CN103379108A - Flexible and safe concentrated identity authentication method - Google Patents

Info

Publication number: CN103379108A
Authority: CN (China)
Prior art keywords: server, user, processing module, intelligent processing, password
Legal status: Granted
Application number: CN2012101286115A
Other languages: Chinese (zh)
Other versions: CN103379108B (en)
Inventors: 张帝, 王艳君, 李财林, 刘玉成, 章传强
Current assignee: Postal Savings Bank of China Ltd
Original assignee: Postal Savings Bank of China Ltd
Priority date: 2012-04-28
Filing date: 2012-04-28
Publication date: 2013-10-30

Events: application filed by Postal Savings Bank of China Ltd; priority to CN201210128611.5A; publication of CN103379108A; application granted; publication of CN103379108B; current status Expired - Fee Related; anticipated expiration.

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)
Abstract

The invention discloses a flexible and secure centralized identity authentication method. According to the method, a temporary server operator can log in to a server using temporary user authentication information (such as a password). An intelligent processing module is introduced on the centralized authentication server side, so that throughout the authentication process the server operator never needs to send the real authentication information, such as the user password, to the temporary server operator, which improves the security of the authentication process. The intelligent processing module guarantees that at any time the server login user password is known only to the server operator or to the temporary server operator, so that the identity of the person logging in can be established. The module records the application for authentication information and the authorized operation traces associated with a user's login throughout the process, eliminating the blind zone in server login user audit information. The module is functionally independent and logically simple, can be deployed uniformly alongside various authentication methods such as LDAP, and satisfies the flexible and diverse requirements of enterprises and public institutions.

Description

A flexible and secure centralized authentication method
Technical field
The present invention relates to a centralized authentication implementation method in which a temporary server administrator logs in to a server using temporary user verification information (such as a password). With this method the server administrator does not need to hand real verification information such as the user password to the temporary administrator; the verification information stays with a single designated person throughout, and the audit of server login users has no blind area.
Background technology
At present, centralized authentication is widely used in many enterprise and institutional applications at home and abroad. Whether the user logs in to a server directly at the console or remotely through telnet, SSH or a similar service, centralized authentication takes several forms. Regardless of whether conventional passwords or security certificates are used, or whether the technical implementation is the Network Information System (NIS), domain authentication, lightweight directory authentication LDAP (Lightweight Directory Authentication Protocol) or Pluggable Authentication Modules (PAM), the composition and operating principle of centralized authentication are essentially the same.
A centralized authentication system consists of a client side and a server side. The client of the centralized authentication system is the server that the user logs in to and accesses; the server side responds to identity authentication requests from the various clients and provides functions such as security auditing of client user logins.
Provided that the client and server sides can reach each other over the network, centralized authentication proceeds in four steps. In the first step, a client identity authentication information file store is created on the centralized authentication server; it holds the verification information, such as user names and passwords, for all clients within its scope of responsibility. In the second step, the centralized authentication client raises an identity authentication request: after the user enters a user name and password at the server login interface, the server's internal process forwards the user name and password to the centralized authentication server for verification and waits for the response. In the third step, the centralized authentication server gives the authentication response: taking the information in its file store as the reference, it strictly checks the accuracy of the newly received information according to the agreed algorithm, decides whether to admit the user, and sends that conclusion to the client. In the fourth step, the centralized authentication client allows or refuses the user's login according to the response of the centralized authentication server.
However, within an institution there is also a widespread need to pass on verification information such as user passwords beyond its designated holder. For example, for work reasons a system administrator may be forced to hand the login verification information (such as the password) of the highest-privilege user (root or Administrator) of a server he or she is responsible for to other people. This inevitably means that several people know the verification information of the same server user, which adds an unsafe factor to system access control. In addition, because of the sharing of verification information introduced by the "dual post" arrangement (two people assigned to one machine) that is common inside institutions, the centralized authentication system cannot explicitly identify which specific person logged in to the server and carried out the operations in question. In summary, existing centralized authentication cannot resolve the contradiction between keeping verification information such as user passwords with a single designated person and the need to pass it on, and the security audit function for server user logins has a blind spot.
Summary of the invention
The present invention is an improvement to the common centralized authentication method for user logins to servers. By additionally deploying an intelligent processing module on the centralized authentication server side, the present invention lets the two requirements of keeping verification information such as user passwords with a single designated person and passing that information on coexist, and the system records throughout the applications and authorized operation traces associated with a user's login, improving the completeness and credibility of the audit information.
The technical solution adopted by the present invention to solve the technical problem is to deploy an intelligent processing module additionally on the centralized authentication server side. The module mainly carries out three flows: "obtain temporary user password (210)", "authorization processing (220)" and "timed user password recovery (230)". When a temporary server administrator wishes to log in to a server with a user and verification information administered by some server administrator, the temporary administrator first raises, through the "obtain temporary user password (210)" flow, a request to obtain temporarily a user password administered by someone else: he or she enters the identifying information of the server to be accessed (such as its IP address) and the user name to be used (310); the intelligent processing module looks up and checks the information file store (320), generates a temporary password for that server user (330), lets the applicant modify and confirm the delivery mode (340), checks the user level and the authorization rules (350), backs up and modifies the contents of the information file store (360), and sends the newly generated temporary user password to the temporary server administrator by the delivery mode determined earlier. A temporary password application for a high-level server user must be authorized by the superior through the "authorization processing (220)" flow. After the superior receives the authorization notification, he or she logs in to the centralized authentication server, enters the authorization operation (410), approves the use of this user password by someone else (420), and modifies and confirms the usable time limit (440); the system again modifies the related contents of the information file store (450) and sends the temporary user password to the temporary server administrator by the delivery mode set during the "obtain temporary user password (210)" flow. In addition, the intelligent processing module detects in real time whether the temporary user password has expired; as soon as the temporary password of the changed server user expires, the module immediately executes the "timed user password recovery (230)" flow, restores the user's original password from the backup information and clears the validity period and related information (510), guaranteeing the consistency of the information file store. After receiving the temporary password, the temporary server administrator can log in to the server with it during its validity period; the login authentication flow is identical to the conventional centralized authentication process. Because the intelligent processing module records in detail the operation traces arising in each flow, with the time of the user password change as the boundary it can be clearly determined whether the user who logged in to the server was the server administrator or the newly authorized temporary server administrator, which guarantees the authenticity and completeness of the audit information.
In addition, to ensure the security of the intelligent processing module itself, the module also contains the usual functions of login user management and rights management and the safeguards applied after failed password attempts, similar to ordinary systems; these are not discussed here.
The beneficial effect of the invention is that, by generating verification information such as server user passwords temporarily, it makes the process by which a temporary server administrator logs in to a server more convenient and satisfies the diverse needs of an enterprise to operate its servers at any time. At the same time, because this scheme guarantees that at any moment the server user password is held only by the server administrator or by the temporary server administrator, it eliminates the blind spot in the user login audit function. The deployment architecture of the invention is essentially the same as a general centralized authentication architecture, and its internal flows are simple and easy to deploy and implement.
Description of drawings
The present invention is described in more detail below with reference to the drawings and embodiments.
Fig. 1 is the overall flow chart of logging in to a server.
Fig. 2 shows the three main operating flows inside the intelligent processing module.
Fig. 3 is the flow chart for obtaining a temporary password for a server login user.
Fig. 4 is the flow chart of the authorization operation.
Fig. 5 is the flow chart of timed user password recovery.
Embodiment
The specific implementation comprises four parts: the overall flow of logging in to a server, logging in to a server with an unauthorized-level user, logging in to a server with an authorization-level user, and the timed user password recovery flow.
1. Overall flow of logging in to a server
Fig. 1 shows the overall flow chart of logging in to a server. (110) The temporary server administrator logs in to the intelligent processing module of the centralized authentication server; (120) according to the level of the server user to be used, the module completes the corresponding internal processing (described in detail in parts 2 and 3 below); (130) it completes the backup and modification of the related contents of the information file; (140) it sends the verification information, such as the temporary user password, to the temporary server administrator; (150) the temporary server administrator or the server administrator logs in to the server with the server user name and the verification information he or she knows or holds; (160) after the server's internal process has received it, the information is forwarded to the common authentication module; (170) the common authentication module checks the accuracy of the verification information and feeds the authentication result back to the centralized authentication client, i.e. the server the user wishes to access; (180) the server to be accessed allows or refuses the login of the temporary server administrator or the server administrator according to the response. (190) The intelligent processing module internally completes the recovery processing for the expired temporary user password.
2. Logging in to a server with an unauthorized-level user
When the temporary server administrator wishes to log in with an unauthorized-level user administered by a server administrator, he or she first raises a request to obtain the server user's password temporarily through the "obtain temporary user password (210)" flow, as shown in Fig. 3. After successfully logging in to the intelligent processing module deployed on the centralized authentication server, the applicant enters the identifying information of the server to be accessed (such as its IP address) and the user name to be used (310); the intelligent processing module looks up and checks the information file store (320), generates the temporary user password (330), and lets the applicant modify and confirm the delivery mode (340): the default mode is direct echo, but SMS notification or mail notification may also be chosen. For a user that does not require authorization (350), the system backs up and modifies the contents of the information file store and echoes or sends the newly generated password by the specified mode (360); the system records the whole operation process and forms an audit log (390). With this temporary password the temporary server administrator accesses the server to be logged in to and enters the user name and its temporary password; after the centralized authentication server has checked them and confirmed that they are correct, the server to be accessed permits the login.
3. Logging in to a server with an authorization-level user
When the temporary server administrator wishes to log in to the server with an authorization-level user (such as root or Administrator) administered by a server administrator, he or she must likewise first raise the request to obtain the server user's password temporarily through the flow shown in Fig. 3. After logging in to the intelligent processing module deployed on the centralized authentication server, the applicant enters the identifying information of the server to be accessed (such as its IP address) and the user name to be used (310); the module looks up and checks the information file store (320), generates the temporary user password (330), and lets the applicant modify and confirm the delivery mode (340), the default being direct echo, with SMS notification or mail notification as alternatives.
For a user that requires authorization (350), after the authorizer and the message notification mode have been confirmed (370), the system backs up and modifies the contents of the information file store (380): it saves information such as the user notification mode, backs up the user's original password, and sets the record to the "awaiting authorization" state. The system records the whole operation process and forms an audit log (390), and the temporary user password is sent only after authorization has been completed.
After the superior receives the authorization notification, he or she completes the authorization through the "authorization processing (220)" flow shown in Fig. 4. The superior logs in to the centralized authentication server (410) and, after confirming the applicant, the user applied for and the time of use, decides whether to approve this application (420). If it is not approved, the system clears the user password state and deletes the redundant backup information (430). If it is approved, the superior modifies and confirms the validity period of the temporary password (440), the password state is changed to "authorized", the password delivery mode registered during the application process is retrieved, and the temporary password is sent (450). Finally the complete operation trace is recorded (460) for later secure login auditing. Once the temporary server administrator has received the temporary password, he or she performs the server login.
4. Timed user password recovery flow
All temporary passwords have a limited validity period. When a temporary password expires, the intelligent processing module internally executes the "timed user password recovery (230)" flow shown in Fig. 5. From the backup information the module restores the original password of the user name and clears the validity period and related information (510), thereby returning exclusive control of the password to the original password administrator. The module records the whole operation process and forms an audit log (520). With the recovery time as the boundary, any later login to the server with this user must have been performed by the server administrator.
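As an added illustration of flows 210, 220 and 230 described in the Summary and in parts 2 to 4 above (this is not code from the patent), the following Python model of the intelligent processing module issues a temporary password for an unauthorized-level user at once, holds an authorization-level user's request (root or Administrator) in the "awaiting authorization" state until a superior approves or rejects it, restores the backed-up original password when the validity period ends, and writes an audit line naming who held the password at each login. The class and method names, the toy SHA-256 hash and the integer seconds clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Accounts whose temporary password needs a superior's approval (the page's
# "authorization-level" users such as root / Administrator). Assumed set.
AUTHORIZATION_LEVEL = {"root", "Administrator"}


def _h(password: str) -> str:
    # Toy hash for the demo; a real file store would use a salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    host: str
    user: str
    password_hash: str
    original_hash: Optional[str] = None   # backup taken when a temp password is issued
    temp_expires: Optional[int] = None    # end of the temp password's validity (seconds)
    state: str = "normal"                 # normal | pending | temporary


class IntelligentProcessingModule:
    """Models flows 210 (request), 220 (authorization) and 230 (timed recovery)."""

    def __init__(self) -> None:
        self.accounts = {}
        self.pending = {}   # (host, user) -> (applicant, validity, temp password)
        self.audit = []     # one dict per recorded operation (steps 390 / 460 / 520)

    def _log(self, now: int, **fields) -> None:
        self.audit.append(dict(t=now, **fields))

    def register(self, host: str, user: str, password: str) -> None:
        self.accounts[(host, user)] = Account(host, user, _h(password))

    def request_temp_password(self, now, applicant, host, user, validity):
        acct = self.accounts[(host, user)]              # 310/320: look up the file store
        if acct.state != "normal":
            raise ValueError("a temporary password is already pending or active")
        temp = secrets.token_urlsafe(12)                # 330: generate the temp password
        acct.original_hash = acct.password_hash         # 360/380: back up the original
        self._log(now, event="temp_requested", host=host, user=user, applicant=applicant)
        if user in AUTHORIZATION_LEVEL:                 # 350: needs authorization first
            acct.state = "pending"
            self.pending[(host, user)] = (applicant, validity, temp)
            return None                                 # delivered after authorize()
        self._activate(now, acct, temp, validity, applicant)
        return temp                                     # delivery mode (340) not modelled

    def authorize(self, now, approver, host, user, approve, validity=None):
        applicant, requested, temp = self.pending.pop((host, user))   # 410/420
        acct = self.accounts[(host, user)]
        self._log(now, event="authorization", host=host, user=user,
                  approver=approver, applicant=applicant, approved=approve)
        if not approve:                                 # 430: clean state, drop backup
            acct.state, acct.original_hash = "normal", None
            return None
        self._activate(now, acct, temp, validity or requested, applicant)  # 440/450
        return temp

    def _activate(self, now, acct, temp, validity, applicant):
        acct.password_hash, acct.temp_expires, acct.state = _h(temp), now + validity, "temporary"
        self._log(now, event="temp_issued", host=acct.host, user=acct.user,
                  holder=applicant, expires=acct.temp_expires)

    def expire(self, now: int) -> None:
        """Flow 230: restore the original password once the temp password has expired (510)."""
        for acct in self.accounts.values():
            if acct.state == "temporary" and acct.temp_expires <= now:
                acct.password_hash, acct.original_hash = acct.original_hash, None
                acct.temp_expires, acct.state = None, "normal"
                self._log(now, event="password_restored", host=acct.host, user=acct.user)

    def authenticate(self, now: int, host: str, user: str, password: str) -> bool:
        """Login check (steps 150-180); the audit line names who holds the password now."""
        self.expire(now)                                # real-time expiry check
        acct = self.accounts[(host, user)]
        ok = hmac.compare_digest(acct.password_hash, _h(password))
        holder = "temporary operator" if acct.state == "temporary" else "server administrator"
        self._log(now, event="login", host=host, user=user, ok=ok, operator=holder)
        return ok
```

Because the original password is replaced rather than shared while the temporary one is valid, the audit log can attribute every login to exactly one holder by its timestamp, which is the "no blind spot" property the patent claims.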

Claims (7)

1. A flexible and secure centralized authentication method, comprising a client side and a server side, characterized in that: the client sends an identity authentication service request using verification information such as a temporary user password, and the server side provides the authentication response and is deployed with an intelligent processing module.
2. The centralized authentication method according to claim 1, characterized in that: the intelligent processing module additionally deployed on the server side is used to generate and modify the information file store temporarily, making it convenient for persons other than the server administrator to log in to the server.
3. The centralized authentication method according to claim 1, characterized in that: the intelligent processing module additionally deployed on the server side can guarantee that at any moment the server login user password is held by a single person, either the server administrator or the temporary server administrator, with an accurate and checkable separation between them.
4. The centralized authentication method according to claim 1, characterized in that: the intelligent processing module additionally deployed on the server side can selectively provide an authorization function according to the user level, improving the control mechanism for passing passwords between different personnel.
5. The centralized authentication method according to claim 1, characterized in that: the intelligent processing module additionally deployed on the server side can implement validity-period checking of temporary passwords and restore the user password after the period expires.
6. The centralized authentication method according to claim 1, characterized in that: the intelligent processing module additionally deployed on the server side records the operation log throughout, achieving full coverage of server user login audit information with no blind spot.
7. The centralized authentication method according to claim 1, characterized in that: the intelligent processing module additionally deployed on the server side can be used with various server-side implementations such as NIS, domain authentication, LDAP and PAM, and can flexibly extend the authentication function according to the characteristics of each scheme.

Priority and Family

Application number: CN201210128611.5A (granted as CN103379108B)
Priority date: 2012-04-28
Filing date: 2012-04-28
Title: A kind of flexible safe central authentication method
Status: Expired - Fee Related
Family ID: 49463671
Country status: CN, CN103379108B (en)

Publications (2)

Publication Number Publication Date
CN103379108A (en) 2013-10-30
CN103379108B (en) 2016-06-08

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656963A (en) * 2008-08-21 2010-02-24 财团法人工业技术研究院 Method and system for managing network identities
CN101369893A (en) * 2008-10-06 2009-02-18 ***通信集团设计院有限公司 Method for local area network access authentication of casual user
CN101483525A (en) * 2009-01-22 2009-07-15 中兴通讯股份有限公司 Implementing method for authentication center
EP2391083A1 (en) * 2009-01-22 2011-11-30 ZTE Corporation Method for realizing authentication center and authentication system
CN101674575A (en) * 2009-09-17 2010-03-17 中兴通讯股份有限公司 Method for protecting security of mobile communication terminal data and device thereof

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105159701A (en) * 2015-07-30 2015-12-16 广东欧珀移动通信有限公司 System resetting method and terminal
CN107124390A (en) * 2016-02-25 2017-09-01 阿里巴巴集团控股有限公司 Prevention-Security, implementation method, the apparatus and system of computing device
CN107124390B (en) * 2016-02-25 2021-05-04 阿里巴巴集团控股有限公司 Security defense and implementation method, device and system of computing equipment
CN109450859A (en) * 2018-10-15 2019-03-08 成都安恒信息技术有限公司 A kind of cipher code protection method applied to plaintext agency by agreement in O&M auditing system
CN110430048A (en) * 2019-07-23 2019-11-08 上海易点时空网络有限公司 Account right management method and device
CN110795745A (en) * 2019-10-14 2020-02-14 山东药品食品职业学院 Information storage and transmission system based on server and method thereof

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160608