return said customer digital certificate to the CA center.
The distributed authentication authentication platform is preserved said user profile and corresponding customer digital certificate thereof.The distributed authentication authentication platform obtains and preserves customer digital certificate through centralized authentication platform.
Step S302, business platform sends authentication and authentication request information to the distributed authentication authentication platform.
In concrete the realization, when the user landed a certain operation system, business platform sent authentication and authentication request information to said distributed authentication authentication platform.The digital signature that said authentication and authentication request information comprise user profile and adopts the private key in the customer digital certificate to generate.
Step S303, distributed authentication authentication platform receive said authentication and authentication request information.
In concrete the realization, the distributed authentication authentication platform receives authentication and the authentication request information that said business platform sends, the digital signature that said authentication and authentication request information comprise user profile and adopts the private key in the customer digital certificate to generate.
Step S304, the distributed authentication authentication platform is searched corresponding customer digital certificate according to said user profile, and said customer digital certificate comprises PKI.
In concrete the realization, the distributed authentication authentication platform is according to the address name in the said user profile, subscriber directory number, and user identity passport NO. or ID sign indicating number remove to inquire about corresponding customer digital certificate, and said customer digital certificate comprises PKI.
Step S305, the PKI in the customer digital certificate of the correspondence that the employing of distributed authentication authentication platform finds is tested label to said digital signature.
In concrete the realization, the PKI in the customer digital certificate of the correspondence that the employing of distributed authentication authentication platform finds is tested label to the digital signature of said authentication and authentication request information.When test sign through the time, promptly user identity obtains authentication.
Step S306, distributed authentication authentication platform are provided with situation according to the authority that prestores and carry out the service authentication logical process, and to said business platform return results.
In concrete the realization; The distributed authentication authentication platform to the digital signature of said authentication and authentication request information test sign pass through after; The distributed authentication authentication platform is provided with situation according to the authority that prestores again and carries out the service authentication logical process, and to said business platform return results.The said authority that prestores is provided with situation and comprises: the specific user haves no right to visit some operation system, and the specific user can only visit some operation system with " read-only " mode, and the specific user can visit some operation system with " read-write " mode.Corresponding, sign the user that passes through to its operation system authority of visiting during when testing for " have no right visit ", then the distributed authentication authentication platform returns " have no right visit " information to said business platform; Sign the user pass through to its operation system authority of visiting during for " read-only " when testing, then the distributed authentication authentication platform returns " read-only " information to said business platform; Sign the user pass through to its operation system authority of visiting during for " read-write " when testing, then the distributed authentication authentication platform returns " read-write " information to said business platform.
Step S307, said business platform carries out business logic processing according to said result.
Concrete, when said business platform is received " have no right visit " information, the user is provided the prompting interface of " you have no right to visit this system "; When said business platform is received " read-only " information, the user is provided the user interface that to carry out " reading " operation; When said business platform is received " read-write " information, the user is provided the user interface that to carry out " read-write " operation.
The distributed authentication and authorization platform of this embodiment obtains the user digital certificate issued by the CA center through the centralized authentication platform, so that the same user logs in to multiple business systems with one unified user digital certificate, and the platform then applies the logic for the user's access rights. This removes the trouble caused by a user logging in to multiple systems with different identities. At the same time, because the user digital certificate is issued by the CA center, forgery of the user identity is effectively prevented, which improves the security of business-system information.
Accordingly, the invention provides a distributed enterprise authentication and authorization system; see Fig. 4, which is a structural diagram of an embodiment of the distributed enterprise authentication and authorization system of the invention.
The system comprises a server 20 and at least one terminal 10 (the terminals include every terminal hosting a business system whose user identity needs to be unified within the enterprise; only three are shown in the figure, and only one of them is labelled).
The terminal 10 comprises one or more business systems, and each business system is used to send an authentication and authorization request to the server 20 when a user accesses that business system.
In a specific implementation, the authentication and authorization request comprises user information and a digital signature generated with the private key of the user digital certificate. The user information comprises one or more of the user name, the user's mobile phone number, the user's identity card number and an ID code.
The server 20 is used, on receiving an authentication and authorization request from a business system, to authenticate the request and, after authentication passes, to perform the service authorization logic according to the pre-stored permission settings and return the result to the business system.
In a specific implementation, the server 20 obtains the user digital certificate issued by the CA center through the centralized authentication platform and saves it. After the server 20 receives the authentication and authorization request, it looks up the corresponding user digital certificate according to the user information in the request; the user digital certificate contains a public key. The server 20 verifies the digital signature with the public key in the corresponding user digital certificate it found. After the signature is verified, the server 20 performs the service authorization logic according to the pre-stored permission settings and returns the result to the business system. The pre-stored permission settings include: a given user has no right to access certain business systems; a given user may access certain business systems only in "read-only" mode; and a given user may access certain business systems in "read-write" mode. Correspondingly, when the permission of the verified user for the business system being accessed is "no access", the server returns "no access" to the business system; when it is "read-only", the server returns "read-only"; and when it is "read-write", the server returns "read-write".
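The step in which the server 20 saves a certificate it obtained through the centralized authentication platform, as an added example in Go (not the patent's or the assignee's code). The text states that a CA-issued certificate prevents identity forgery; that holds only if the server confirms, before filing a certificate under a user name, that it actually chains to the enterprise CA and names that user. The example assumes ECDSA P-256 keys, an in-process self-signed root standing in for the CA center, and the names CertStore, NewCA and IssueUser, all of which are ours.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for pub with the signer's key; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CA stands in for the CA center of the text: a self-signed root that issues user certificates.
type CA struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &CA{key: key, Cert: cert}, err
}

// IssueUser binds a user name to the user's public key in a certificate signed by this CA.
func (ca *CA) IssueUser(user string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: user}, KeyUsage: x509.KeyUsageDigitalSignature}
	return issue(tmpl, ca.Cert, pub, ca.key)
}

// CertStore is the part of the server that saves the user certificates obtained through
// the centralized platform. It trusts only the enterprise CA's root.
type CertStore struct {
	roots *x509.CertPool
	certs map[string]*x509.Certificate
}

func NewCertStore(root *x509.Certificate) *CertStore {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &CertStore{roots: pool, certs: map[string]*x509.Certificate{}}
}

// Store saves a certificate only if it chains to the enterprise CA and its subject is the
// user it is being filed under. Without this check, a self-made certificate could be
// registered under another user's name and its key would then pass signature verification.
func (s *CertStore) Store(user string, cert *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate for %q rejected: %w", user, err)
	}
	if cert.Subject.CommonName != user {
		return fmt.Errorf("certificate subject %q does not match user %q", cert.Subject.CommonName, user)
	}
	s.certs[user] = cert
	return nil
}

// PublicKey returns the public key from the user's stored certificate, which is the key
// the authentication module uses to verify request signatures.
func (s *CertStore) PublicKey(user string) (*ecdsa.PublicKey, bool) {
	cert, ok := s.certs[user]
	if !ok {
		return nil, false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return pub, ok
}

func main() {
	ca, _ := NewCA("enterprise CA")
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := ca.IssueUser("alice", &userKey.PublicKey)
	store := NewCertStore(ca.Cert)
	fmt.Println("CA-issued:", store.Store("alice", cert)) // <nil>

	rogue, _ := NewCA("some other CA") // a certificate from any other issuer is refused
	bad, _ := rogue.IssueUser("alice", &userKey.PublicKey)
	fmt.Println("other issuer:", store.Store("alice", bad))
}
```

In a deployment the root would be the enterprise CA's published certificate rather than one generated in-process, and the store would also consult the CA's revocation information before trusting a certificate; the chain and subject checks shown here are the minimum that makes "issued by the CA center" a property the server has actually verified.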
For a clearer explanation of the invention, the server 20 in the above distributed enterprise authentication and authorization system is described in detail below.
See Fig. 5, which is a structural diagram of the server 20 of the system shown in Fig. 4. The server 20 comprises:
a user management module 201, an authentication module 202, a system management module 203 and a portal management module 204; preferably, it also comprises a statistical analysis module 205 and a service management module 206.
The user management module 201 is used to manage user information and the access-rights relationship between users and business systems.
In a specific implementation, the user information comprises one or more of the user name, the user's mobile phone number, the user's identity card number and an ID code. Correspondingly, the access-rights relationship between a user and each business system is one of three kinds: "no access", access in "read-only" mode, and access in "read-write" mode.
The authentication module 202 is used to perform identity authentication and service authorization for the user.
In a specific implementation, after the server 20 receives the authentication and authorization request, it looks up the corresponding user digital certificate according to the user information in the request; the user digital certificate contains a public key. The authentication module 202 verifies the digital signature with the public key in the corresponding user digital certificate it found. After the signature is verified, the authentication module 202 performs the service authorization logic according to the pre-stored permission settings and returns the result to the business system. The pre-stored permission settings include: a given user has no right to access certain business systems; a given user may access certain business systems only in "read-only" mode; and a given user may access certain business systems in "read-write" mode. Correspondingly, when the permission of the verified user for the business system being accessed is "no access", the authentication module returns "no access" to the business system; when it is "read-only", it returns "read-only"; and when it is "read-write", it returns "read-write".
The system management module 203 is used to provide basic support for the authentication module, including operator management, rights management and configuration management.
In a specific implementation, user information is entered by operators, and the identity management and rights management of operators, as well as the internal configuration management of the server, are all implemented by the system management module 203.
The portal management module 204 is used to provide interface-operation capability to each module that needs interface operations; the modules needing interface operations include, but are not limited to, the user management module and the system management module.
In a specific implementation, the preferred service management module 205 and statistical analysis module 206 are also modules that need interface operations, and the portal management module 204 is also used to provide the interface-operation capability to the service management module 205 and the statistical analysis module 206.
The service management module 205 is used to manage the services the enterprise provides and to provide a review and go-live mechanism for newly added services.
In a specific implementation, the enterprise provides multiple business systems, and their number keeps growing as enterprise demand grows. The service management module 205 is used to manage newly added business systems and to provide a review and go-live mechanism for newly added services.
The statistical analysis module 206 is used to compile statistics on information such as each item of business data, the usage of business data and user behaviour.
In a specific implementation, the statistical analysis module 206 compiles statistics on information such as certain business data, business-data usage and user behaviour according to the operator's instructions.
The distributed authentication and authorization system of this embodiment comprises terminals and a server; the server obtains the user digital certificate issued by the CA center through the centralized authentication platform and saves it. The same user thus logs in to multiple business systems with one unified user digital certificate and is authenticated and authorized, which removes the trouble caused by logging in to multiple systems with different identities; at the same time, because the user digital certificate is issued by the CA center, forgery of the user identity is effectively prevented, which improves the security of business-system information.
The invention also provides a distributed enterprise authentication and authorization embedded terminal; see Fig. 6, which is a structural diagram of an embodiment of the distributed enterprise authentication and authorization embedded terminal of the invention.
The embedded terminal comprises an embedded business system 10 and an embedded authentication system 20.
The embedded business system 10 is used to send an authentication and authorization request to the embedded authentication system when a user accesses the embedded business system.
In a specific implementation, the authentication and authorization request comprises user information and a digital signature generated with the private key of the user digital certificate. The user information comprises one or more of the user name, the user's mobile phone number, the user's identity card number and an ID code.
The embedded authentication system 20 is used, on receiving an authentication and authorization request from the embedded business system, to authenticate the request and, after authentication passes, to perform the service authorization logic according to the pre-stored permission settings and return the result to the embedded business system.
In a specific implementation, the embedded authentication system 20 obtains the user digital certificate issued by the CA center through the centralized authentication platform and saves it. After the embedded authentication system 20 receives the authentication and authorization request, it looks up the corresponding user digital certificate according to the user information in the request; the user digital certificate contains a public key. The embedded authentication system verifies the digital signature with the public key in the corresponding user digital certificate it found. After the signature is verified, the embedded authentication system performs the service authorization logic according to the pre-stored permission settings and returns the result to the embedded business system. The pre-stored permission settings include: a given user has no right to access certain business systems; a given user may access certain business systems only in "read-only" mode; and a given user may access certain business systems in "read-write" mode. Correspondingly, when the permission of the verified user for the business system being accessed is "no access", the embedded authentication system 20 returns "no access" to the embedded business system; when it is "read-only", it returns "read-only"; and when it is "read-write", it returns "read-write".
For a clearer explanation of the invention, the embedded authentication system 20 in the above distributed enterprise authentication and authorization embedded terminal is described in detail below.
See Fig. 7, which is a structural diagram of the embedded authentication system 20 of the embedded terminal shown in Fig. 6. The embedded authentication system 20 comprises:
a user management module 201, an authentication module 202, a system management module 203 and a service management module 204.
The user management module 201 is used to manage user information and the access-rights relationship between users and business systems.
In a specific implementation, the user information comprises one or more of the user name, the user's mobile phone number, the user's identity card number and an ID code. Correspondingly, the access-rights relationship between a user and each business system is one of three kinds: "no access", access in "read-only" mode, and access in "read-write" mode.
The authentication module 202 is used to perform identity authentication and service authorization for the user.
In a specific implementation, after the embedded authentication system 20 receives the authentication and authorization request, it looks up the corresponding user digital certificate according to the user information in the request; the user digital certificate contains a public key. The authentication module 202 verifies the digital signature with the public key in the corresponding user digital certificate it found. After the signature is verified, the authentication module 202 performs the service authorization logic according to the pre-stored permission settings and returns the result to the embedded business system. The pre-stored permission settings include: a given user has no right to access certain business systems; a given user may access certain business systems only in "read-only" mode; and a given user may access certain business systems in "read-write" mode. Correspondingly, when the permission of the verified user for the business system being accessed is "no access", the embedded authentication system returns "no access" to the embedded business system; when it is "read-only", it returns "read-only"; and when it is "read-write", it returns "read-write".
The system management module 203 is used to provide basic support for the authentication module, including operator management, rights management and configuration management.
In a specific implementation, user information is entered by operators, and the identity management and rights management of operators, as well as the internal configuration management of the server, are all implemented by the system management module 203.
The service management module 204 is used to manage the services the enterprise provides and to provide a review and go-live mechanism for newly added services.
In a specific implementation, the enterprise provides multiple business systems, and their number keeps growing as enterprise demand grows. The service management module 204 is used to manage newly added business systems and to provide a review and go-live mechanism for newly added services.
The distributed authentication and authorization embedded terminal of this embodiment comprises an embedded business system and an embedded authentication system; the embedded authentication system obtains the user digital certificate issued by the CA center through the centralized authentication platform and saves it. The same user thus logs in to multiple business systems with one unified user digital certificate and is authenticated and authorized, which removes the trouble caused by logging in to multiple systems with different identities; at the same time, because the user digital certificate is issued by the CA center, forgery of the user identity is effectively prevented, which improves the security of business-system information.
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments may be accomplished by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of each of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
What is disclosed above is merely a preferred embodiment of the invention and certainly does not limit the scope of the invention; those of ordinary skill in the art will appreciate that implementing all or part of the flow of the above embodiments, and any equivalent variation made according to the claims of the invention, still falls within the scope covered by the invention.

Claims (10)

1. A distributed enterprise authentication and authorization method, characterized in that it comprises:
a distributed authentication and authorization platform obtaining and saving a user digital certificate through a centralized authentication platform;
a business platform sending an authentication and authorization request to the distributed authentication and authorization platform;
the distributed authentication and authorization platform authenticating the authentication and authorization request according to the user digital certificate and, after authentication passes, performing service authorization logic according to pre-stored permission settings and returning a result to the business platform;
the business platform performing business logic processing according to the result.
2. The method of claim 1, characterized in that the step of the distributed authentication and authorization platform obtaining and saving the user digital certificate through the centralized authentication platform comprises:
the distributed authentication and authorization platform recording user information and sending the user information and a user digital certificate request to the centralized authentication platform;
the centralized authentication platform looking up the user digital certificate according to the user information and, when it is found, returning the user digital certificate; when it is not found, after judging that the user information meets the requirements, obtaining the user digital certificate from the CA center and returning it;
the distributed authentication and authorization platform saving the user information and its corresponding user digital certificate.
3. The method of claim 1, characterized in that the authentication and authorization request comprises user information and a digital signature generated with the private key of the user digital certificate.
4. The method of claim 3, characterized in that the step of the distributed authentication and authorization platform authenticating the authentication and authorization request according to the user digital certificate comprises:
the distributed authentication and authorization platform receiving the authentication and authorization request;
the distributed authentication and authorization platform looking up the corresponding user digital certificate according to the user information, the user digital certificate containing a public key;
the distributed authentication and authorization platform verifying the digital signature with the public key in the corresponding user digital certificate it found.
5. The method of any one of claims 1 to 4, characterized in that the user information comprises one or more of a user name, a mobile phone number, an identity card number and an ID code.
6. A distributed enterprise authentication and authorization system comprising a server and at least one terminal, characterized in that:
the terminal comprises one or more business systems, and each business system is used to send an authentication and authorization request to the server when a user accesses that business system;
the server is used, on receiving an authentication and authorization request from a business system, to authenticate the request and, after authentication passes, to perform service authorization logic according to pre-stored permission settings and return a result to the business system.
7. The system of claim 6, characterized in that the server comprises a user management module, an authentication module, a system management module and a portal management module;
the user management module is used to manage user information and the access-rights relationship between users and business systems;
the authentication module is used to perform identity authentication and service authorization for the user;
the system management module is used to provide basic support for the authentication module, including operator management, rights management and configuration management;
the portal management module is used to provide interface-operation capability to each module that needs interface operations, the modules needing interface operations including, but not limited to, the user management module and the system management module.
8. The system of claim 7, characterized in that the server further comprises a statistical analysis module and a service management module;
the service management module is used to manage the services the enterprise provides and to provide a review and go-live mechanism for newly added services;
the statistical analysis module is used to compile statistics on information such as each item of business data, the usage of business data and user behaviour.
9. A distributed enterprise authentication and authorization embedded terminal, characterized in that it comprises an embedded business system and an embedded authentication system;
the embedded business system is used to send an authentication and authorization request to the embedded authentication system when a user accesses the embedded business system;
the embedded authentication system is used, on receiving an authentication and authorization request from the embedded business system, to authenticate the request and, after authentication passes, to perform service authorization logic according to pre-stored permission settings and return a result to the embedded business system.
10. The embedded terminal of claim 9, characterized in that the embedded authentication system comprises a user management module, an authentication module, a service management module and a system management module;
the user management module is used to manage user information, the user information comprising user identity information, and the access-rights relationship between users and business systems;
the authentication module is used to perform identity authentication and service authorization for the user;
the service management module is used to manage the services the enterprise provides and to provide a review and go-live mechanism for newly added services;
the system management module is used to provide basic support for the authentication module, including operator management, rights management and configuration management.
CN2010105500890A 2010-11-18 2010-11-18 Distributive enterprise identification authentication method, system and embedded terminal Pending CN102468961A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105500890A CN102468961A (en) 2010-11-18 2010-11-18 Distributive enterprise identification authentication method, system and embedded terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105500890A CN102468961A (en) 2010-11-18 2010-11-18 Distributive enterprise identification authentication method, system and embedded terminal

Publications (1)

Publication Number Publication Date
CN102468961A true CN102468961A (en) 2012-05-23

Family

ID=46072173

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105500890A Pending CN102468961A (en) 2010-11-18 2010-11-18 Distributive enterprise identification authentication method, system and embedded terminal

Country Status (1)

Country Link
CN (1) CN102468961A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867269A (en) * 2012-08-29 2013-01-09 福建联迪商用设备有限公司 Synchronous transmission system and method for financial service data
CN104243154A (en) * 2013-06-07 2014-12-24 腾讯科技(深圳)有限公司 Server user authority centralized control system and server use authority centralized control method
CN105357190A (en) * 2015-10-26 2016-02-24 网宿科技股份有限公司 Method and system for performing authentication on access request
CN106936582A (en) * 2015-12-31 2017-07-07 航天信息股份有限公司 Electronic Seal System and method
CN107111697A (en) * 2014-10-15 2017-08-29 艾拉物联公司 For the access control based roles of the consumer device connected
CN107294722A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 A kind of terminal identity authentication method, apparatus and system
CN107580000A (en) * 2017-10-20 2018-01-12 北京知道创宇信息技术有限公司 Digital certificate authentication method and device
CN108427880A (en) * 2018-03-07 2018-08-21 北京元心科技有限公司 The method and device of program operation
CN109194681A (en) * 2018-09-27 2019-01-11 卓望数码技术(深圳)有限公司 A kind of mobile terminal/server-side mobile application security authentication method, apparatus and system
CN110493237A (en) * 2019-08-26 2019-11-22 深圳前海环融联易信息科技服务有限公司 Identity management method, device, computer equipment and storage medium
CN113569285A (en) * 2021-07-26 2021-10-29 长春吉大正元信息安全技术有限公司 Identity authentication and authorization method, device, system, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1469583A (en) * 2002-07-16 2004-01-21 北京创原天地科技有限公司 Method of sharing subscriber confirming information in different application systems of internet
CN1738241A (en) * 2005-04-28 2006-02-22 上海交通大学 Identity attestation safety control method based on remote distributed assembly
CN101207485A (en) * 2007-08-15 2008-06-25 深圳市同洲电子股份有限公司 System and method of unification identification safety authentication for users
CN101207482A (en) * 2007-12-13 2008-06-25 深圳市戴文科技有限公司 System and method for implementation of single login

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867269A (en) * 2012-08-29 2013-01-09 福建联迪商用设备有限公司 Synchronous transmission system and method for financial service data
CN104243154B (en) * 2013-06-07 2018-07-06 腾讯科技(深圳)有限公司 Server user's permission centralized control system and method
CN104243154A (en) * 2013-06-07 2014-12-24 腾讯科技(深圳)有限公司 Server user authority centralized control system and server use authority centralized control method
CN107111697A (en) * 2014-10-15 2017-08-29 艾拉物联公司 For the access control based roles of the consumer device connected
CN107111697B (en) * 2014-10-15 2021-01-05 艾拉物联网络(深圳)有限公司 Role-based access control for connected consumer devices
CN105357190A (en) * 2015-10-26 2016-02-24 网宿科技股份有限公司 Method and system for performing authentication on access request
CN105357190B (en) * 2015-10-26 2018-12-07 网宿科技股份有限公司 The method and system of access request authentication
CN106936582A (en) * 2015-12-31 2017-07-07 航天信息股份有限公司 Electronic Seal System and method
CN107294722A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 A kind of terminal identity authentication method, apparatus and system
CN107580000A (en) * 2017-10-20 2018-01-12 北京知道创宇信息技术有限公司 Digital certificate authentication method and device
CN108427880A (en) * 2018-03-07 2018-08-21 北京元心科技有限公司 The method and device of program operation
CN109194681A (en) * 2018-09-27 2019-01-11 卓望数码技术(深圳)有限公司 A kind of mobile terminal/server-side mobile application security authentication method, apparatus and system
CN110493237A (en) * 2019-08-26 2019-11-22 深圳前海环融联易信息科技服务有限公司 Identity management method, device, computer equipment and storage medium
CN113569285A (en) * 2021-07-26 2021-10-29 长春吉大正元信息安全技术有限公司 Identity authentication and authorization method, device, system, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN102468961A (en) Distributive enterprise identification authentication method, system and embedded terminal
CN111383021B (en) Node management method, device, equipment and medium based on block chain network
CN108684041B (en) System and method for login authentication
CN101751712B (en) Centralized invoice authentication system and authentication method
EP2605175B1 (en) Method and apparatus for checking field replaceable unit and communication device
CN109286632B (en) Block chain-based big data authorization and evidence-storing method and system
CN100464315C (en) Mobile memory divulgence protection method and system
CN104320389B (en) A kind of fusion identity protection system and method based on cloud computing
CN103416040A (en) Terminal control method, apparatus and terminal
KR20080032228A (en) Secure software updates
KR101509043B1 (en) Implementing method, system of universal card system and smart card
CN106161348A (en) A kind of method of single-sign-on, system and terminal
CN109254734A (en) A kind of date storage method, device, equipment and computer readable storage medium
CN102685122B (en) The method of the software protection based on cloud server
CN104104650B (en) data file access method and terminal device
CN103905514A (en) Server, terminal device and network data access right management method
CN110543775B (en) Data security protection method and system based on super-fusion concept
US20210157910A1 (en) Access card penetration testing
CN102542645A (en) Entrance guard authentication method and system
CN104735020A (en) Method, device and system for acquiring sensitive data
CN110955909B (en) Personal data protection method and block link point
CN100476841C (en) Method and system for centrally managing code to hard disk of enterprise
CN108427982A (en) A kind of data read-write method and device
CN106034031A (en) Method, device, terminal and cloud authentication platform for obtaining identity information
CN116319927A (en) Service calling method, electronic equipment and system in hybrid cloud environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20160316

C20 Patent right or utility model deemed to be abandoned or is abandoned