CN103684798B - Authentication method used in distributed user service - Google Patents
- Authority: CN (China)
- Prior art keywords
- key
- authentication center
- authentication
- server
- client
- Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses an authentication system for use between distributed user services. The system comprises an authentication center, a client, a server and customized identity authentication devices, wherein the authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client and the server are connected pairwise, and the client and the server are each connected to a customized identity authentication device through a USB (Universal Serial Bus) port; the encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all the customized identity authentication devices; the identity authentication devices perform encryption and decryption and store the keys of the identity authenticators and the keys used in communication. When encrypted data communication is performed, both parties to each communication encrypt with keys: the server and the authentication center, and the client and the authentication center, each use their own corresponding key, while the client and the server use a session key newly generated by the authentication center. The system has the advantages of safety and reliability, and the hidden danger of data leakage is lowered.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to an authentication system for use between distributed user services.
Background technology
With the continuous development of Internet technology, the terminals of every platform have come to offer higher performance, richer interfaces and operating systems, and more abundant computing resources; on this basis, the security requirements placed on platforms have gradually risen. Information security mainly comprises two aspects: system security and data security. System security typically relies on firewalls, anti-virus software and other protective techniques, which are passive safety measures. Data security, by contrast, uses modern cryptographic techniques to protect data actively, for example through data confidentiality, data integrity and identity authentication.
A digital signature is a string of digits that others cannot forge and that only the sender of the information can produce; it also serves as valid proof of the authenticity of the information sent by its sender, and in cryptography it is the combined application of asymmetric encryption and digital digest technology. Transmitting digital signatures also requires a trusted management body that uniformly issues, manages and revokes digital certificates: the certificate authority (CA). A CA centre issues a digital certificate to each user of public-key cryptography; the certificate attests that the user named in it legitimately holds the public key it lists. The CA's own digital signature prevents an attacker from forging or tampering with certificates, and the CA is responsible for generating, distributing and managing the digital certificates needed by every party to an online transaction, so it is the core link of secure electronic transactions. At present, data and key information are transmitted over the network in plaintext or with only simple encryption, which brings a considerable risk of data leakage and a low degree of information security.
The content of the invention
The object of the present invention is to provide a safe and reliable authentication system for use between distributed user services, with the functions of authenticating user legitimacy, encrypted data transmission and information signing.
The technical solution that achieves this object is: an authentication system for use between distributed user services, comprising an authentication center, a client computer, a server and customized identity authentication devices, wherein the authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client computer and the server are connected pairwise, and the client computer and the server are each connected through a USB interface to a customized identity authentication device; the encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all the customized identity authentication devices; the identity authentication device performs encryption and decryption and stores the identity authentication key and the key currently in use; when encrypted data communication takes place, both parties to every communication encrypt with keys: the server and the authentication center, and the client computer and the authentication center, each use their own corresponding key, while the client computer and the server use a session key newly generated by the authentication center.
An authentication method for use between distributed user services comprises the following steps:
Step 1: the client computer reads the identity information in the customized identity authentication device, encrypts the user information, the service information and a timestamp using the device's encryption chip and the user key, and sends the result to the authentication center;
Step 2: the authentication center reads the user key from its internal encryption storage medium, decrypts the received authentication information and judges whether the user is legitimate; if the user is legitimate, the authentication center uses its internal encryption chip to generate the public and private key to be used by the service provider's server in this session, the public and private key to be used by the client computer, and the session key to be used in the session;
Step 3: the authentication center reads the service-side server key stored in its internal encryption storage medium, encrypts the service-side server private key for this session, the client computer's public key and the session key, and sends them to the service-side server;
Step 4: the service-side server uses the service-side key stored in its customized identity authentication device to decrypt the server private key, the client public key and the session key, generates a confirmation, encrypts it with the session key and sends it to the authentication center;
Step 6: after the authentication center receives the server's confirmation, it encrypts the server public key, the client private key and the session key with the client key and sends them to the client computer;
Step 7: the client computer uses its customized identity authentication device to decrypt the client private key, the server public key and the session key, encrypts a confirmation with the session key and sends it to the authentication center;
Step 8: the server uses the session key, and authentication-completed information is sent to the client computer and the service-side server respectively; after the client computer and the server receive the authentication-completed information, they communicate independently of the authentication center.
Compared with the prior art, the present invention has the following notable advantages: (1) the authentication center controls the generation and propagation of certificates, and certificates and keys are used in combination to realize a complete encryption and authentication mechanism; (2) passwords and keys are never propagated over the network in plaintext, and keys are propagated only in encrypted form; (3) certificates have a short life cycle, and every session produces new certificates; (4) the authentication center's server encrypts with an encryption chip and stores data in an encrypted storage chip, and the client performs key operations with a customized device and computes without involving the host computer, which is safe and efficient.
Description of the drawings
Fig. 1 is a structural schematic of the authentication system of the present invention for use between distributed user services.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment.
With reference to Fig. 1, the authentication system of the present invention for use between distributed user services comprises an authentication center, a client computer, a server and customized identity authentication devices; the authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client computer and the server are connected pairwise, and the client computer and the server are each connected through a USB interface to a customized identity authentication device.
The encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all the customized identity authentication devices. The identity authentication device performs encryption and decryption and stores the identity authentication key and the key currently in use. The customized identity authentication device comprises an encryption chip, an encryption storage medium and an encryption cache, where the encryption chip is connected to the encryption storage medium and to the encryption cache; the device's encryption chip performs encryption and decryption, its encryption storage medium stores the identity authentication key, and its encryption cache stores the key currently in use. When encrypted data communication takes place, both parties to every communication encrypt with keys: the server and the authentication center, and the client computer and the authentication center, each use their own corresponding key, while the client computer and the server use a session key newly generated by the authentication center.
The principle of the present invention is: both the user and the server must hold a password at the authentication center, which acts as the certification authority, but the password is never transmitted over the network in the form of plaintext, ciphertext or a hash value. Through a defined flow, the information the user uses to confirm identity to the authentication center and to the server is transmitted in encrypted form, and every transmission uses a digital signature to strengthen the integrity check of the data; the certificate files used for authentication have an adjustable life cycle. The authentication center automatically controls all certificates and can realize the functions of creating, revoking and renewing certificates.
Realizing the whole system requires at least three computers. The authentication center is a customized computer with an integrated dedicated encryption chip that has hardware-level encryption/decryption circuitry and key-generation circuitry, realizing high-speed, highly concurrent encryption and decryption; the authentication center also has a large-capacity encryption storage medium for storing the key of every customized identity authentication device, and this encryption storage medium can only be read and written through the encryption chip. The customized identity authentication device connects to the client computer and the server over a USB interface; it also contains an encryption chip and an encryption storage medium, where the encryption chip realizes only hardware-level encryption, decryption and digital signing, and the encryption storage medium stores only the authenticator's key; it additionally has an encryption cache for storing the various keys used in communication with the service-side server. Each identity authentication device has a unique key, and each key can be registered at the time of ordering.
The authentication method of the present invention for use between distributed user services has the capability of global certificate management; the password is not transmitted over the network in any form and serves only as an intermediate encryption key; throughout the process, certificates and symmetric encryption are used as the means of digital signature and authentication. Authentication and service request comprise the following steps:
Step 1: the client computer reads the identity information in the customized identity authentication device, encrypts the user information, the service information and a timestamp using the device's encryption chip and the user key, and sends the result to the authentication center;
Step 2: the authentication center reads the user key from its internal encryption storage medium, decrypts the received authentication information and judges whether the user is legitimate; if the user is legitimate, the authentication center uses its internal encryption chip to generate the public and private key to be used by the service provider's server in this session, the public and private key to be used by the client computer, and the session key to be used in the session;
Step 3: the authentication center reads the service-side server key stored in its internal encryption storage medium, encrypts the service-side server private key for this session, the client computer's public key and the session key, and sends them to the service-side server;
Step 4: the service-side server uses the service-side key stored in its customized identity authentication device to decrypt the server private key, the client public key and the session key, generates a confirmation, encrypts it with the session key and sends it to the authentication center;
Step 6: after the authentication center receives the server's confirmation, it encrypts the server public key, the client private key and the session key with the client key and sends them to the client computer;
Step 7: the client computer uses its customized identity authentication device to decrypt the client private key, the server public key and the session key, encrypts a confirmation with the session key and sends it to the authentication center;
Step 8: the server uses the session key, and authentication-completed information is sent to the client computer and the service-side server respectively;
Step 9: after the client computer and the server receive the authentication-completed information, they communicate independently of the authentication center; every transmission is encrypted with the session key and signed with the respective key.
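The exchange described in steps 2 to 9 above, as an added example that is not part of the patent: the authentication center mints the session key and both per-session key pairs, wraps each party's share under the pre-shared key held in that party's customized device, and the two parties then talk without the center, signing each message and encrypting it under the session key. The patent names no algorithms, so AES-256-GCM standing in for the hardware encryption chip and Ed25519 for the key pairs are this example's assumptions, as are all names and the package layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// seal/open stand in for the device's hardware encryption chip (assumption: AES-256-GCM, random nonce).
func seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key) // keys in this example are always 32 bytes
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(b)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// AuthCenter: its encryption storage medium holds one pre-shared key per customized device.
type AuthCenter struct {
	userKeys, serverKeys map[string][]byte
}

// Steps 2-6: once the user key check has passed, the center mints the session key and both
// session key pairs, wraps the server's share under the service-side key and the client's share
// under the user key. Package layout: own private key (64) | peer public key (32) | session key (32).
func (ac *AuthCenter) Distribute(userID, serviceID string) (forServer, forClient []byte, err error) {
	sKey, okS := ac.serverKeys[serviceID]
	uKey, okU := ac.userKeys[userID]
	if !okS || !okU {
		return nil, nil, errors.New("unknown party")
	}
	sk := make([]byte, 32)
	rand.Read(sk)
	cPub, cPriv, _ := ed25519.GenerateKey(rand.Reader)
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	return seal(sKey, concat(sPriv, cPub, sk)), seal(uKey, concat(cPriv, sPub, sk)), nil
}

// Unwrap runs inside either party's customized device; a package not produced under this
// device's key (or tampered with in transit) fails the GCM tag check and is rejected.
func Unwrap(deviceKey, pkg []byte) (ed25519.PrivateKey, ed25519.PublicKey, []byte, error) {
	pt, err := open(deviceKey, pkg)
	if err != nil || len(pt) != 128 {
		return nil, nil, nil, errors.New("package rejected")
	}
	return ed25519.PrivateKey(pt[:64]), ed25519.PublicKey(pt[64:96]), pt[96:], nil
}

// Step 9: with the session material in hand the parties talk without the center; each message
// is signed with the sender's session private key and then encrypted under the session key.
func Send(sk []byte, priv ed25519.PrivateKey, msg []byte) []byte {
	return seal(sk, concat(ed25519.Sign(priv, msg), msg))
}

func Receive(sk []byte, peerPub ed25519.PublicKey, ct []byte) ([]byte, error) {
	pt, err := open(sk, ct)
	if err != nil || len(pt) < 64 || !ed25519.Verify(peerPub, pt[64:], pt[:64]) {
		return nil, errors.New("message rejected") // bad session key, truncated, or wrong signer
	}
	return pt[64:], nil // the signature is the first 64 bytes, the message follows
}
```

Note that the center generates both private keys, so its encryption storage medium is the trust anchor for every session; this is the design the patent describes, not a property the example adds.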
Through these 9 steps, user authentication and the transmission of the private key used for digital signatures are achieved. The client private key used by the user has a fixed validity period; after it expires the authentication center revokes the key, and the user must authenticate again, which is the key re-application process. The key re-application process is as follows:
1st step: before the key expires, the authentication center uses the session key to send, in advance and to both the client computer and the server, a key-expiry notice together with the expiry time.
2nd step: before the expiry time, the client computer and the server may still communicate using the previously requested session key and public/private keys.
3rd step: when the expiry time arrives, the server sends key-expiry information to the client computer using the old session key and suspends the service.
4th step: after the client computer receives the key-expiry information, it stops using the key and submits a service request to the authentication center according to step 1 of the authentication process.
5th step: the client computer and the server re-authenticate according to the authentication process and generate a new session key and new public/private keys.
6th step: the client computer sends a service-resumption request to the service side using the new session key.
7th step: the server resumes the service after receiving the service-resumption request.
In summary, the authentication system of the present invention for use between distributed user services has the functions of authenticating user legitimacy, encrypted data transmission and information signing, and solves the present-day potential problem of data leakage caused by transmitting data and key information over the network in plaintext or with only simple encryption.
Claims (1)
1. An authentication method for use between distributed user services, characterized by comprising the following steps:
Step 1: the client computer reads the identity information in its customized identity authentication device, encrypts the user information, the service information and a timestamp using that device's encryption chip and the user key, and sends the result to the authentication center;
Step 2: the authentication center reads the user key from its internal encryption storage medium, decrypts the received authentication information and judges whether the user is legitimate; if the user is legitimate, the authentication center uses its internal encryption chip to generate the public and private key to be used by the service provider server in this session, the public and private key to be used by the client computer, and the session key to be used in the session;
Step 3: the authentication center reads the service provider server key stored in its internal encryption storage medium, encrypts the service provider server private key for this session, the client computer's public key and the session key, and sends them to the service provider server;
Step 4: the service provider server uses the service provider server key stored in its customized identity authentication device to decrypt and obtain the service provider server private key, the client computer's public key and the session key, generates confirmation information, encrypts it with the session key and sends it to the authentication center;
Step 5: after the authentication center receives the confirmation information of the service provider server, it encrypts the service provider server public key, the client private key and the session key with the user key and sends them to the client computer;
Step 6: the client computer uses its customized identity authentication device to decrypt and obtain the client private key, the service provider server public key and the session key, encrypts confirmation information with the session key and sends it to the authentication center;
Step 7: the service provider server uses the session key to encrypt confirmation information while sending authentication-completed information to the client computer; after the client computer receives the authentication-completed information, it communicates with the service provider server independently of the authentication center.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310753321.4A CN103684798B (en) | 2013-12-31 | 2013-12-31 | Authentication method used in distributed user service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103684798A CN103684798A (en) | 2014-03-26 |
CN103684798B true CN103684798B (en) | 2017-03-22 |
Family ID: 50321192
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310753321.4A Expired - Fee Related CN103684798B (en) | 2013-12-31 | 2013-12-31 | Authentication method used in distributed user service |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103684798B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN103684798A (en) | 2014-03-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20170713. Address after: High tech Zone Nanjing city Jiangsu province 210000 Liufang Road No. 8 Building 7 layer. Patentee after: Nanjing China Network Technology Co., Ltd. Address before: 222000 No. 2 Chenguang Road, Sinpo District, Jiangsu, Lianyungang. Patentee before: Lianyungang Research Institute of Nanjing University of Science and Technology |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170322. Termination date: 20191231 |