CN106487785B - A kind of authentication identifying method and system based on mobile terminal - Google Patents


Info

Publication number: CN106487785B (granted patent); application publication CN106487785A
Application number: CN201610860171.0A
Authority: CN (China)
Language: Chinese (zh)
Inventor: 龙毅宏
Current assignee: ITRUSCHINA CO.,LTD.
Original assignee / applicant: Wuhan University of Technology WUT
Legal status: Active (granted)
Prior art keywords: user, information, information system, client, identity

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: ... for authentication of entities
    • H04L63/0815: ... for authentication of entities providing single-sign-on or federations
    • H04L63/18: ... using different networks or channels, e.g. using out of band channels
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3215: ... using a plurality of channels


Abstract

The present invention relates to a mobile-terminal-based identity authentication method and to a system based on that method. The user submits an account name to an information system through an information system client, requesting a login or an identity authentication. At the same time, the user logs in to, or authenticates with, the information system using a login assistant on a mobile terminal together with the user's identity credential. The information system associates the client the user is using with the login assistant, by way of the account name the user submitted and the identity credential the login assistant used. The login assistant then sends information to the information system client through the information system and determines, through a confirmation operation by the user, whether the client has received the information it sent. Once the user confirms that the information system client has received the information sent by the login assistant, the login assistant confirms to the information system that the user of that client may complete the login or identity authentication operation, after which the information system allows the user to log in or treats the user as authenticated.

Description

A kind of authentication identifying method and system based on mobile terminal
Technical field
The invention belongs to the field of information security technology, and specifically concerns a mobile-terminal-based identity authentication method and system.
Background art
To address the risk that a user's account name and password are stolen when a network information system is logged in to (logon) from a public computer, for example in an Internet cafe, and to make logging in to information systems more convenient, a number of login schemes based on a mobile terminal (such as a mobile phone or tablet computer) have been proposed: the present applicant's own patent applications "A login method based on a mobile communication terminal and short messages" (application number 201510225152.6), "A system and login method based on a mobile phone" (application number 201410395338.1) and "An asynchronous login method for information systems" (201510393405.0), as well as a series of patents by Tencent and Baidu proposing mobile-terminal-based solutions. The common feature of these schemes is that, when a user logs in to an information system or application system from a computer, the user completes a login operation on the information or application system, or on an auxiliary login system, using a mobile terminal, and thereby obtains a login to the information or application system on the computer. With these schemes the user need not enter an account name or password on the computer, which avoids the risk of the account name and password being stolen on a public computer.
These schemes either require the user to scan a bar code (two-dimensional code) with the mobile terminal, or require the user to type, on the computer or on the mobile terminal performing the login, a random string used to establish an association between the user's computer and the mobile terminal; to prevent an attacker from guessing it, this random string must be long enough. Scanning a bar code or manually entering a long random string is inconvenient for the user (either way the user has to perform extra operations, and manual entry is error-prone).
Summary of the invention
The purpose of the present invention is to propose a mobile-terminal-based identity authentication method and system that overcome the shortcomings of the existing schemes.
To that end, the technical solution proposed by the present invention comprises a mobile-terminal-based identity authentication method and a system based on that method. The mobile-terminal-based identity authentication method is as follows.
When a user logs in to or authenticates with an information system (logon or authentication) through an information system client, the user enters, in the information system client (its login or authentication interface), the user's account name in the information system, and the account name is submitted to the information system;
Before or after the account name is submitted to the information system through the information system client, the user uses the login assistant on a mobile terminal, together with the user's identity credential for the information system, to complete a login or identity authentication operation with the information system (successfully logging in or passing authentication);
After the user has submitted the account name to the information system through the information system client and has completed a login or authentication operation with the information system through the login assistant, the information system uses the account name submitted through the client and the identity credential used by the login assistant to associate the session between the information system and the user's client with the session between the information system and the user's login assistant (thereby associating the client the user is using with the login assistant the user is using). The information system then sends the login assistant a request asking whether the user should be allowed to log in to or authenticate with the information system, or a prompt that the user has requested a login or authentication (if several information system clients are attempting a login or authentication with the same account name, there are several such session associations, the login assistant receives several requests or prompts, and the user handles them one at a time);
On receiving the request to allow the user to log in or authenticate, or the prompt that the user is requesting a login or authentication, the login assistant, either automatically or after the user clicks to confirm, sends information to the information system client through the information system; alternatively, the login assistant prompts the user to enter information in the login assistant's human-computer interface and sends the user's input to the information system client through the information system;
The login assistant determines, through a confirmation operation by the user, whether the information system client has received the information the login assistant sent;
If the user's confirmation operation establishes that the information system client has received the information sent by the login assistant, the login assistant confirms to the information system that the user of the (associated) information system client is allowed to complete the login or authentication operation (successfully log in or pass authentication), after which the information system allows the user of that client to log in or treats the user as authenticated;
If the user's confirmation operation establishes that the information system client has not received the information sent by the login assistant, the login assistant either requires the information system to refuse the login or authentication operation being attempted by the user of the currently used (associated) information system client, or continues sending information to the client through the information system and continues to determine, through the user's confirmation operation, whether the client has received it, until it is established that the client has received the information or until a maximum number of attempts is reached (the maximum number of send-and-confirm rounds, which can be preset), at which point the login assistant requires the information system to refuse the login or authentication operation being attempted by the user of the currently used (associated) information system client;
The information system is either an application system that provides application functions or a system that performs online identity authentication of users; the information system client is the information system's program on the user's computer, i.e. a client program (including dedicated client programs and general-purpose client programs such as a browser);
The login assistant is a program running on the user's mobile terminal that assists the user in completing a login or authentication operation with the information system through the information system client;
The mobile terminal is a portable electronic device with communication capability (such as a mobile phone or tablet computer);
The user identity credential is the electronic information that proves the user's identity in the information system. It comprises an identity (such as an account name or a digital certificate) and secret data proving that the user is the owner of that identity (such as a password, a private key or an identity-based private key). There is a correspondence between the user's identity credential for the information system and the user's account name in the information system (for example, the identity in the credential is the user's account name in the information system, or the subject of the digital certificate contains the account name).
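The steps above read more easily as a running model, so the following Python simulation is added here as an illustration; it is not code from the patent or from any product of the applicant. The class and method names, the in-memory session store, the two fixed display items and the account names "alice" and "mallory" are all assumptions; the assistant's credential check is assumed to have happened already. The simulation uses the first confirmation scheme (the assistant sends a display item, the user says whether the same item is on the screen in front of them), processes several client sessions for one account one at a time as the text describes, bounds the send-and-confirm rounds, and shows why an impersonator who submits only the victim's account name is refused: the item is routed to the impersonator's client, the victim's own screen stays empty, and the victim answers "not received".

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_ATTEMPTS = 3                    # preset bound on send-and-confirm rounds (value is an assumption)
DISPLAY_SET = ["apple", "river"]    # two clearly distinguishable fixed items, which the text says suffice


@dataclass
class ClientSession:
    """Session between the information system and a client program on a computer."""
    session_id: str
    account: str
    shown_info: Optional[str] = None    # display information routed here through the system
    logged_in: bool = False


@dataclass
class AssistantSession:
    """Session between the information system and the login assistant on the phone.
    The assistant is assumed to have authenticated with the user's identity credential."""
    session_id: str
    account: str
    pending: List[str] = field(default_factory=list)   # associated client sessions awaiting a verdict


class InformationSystem:
    def __init__(self) -> None:
        self.clients: Dict[str, ClientSession] = {}
        self.assistants: Dict[str, AssistantSession] = {}

    def client_submit_account(self, account: str) -> ClientSession:
        """Step 1: the client submits only the account name (no password)."""
        c = ClientSession(secrets.token_hex(8), account)
        self.clients[c.session_id] = c
        self._associate(account)
        return c

    def assistant_login(self, account: str) -> AssistantSession:
        """Step 2: the assistant logs in with the identity credential (verification assumed)."""
        a = AssistantSession(secrets.token_hex(8), account)
        self.assistants[a.session_id] = a
        self._associate(account)
        return a

    def _associate(self, account: str) -> None:
        """Step 3: associate every client session carrying this account name with the
        assistant session for the same account (several clients give several pending entries)."""
        for a in self.assistants.values():
            if a.account != account:
                continue
            for c in self.clients.values():
                if c.account == account and not c.logged_in and c.session_id not in a.pending:
                    a.pending.append(c.session_id)

    def forward_info(self, assistant: AssistantSession, client_id: str, info: str) -> None:
        """Step 4: route the assistant's display information to one associated client."""
        if client_id not in assistant.pending:
            raise PermissionError("client session is not associated with this assistant")
        self.clients[client_id].shown_info = info

    def decide(self, assistant: AssistantSession, client_id: str, allow: bool) -> None:
        """Step 5: apply the assistant's verdict; the client clears its display either way."""
        assistant.pending.remove(client_id)
        c = self.clients[client_id]
        c.shown_info = None
        if allow:
            c.logged_in = True
        else:
            del self.clients[client_id]     # a refused client has to start over


def confirm_login(system: InformationSystem, assistant: AssistantSession,
                  client_id: str, users_own_screen: Callable[[], Optional[str]]) -> bool:
    """Scheme 1: send a display item, then ask the user whether the same item is on the
    screen in front of them. `users_own_screen` returns what the user actually sees on
    the client they are sitting at, which need not be the client `client_id`."""
    for _ in range(MAX_ATTEMPTS):
        info = secrets.choice(DISPLAY_SET)
        system.forward_info(assistant, client_id, info)
        if users_own_screen() == info:
            system.decide(assistant, client_id, allow=True)
            return True
    system.decide(assistant, client_id, allow=False)
    return False


def scenario() -> Dict[str, bool]:
    """Constructed run: Alice at a public PC, and Mallory, who knows Alice's account
    name and submits it from his own browser at the same time."""
    system = InformationSystem()
    alice_pc = system.client_submit_account("alice")
    mallory_pc = system.client_submit_account("alice")
    phone = system.assistant_login("alice")
    for cid in list(phone.pending):          # Alice handles the two requests one at a time
        confirm_login(system, phone, cid, lambda: alice_pc.shown_info)
    return {
        "alice_logged_in": alice_pc.logged_in,
        "mallory_logged_in": mallory_pc.logged_in,
        "mallory_session_dropped": mallory_pc.session_id not in system.clients,
    }
```

Clearing `shown_info` in `decide` matters: without it, the item Alice already matched for her own session would still be on her screen when Mallory's pending request is processed, and a fixed two-item set would give a 50% false "received". That is the same point Embodiment 1 makes when it has the client empty its previously shown information.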
One scheme by which the login assistant sends information to the information system client through the information system and determines, through the user's confirmation operation, whether the client has received it is as follows:
The login assistant generates a piece of display information (such as text or a picture) or selects one from pre-generated display information; it then submits the display information to the information system and, at the same time, shows it on the mobile terminal through the login assistant's human-computer interface;
The information system (according to the association between the client the user is using and the login assistant the user is using) returns (sends) the received display information to the user's information system client, which shows it;
Through the login assistant's human-computer interface, the user confirms whether the display information shown by the information system client matches the display information shown on the mobile terminal, or whether the client shows any display information at all;
If the user confirms that the two match, the login assistant determines that the information system client has received the information it sent; if the user confirms that they do not match, or that the client shows no display information, the login assistant determines that the client has not received the information.
Another scheme by which the login assistant sends information to the information system client through the information system and determines, through the user's confirmation operation, whether the client has received it is as follows:
The login assistant generates a piece of display information (such as text or a picture) or selects one from pre-generated display information; it then submits that display information to the information system and shows on the mobile terminal, through its human-computer interface, a group of display information items that includes the one submitted;
The information system (according to the association between the client the user is using and the login assistant the user is using) returns (sends) the received display information to the user's information system client, which shows it;
From the group shown in the login assistant's interface, the user selects the item that matches the display information shown by the information system client and confirms;
If the item the user selects and confirms matches the display information the login assistant submitted to the information system, the login assistant determines that the client has received the information. If it does not match, or the user indicates that no item in the group matches what the client shows, or the user confirms that the client shows no display information, the login assistant determines that the client has not received the information.
One scheme in which the login assistant prompts the user to enter information in its human-computer interface, sends the user's input to the information system client through the information system, and determines through the user's confirmation operation whether the client has received it is as follows:
The login assistant prompts the user to enter information in its interface and asks the user to check and confirm whether the information system client shows the information entered on the mobile terminal;
Through the login assistant's interface, the user enters arbitrary (any) information on the mobile terminal;
The login assistant sends the user's input to the information system;
The information system (according to the association between the client the user is using and the login assistant the user is using) returns (sends) the received information to the user's information system client, which shows it;
The user checks whether the information system client shows the information entered on the mobile terminal and confirms the result through the login assistant's interface;
If the user confirms through the login assistant's interface that the client shows the information entered on the mobile terminal, the login assistant determines that the client has received the information; if the user confirms that the client does not show it, or shows something different, the login assistant determines that the client has not received the information.
The information-sending and confirmation schemes above are not all the possible schemes; implementers may design others as needed.
The identity authentication system based on the above method is as follows.
The identity authentication system based on the above method comprises an identity authentication server and a login assistant running on the mobile terminal. The identity authentication server is the system that performs online identity authentication of users in the above method; it provides user identity authentication to application systems (information systems that provide application functions). The client of the identity authentication server is either the client program of an application system that uses the identity authentication server to authenticate users, in which case the application system client is itself the client of the identity authentication server, or a program on the user's computer that is called by the application system client and authenticates the user with the identity authentication server. In the former case the client of the identity authentication server is the information system client of the above method; in the latter, the application system client and the client of the identity authentication server together constitute that information system client. If the client of the identity authentication server is a program called by the application system client to authenticate the user with the identity authentication server, the identity authentication system further comprises that client (program);
When a user logs in to an application system through an application system client, the user first completes an identity authentication operation with the identity authentication server, by the above method, using the application system client and the login assistant running on the mobile terminal;
After the user completes the identity authentication operation with the identity authentication server by the above method, the identity authentication server returns a security token proving the user's identity to the user's application system client, and the application system client uses the returned security token to complete the login operation with the application system;
If the application system client completes the user's authentication with the identity authentication server by calling the identity authentication server's client (program), then the application system client submits the user's account name, obtains the information sent by the login assistant and receives the security token returned by the identity authentication server, all through that client (program).
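The text says only that the identity authentication server returns "a security token proving the user's identity" and that the application system client logs in with it; it does not fix a token format. The following Python example is added here to show the checks an application system has to make on such a token; it is not code from the patent. The HMAC-signed, base64url-encoded format, the claim names (`sub`, `aud`, `exp`, `jti`), the shared key between the identity server and the application, and the 60-second lifetime are all assumptions. The application accepts a token only if it is authentic, was minted for this application, has not expired and has not been presented before.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Key shared between the identity authentication server and the application system.
# The shared-key (HMAC) design, the claim names and the lifetime are assumptions.
SHARED_KEY = secrets.token_bytes(32)
TOKEN_TTL = 60.0


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account: str, audience: str, key: bytes = SHARED_KEY,
                now: Optional[float] = None) -> str:
    """Identity authentication server side: once the assistant-confirmed authentication
    has succeeded, mint a token naming the user (sub), the application it is for (aud),
    an expiry (exp) and a one-time id (jti), and sign it with the shared key."""
    now = time.time() if now is None else now
    payload = {"sub": account, "aud": audience, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


class ApplicationSystem:
    """Application system side: accept the token handed over by the application client
    and complete the login only if it is authentic, for this application, fresh and unused."""

    def __init__(self, name: str, key: bytes = SHARED_KEY) -> None:
        self.name = name
        self.key = key
        self.used_ids = set()

    def login_with_token(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated account name, or None if the token is refused."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None                      # forged or tampered
            claims = json.loads(_unb64(body))
        except (ValueError, KeyError):
            return None                          # malformed token
        if claims.get("aud") != self.name:
            return None                          # minted for another application
        if claims.get("exp", 0) < now:
            return None                          # expired
        if claims.get("jti") in self.used_ids:
            return None                          # replayed
        self.used_ids.add(claims["jti"])
        return claims["sub"]
```

The audience check is the one most often skipped in home-grown schemes: without it, a token obtained for a low-value application that trusts the same identity server can be replayed against a high-value one.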
From the above description it can be seen that, with the method and system of the invention, the user can use a mobile terminal and the login assistant running on it to log in to or authenticate with the information system from the information system client without the client using the identity credential, and at the same time the user need not scan a two-dimensional code or type a sufficiently long random string to establish the association between the information system client and the login assistant; security is preserved and the user's operations are simplified. When the login assistant prompts the user to enter information in its interface and sends that input to the information system client through the information system, the user can enter anything at all, and the input can be very short, even a single character, because here the login assistant only needs to confirm that it is associated with the user's own information system client rather than with an impersonator's; what the information is, and how long it is, does not matter. A further benefit of the invention is that a user can easily authorize another user, remotely, to log in to an application system with the first user's account without revealing the private part of the identity credential.
The above method and system do have a weakness: they are vulnerable to denial-of-service attacks. An attacker can maliciously and repeatedly attempt to log in to or authenticate with the information system through an information system client using a particular user's account name, with the result that the real user cannot log in or authenticate normally. In an intranet environment this is not a big problem (such an attack is easy to discover); in an external network environment the following counter-measure can be used against this weakness:
While the user is logging in to or authenticating with the information system through the login assistant on the mobile terminal and the user's identity credential, or after that login or authentication has completed, the login assistant generates a displayable random string (it can be a fairly short one, such as 4 to 6 digits), sends the random string to the information system and, at the same time, shows it to the user through the login assistant's interface;
When, before or after submitting the account name to the information system through the information system client, the user enters the random string shown in the login assistant's interface into the information system client, which submits it to the information system;
The information system uses the account name and random string submitted through the information system client, the identity credential used by the login assistant and the random string submitted by the login assistant to associate the session between the information system and the user's client with the session between the information system and the user's login assistant (thereby associating the client the user is using with the login assistant the user is using).
Although this counter-measure again requires the user to enter a random string to establish the association between the information system client and the login assistant, the string can be short; and because information systems, to prevent malicious repeated login submissions, generally already require the user to enter and submit a random confirmation code when logging in through an information system client, the random string here can be submitted in place of that confirmation code, so the measure does not add much inconvenience for the user.
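The counter-measure changes what the information system keys the association on: the account name alone no longer creates a pending request on the user's phone; the (account name, short code) pair must match what the authenticated login assistant registered. The following Python model is added here to show that association step and its effect on the flooding attack; it is not code from the patent. The class and method names, the 4-digit code, the account name "alice" and the deterministic choice of the attacker's wrong codes are assumptions, and the decision to consume a code after one successful use is an added hardening that the text does not state.

```python
import secrets
from typing import Dict, Optional, Tuple

CODE_LEN = 4    # the text suggests 4 to 6 digits; the exact length is an assumption


class BindingSystem:
    """Information system side of the counter-measure: a client session is associated
    only when its (account name, short code) pair matches the pair registered by an
    authenticated login assistant."""

    def __init__(self) -> None:
        self.assistants: Dict[Tuple[str, str], str] = {}   # (account, code) -> assistant session id
        self.associations: Dict[str, str] = {}             # client session id -> assistant session id
        self.rejected: Dict[str, int] = {}                  # account -> refused submissions (monitoring only)

    def assistant_login(self, account: str) -> Tuple[str, str]:
        """The assistant authenticates with the identity credential (verification assumed
        elsewhere) and registers a short display code for this account."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        sid = secrets.token_hex(8)
        self.assistants[(account, code)] = sid
        return sid, code

    def client_submit(self, account: str, code: str) -> Optional[str]:
        """The client submits the account name plus the code copied from the phone, in
        place of the usual confirmation code. Without a match no association, and hence
        no request on the user's phone, is created. The code is consumed on first use
        (added hardening, not stated in the text)."""
        asid = self.assistants.pop((account, code), None)
        if asid is None:
            self.rejected[account] = self.rejected.get(account, 0) + 1
            return None
        cid = secrets.token_hex(8)
        self.associations[cid] = asid
        return cid


def scenario(flood: int = 50) -> Dict[str, object]:
    """Constructed run: Mallory floods the system with Alice's account name and wrong
    codes while Alice logs in. The wrong codes are chosen deterministically so the
    run is reproducible; a real attacker would be guessing."""
    system = BindingSystem()
    phone_sid, code = system.assistant_login("alice")
    candidates = [f"{i:0{CODE_LEN}d}" for i in range(flood + 1)]
    wrong_codes = [c for c in candidates if c != code][:flood]
    mallory = [system.client_submit("alice", c) for c in wrong_codes]
    alice_cid = system.client_submit("alice", code)
    replay = system.client_submit("alice", code)     # same code again: already consumed
    return {
        "mallory_associations": sum(c is not None for c in mallory),
        "alice_associated": alice_cid is not None and system.associations[alice_cid] == phone_sid,
        "replay_rejected": replay is None,
        "rejected_count": system.rejected["alice"],
    }
```

Two points a deployment has to get right that the text leaves open. First, a 4-digit code is guessable in about 10,000 online attempts, so the code must be short-lived and the submission rate limited per source, which is why `rejected` is kept as a counter. Second, that counter must not be turned into an account lock-out: locking "alice" after a few wrong codes would hand the attacker exactly the denial of service the measure is meant to remove.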
The present invention also differs from the published patent "An asynchronous login method for information systems" (application number 201510393405.0). The two differ not only in which party generates the login confirmation information (the display information) and in how it is delivered, but more importantly in this: for invention 201510393405.0 the login confirmation information must be random, with enough randomness that when user A logs in to the information system, the probability that an attacker or another user logging in obtains the same confirmation information is very low; otherwise, when user B authorizes user A to log in (whether or not A and B are the same person, and whether or not they are in the same place), the probability that an attacker impersonating user A, or another user by accident, is treated as authorized by user B increases greatly. High randomness means that the text or picture making up the confirmation information must be not only random but sufficiently large, which is inconvenient for the user to confirm and error-prone. For the present invention, the display information (the login confirmation information) can be a few fixed items, and their number need not be large; even two clearly distinguishable items suffice, because when an attacker tries to log in by impersonating the real user, the information sent by the user's login assistant is delivered to the attacker's information system client, while the user's own information system client does not show the information the login assistant sent, so the user refuses the attacker's login attempt by confirming that the information was not received.
Description of the drawings
Fig. 1 is a schematic diagram of Embodiments 1 and 2 of the invention.
Fig. 2 is a schematic diagram of Embodiment 3 of the invention.
Fig. 3 is a schematic diagram of Embodiment 4 of the invention.
Fig. 4 is a schematic diagram of Embodiment 5 of the invention.
Fig. 5 is a schematic diagram of Embodiment 6 of the invention.
Specific embodiment
The invention will be further described with reference to the accompanying drawings and examples.
Embodiment 1,
The embodiment of the present invention 1 (as shown in Figure 1) is that authentication identifying method of the invention is directly used in application system Register.In this embodiment, the application system of the present embodiment corresponds to the information in the authentication identifying method of invention System, the information system client in the corresponding authentication identifying method of the present invention of the client of the application system in the present embodiment.When Using application system client when application system logs in, user is inputted by application system client and is submitted and applied user The account name of system;Meanwhile user using login assistant and user in mobile terminal identity documents (such as account name password, Account name and identity private key, digital certificate and private key) log in application system;Application system passes through between account name and identity documents Corresponding relationship by the application system client of user with user login assistant be associated with;To generate at random a string of login assistant It can show that character or pre-generated one section of word are sent to the application system client of user by application system, and simultaneously will hair The information sent shows in the human-computer interaction interface of login assistant, and the information that prompts user to confirm that application system client show and Whether the information that user shows on mobile terminals is consistent;If user's confirmation message is consistent, login assistant notification information system User's use information system client is allowed to log in application system;Otherwise, on the one hand login assistant requires application system to refuse User by the register of information system client, on the other hand require user reuse application system client-side program into Row register.When user re-starts register using 
application system client-side program, application system client empties it The displaying information of preceding display.If the information that user's confirmation is seen is inconsistent, there are two types of possible: first is that user misunderstands, second is that separately There are other people to log in using the account name of active user in information system, if the latter, application system is according to the requirement of login assistant The login for refusing other people is attempted.If information is can't see in user's confirmation, also there are two types of possible: first is that network there is a problem, two It is that the account name for separately having other people using active user is logged in information system, if the latter, application system is according to login assistant It is required that other people login of refusal is attempted.If login assistant is that the one section of word that will be pre-generated are sent to user by application system Application system client, then login assistant can pre-generate one group of word, and then one section of selection is different in this group word every time Words are sent to application system client (the different words in this group word can be recycled).It the use of one section of word that pre-selection generates is not deposit It can only be distinguished obviously comprising two sections in problem, and in this group word, because, if not user application visitor currently in use Family end is being associated with the login assistant of user, then user is the information that can't see login assistant and be sent to it in application system client 's.
Embodiment 2
The present embodiment (as shown in Figure 1) likewise applies the authentication identifying method of the invention directly to the login operation of an application system. Unlike Embodiment 1, in this embodiment the display information the login assistant sends to the application system client is a picture, and the login assistant shows on the mobile terminal a group of pictures that includes the picture sent to the application system client. The user selects, from the group of pictures shown on the mobile terminal, the picture he sees in the application system client, thereby confirming to the login assistant the display information he sees, or tells the login assistant that no matching picture was seen, or that no picture at all was seen in the information system client. Here the pictures the login assistant sends and displays may come from a pre-generated group of pictures (this group may contain as few as two different pictures).
Embodiment 3
The present embodiment (as shown in Figure 2) likewise applies the authentication identifying method of the invention directly to the login operation of an application system. Unlike Embodiments 1 and 2, in this embodiment, after the login assistant receives the request sent by the information system asking whether to allow the user to log in, it prompts the user to enter arbitrary (random, any) information in the human-computer interaction interface of the login assistant and sends the information entered by the user to the information system client through the information system; following the prompt of the login assistant, the user checks whether the information system client shows the information the user entered on the mobile terminal and confirms the result to the login assistant, from which the login assistant determines whether the information system client has received the information it sent. In this mode, how much information the user enters and what it is are unimportant; the user normally enters a few characters or digits, and even a single character or digit suffices.
Embodiment 4
In the present embodiment (as shown in Figure 3), a Web application system uses the identity identification system of the invention to identify the user's identity when the user logs on to the Web application system. The identity identification system consists of an identity authentication server and the login assistant in the mobile terminal; here the browser is both the client program with which the user accesses the Web system (the application system client) and the client program with which the user performs identity identification at the identity authentication server (the identity identification client). When the user accesses the Web application system with the browser, the Web application system directs the user's browser to the identity authentication server by HTTP redirection; the user submits through the browser the user's account name at the identity server and, at the same time, completes identity identification at the identity authentication server with the login assistant in the mobile terminal and the user's identity credentials at the identity authentication server; the user then confirms to the login assistant whether the browser shows display information consistent with the display information shown by the login assistant, where the display information may be a word string as in Embodiment 1 or a picture as in Embodiment 2. If the user confirms to the login assistant that the browser shows display information consistent with that shown by the login assistant, the login assistant confirms to the identity authentication server that the user using the browser is allowed to pass identity identification; the identity authentication server returns to the browser a security token proving the user's identity (and proving that the user has permission to access the Web application system); the browser then submits the security token (or information for obtaining the security token) to the Web application system by HTTP automatic POST or HTTP redirection. After the Web application system has verified the validity of the user's security token, it allows the user to log in to the Web application system. If the security token fails verification, the Web application system refuses the user's login to the Web system through the browser.
In this embodiment, the interaction between the identity authentication server and the login assistant can use either a TCP connection or HTTP; in the background, the identity authentication server associates its session with the user's browser and its session with the login assistant. The security token can be a SAML assertion, a WS-Federation security token, or a custom security token.
Where a client program (browser, login assistant) interacts with the identity authentication server over HTTP, either the identity authentication server actively sends messages to the client program by HTTP reverse-push technology, or the client program obtains messages from the identity authentication server by client polling.
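The security-token leg of Embodiment 4 (issue after the assistant's confirmation, verify at the Web application), as an added example that is not the patent's own code. It assumes the custom-token option the embodiment allows rather than SAML or WS-Federation: an HMAC-SHA256 signed token over a shared secret carrying the account name, the intended Web application (audience), a validity window and a single-use nonce. The session identifiers, secret and application name are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityAuthenticationServer:
    """Issues a security token for a browser session only after the login
    assistant has confirmed that this browser showed its display information."""

    def __init__(self, secret):
        self.secret = secret          # shared with the Web application (assumption)
        self.confirmed = set()        # (browser session id, account) pairs confirmed

    def assistant_confirms(self, browser_sid, account):
        self.confirmed.add((browser_sid, account))

    def issue_token(self, browser_sid, account, audience, ttl=60):
        """Returns 'base64url(claims).hexhmac'. Each confirmation yields one token."""
        try:
            self.confirmed.remove((browser_sid, account))
        except KeyError:
            raise PermissionError("login assistant has not confirmed this browser session")
        now = int(time.time())
        claims = {"sub": account, "aud": audience, "iat": now,
                  "exp": now + ttl, "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class WebApplication:
    """Verifies the token the browser submits (auto-POST or redirect) before
    letting the user in: signature, audience, validity window and single use."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
        self.seen_nonces = set()

    def verify_token(self, token, now=None):
        """Returns the account name for a valid token, otherwise None."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return None
        body, sig = parts
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):     # constant-time comparison
            return None
        try:
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("aud") != self.name:             # token meant for another system
            return None
        if not claims.get("iat", 1) <= now <= claims.get("exp", 0):
            return None
        if claims.get("nonce") in self.seen_nonces:    # replay of a consumed token
            return None
        self.seen_nonces.add(claims["nonce"])
        return claims["sub"]


def demo_web_login():
    """One browser login as in Embodiment 4, with constructed identifiers."""
    secret = b"constructed-shared-secret"
    ias = IdentityAuthenticationServer(secret)
    webapp = WebApplication("example-webapp", secret)
    browser_sid = "browser-session-1"                 # constructed
    ias.assistant_confirms(browser_sid, "alice")       # the assistant said "consistent"
    token = ias.issue_token(browser_sid, "alice", "example-webapp")
    return webapp.verify_token(token)                  # -> "alice"
```

The audience check matters because the same identity authentication server serves several application systems: a token minted for one must not log the user in to another. The nonce set makes a token that was captured on the redirect useless a second time, which is the check the embodiment's "verifies the validity of the security token" step has to include.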
Embodiment 5
In the present embodiment (as shown in Figure 4), an application system with a dedicated client uses the identity identification system of the invention to identify the user's identity when the user logs on to the application system. The identity identification system consists of an identity authentication server and a login assistant running in the mobile terminal; in addition, the identity authentication server is provided with a dedicated client program (such as a dynamic library), namely the identity identification client, for the interaction between the client and the identity authentication server. Here the client program of the application system interacts with the identity identification service by calling the client program of the identity authentication server, for example to submit the user's account name at the identity authentication server, to obtain the display information sent by the login assistant, and to obtain the security token returned by the identity authentication server; the obtained security token is then submitted to the application system to complete the login operation. The client human-computer interaction interface in which the user enters the account name and in which the display information sent by the login assistant is shown can be provided either by the human-computer interaction interface of the application system client or by the client program of the identity authentication server (such as the dynamic library). After the user confirms to the login assistant that the client on the user's computer has received the display information sent by the login assistant, the login assistant confirms to the identity authentication server that the user corresponding to the application client (which calls the identity identification client) is allowed to pass identity identification; the identity authentication server returns (through the client of the identity authentication server) to the application system client a security token proving the user's identity (and proving that the user has permission to access the application system); the application system client then submits the security token to the application system to request login. After the application system has verified the validity of the security token, it allows the user to log in to the application system with the information system client; if the security token fails verification, the user's login is refused.
Embodiment 6
The application scenario of the present embodiment (as shown in Figure 5) is the same as that of Embodiment 4. Unlike Embodiment 4, in this embodiment, after the login assistant receives the request sent by the information system asking whether to allow the user to pass identity identification, it prompts the user to enter arbitrary (random, any) information in the human-computer interaction interface of the login assistant and sends the information entered by the user to the user's browser through the information system; following the prompt of the login assistant, the user checks whether the browser shows the information the user entered on the mobile terminal and confirms the result to the login assistant, from which the login assistant determines whether the information system client, namely the user's browser, has received the information it sent.
In the above embodiments, there are many ways for the information system (application system, identity authentication server) to associate its session with the information system client (application system client or identity identification client) and its session with the login assistant. One way is this: each session between the information system and the information system client or the login assistant has a session identifier, and the information system maintains a table in memory or in a database in which each entry stores the session identifiers (a pair of session identifiers) of the sessions between the information system and an associated information system client and login assistant.
Other specific technical implementations not described here are well known to those skilled in the relevant art and are not described further.

Claims (7)

1. An authentication identifying method based on a mobile terminal, characterized in that:
When a user logs in or performs identity identification at an information system with an information system client, the user enters the user's account name at the information system through the information system client, and the account name is submitted to the information system;
Before or after the user submits the account name to the information system through the information system client, the user uses the login assistant in the mobile terminal and the user's identity credentials at the information system to complete a login or identity identification operation for the login assistant at the information system;
After the user has submitted the user's account name at the information system to the information system through the information system client and has completed the login or identity identification operation for the login assistant at the information system with the login assistant, the information system uses the account name submitted by the user through the information system client and the identity credentials used by the user in the login or identity identification operation with the login assistant to associate the session between the information system and the information system client used by the user with the session between the information system and the login assistant used by the user, and sends to the login assistant a request asking whether to allow the user to log in to the information system or to pass identity identification, or sends to the login assistant a prompt that the user requests login or identity identification at the information system;
After receiving the request asking whether to allow the user to log in or pass identity identification at the information system, or receiving the prompt that the user requests login or identity identification at the information system, the login assistant, automatically or after the user clicks to confirm, sends information to the information system client through the information system, or the login assistant prompts the user to enter information in the human-computer interaction interface of the login assistant and sends the information entered by the user to the information system client through the information system;
The login assistant determines, through the user's confirmation operation, whether the information system client has received the information sent by the login assistant;
If it is determined through the user's confirmation operation that the information system client has received the information sent by the login assistant, the login assistant confirms to the information system that the user using the information system client is allowed to complete the login or identity identification operation at the information system, after which the information system allows the user using the information system client to log in to the information system or to pass identity identification;
The information system is an application system providing application functions or a system performing online identity identification of users; the information system client is the program of the information system on the user's computer, namely a client program;
The login assistant is a program running in the user's mobile terminal that assists the user in completing login or identity identification operations at the information system with the information system client;
The mobile terminal is a portable electronic device with communication capability;
The user identity credentials are electronic information proving the user's identity at the information system, including an identity and private data proving that the user is the owner of the identity; the user's identity credentials at the information system correspond to the user's account name at the information system.
2. The authentication identifying method based on a mobile terminal according to claim 1, characterized in that:
If it is determined through the user's confirmation operation that the information system client has not received the information sent by the login assistant, the login assistant requires the information system to refuse the login or identity identification operation performed at the information system by the user currently using the information system client, or continues to send information to the information system client through the information system and continues to determine, through the user's confirmation operation, whether the information system client has received the information sent by the login assistant, until it is determined that the information system client has received the information sent by the login assistant, or, after a maximum number of attempts is reached, the login assistant requires the information system to refuse the login or identity identification operation performed at the information system by the user currently using the information system client.
3. The authentication identifying method based on a mobile terminal according to claim 1, characterized in that:
One scheme by which the login assistant sends information to the information system client through the information system and determines, through the user's confirmation operation, whether the information system client has received the information sent by the login assistant is:
The login assistant generates a piece of display information or selects one piece from pre-generated display information, then on the one hand submits the display information to the information system and on the other hand shows the display information on the mobile terminal through the human-computer interaction interface of the login assistant;
The information system returns the received display information to the information system client used by the user for display;
The user confirms, through the human-computer interaction interface of the login assistant, whether the display information shown on the information system client is consistent with the display information shown on the mobile terminal, or whether the information system client shows any display information at all;
If the user confirms that the two are consistent, the login assistant determines that the information system client has received the information sent by the login assistant; if the user confirms that the two are inconsistent, or confirms that the information system client shows no display information, the login assistant determines that the information system client has not received the information sent by the login assistant.
4. The authentication identifying method based on a mobile terminal according to claim 1, characterized in that:
One scheme by which the login assistant sends information to the information system client through the information system and determines, through the user's confirmation operation, whether the information system client has received the information sent by the login assistant is:
The login assistant generates a piece of display information or selects one piece from pre-generated display information, then on the one hand submits the display information to the information system and on the other hand shows on the mobile terminal, through the human-computer interaction interface of the login assistant, a group of display information that includes the display information the login assistant submitted to the information system;
The information system returns the received display information to the information system client used by the user for display;
The user selects, from the group of display information shown in the human-computer interaction interface of the login assistant, the display information consistent with that shown by the information system client, and confirms;
If the display information selected and confirmed by the user is consistent with the display information previously submitted by the login assistant to the information system, the login assistant determines that the information system client has received the information sent by the login assistant; if the display information selected and confirmed by the user is inconsistent with the display information previously submitted by the login assistant to the information system, or the user confirms that no display information consistent with that shown by the information system client can be selected from the group of display information shown in the human-computer interaction interface of the login assistant, or the user confirms that the information system client shows no display information, the login assistant determines that the information system client has not received the information sent by the login assistant.
5. The authentication identifying method based on a mobile terminal according to claim 1, characterized in that:
One scheme by which the login assistant prompts the user to enter information in the human-computer interaction interface of the login assistant, sends the information entered by the user to the information system client through the information system, and determines through the user's confirmation operation whether the information system client has received the information sent by the login assistant is as follows:
The login assistant prompts the user to enter information in the human-computer interaction interface of the login assistant and prompts the user to check and confirm whether the information system client shows the information the user entered on the mobile terminal;
The user enters arbitrary information on the mobile terminal through the human-computer interaction interface of the login assistant;
The login assistant sends the information entered by the user to the information system;
The information system returns the received information to the information system client used by the user for display;
The user checks whether the information system client shows the information the user entered on the mobile terminal, and confirms through the human-computer interaction interface of the login assistant;
If the user confirms through the human-computer interaction interface of the login assistant that the information system client shows the information the user entered on the mobile terminal, the login assistant determines that the information system client has received the information sent by the login assistant; if the user confirms through the human-computer interaction interface of the login assistant that the information system client does not show the information the user entered on the mobile terminal, or that the information shown is incorrect, the login assistant determines that the information system client has not received the information sent by the login assistant.
6. The authentication identifying method based on a mobile terminal according to claim 1, characterized in that one countermeasure against denial-of-service attacks is as follows:
While the user is performing the login or identity identification operation for the login assistant at the information system with the login assistant in the mobile terminal and the user's identity credentials at the information system, or after the user has completed that operation, the login assistant generates a displayable random word string, then on the one hand sends the random word string to the information system and on the other hand shows it to the user through the human-computer interaction interface of the login assistant;
When, or before or after, the user submits the account name to the information system through the information system client, the user enters the random word string shown in the human-computer interaction interface of the login assistant into the information system client and submits it to the information system;
The information system associates the session between the information system and the information system client used by the user with the session between the information system and the login assistant used by the user by means of the account name and random word string submitted through the information system client and the identity credentials and random word string submitted by the login assistant.
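Why claim 6 adds the random word string, as an added example that is not the patent's own code. Under claim 1 alone the information system binds the assistant session to a pending client session by account name, so several client sessions that submitted the same account name (a mistyped name, or a deliberate flood) make the binding ambiguous and the genuine user keeps being refused. The constructed scenario below compares that binding with the claim 6 binding over (account name, random word string). The character alphabet of the word string is an assumption chosen so that the user can read it from the phone without confusing look-alike characters.

```python
import secrets


def bind_by_account(client_sessions, account):
    """Binding as in claim 1 alone: every pending client session that submitted
    this account name is a candidate, so the result may hold several sessions."""
    return sorted(sid for sid, s in client_sessions.items()
                  if s["account"] == account)


def bind_by_account_and_string(client_sessions, account, random_string):
    """Binding as in claim 6: only the client into which the user typed the
    random word string shown by the login assistant qualifies."""
    return sorted(sid for sid, s in client_sessions.items()
                  if s["account"] == account
                  and s.get("random_string") == random_string)


def new_random_word_string(length=6):
    """Displayable random word string generated on the mobile terminal.
    The alphabet omits 0/O, 1/I/l to keep it readable (assumption, not the patent)."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo_binding():
    """Constructed scenario: the user's own client plus three sessions that
    submitted the same account name without knowing the word string, and one
    session of another account that happens to carry the same string."""
    word = new_random_word_string()
    client_sessions = {
        "c-user":    {"account": "alice", "random_string": word},
        "c-bogus-1": {"account": "alice"},
        "c-bogus-2": {"account": "alice", "random_string": "WRONG1"},
        "c-bogus-3": {"account": "alice"},
        "c-other":   {"account": "bob", "random_string": word},
    }
    return {
        "by_account": bind_by_account(client_sessions, "alice"),
        "by_account_and_string":
            bind_by_account_and_string(client_sessions, "alice", word),
    }
```

The word string is not a second secret in the password sense: it is shown on the phone and typed once, and it only has to be unguessable for the minutes the login takes. What it buys is that a session submitted by someone who knows only the account name no longer captures the association, so the assistant's display information reaches the user's own client and the confirmation step can succeed.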
7. An identity identification system using the authentication identifying method of claim 1, characterized in that:
The identity identification system comprises an identity authentication server and a login assistant running in the mobile terminal, wherein the identity authentication server is the system that performs online identity identification of users in the authentication identifying method; the identity authentication server provides a user identity identification function to application systems; the client of the identity authentication server is either the client program of an application system that uses the identity authentication server to perform identity identification of users, in which case the application system client is itself the client of the identity authentication server, or a program on the user's computer that is called by the application system client and performs identity identification of the user at the identity authentication server; in the former case the client of the identity authentication server corresponds to the information system client in the authentication identifying method, and in the latter case the application system client and the client of the identity authentication server together constitute the information system client in the authentication identifying method; if the client of the identity authentication server is a program called by the application system client to perform identity identification of the user at the identity authentication server, the identity identification system further comprises the client of the identity authentication server;
When a user logs in to an application system with an application system client, the user first completes an identity identification operation at the identity authentication server by the authentication identifying method, using the application system client and the login assistant running in the mobile terminal;
After the user has completed the identity identification operation at the identity authentication server by the authentication identifying method, the identity authentication server returns to the user's application system client a security token proving the user's identity; the user's application system client uses the returned security token to complete the login operation at the application system;
If the application system client completes the identity identification of the user at the identity authentication server by calling the client of the identity authentication server, the application system client submits the user's account name, obtains the information sent by the login assistant, and obtains the security token returned by the identity authentication server through the client of the identity authentication server.

Priority Applications (1)

Application Number: CN201610860171.0A (CN106487785B, en)
Priority Date: 2016-09-28
Filing Date: 2016-09-28
Title: A kind of authentication identifying method and system based on mobile terminal


Publications (2)

CN106487785A (en): 2017-03-08
CN106487785B (en): 2019-07-23

Family

ID=58268204


Families Citing this family (1)

* Cited by examiner, † Cited by third party
CN106454830B (en) *, priority 2016-10-10, published 2020-01-14, 武汉理工大学: Method and system for establishing connection with program in mobile terminal

Citations (7)

* Cited by examiner, † Cited by third party
EP2355443A2 (en) *, priority 2010-01-27, published 2011-08-10, Keypasco AB: Network authentication method and device for implementing the same
CN104580117A (en) *, priority 2013-10-28, published 2015-04-29, 深圳市腾讯计算机***有限公司: Authentication method, device and system
EP2894891A2 (en) *, priority 2013-12-20, published 2015-07-15, Verisec AB: Mobile token
CN105141577A (en) *, priority 2015-07-07, published 2015-12-09, 武汉理工大学: Asynchronous login method for information system
CN105162773A (en) *, priority 2015-08-04, published 2015-12-16, 武汉理工大学: Mobile terminal based shortcut login method for Web system
CN105391727A (en) *, priority 2015-11-26, published 2016-03-09, 武汉理工大学: System login method based on mobile terminal
CN105491010A (en) *, priority 2015-11-19, published 2016-04-13, 上海携程商务有限公司: Cross validation method and system for verification codes




Legal Events

C06: Publication
PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
TR01: Transfer of patent right
  Effective date of registration: 20211027
  Address after: Room 401a, building 4, yard 7, Shangdi 8th Street, Haidian District, Beijing 100085
  Patentee after: ITRUSCHINA CO.,LTD.
  Address before: 430070 Hubei Province, Wuhan city Hongshan District Luoshi Road No. 122
  Patentee before: WUHAN University OF TECHNOLOGY