CN110324276A - A method, system, terminal and electronic device for logging in to an application - Google Patents
- Publication number
- CN110324276A (application number CN201810266079.0A)
- Authority
- CN
- China
- Prior art keywords
- application
- information
- sent
- user
- access token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
All under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/00, H04L63/04)
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities (under H04L63/00)
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/08)
- H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos (under H04L9/00, H04L9/32, H04L9/321)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method, system, terminal and electronic device for logging in to an application, in the field of information security. In the method, after a first application on a terminal obtains the user's permission confirmation allowing a second application to be logged in with the user identity information of the first application, the first application sends an authentication server an authentication request carrying authentication encryption information of the identification information of the second application. When the authentication result returned by the authentication server shows that the second application is legitimate, the first application obtains an access token from the service server of the first application and sends the obtained access token to the second application, so that the second application can use the access token to obtain the user's business data from the service server and the user can use that business data while performing the business of the second application. The invention transmits data in encrypted form, so that information cannot be stolen in transit, which protects the data the user has recorded on the service server.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method, system, terminal and electronic device for logging in to an application.
Background
As CRM software becomes widespread and the user base of applications with customer-management functions keeps growing, users of such applications, and other third-party companies, are no longer satisfied with using the functions inside the application itself. They prefer to use the application's software development kit (SDK) to log in to a third-party application with an account of the application and use its functions, such as customer management, from there. Handing customer information managed in an application with customer-management functions to a third-party application, while avoiding leaks of customer information that could endanger customers' property or personal safety, places stricter requirements on the security of customer data and on the legitimacy of the third-party application.
In existing third-party-application login schemes based on customer authentication, the username and password the customer registered with the customer-management application are usually sent to the server in plaintext. In transit the username and password are easily stolen, which readily leads to leakage of customer information.
Therefore, when a third-party application authenticates and logs in with the user identity information of an application with customer-management functions, how to improve the security of the user identity information is one of the technical problems that urgently need to be solved in the prior art.
Summary of the invention
Embodiments of the present invention provide a method, system, terminal and electronic device for logging in to an application, to solve the problem in the prior art that, when a third-party application logs in with a user's identity information from another application, the identity information is stolen, customer data leaks and the customer's property and personal safety are endangered.
In a first aspect, an embodiment of the present invention provides a method for logging in to an application, comprising:
the first application obtains a permission confirmation for the user to log in to a second application, the permission confirmation indicating that the user allows the second application to be logged in with the user identity information of the first application;
the first application sends an authentication request to an authentication server and receives the authentication result returned by the authentication server, the authentication request carrying authentication encryption information of the identification information of the second application, and the authentication result containing encryption information of the legitimacy authentication result of the second application;
when the first application confirms from the legitimacy authentication result of the second application that the second application is legitimate, it sends an access token acquisition request to a service server and sends the obtained access token to the second application, so that the second application uses the access token to obtain the user's business data from the service server and the user can use that business data while performing the business of the second application.
In this way, after the first application has obtained the user's permission confirmation to log in to the second application with the user identity information of the first application, the sensitive data sent to the authentication server is encrypted, which protects the data in transit and avoids the problem in the prior art that the data a user has recorded on the service server is stolen because sensitive data was transmitted in plaintext.
Optionally, the user identity information includes account information and password information; and
the authentication encryption information is the information obtained by encrypting the identification information of the second application and the public key of a first key pair with the password information.
Because the sensitive data is encrypted with the password the user registered with the first application, even if the resulting authentication encryption information is stolen, the thief cannot recover the sensitive data without knowing the decryption algorithm and the decryption key, so the data is protected in transit.
Preferably, the authentication result also contains encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access an intermediate server with the user identity information of the first application; and
before the access token acquisition request is sent to the service server, the method further includes:
the first application sends the intermediate server a credential acquisition request for access to the service server, the credential acquisition request carrying credential encryption information obtained by encrypting the access permission indication with the public key of the second key pair, where the public key of the second key pair and the access permission indication are obtained by decrypting the authentication result with the private key of the first key pair;
the first application receives the credential acquisition result sent by the intermediate server, the credential acquisition result carrying permission result encryption information, which the intermediate server produces by decrypting the credential encryption information with the private key of the second key pair obtained from the authentication server, verifying the decrypted access permission indication, and then encrypting a license ticket and the public key of a third key pair with the private key of the second key pair;
the first application decrypts the permission result encryption information with the public key of the second key pair and encrypts the license ticket with the decrypted public key of the third key pair to obtain access permission encryption information; and
the first application carries the access permission encryption information in the access token acquisition request sent to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information with the private key of the third key pair obtained from the intermediate server and, once the license ticket is verified, issues the access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
Since the first application exchanges only encrypted data with the authentication server, the intermediate server and the service server, a thief who obtains the encrypted data cannot decrypt it without knowing the decryption algorithm and the decryption key. This improves the security of the transmission links, protects the user identity information, and avoids the loss of the business data the user has recorded on the service server that would follow from the user identity information being stolen.
Preferably, before the access token is sent to the second application, the method further includes:
after receiving the access permission result information, the first application decrypts it with the public key of the third key pair to obtain the access token.
Because the data on the downlink from the service server to the first application is encrypted, the first application must decrypt the access permission result information and obtains the access token only if decryption succeeds, which protects the access token. If decryption fails, the application that received the access permission result information may be illegitimate, but since it cannot decrypt the access token it also cannot use the token to obtain the user's business data from the service server, so leakage of business data is avoided.
Preferably, before the first application obtains the user's permission confirmation to log in to the second application, the method further includes:
receiving a key acquisition request sent by the second application;
sending the public key of a fourth key pair to the second application, so that the second application encrypts its identification information with the public key of the fourth key pair and carries the resulting information to be verified in a login request sent to the first application; and
after receiving the login request, decrypting the information to be verified with the private key of the fourth key pair to obtain the identification information of the second application.
To prevent data loss caused by eavesdropping on the link between the first and second applications, the invention encrypts sensitive data such as the identification information of the second application before it is sent to the first application, so that only encrypted data travels between the two applications and the sensitive data cannot be stolen.
Preferably, the information to be verified further includes encryption information of the public key of a fifth key pair; and sending the access token to the second application specifically includes:
encrypting the access token with the decrypted public key of the fifth key pair to obtain password information; and
sending the password information to the second application.
To deliver the obtained access token to the second application securely, the first application encrypts the access token, so that the token cannot be stolen in transit and an illegitimate application cannot use it to obtain business data.
The fourth key pair is generated by the first application or by the service server of the first application; the fifth key pair is generated by the second application or by the service server of the second application.
In a second aspect, an embodiment of the present invention provides a system for logging in to an application, comprising an authentication server and a service server, wherein:
the authentication server, after receiving an authentication request sent by a first application on a terminal, authenticates the identification information of a second application on the terminal carried in the authentication request and returns an authentication result to the first application, the authentication result containing encryption information of the legitimacy authentication result of the second application, wherein the authentication request is sent by the first application after it obtains the user's permission confirmation to log in to the second application, and the permission confirmation indicates that the user allows the second application to be logged in with the user identity information of the first application;
the service server, after receiving an access token acquisition request sent by the first application, sends an access token to the first application, so that the first application sends the obtained access token to the second application, which uses the access token to obtain the user's business data from the service server and lets the user use that business data while performing the business of the second application, wherein the access token acquisition request is sent by the first application when it confirms from the legitimacy authentication result of the second application returned by the authentication server that the second application is legitimate.
Preferably, the system further includes an intermediate server; the authentication result also contains encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access the intermediate server with the user identity information of the first application; and
the intermediate server, after receiving the credential acquisition request for access to the service server sent by the first application, decrypts the credential encryption information with the private key of the second key pair obtained from the authentication server, verifies the decrypted access permission indication, then encrypts a license ticket and the public key of a third key pair with the private key of the second key pair to obtain permission result encryption information, and carries the permission result encryption information in the credential acquisition result sent to the first application, wherein the public key of the second key pair and the access permission indication are obtained by the first application by decrypting the authentication result with the private key of the first key pair;
the service server, after receiving the access token acquisition request, decrypts the access permission encryption information carried in the request with the private key of the third key pair obtained from the intermediate server and, once the decrypted license ticket is verified, issues the access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information and sends it to the first application, wherein the access permission encryption information is obtained by the first application by decrypting the permission result encryption information carried in the credential acquisition result with the public key of the second key pair and encrypting the license ticket with the decrypted public key of the third key pair.
Preferably, the license ticket carries a timestamp indicating when the license ticket was generated; and
the service server specifically determines whether the license ticket obtained from the intermediate server and the decrypted license ticket are consistent; if they are, it extracts the timestamp from the license ticket and, if the timestamp is within the validity period, determines that the license ticket is verified.
By checking the validity of the license ticket and not sending the access token to the first application when the ticket is invalid, an illegitimate application holding an invalid license ticket is prevented from obtaining an access token, which protects the user's business data.
Optionally, the user identity information includes account information and password information; the authentication encryption information also includes encryption information of the public key of the obtained first key pair; and
the authentication server, after receiving the authentication request, determines from the stored correspondence between account information and password information the password information corresponding to the account information carried in the authentication request; if the authentication encryption information is successfully decrypted with that password information, determines that the user identity information is authenticated; sends the decrypted identification information of the second application to an open platform; receives the legitimacy authentication result of the second application from the open platform; encrypts the legitimacy authentication result of the second application, the authentication result of the user identity information, the access permission indication and the public key of the second key pair with the decrypted public key of the first key pair; and sends the resulting authentication result to the first application.
To protect the downlink between the authentication server and the first application, the data to be sent to the first application is encrypted. In addition, to protect the uplink between the first application and the intermediate server, the authentication server encrypts the public key of the second key pair, so that the first application can encrypt the data it sends to the intermediate server with the decrypted public key of the second key pair and that data cannot be stolen.
In a third aspect, an embodiment of the present invention provides a method for logging in to an application, applied to an authentication server, the method comprising:
after receiving an authentication request sent by a first application on a terminal, authenticating the identification information of a second application on the terminal carried in the authentication request; and
returning an authentication result to the first application, the authentication result containing encryption information of the legitimacy authentication result of the second application on the terminal, so that when the first application confirms from the legitimacy authentication result that the second application is legitimate, it sends an access token acquisition request to a service server and sends the obtained access token to the second application, which uses the access token to obtain the user's business data from the service server and lets the user use that business data while performing the business of the second application; wherein the authentication request is sent by the first application after it obtains the user's permission confirmation to log in to the second application, and the permission confirmation indicates that the user allows the second application to be logged in with the user identity information of the first application.
Preferably, the user identity information includes account information and password information, the authentication encryption information further includes encryption information of the public key of the obtained first key pair, and the authentication result is obtained as follows:
determining, from the stored correspondence between account information and password information, the password information corresponding to the account information carried in the authentication request;
if the authentication encryption information is successfully decrypted with that password information, determining that the user identity information is authenticated;
sending the decrypted identification information of the second application to an open platform;
receiving the legitimacy authentication result of the second application from the open platform; and
encrypting the legitimacy authentication result of the second application, the authentication result of the user identity information, the access permission indication and the public key of the second key pair with the decrypted public key of the first key pair to obtain the authentication result.
By authenticating the identification information of the second application, the authentication server allows the first application to send an access token acquisition request to the service server only after authentication passes, which ensures that only a trustworthy second application can use the user's business data on the service server. In addition, encrypting the data sent to the first application protects the data on the downlink between the authentication server and the first application.
In a fourth aspect, an embodiment of the present invention provides a method for logging in to an application, applied to a service server, the method comprising:
receiving an access token acquisition request sent by a first application on a terminal; and
sending an access token to the first application, so that the first application sends the obtained access token to a second application, which uses the access token to obtain the user's business data from the service server and lets the user use that business data while performing the business of the second application, wherein the access token acquisition request is sent by the first application when it confirms from the legitimacy authentication result of the second application returned by an authentication server that the second application is legitimate.
Preferably, the access token acquisition request carries a license ticket, and before the access token is sent to the first application the method further includes verifying the license ticket.
Further, the license ticket carries a timestamp indicating when it was generated, and the license ticket is determined to be verified as follows:
determining whether the license ticket obtained from an intermediate server and the license ticket carried in the access token acquisition request are consistent; and
if they are consistent, extracting the timestamp from the license ticket and, if the timestamp is within the validity period, determining that the license ticket is verified.
In a fifth aspect, an embodiment of the present invention provides a terminal for logging in to an application, comprising:
an acquiring unit for obtaining the user's permission confirmation to log in to a second application, the permission confirmation indicating that the user allows the second application to be logged in with the user identity information of the first application;
a first sending unit for sending an authentication request to an authentication server, the authentication request carrying authentication encryption information of the identification information of the second application;
a first receiving unit for receiving the authentication result returned by the authentication server, the authentication result containing encryption information of the legitimacy authentication result of the second application; and
a second sending unit for, when it is confirmed from the legitimacy authentication result of the second application that the second application is legitimate, sending an access token acquisition request to a service server and sending the obtained access token to the second application, which uses the access token to obtain the user's business data from the service server and lets the user use that business data while performing the business of the second application.
Preferably, the user identity information includes account information and password information; and the authenticated encryption information is encryption information obtained by encrypting the identification information of the second application and the public key of a first key pair using the password information.
By encrypting the sensitive data with the password information the user registered on the first application, even if the resulting authenticated encryption information is stolen, the thief cannot recover the sensitive data, because the thief knows neither the decryption algorithm nor the decryption key. This ensures the security of the data in transmission.
Preferably, the authentication result further includes an access permission instruction and encryption information of the public key of a second key pair, the access permission instruction indicating that the user is allowed to access an intermediate server using the user identity information of the first application; and the terminal further includes:
a third transmission unit, configured to, before the second transmission unit sends the access token acquisition request to the business server, send a credential acquisition request for accessing the business server to the intermediate server, the credential acquisition request carrying credential encryption information, the credential encryption information being obtained by encrypting the access permission instruction using the public key of the second key pair, where the public key of the second key pair and the access permission instruction are obtained by decrypting the authentication result using the private key of the first key pair;
a second receiving unit, configured to receive a credential acquisition result sent by the intermediate server, the credential acquisition result carrying allowed-result encryption information, the allowed-result encryption information being obtained by the intermediate server encrypting a license ticket and the public key of a third key pair using the private key of the second key pair, after the intermediate server has decrypted the credential encryption information using the private key of the second key pair obtained from the authentication server and has verified the decrypted access permission instruction;
a first processing unit, configured to decrypt the allowed-result encryption information using the public key of the second key pair, and to encrypt the license ticket using the decrypted public key of the third key pair to obtain access permission encryption information;
a fourth transmission unit, configured to send the access token acquisition request carrying the access permission encryption information to the business server, so that after receiving the access token acquisition request, the business server decrypts the access permission encryption information using the private key of the third key pair obtained from the intermediate server and, once the license ticket has passed verification, allocates the access token for the second application, encrypts the access token using the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
Encrypted data is transmitted between the first application and the authentication server, the intermediate server and the business server, so that a thief who obtains the encrypted data cannot decrypt it, since the thief does not know the decryption algorithm or the decryption key. This improves the security of the transmission links, ensures the security of the user identity information, and further avoids the loss of the business data the user has recorded on the business server that would result from the user identity information being stolen.
Preferably, the terminal further includes:
a second processing unit, configured to, before the second transmission unit sends the access token to the second application and after the access permission result information is received, decrypt the access permission result information using the public key of the third key pair to obtain the access token.
Since the data on the downlink transmission link from the business server to the first application is encrypted, the first application must decrypt the access permission result information and can obtain the access token only if decryption succeeds, which ensures the security of the access token. If decryption fails, the application that received the access permission result information may be illegal; but because that application cannot decrypt the access token, it cannot use the access token to obtain the user's business data from the business server, which avoids leakage of the business data.
Preferably, the terminal further includes:
a third processing unit, configured to, before the acquiring unit acquires the license confirmation of the user for logging in to the second application, receive a key acquisition request sent by the second application; send the public key of a fourth key pair to the second application, so that the second application encrypts its identification information using the public key of the fourth key pair and sends the resulting information to be verified to the first application carried in a login request; and, after the login request is received, decrypt the information to be verified using the private key of the fourth key pair to obtain the identification information of the second application.
To prevent data loss caused by eavesdropping on the transmission link between the first application and the second application, the present invention proposes encrypting sensitive data such as the identification information of the second application when sending data to the first application, so that only encrypted data is transmitted between the second application and the first application and theft of sensitive data is avoided.
Preferably, the information to be verified further includes encryption information of the public key of a fifth key pair; and the second transmission unit is specifically configured to encrypt the access token using the decrypted public key of the fifth key pair to obtain password information, and to send the password information to the second application.
To send the acquired access token to the second application securely, the first application encrypts the access token, which avoids the access token being stolen in transmission and, in turn, avoids an illegal application using the access token to obtain business data.
In a sixth aspect, an embodiment of the present invention provides a device for logging in to an application, arranged in an authentication server, the device comprising:
an authentication unit, configured to, after an authentication request sent by a first application in a terminal is received, authenticate the identification information of a second application in the terminal carried in the authentication request;
a transmission unit, configured to return an authentication result to the first application, the authentication result including encryption information of the legitimacy authentication result of the second application in the terminal, so that, when the first application confirms according to the legitimacy authentication result that the second application is legitimate, it sends an access token acquisition request to a business server and sends the acquired access token to the second application, so that the second application obtains the user's business data from the business server using the access token and allows the user to use the business data when conducting the business of the second application; where the authentication request is sent by the first application after it obtains a license confirmation of the user for logging in to the second application, the license confirmation indicating that the user allows the second application to be logged in to using the user identity information of the first application.
In this way, after the first application obtains the license confirmation that the user allows the second application to be logged in to using the user identity information of the first application, the sensitive data sent to the authentication server is encrypted. This ensures the security of the data in transmission and avoids the prior-art problem that the data the user has recorded on the business server is stolen as a result of transmitting sensitive data in plaintext.
Preferably, the user identity information includes account information and password information, and the authenticated encryption information further includes encryption information of the public key of an acquired first key pair; and
the transmission unit is specifically configured to: determine, according to a stored correspondence between account information and password information, the password information corresponding to the account information carried in the authentication request; if the authenticated encryption information is decrypted successfully using that password information, determine that the user identity information has passed authentication; send the decrypted identification information of the second application to an open platform; receive the legitimacy authentication result of the second application from the open platform; and encrypt the legitimacy authentication result of the second application, the authentication result of the user identity information, the access permission instruction and the public key of the second key pair using the decrypted public key of the first key pair to obtain the authentication result.
By authenticating the identification information of the second application, the authentication server allows the first application to send the access token acquisition request to the business server only after authentication passes, which guarantees that only a reliable second application uses the user's business data on the business server. In addition, encrypting the data sent to the first application ensures the security of the data transmitted on the downlink transmission link between the authentication server and the first application.
In a seventh aspect, an embodiment of the present invention provides a device for logging in to an application, arranged in a business server, the device comprising:
a receiving unit, configured to receive an access token acquisition request sent by a first application in a terminal;
a transmission unit, configured to send an access token to the first application, so that the first application sends the acquired access token to a second application, and the second application obtains the user's business data from the business server using the access token and allows the user to use the business data when conducting the business of the second application; where the access token acquisition request is sent by the first application when it confirms, according to the legitimacy authentication result of the second application returned by an authentication server, that the second application is legitimate.
In this way, after the first application obtains the license confirmation that the user allows the second application to be logged in to using the user identity information of the first application, the sensitive data sent to the authentication server is encrypted. This ensures the security of the data in transmission and avoids the prior-art problem that the data the user has recorded on the business server is stolen as a result of transmitting sensitive data in plaintext.
Preferably, the access token acquisition request carries a license ticket; and the device further includes:
a processing unit, configured to verify the license ticket before the transmission unit sends the access token to the first application.
Preferably, the license ticket carries a timestamp, the timestamp indicating the generation time of the license ticket; and
the processing unit is specifically configured to determine whether the license ticket obtained from the intermediate server and the license ticket carried in the access token acquisition request are consistent; if they are consistent, extract the timestamp in the license ticket, and if the timestamp is determined to be within the validity period, determine that the license ticket has passed verification.
By performing validity verification on the license ticket, no access token is sent to the first application when the license ticket is determined to be invalid. This prevents an illegal application from obtaining an access token by holding an invalid license ticket, and thereby ensures the security of the user's business data.
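The business server's check of the license ticket described above (consistency with the ticket obtained from the intermediate server, then the timestamp window), as an added example in Go that is not code from the patent; the ticket encoding, the validity period, the clock-skew allowance and every name are assumptions made for this example.

```go
// Added example, not the patent's code: the business server's license-ticket
// verification (Fig. 5). Ticket format, field names and the windows are assumed.
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Assumed ticket encoding: "<opaque id>.<unix seconds>", the second part being
// the generation timestamp the intermediate server stamped into the ticket.
type licenseTicket struct {
	ID       string
	IssuedAt time.Time
}

var (
	errMalformed    = errors.New("license ticket: malformed")
	errInconsistent = errors.New("license ticket: not the ticket issued by the intermediate server")
	errNotYetValid  = errors.New("license ticket: generation time is in the future")
	errExpired      = errors.New("license ticket: validity period has elapsed")
)

func parseTicket(raw string) (licenseTicket, error) {
	parts := strings.SplitN(raw, ".", 2)
	if len(parts) != 2 || parts[0] == "" {
		return licenseTicket{}, errMalformed
	}
	secs, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return licenseTicket{}, errMalformed
	}
	return licenseTicket{ID: parts[0], IssuedAt: time.Unix(secs, 0).UTC()}, nil
}

// verifyLicenseTicket applies the two checks in the order the patent states:
// consistency with the copy obtained from the intermediate server, then the
// timestamp window. validity is how long a ticket stays usable after generation;
// skew tolerates small clock differences between the two servers.
func verifyLicenseTicket(fromIntermediate, fromRequest string, now time.Time, validity, skew time.Duration) error {
	// Constant-time comparison so a mismatch does not reveal how much of the
	// ticket matched; unequal lengths are handled by ConstantTimeCompare.
	if subtle.ConstantTimeCompare([]byte(fromIntermediate), []byte(fromRequest)) != 1 {
		return errInconsistent
	}
	t, err := parseTicket(fromRequest)
	if err != nil {
		return err
	}
	if t.IssuedAt.After(now.Add(skew)) {
		return errNotYetValid
	}
	if now.Sub(t.IssuedAt) > validity {
		return errExpired
	}
	return nil
}

// issueAccessToken is the decision point: no access token is produced unless the
// ticket carried in the acquisition request passed both checks. The token value
// is a constructed placeholder; the patent additionally encrypts it before sending.
func issueAccessToken(fromIntermediate, fromRequest string, now time.Time) (string, error) {
	err := verifyLicenseTicket(fromIntermediate, fromRequest, now, 5*time.Minute, 30*time.Second)
	if err != nil {
		return "", err
	}
	t, _ := parseTicket(fromRequest) // already validated above
	return "access-token-for-" + t.ID, nil
}

func main() {
	now := time.Now().UTC()
	ticket := "ticket-abc." + strconv.FormatInt(now.Add(-time.Minute).Unix(), 10)
	fmt.Println(issueAccessToken(ticket, ticket, now))         // token issued
	fmt.Println(issueAccessToken(ticket, "ticket-xyz.0", now)) // errInconsistent
	stale := "ticket-old." + strconv.FormatInt(now.Add(-time.Hour).Unix(), 10)
	fmt.Println(issueAccessToken(stale, stale, now)) // errExpired
}
```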
In an eighth aspect, an embodiment of the present invention provides an electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to perform the terminal-side method for logging in to an application provided by the present application, the authentication-server-side method for logging in to an application provided by the present application, or the business-server-side method for logging in to an application provided by the present application.
In a ninth aspect, an embodiment of the present invention provides a non-volatile computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the terminal-side method for logging in to an application provided by the present application, the authentication-server-side method for logging in to an application provided by the present application, or the business-server-side method for logging in to an application provided by the present application.
The invention has the following advantages:
In the method, system, terminal and electronic device for logging in to an application provided by embodiments of the present invention, after a first application in a terminal obtains a license confirmation that the user allows a second application to be logged in to using the user identity information of the first application, it sends to an authentication server an authentication request carrying authenticated encryption information of the identification information of the second application. When it determines, according to the authentication result returned by the authentication server, that the second application is legitimate, it obtains an access token from the business server of the first application and sends the acquired access token to the second application, so that the second application can obtain the user's business data from the business server using the access token and allow the user to use the business data when conducting the business of the second application. The present invention transmits data in encrypted form, which prevents information from being stolen in transmission and thereby ensures the security of the data the user records on the business server.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description or be understood by practising the invention. The objectives and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The drawings described herein are provided to give a further understanding of the present invention and form part of the present application; the illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1a is a first architecture diagram of a system for logging in to an application provided by an embodiment of the present invention;
Fig. 1b is a first schematic flow diagram of a method for logging in to an application, provided by an embodiment of the present invention, implemented through interaction among the devices in the system for logging in to an application shown in Fig. 1a;
Fig. 1c is a schematic diagram of the login interface of the second application provided by an embodiment of the present invention;
Fig. 1d is the authorization login interface that the first application provided by an embodiment of the present invention displays to the terminal user;
Fig. 1e is the login interface displayed to the terminal user, provided by an embodiment of the present invention, when the terminal user is not currently logged in to the first application;
Fig. 1f is a schematic diagram of the interface on which the first application provided by an embodiment of the present invention allows the terminal user to switch accounts;
Fig. 2 is a schematic flow diagram of a method for obtaining an authentication result provided by an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of sending information such as the access token to the second application, provided by an embodiment of the present invention;
Fig. 4a is a second architecture diagram of the system for logging in to an application provided by an embodiment of the present invention;
Fig. 4b is a schematic flow diagram of the method for logging in to an application, provided by an embodiment of the present invention, implemented through interaction among the devices in the system for logging in to an application shown in Fig. 4a;
Fig. 5 is a schematic flow diagram of the business server verifying the license ticket, provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the terminal-side device for logging in to an application provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of the authentication-server-side device for logging in to an application provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of the business-server-side device for logging in to an application provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of the user terminal provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of the computing device provided by an embodiment of the present invention.
Detailed description of the embodiments
To prevent the security problems caused by leakage of user identity information when a terminal user logs in to a third-party application using the user identity information of another application, embodiments of the present invention provide a method, system, terminal and electronic device for logging in to an application.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein are only used to illustrate and explain the present invention and are not intended to limit it, and that, where there is no conflict, the embodiments of the present invention and the features in the embodiments may be combined with each other.
To solve the problem addressed by the present invention, namely improving the information security of users, embodiments of the present invention propose a solution based on the architecture of the authenticated login system shown in Fig. 1a. For convenience, the present invention is described by taking as an example a terminal on which two applications are installed, one referred to as the first application and the other as the second application. When the second application is logged in to using the user identity information the terminal user registered on the first application, the transmitted data is encrypted to prevent the user identity information from being eavesdropped on or stolen. This guarantees the security of the user identity information in transmission and in turn avoids leakage of the user information the user manages on the first application. As shown in Fig. 1a, the system for logging in to an application includes an authentication server 11 and a business server 21. The system provided by embodiments of the present invention is used to control the login of the second application in the terminal using the user's user identity information on the first application. With reference to Fig. 1a, the first application corresponds to the business server 21, on which the terminal user has registered in advance using the first application; the second application has its own server 41, but no registration is held on the second application's own server 41. The main reason is that if the user had to register once for every application, registering so many accounts would place a large burden on the user's memory; therefore, in the application scenario of the present invention, the second application can perform an authorized login using the user's user identity information on the first application. It should be noted that if the terminal contains multiple second applications, a corresponding number of servers is added in Fig. 1a.
First, when the user opens the second application in the terminal and logs in to the second application using the user's user identity information on the first application, a login request is triggered. After obtaining the login request, the first application displays an authorization login interface to the user within the first application; when the user chooses to authorize the login, the first application receives the license confirmation triggered by the user for the login request and then sends an authentication request to the authentication server 11. After receiving the authentication request and completing the legitimacy authentication of the second application, the authentication server 11 issues an authentication result to the first application. After determining that the second application has passed the legitimacy authentication of the authentication server 11, the first application sends an access token acquisition request to the business server 21 corresponding to the first application. After receiving the access token acquisition request, the business server 21 sends the access token to the first application. The first application then sends the access token to the second application, so that the second application obtains the user's business data from the business server 21 using the access token and allows the user to use the business data when conducting the business of the second application; for example, the second application can use the obtained business data and the access token to log in to the server 41 of the second application.
To prevent leakage of the data the user records on the business server 21, in the embodiment of the present invention the first application encrypts the information to be carried before sending the authentication request to the authentication server 11, for example by encrypting the identification information of the second application to obtain authenticated encryption information, and then sends the authentication request carrying the authenticated encryption information to the authentication server 11. Thus, even if the authentication request is stolen while being transmitted to the authentication server 11, the thief cannot obtain the user's information, because the encryption and decryption algorithms are unknown to it, which prevents leakage of the user's information.
The user terminal is communicatively connected to the authentication server 11 and the business server 21 through a network, which may be a local area network, a wide area network, or the like. The user terminal may be a portable device (such as a mobile phone, a tablet or a laptop computer) or a personal computer (PC).
The method for logging in to an application provided by the present invention is introduced below with reference to the system architecture diagram shown in Fig. 1a. Referring to the interaction flow diagram shown in Fig. 1b, the method may include the following steps:
S11: the second application sends a communication request to the first application.
In specific implementation, when the user opens the second application on the terminal, the second application can display to the user the login interface shown in Fig. 1c; Fig. 1c shows a case in which the second application can be logged in to based on the user identity information of two first applications. When the second application can be logged in to based on multiple first applications, multiple selectable areas labelled "log in with first application" can be displayed in the login interface of the second application; when the user presses the selectable area corresponding to one "log in with first application", this indicates that the user logs in to the server 41 of the second application using the user identity information of the chosen first application. The login interface shown in Fig. 1c is only an illustrative display interface; it can be displayed in landscape or portrait orientation, depending on the attributes of the second application.
Preferably, when the user presses any "log in with first application" selectable area, a login request can be sent to the first application. To guarantee the security of sensitive data between the applications while the login request is being sent, the present invention proposes that the second application first sends a communication request to the first application, the communication request instructing the first application to issue the public key of a fourth key pair.
S12: the first application sends the acquired public key of the fourth key pair to the second application.
Preferably, the fourth key pair is generated by the first application, or is generated by the business server of the first application.
In this step, the fourth key pair can be generated by the first application and stored locally on the terminal, and the first application can then extract the public key of the fourth key pair from local storage and send it to the second application.
Storing a key locally on the terminal places higher requirements on the storage security of the terminal: the terminal may need to apply a series of processing steps to the stored key and then perform the inverse processing when extracting the key, which is cumbersome. For this reason, the embodiment of the present invention proposes that the key can be issued dynamically by the server of the first application. When this step is performed, the first application, after receiving the communication request, can send a key acquisition request to the server of the first application; after receiving the key acquisition request, the server sends the public key of the fourth key pair it generated to the first application, so that the first application sends the public key issued by the server to the second application.
Preferably, the fourth key pair can be generated using the asymmetric encryption algorithm RSA. Encrypting data with a key generated by the RSA algorithm increases the difficulty of cracking the encrypted data and ensures the security of the data transmitted downstream.
S13: the second application encrypts the identification information of the second application using the public key to obtain information to be verified.
To allow the second application to log in to its own server using the user identity information of the user on the first application, the legitimacy of the second application needs to be verified, so the second application needs to send its identification information to the first application. Preferably, the identification information can be, but is not limited to, the identity of the second application, abbreviated appid. The appid is uniquely allocated to the second application by an open platform after the second application has applied successfully on the open platform. It should be noted that any application, once its development is complete, needs to apply on an open platform before it can be used in the market; after the application succeeds, the open platform allocates a unique appid to the application. Therefore, the legitimacy of the second application can be verified with the appid, and in this step the appid of the second application can be sent to the first application as its identification information.
To guarantee the security of the data transmitted between the applications, the identification information of the second application can be encrypted using the public key of the fourth key pair returned by the first application to obtain the information to be verified.
S14: the second application sends the information to be verified to the first application carried in a login request.
In this step, to allow the business server 21 of the first application to permit the second application to access the information the user has recorded on the business server 21 based on the first application, the second application sends to the first application, carried in a login request, the information to be verified obtained in step S13, which can be used to verify the legitimacy of the second application, so that the first application learns the legitimacy of the second application from the identification information of the second application.
Preferably, when the second application sends the login request to the first application, in addition to carrying the information to be verified, it can also carry an api list of the second application in the login request. The api list contains the details of the user registered on the business server 21 of the first application that the second application requests access to; for example, the details can be, but are not limited to, the user's nickname, avatar and friend list.
Specifically, the second application can send the login request to the first application by means of a scheme jump: the second application generates a scheme identification code and sends it, carried in the login request together with the api list, to the first application, where the identification code instructs the first application to display the authorization login interface to the user.
Preferably, when the second application sends the api list, it can add the requested content of the api list to the local pasteboard (pasteBoard), then name the pasteboard storing the content of the api list, and send the name and the identification code to the first application carried in the login request.
Specifically, the second application contains an SDK toolkit, and the interface of the first application can be called through the SDK to send the login request to the first application.
S15, first are applied after receiving the logging request, using the private key of the 4th cipher key pair to the logging request
In information to be verified be decrypted, obtain it is described second application identification information.
In this step, since the information to be verified was obtained by encrypting with the public key of the 4th key pair sent by the first application, the first application, after receiving the login request, can extract the private key of the 4th key pair locally and decrypt the information to be verified with it, thereby obtaining the identification information of the second application.
If the 4th key pair is stored on the server side, the first application can send the information to be verified to the server, which decrypts the information to be verified using the public key of the 4th key pair and sends the decrypted identification information of the second application to the first application, so that the first application likewise obtains the identification information of the second application.
Specifically, after receiving the login request, the first application extracts the identification code from the login request, determines the address information of the authorization login page corresponding to the identification code in the login request according to the correspondence between identification codes and addresses, and jumps to the authorization login interface corresponding to the determined address information; see for example the authorization login interface shown in Fig. 1d.
Preferably, after receiving the login request, the first application may first obtain from the open platform, according to the decrypted identification information of the second application, the api list that the second application applied for when it registered with the open platform. After obtaining this api list, the first application looks up, according to the pasteboard name carried in the login request, the pasteboard with that name on the terminal and obtains from it the api list that the second application intends to request from service server 21 of the first application. The two api lists are then compared: if the requested api list contains an item that is not in the api list obtained from the open platform, the second application is requesting content for which it has no permission, and the first application no longer shows the authorization login interface shown in Fig. 1d. For example, the first api list that the second application intends to request from service server 21 of the first application contains the nickname, avatar, friend list and bank transaction information, but the permission the second application applied for when registering on the open platform covers only the three items nickname, avatar and friend list, i.e. the second api list of the second application that the first application obtained from the open platform contains only the nickname, avatar and friend list. The bank transaction information that the second application intends to request from service server 21 is therefore not in the second api list, which shows that the second application has no permission to obtain the terminal user's bank transaction information; the first application then does not show the authorization login interface to the user, and there is no subsequent authorized login process. Only when every item in the api list requested by the second application is included in the api list obtained from the open platform is the authorization login interface shown to the user, followed by the subsequent authorized login process.
Preferably, the login request that the second application sends to the first application may also carry information such as the title and icon of the second application, while the first application can also obtain the app information of the second application from the open platform; the app information may be, but is not limited to, the title and icon of the second application. The first application can judge whether the title, icon and similar information of the second application in the login request are consistent with the app information of the second application obtained from the open platform, and execute the follow-up process only if they are consistent. By verifying the second application comprehensively in this way, the information leakage that would result from executing the follow-up process for a forged second application is prevented.
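The api list comparison and app info check described above, as an added example in Python (not code from the patent); the data structures, field names, pasteboard model and sample values are assumptions for illustration:

```python
"""Screening of the login request by the first application (added example, not
code from the patent): read the requested api list from the named pasteboard,
compare it with the api list the second application registered on the open
platform, and compare the carried app info (title, icon) with the open platform
copy.  Data structures, names and sample values are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OpenPlatformRecord:
    """What the open platform holds for one registered second application."""
    appid: str
    registered_api_list: frozenset
    title: str
    icon: str


@dataclass(frozen=True)
class LoginRequest:
    """Fields carried in the login request of step S14, appid already decrypted."""
    appid: str
    pasteboard_name: str     # name of the pasteboard holding the requested api list
    title: str
    icon: str


@dataclass(frozen=True)
class ScreeningResult:
    show_authorization_ui: bool
    reason: str
    unauthorized_items: frozenset = field(default_factory=frozenset)


def screen_login_request(request, pasteboards, record):
    """Decide whether the first application shows the authorization login interface
    (Fig. 1d).  It is shown only when every requested api item was applied for at
    registration and the carried app info matches the open platform record."""
    requested = pasteboards.get(request.pasteboard_name)
    if requested is None:
        return ScreeningResult(False, "no pasteboard with the carried name")
    if request.appid != record.appid:
        return ScreeningResult(False, "open platform record is for a different appid")
    # api list comparison: any item outside the registered list means the second
    # application asks for content it has no permission for, so no UI is shown.
    extra = frozenset(requested) - record.registered_api_list
    if extra:
        return ScreeningResult(False, "requested api items not registered on open platform", extra)
    # app info comparison guards against a forged second application that presents
    # a valid appid together with its own title or icon.
    if (request.title, request.icon) != (record.title, record.icon):
        return ScreeningResult(False, "app info in login request differs from open platform")
    return ScreeningResult(True, "ok")


# Constructed sample data following the patent's example: the second application
# registered nickname, avatar and friend list on the open platform.
PLATFORM = OpenPlatformRecord("appid-demo-2", frozenset({"nickname", "avatar", "friend_list"}),
                              "Demo App 2", "icon-hash-demo-2")
PASTEBOARDS = {
    "pb-overreach": ["nickname", "avatar", "friend_list", "bank_transactions"],
    "pb-valid": ["nickname", "avatar"],
}
OVERREACHING = LoginRequest("appid-demo-2", "pb-overreach", "Demo App 2", "icon-hash-demo-2")
FORGED = LoginRequest("appid-demo-2", "pb-valid", "Demo App 2", "icon-hash-other")
MISSING = LoginRequest("appid-demo-2", "pb-none", "Demo App 2", "icon-hash-demo-2")
VALID = LoginRequest("appid-demo-2", "pb-valid", "Demo App 2", "icon-hash-demo-2")

if __name__ == "__main__":
    for req in (OVERREACHING, FORGED, MISSING, VALID):
        r = screen_login_request(req, PASTEBOARDS, PLATFORM)
        print(req.pasteboard_name, "->", r.show_authorization_ui, r.reason)
```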
Preferably, after receiving the login request, the first application may also send the login request to its corresponding service server, which decrypts the information to be verified. On the one hand the service server returns the decrypted data, i.e. the appid of the second application; on the other hand it sends the decrypted appid of the second application to the open platform, which authenticates the second application, while the api list and app information are obtained from the open platform.
S16, the first application shows the authorization login interface to the user.
In this step, after the api list obtained from the request of the second application passes verification by the first application, the terminal starts the first application, which displays the authorization login interface shown in Fig. 1d. For example, the nickname, avatar, particulars and basic profile on the authorization login interface shown in Fig. 1d are all contents included in the api list; when the user clicks "Authorize and log in" in Fig. 1d, this indicates that the user permits the second application to access the nickname, avatar, particulars, basic profile and other information that the user registered on service server 21 of the first application.
It should be noted that the premise for showing the authorization login interface to the user is that the user is currently logged in to the first application. If the user is not currently logged in to the first application, the login interface shown in Fig. 1e can be displayed in the first application, prompting the user to log in with pre-registered user identity information.
Preferably, some applications support multiple personas, or the user has multiple phone numbers, so the user may have registered more than one account on the first application. When the user has registered multiple accounts on the first application, the user can click "Switch account" in the upper right corner of the authorization login interface; the first application responds to the user's switch command by showing the interface of Fig. 1f, where the user can freely switch accounts, so that the second application accesses the information registered on service server 21 of the first application under the account the user switched to. For example, taking the first application being the Enterprise Point application: the user has registered two accounts on Enterprise Point, one of which is the account the user commonly uses, with more customer data recorded under it on the service server 21 corresponding to Enterprise Point, while only common customer data is recorded under the other account on service server 21. To avoid the loss of some important customer data, the user may switch to the other account to perform the subsequent authorized login process, which lets the second application access the data it needs while avoiding the loss of some very important customer data.
S17, the first application obtains the user's permission confirmation for logging in to the second application.
The permission confirmation indicates that the user allows logging in to the second application with the user identity information of the first application.
Specifically, if the user allows the second application to access the user's business data recorded on service server 21 of the first application, the user can click "Log in and authorize" on the authorization login interface shown in Fig. 1d, and the first application thereby detects the permission confirmation triggered by the user.
S18, the first application sends an authentication request to certificate server 11.
The authentication request carries the authenticated encryption information of the identification information of the second application.
Preferably, the user identity information includes account information and password information. To improve the security of the data during transmission, in this step the identification information of the second application is encrypted with the password information in the user identity information that the user registered when using the first application, and the authenticated encryption information obtained after encryption, together with the account information in the user identity information, is carried in the authentication request sent to certificate server 11. In this way, even if the authentication request is eavesdropped on during transmission, the eavesdropper does not know the encryption algorithm used for this transmission and therefore cannot decrypt the identification information of the second application, which prevents the eavesdropper from performing illegal operations with the identification information of the second application. In addition, even if the eavesdropper knows the encryption algorithm, since it cannot obtain the password information that the user registered with the first application, it still cannot decrypt the identification information and therefore cannot use it for illegal operations. This not only prevents the leakage of sensitive data such as the identification information of the second application, but also prevents the leakage of the user identity information that the user registered on the first application, guaranteeing the security of the user identity information.
Preferably, to prevent the data returned by certificate server 11 from being intercepted because it is unencrypted, the present invention proposes that, while obtaining the authenticated encryption information, the first application obtains the public key of the first key pair and then encrypts the identification information of the second application together with the public key of the first key pair using the password information, obtaining the authenticated encryption information. After successfully decrypting the authenticated encryption information, certificate server 11 then encrypts the returned data with the decrypted public key of the first key pair, which guarantees the security of the transmitted downlink data.
After obtaining the authenticated encryption information, the first application carries the authenticated encryption information and the account information in the authentication request sent to certificate server 11. Specifically, although the first application transmits the account information in plaintext, an eavesdropper that obtains the account information still cannot decrypt the authenticated encryption information, since it knows neither the encryption and decryption algorithm nor the password information; the security of the user identity information is therefore also guaranteed.
S19, after receiving the authentication request, certificate server 11 authenticates the identification information of the second application carried in the authentication request.
S110, certificate server 11 returns the authentication result to the first application.
The authentication result contains the encrypted information of the legitimacy authentication result of the second application on the terminal.
In steps S19 and S110 of the present invention, after receiving the authentication request, certificate server 11 can obtain the authentication result by the method shown in Fig. 2, which may include the following steps:
S21, certificate server 11 determines the password information corresponding to the account information carried in the authentication request according to the stored correspondence between account information and password information.
In this step, certificate server 11 can, according to the account information carried in the authentication request, determine from the locally stored correspondence between account information and password information the password information corresponding to the account information carried in the authentication request.
It should be noted that certificate server 11 may store the account information and password information of a user for multiple applications, and each application assigns the user an account in a different format or with a different number of digits when the user registers. For example, certificate server 11 stores the user identity information that the user registered with applications such as WeChat, QQ and Enterprise Point respectively, i.e. certificate server 11 maintains multiple different lists of correspondences between account information and password information. To speed up verification of the user's identity, when the user registers on these applications the server assigns the user account information whose format or number of digits differs between applications; in this way, when the account information is obtained from the authentication request it is easy to determine from its format which application the account information belongs to, and the password information corresponding to the account information in the authentication request is then looked up in the correspondence list of that application, so that the password information corresponding to the account information can be found quickly.
S22, certificate server 11 determines, according to the password information, that the user identity information is authenticated if it successfully decrypts the authenticated encryption information.
Specifically, after determining the password information, certificate server 11 can decrypt the authenticated encryption information according to a preset decryption algorithm. Successful decryption indicates that the password information used to produce the authenticated encryption information is consistent with the determined password information, so the authentication of the user identity information that the user registered on the first application passes.
S23, certificate server 11 sends the decrypted identification information of the second application to the open platform.
In this step, based on the decryption process of step S22, the identification information of the second application is obtained from the authenticated encryption information upon successful decryption. To verify the legitimacy of the second application, the identification information is then sent to the open platform.
S24, the open platform verifies the legitimacy of the second application and sends the legitimacy authentication result to certificate server 11.
In this step, the open platform assigns an appid to each application that registers with it, and the appid uniquely identifies the application. Therefore, when the identification information of the second application carried by the first application is the appid, the open platform verifies this identification information as follows: if the open platform finds the appid in the list of appids it has assigned, this indicates that the second application is registered on the open platform, so the second application is legitimate, i.e. the authentication of the second application passes.
Further, to guarantee the reliability of the open platform's verification of the legitimacy of the second application, the second application may carry multiple pieces of information for verifying its legitimacy: in addition to the appid it may also carry its title, application time and the like as identification information to be sent to certificate server 11, so that certificate server 11 can send multiple pieces of identification information for authenticating the legitimacy of the second application to the open platform, which can then authenticate the second application comprehensively. Only when all of the multiple pieces of information received are consistent with the information about the second application stored on the open platform is the second application shown to be legitimate, which improves the reliability of the verification result. When the confidence of the legitimacy verification of the second application increases, subsequently permitting the second application to access the business information on service server 21 of the first application also reduces the risk of business information being leaked.
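The authentication request of step S18 and the certificate server's steps S21 to S24 (account-format routing, password-based decryption, and open platform verification of the appid plus any extra fields), as an added example in Python, not code from the patent. The patent does not name its password-based cipher; the PBKDF2/HMAC construction below is a stand-in written for this example, and the account formats, application names, the placeholder for the first key pair's public key and all sample data are constructed assumptions:

```python
"""Certificate server 11 side of steps S21 to S24 (added example, not code from
the patent).  The password-based authenticated encryption (PBKDF2 key, HMAC-SHA256
keystream and tag) is a stand-in for the unnamed algorithm in the patent; the
account formats, application names and sample data are constructed assumptions."""
import hashlib
import hmac
import json
import os
import re

# S21: the server tells applications apart by the format of the account (assumed formats).
ACCOUNT_FORMATS = {
    "wechat": re.compile(r"^wx_[a-z0-9]{6,}$"),
    "qq": re.compile(r"^[1-9][0-9]{4,9}$"),
    "enterprise_point": re.compile(r"^ep-[0-9]{8}$"),
}

# One account -> password list per application, as certificate server 11 stores them.
CREDENTIAL_LISTS = {
    "wechat": {"wx_alice01": "wx-pass-1"},
    "qq": {"123456789": "qq-pass-1"},
    "enterprise_point": {"ep-20180001": "ep-pass-1"},
}

# Open platform records: appid -> registered title and application time (constructed).
OPEN_PLATFORM = {"appid-demo-2": {"title": "Demo App 2", "apply_time": "2018-03-01"}}


def _derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key, salt, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, salt + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]


def password_encrypt(password, plaintext):
    """Stand-in for 'encrypt with the password information': salt || tag || ciphertext."""
    salt = os.urandom(16)
    key = _derive_key(password, salt)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, salt, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return salt + tag + ct


def password_decrypt(password, blob):
    """Return the plaintext, or None when the password does not match (S22 failure)."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = _derive_key(password, salt)
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, "sha256").digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, salt, len(ct))))


def lookup_password(account):
    """S21: route by account format, then search only that application's list."""
    for app, pattern in ACCOUNT_FORMATS.items():
        if pattern.match(account):
            return CREDENTIAL_LISTS[app].get(account)
    return None


def open_platform_verify(ident):
    """S24: the appid must be assigned, and every extra field carried must match."""
    record = OPEN_PLATFORM.get(ident.get("appid"))
    if record is None:
        return False
    return all(record.get(k) == v for k, v in ident.items() if k != "appid")


def build_request(account, password, ident, first_pub="first-keypair-pub-placeholder"):
    """S18 as sent by the first application: account in the clear, identification
    information and the first key pair's public key encrypted with the password."""
    blob = password_encrypt(password, json.dumps({"ident": ident, "first_pub": first_pub}).encode())
    return {"account": account, "auth_enc": blob}


def authenticate(request):
    """Steps S21 to S24 for one authentication request {'account', 'auth_enc'}."""
    password = lookup_password(request["account"])
    if password is None:
        return {"user_ok": False, "app_ok": False}
    plain = password_decrypt(password, request["auth_enc"])
    if plain is None:                      # S22: wrong password, decryption fails
        return {"user_ok": False, "app_ok": False}
    payload = json.loads(plain)
    app_ok = open_platform_verify(payload["ident"])   # S23/S24
    # first_pub is what S25 would use to encrypt the returned authentication result.
    return {"user_ok": True, "app_ok": app_ok, "first_pub": payload["first_pub"]}


if __name__ == "__main__":
    req = build_request("ep-20180001", "ep-pass-1", {"appid": "appid-demo-2", "title": "Demo App 2"})
    print(authenticate(req))
```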
S25, certificate server 11 encrypts the legitimacy authentication result obtained from the open platform using the decrypted public key of the first key pair, obtaining the authentication result.
To guarantee the security of the data on the downlink transmission link between certificate server 11 and the first application, certificate server 11 can encrypt the legitimacy authentication result of the second application with the decrypted public key of the first key pair to obtain the authentication result. Even if a forged application exists and steals the authentication result, it cannot successfully decrypt the authentication result, since it knows neither the decryption algorithm nor the decryption key, which increases the security of the data during transmission.
S111, when the first application confirms, according to the legitimacy authentication result of the second application, that the second application is legitimate, it sends an access token acquisition request to service server 21.
In this step, after the first application receives the authentication result, since the authentication result was encrypted with the public key of the first key pair that the first application sent to certificate server 11, the first application can decrypt the authentication result with the private key of the first key pair and obtain the legitimacy authentication result of the second application.
One possible embodiment is that, if the second application is determined to be legitimate according to its legitimacy authentication result, the first application can directly send the access token acquisition request to service server 21 of the first application, i.e. execute step S112; this embodiment keeps the process simple while still ensuring security.
Another possible embodiment is that, to increase the security of the process of logging in to the application, the embodiment of the present invention proposes setting an intermediate server in the system for logging in to the application. When certificate server 11 returns the authentication result to the first application, it can carry an access permission credential in the authentication result, which indicates that the first application may access the intermediate server. The intermediate server performs further authentication and issues a license ticket to the first application, and only by carrying the license ticket can the first application send the access token acquisition request to its corresponding service server 21; this further guarantees the security of the login process. For details, refer to Fig. 4a and 4b.
S112, after receiving the access token acquisition request, service server 21 sends an access token to the first application.
After receiving the access token acquisition request sent by the first application, service server 21 learns that certificate server 11 has passed the authentication of the user identity information and of the legitimacy of the second application, and can therefore send an access token to the first application.
Further, when the first application sends the access token acquisition request to service server 21, it may also transmit the identification information of the second application together with the license ticket to service server 21, so that service server 21 knows which second application it is assigning an access token to. Since multiple second applications may use the information on service server 21 of the same first application, the identification information of the second application can be sent to service server 21 to distinguish between the second applications. Service server 21 can then record the correspondence between the access token it assigns and the identification information of the second application, so that when it next receives an access request from the second application on the terminal it can quickly verify the access token of the second application.
Preferably, when sending the access token to the first application, service server 21 can also send an openid that identifies the access token; access tokens and openids correspond one to one. For example, access token 1 assigned to second application 1 corresponds to openid1, access token 2 assigned to second application 2 corresponds to openid2, and so on. When the second application sends an access request to service server 21 to obtain business data, it carries the openid of the access token, so that service server 21 can quickly find the access token corresponding to the openid locally and then compare the found access token with the access token sent by the second application; if they are consistent, it returns the required business data to the second application.
S113, the first application sends the obtained access token to the second application.
Preferably, when the second application encrypts its identification information in step S13, it may also encrypt the obtained public key of the 5th key pair, obtaining the information to be verified, and send the obtained information to be verified to the first application; when executing the decryption process of step S15, the first application also decrypts the public key of the 5th key pair. To guarantee the security of the first application sending the access token to the second application, the first application can send the access token and related information to the second application according to the process shown in Fig. 3. Taking as an example the first application obtaining the access token, openid and encrytoken from service server 21, the process may include the following steps:
S1131, the first application encrypts the access token, openid and encrytoken using the public key of the 5th key pair to obtain the ciphertext information.
Specifically, the 5th key pair can be generated locally by the second application on the terminal and stored locally on the terminal, or it can be generated on the service side. When it is generated locally, attention must be paid to the security of its storage; when it is generated on the server side, since server-side security is relatively high, problems such as leakage of the key pair need not be a concern.
Preferably, when executing step S1131, the first application can write the obtained access token, openid and encrytoken into the pasteboard (pasteBoard), store it and name it, and then in this step only needs to encrypt the name of the pasteBoard that stores the access token and related information to obtain the ciphertext information, which is then sent to the second application; this avoids transmitting important data directly.
S1132, the first application sends the ciphertext information to the second application.
In this step, the scheme jump mode can likewise be used to jump to the application interface of the second application. Specifically, when the second application sends the login request to the first application in step S14, in addition to carrying the identification code it can also carry the address information of the login interface of the second application; the first application can generate a new identification code based on that identification code and then establish a correspondence between the new identification code and the address information of the login interface. When the ciphertext information needs to be sent to the second application, the address of the login interface is determined from the new identification code, and the scheme jump then jumps to the login interface of the second application corresponding to that address, thereby sending the ciphertext information to the second application both quickly and conveniently.
S1133, the second application decrypts the ciphertext information using the private key of the 5th key pair to obtain the access token, openid and encrytoken.
After the second application receives the ciphertext information, if the 5th key pair is stored locally, it can extract the private key of the 5th key pair locally and decrypt the ciphertext information with it, thereby obtaining the access token and related information. If the 5th key pair was generated and is stored on the server side, the second application can send the ciphertext information to the server, which decrypts the ciphertext information to obtain the access token and related information and sends them to the second application.
Preferably, when what is decrypted from the received ciphertext information is the name of the pasteboard that stores the access token and related information, the second application can find the corresponding pasteboard by that name and then obtain the access token and related information from the pasteboard.
Specifically, once the second application has obtained the access token, service server 21 of the first application has completed the authorization of the second application, and when the second application needs to obtain the user's business data on service server 21, it can obtain it by carrying the access token.
Preferably, the asymmetric encryption algorithm RSA can be used to generate the 5th key pair, which increases the difficulty of cracking and improves the security of data transmission.
S114, the second application sends a business data acquisition request to service server 21, and the business data acquisition request carries the access token.
In this step, the second application can use the access token to access the business data that the user stored on service server 21 when using the first application.
When using the access token to obtain business data, the second application can encrypt the identifier of the information it needs to obtain together with the access token and openid using the encrytoken, and send the encrypted information to service server 21.
After service server 21 receives the encrypted information, it decrypts it with the private key of the encrytoken and thereby obtains the identifier of the information the second application needs and the access token. After decrypting the access token and related information, service server 21 first uses the openid to look up the stored access token locally; if it determines that the stored access token is consistent with the decrypted access token, it then uses the openid to look up the expire_in corresponding to the access token and verifies the validity of the access token according to the expire_in. If the access token is within its validity period, service server 21 further looks up the information corresponding to the decrypted identifier. When returning the information corresponding to the identifier to the second application, service server 21 also needs to encrypt it with the private key of the encrytoken, which guarantees the security of the information in both transmission directions and avoids leaking the business data the user stored on service server 21. After the second application receives the returned business data, it needs to decrypt the returned information with the public key of the encrytoken to obtain the business data it needs.
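The token issuance with a one-to-one openid of step S112 and the openid lookup, token comparison and expire_in check of step S114, as an added example in Python, not code from the patent. The encrytoken encryption of the request and response is left out; the class, field names, token lifetime and sample business data are constructed assumptions:

```python
"""Service server 21 side of steps S112 and S114 (added example, not code from the
patent): issue an access token paired with a fresh openid and an expire_in for one
second application, record which appid it was issued to, and verify business data
requests by openid lookup, token comparison and expiry check.  The encrytoken
encryption of the request and response is omitted; names and data are assumptions."""
import hmac
import secrets
import time


class ServiceServer:
    def __init__(self, token_lifetime=3600, clock=time.time):
        self.token_lifetime = token_lifetime   # seconds an access token stays valid
        self.clock = clock                     # injectable for deterministic tests
        self.tokens = {}   # openid -> {"access_token", "appid", "expire_in"}
        # Constructed user business data keyed by the identifier the second
        # application asks for (the items of the api list).
        self.business_data = {
            "nickname": "alice",
            "avatar": "avatar-001.png",
            "friend_list": ["bob", "carol"],
        }

    def issue_access_token(self, appid):
        """S112: a new access token and a one-to-one openid for the requesting
        second application; the absolute expiry is recorded as expire_in."""
        openid = "openid-" + secrets.token_hex(8)
        token = secrets.token_urlsafe(24)
        self.tokens[openid] = {
            "access_token": token,
            "appid": appid,                    # which second application it was issued to
            "expire_in": self.clock() + self.token_lifetime,
        }
        return {"access_token": token, "openid": openid}

    def handle_business_request(self, openid, access_token, identifier):
        """S114: find the stored token by openid, compare it with the carried token,
        check expire_in, and only then look up the requested identifier."""
        entry = self.tokens.get(openid)
        if entry is None:
            return {"error": "unknown openid"}
        if not hmac.compare_digest(entry["access_token"], access_token):
            return {"error": "access token mismatch"}
        if self.clock() >= entry["expire_in"]:
            return {"error": "access token expired"}
        if identifier not in self.business_data:
            return {"error": "unknown identifier"}
        return {"data": self.business_data[identifier], "appid": entry["appid"]}


if __name__ == "__main__":
    server = ServiceServer(token_lifetime=60)
    issued = server.issue_access_token("appid-demo-2")
    print(server.handle_business_request(issued["openid"], issued["access_token"], "nickname"))
    print(server.handle_business_request(issued["openid"], "not-the-token", "nickname"))
```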
S115, service server 21 returns the user's business data to the second application and allows the user to use the business data when conducting the business of the second application.
By implementing the method for logging in to an application provided by the present invention, the first application shows the authorization login interface to the terminal user according to the login request, triggered by the second application, for logging in with the terminal user's user identity information on the first application. After the permission confirmation that the terminal user triggers for the login request is detected, the identification information of the second application is encrypted in order to guarantee the security of the information during transmission, and the obtained authenticated encryption information together with the account information in the user identity information is carried in the authentication request sent to certificate server 11. Certificate server 11 authenticates the legitimacy of the second application and sends the authentication result to the first application, so that when the first application determines from the legitimacy authentication result of the second application that the second application is legitimate, it obtains an access token from service server 21 of the first application and sends the obtained access token to the second application; the second application then uses the access token to obtain the user's business data from service server 21 and allows the user to use the business data when conducting the business of the second application. Since sensitive data is encrypted when the authentication request is transmitted, the security of the data during transmission is guaranteed.
Preferably, the system for logging in to an application further includes intermediate server 31, as shown in Fig. 4a. The system of Fig. 4a extends the system of Fig. 1a with intermediate server 31. The user terminal and intermediate server 31 are communicatively connected via a network, which can be a local area network, a wide area network, etc. The user terminal can be a portable device (such as a mobile phone, tablet or notebook computer) or a personal computer (PC). The method for logging in to an application realized through the interaction of the devices in the system shown in Fig. 4a can be as shown in Fig. 4b. It should be noted that, compared with the process for logging in to an application shown in Fig. 1b, the difference when intermediate server 31 participates is that the content of the authentication result obtained by certificate server 11 is different, and therefore the subsequently executed process is correspondingly different. Only the differing process is illustrated in Fig. 4b; the identical part can be implemented with reference to steps S11~S19 in Fig. 1b.
Preferably, the authentication result returned by certificate server 11 to the first application further includes the encrypted information of the legitimacy authentication result of the user identity information, an access permission indication, and the public key of the 2nd key pair, where the access permission indication is used to indicate that the user is allowed to access intermediate server 31 using the user identity information of the first application.
In this step, after determining that the user identity information and the second application pass authentication, certificate server 11 sends the first application an indication that the user can access intermediate server 31 with the first application; this indication is equivalent to a ticket, and the first application may access intermediate server 31 after obtaining this ticket. To avoid data leakage during transmission, certificate server 11 can encrypt the access permission indication with the public key of the first key pair decrypted in step S22, obtaining the authentication result. When the authentication result is transmitted, even if it is stolen, the thief knows neither the decryption algorithm nor the private key needed for decryption and therefore cannot illegally obtain the access permission indication and the like, which also prevents a thief from stealing the information the user registered on service server 21 of the first application.
Further, because the access permission indication sent to the first application is used to inform the first application that it may access the intermediate server 31, the first application must send a request to the intermediate server 31 when it wants the service server 21 to permit the second application to access the business data recorded there, and that transmission is also very likely to be monitored. Therefore, to guarantee the security of the data transmitted between the first application and the intermediate server 31, the certificate server 11 may, when sending the authentication result and other information to the first application, encrypt the public key of the second key pair with the public key of the first key pair and carry it in the authentication result sent to the first application.
Because encrypted data is transmitted between the certificate server 11 and the first application, and the public key used for encryption is the public key of the first key pair obtained by the legitimate first application, a forged application, even if one exists, cannot decrypt the authentication result returned by the certificate server 11 should it steal it, since the forged application knows neither the decryption algorithm nor the private key of the first key pair. This increases the security of the data in transit. Further, because the forged application cannot decrypt the access permission ticket, it cannot carry out the subsequent steps, which also prevents the leakage of the information the user stores on the service server 21.
S31. The first application decrypts the received authentication result using the private key of the first key pair and obtains the access permission indication.
After decrypting the authentication result issued by the certificate server 11, the first application can obtain the legitimacy authentication result of the user identity information, the legitimacy authentication result of the second application, the access permission indication and the public key of the second key pair. If it determines that both the legitimacy authentication result of the user identity information and that of the second application are "authentication passed", it can use the access permission indication to obtain from the intermediate server 31 the license ticket for accessing the service server 21.
S32. The first application encrypts the access permission indication using the decrypted public key of the second key pair and obtains credential encryption information.
In this step, after the first application in the terminal obtains the access permission indication, to prevent the access permission indication from being stolen in transit it encrypts the access permission indication with the public key of the second key pair decrypted in step S31 and obtains credential encryption information. Even if the information is stolen in transit, the thief cannot decrypt it, since the thief knows neither the decryption algorithm nor the private key for decryption, which ensures the security of the data in transit.
S33. The first application sends the intermediate server 31 a credential acquisition request for accessing the service server 21; the credential acquisition request carries the credential encryption information.
S34. The intermediate server 31 receives the second key pair issued by the certificate server 11.
S35. The intermediate server 31 decrypts the credential encryption information carried in the received credential acquisition request using the private key of the second key pair, and verifies the decrypted access permission indication.
In steps S33 to S35, the first application in the terminal needs to obtain the license ticket for accessing the service server 21, so it sends the credential encryption information to the intermediate server 31. Because what the intermediate server 31 receives is encrypted information, it needs to decrypt it. Specifically, when the certificate server 11 obtains the second key pair, in addition to sending the public key of the second key pair to the first application, it also needs to send the second key pair and the access permission indication sent to the first application to the intermediate server 31, so that the intermediate server 31 can decrypt the credential encryption information with the private key of the second key pair and obtain the access permission indication. After obtaining the access permission indication, the intermediate server 31 may compare the decrypted access permission indication with the access permission indication issued by the certificate server 11; if they are consistent, the access permission indication is determined to have passed verification.
Further, when the first application sends the access permission indication to the intermediate server 31, it may also carry the legitimacy authentication results that the certificate server 11 gave for the user identity information and for the second application; when the intermediate server 31 determines that these authentication results are "authentication passed", the access permission indication passes verification.
It is worth noting that the transmission network between the certificate server 11 and the intermediate server 31 is an intranet, whose security is relatively high, so the certificate server 11 does not need to encrypt the second key pair and the access permission indication when sending them to the intermediate server 31; the security of the data is still guaranteed.
S36. If the intermediate server 31 verifies the access permission indication successfully, it encrypts the license ticket and the obtained public key of the third key pair using the private key of the second key pair, and obtains permission result encryption information.
Here, the license ticket is issued by the intermediate server 31 for the first application.
It is worth noting that different first applications receive different license tickets from the intermediate server 31. For example, if the first application is the enterprise point application, the intermediate server 31 issues the enterprise point application a license ticket allowing it to access the service server corresponding to the enterprise point application; if the first application is the WeChat application, the intermediate server 31 issues the WeChat application a license ticket allowing it to access the service server corresponding to the WeChat application.
After the intermediate server 31 determines, based on step S35, that the access permission indication has passed verification, it can determine for the first application the license ticket with which it may access its corresponding service server 21.
To guarantee the security of the license ticket transmitted downlink to the first application, the intermediate server 31 may encrypt the license ticket with the private key of the second key pair issued by the certificate server 11 and then send it to the first application.
Further, after obtaining the license ticket, the first application sends an access token acquisition request to its corresponding service server 21. To guarantee the security of the data transmitted between the first application and the service server 21, the service server 21 may have the public key of a locally generated third key pair encrypted together with the license ticket, which guarantees the security of the subsequent transmission between the first application and the service server 21.
S37. The intermediate server 31 carries the permission result encryption information in a credential acquisition result and sends it to the first application.
S38. After the first application successfully decrypts, using the public key of the second key pair, the permission result encryption information carried in the received credential acquisition result, it encrypts the license ticket using the decrypted public key of the third key pair and obtains access permission encryption information.
In this step, after obtaining the permission result encryption information, the first application can decrypt it with the public key of the second key pair decrypted in step S31, thereby obtaining the license ticket for accessing the service server 21. To guarantee the security of the license ticket transmitted to the service server 21, the first application may encrypt the license ticket with the decrypted public key of the third key pair and obtain the access permission encryption information. Even if the access permission encryption information is stolen in transit, the thief cannot decrypt it successfully, since the thief knows neither the decryption algorithm nor the decryption key, which ensures the security of the license ticket.
S39. The first application carries the access permission encryption information in an access token acquisition request and sends the access token acquisition request to the service server 21.
In this step, the first application sends the encrypted access permission encryption information to the service server 21 corresponding to the first application, which avoids leaking the information in transit.
S310. After receiving the access token acquisition request, the service server 21 decrypts the access permission encryption information in the access token acquisition request using the private key of the third key pair issued by the intermediate server 31, and obtains the license ticket.
In this step, because the access permission encryption information is encrypted with the public key of the third key pair generated by the intermediate server 31, and the intermediate server 31 sends the public key of the third key pair to the first application in step S36, the intermediate server 31 can send the third key pair and the determined license ticket to the service server 21. Since transmission between the servers takes place over an intranet, whose security is relatively high, the third key pair and the determined license ticket do not need to be transmitted encrypted and their security is still guaranteed.
After the service server 21 receives the third key pair issued by the intermediate server 31, it decrypts the access permission encryption information with the private key of the third key pair and obtains the license ticket.
S311. If the service server 21 verifies the license ticket successfully, it allocates a unique access token for the second application.
Specifically, after obtaining the license ticket, the service server 21 may verify the license ticket according to the method shown in Fig. 5, which may include the following steps:
S41. Determine whether the license ticket issued by the intermediate server 31 is consistent with the decrypted license ticket; if so, execute step S42, otherwise execute step S45.
The service server 21 determines, according to the license ticket for the first application issued by the intermediate server 31, whether it is identical to the license ticket sent by the first application; if they are identical, the license ticket is shown to be legitimate and authentic, and step S42 is executed.
S42. Extract the timestamp in the license ticket.
To protect the security of the user identity information, a requirement is placed on the timeliness of the license ticket. Therefore, after receiving the license ticket, even if the license ticket is legitimate, its timeliness still needs to be verified, so the timestamp must be extracted from the license ticket; the timestamp is the generation time of the license ticket.
S43. Determine whether the timestamp is within the validity period; if so, execute step S44, otherwise execute step S45.
After obtaining the generation time of the license ticket in step S42, whether the timestamp is within the validity period can be determined. Specifically, it can be judged whether the timestamp is earlier than the current system time; if it is, the time difference between the timestamp and the current system time is further determined, and it is judged whether that time difference is less than a preset threshold. If so, the timestamp is determined to be within the validity period; otherwise the timestamp is determined to have expired. If a license ticket were valid indefinitely, a malicious party who spent the time to crack and obtain the license ticket could also access the service server 21, which likewise carries a risk of information leakage. With a validity period set, even if the malicious party cracks and obtains the license ticket, the license ticket may already be invalid by the time it is obtained, which also guarantees the security of the business data that the user records on the service server 21.
S44. Determine that the license ticket has passed verification.
When the license ticket sent by the terminal is consistent with the license ticket issued by the intermediate server 31 and the timestamp of the license ticket is within the validity period, the license ticket is determined to have passed verification.
S45. Determine that the license ticket has failed verification.
If the judgment result of either step S41 or step S43 is no, the license ticket is characterized as having failed verification.
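The check of steps S41 to S45 written out as code. This is an added illustration, not code from the patent: the JSON ticket format, the one-minute validity window, the constant-time comparison and all function names are assumptions; the patent only fixes the order of the judgments.

```python
"""Worked example of the license-ticket check in steps S41 to S45.

Added illustration, not code from the patent: the ticket format, the
constant-time comparison and the names below are assumptions.
"""
import hmac
import json

# Assumed validity window (the patent's "preset" threshold); one minute here.
TICKET_VALIDITY_SECONDS = 60.0


def make_license_ticket(app_id: str, issued_at: float) -> str:
    """Constructed ticket format: JSON carrying the application id and the
    generation timestamp that S42 extracts."""
    return json.dumps({"app": app_id, "ts": issued_at}, sort_keys=True)


def timestamp_is_valid(ts: float, now: float,
                       validity: float = TICKET_VALIDITY_SECONDS) -> bool:
    """S43: the timestamp must lie before the current time and the gap
    must be smaller than the preset validity window."""
    if ts >= now:          # a ticket dated in the future is rejected
        return False
    return (now - ts) < validity


def verify_license_ticket(issued_ticket: str, received_ticket: str,
                          now: float) -> bool:
    """Returns True only when S41 and S43 both succeed (S44); any failed
    judgment is S45."""
    # S41: the ticket the intermediate server issued must match the one
    # decrypted from the request; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(issued_ticket.encode(), received_ticket.encode()):
        return False
    # S42: extract the generation time; a malformed ticket fails (S45).
    try:
        ts = float(json.loads(received_ticket)["ts"])
    except (ValueError, KeyError, TypeError):
        return False
    # S43: freshness check.
    return timestamp_is_valid(ts, now)


if __name__ == "__main__":
    issued = make_license_ticket("first-app", issued_at=1_000_000.0)
    print(verify_license_ticket(issued, issued, now=1_000_030.0))  # True
```

The future-dated case is not spelled out in the patent's flow but follows from the first half of S43 (timestamp earlier than the current time), so the example rejects it rather than treating it as fresh.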
Further, after the license ticket sent by the first application passes the verification of the service server 21, the second application can be permitted to access the information that the user stores on the service server 21 based on the first application, for which an access token needs to be allocated to the second application. In this way, after obtaining the access token, the second application may access the information recorded on the service server 21.
It should be noted that when the first application sends the access token acquisition request to the service server, it may likewise carry the identification information of the second application; its specific use may refer to the description of step S112 and is not repeated here. Similarly, when the service server returns the access token to the first application, it may also send an openid identifying the access token; the use of the openid may also refer to step S112 and is not detailed here.
S312. The service server 21 encrypts the access token using the private key of the third key pair and obtains access permission result information.
In this step, to guarantee the security of the data transmitted downlink from the service server 21 to the first application, when sending the access token the service server 21 may encrypt the access token with the private key of the third key pair obtained from the intermediate server 31 and obtain access permission result information. Thus, even if the access permission result information is stolen in transit, the thief cannot decrypt it successfully, since the thief knows neither the decryption algorithm nor the decryption key, so the thief cannot use the access token to obtain the business data the user stores on the service server 21, and the user's business data is not leaked.
Further, if the service server 21 has sent an openid to the second application, the openid may also be encrypted together with the access token.
Further, to guarantee the security of the transmission link between the second application and the service server 21, the service server 21 may send a crypto token, encrytoken, to the second application through the first application, encrypting the crypto token together with the openid and the access token and sending them to the second application, so that when the second application sends data to the service server 21 it encrypts the data with the crypto token before transmitting, which guarantees the security of the data.
Preferably, the access token also has a validity period: when allocating the access token for the second application, the service server 21 also sets a validity evaluation parameter expire_in for the access token, so that when the second application later carries the access token to obtain business data from the service server 21, the validity of the access token is verified using expire_in. The specific procedure may refer to the procedure for verifying the license ticket and is not repeated here. In addition, existing validity verification methods may also be used in the embodiments of the present invention; the invention does not limit this.
S313. The service server 21 sends the access permission result information to the first application.
In this step, the service server 21 sends the access permission result information encrypted in step S312 to the first application. Even if the access permission result information is stolen, the thief cannot obtain the decryption algorithm or the decryption key and so cannot decrypt it successfully, which ensures the security of the information in transit.
S314. The first application decrypts the received access permission result information using the public key of the third key pair and obtains the access token.
After obtaining the access permission result information, the first application can decrypt it with the public key of the third key pair decrypted in step S38 and, after successful decryption, extract the access token. If the openid and encrytoken were also encrypted in step S312, the openid and encrytoken can also be decrypted in this step.
S315. The first application sends the decrypted access token to the second application.
The implementation of this step may refer to step S113 and is not detailed here.
S316. The second application obtains the business data of the user from the service server 21 according to the access token.
Specifically, suppose the second application obtains from the service server 21 the buddy list that the user recorded on the service server 21 using the first application, and the buddy list is identified by the mark "1". The second application encrypts the mark "1", the access token and the openid with the public key of encrytoken and sends them to the service server 21. After receiving the above information, the service server 21 first decrypts it with the private key of encrytoken; after successful decryption it verifies the access token using the openid according to the description of step S114; after verification passes, it determines, according to the mark "1", the buddy list the user recorded on the service server 21; it then encrypts the buddy list with the private key of encrytoken and sends the encrypted buddy list to the second application.
S317. The second application logs in to the server 41 of the second application using the access token and the business data.
In this step, when the second application logs in to its corresponding server 41 using the access token and the business data, it may call the third-party login interface of the second application to send a login request to the server 41; the login request carries information such as the access token, the openid and the business data. The server 41 may use a third-party application programming interface (API) to obtain the user identity information of the first application, then automatically create an account that meets the second application's requirements for accounts and initialize the created account with the business data, which may be, but is not limited to, the avatar, nickname and so on. At the same time it returns to the second application a piece of user identity information containing the nickname, avatar and similar information, which indicates that the second application has successfully logged in to its own server 41.
Step S317 is only an exemplary embodiment; the second application may also perform other operations with the business data obtained from the service server 21, which are not enumerated here.
In addition, the present invention separates the certificate server, the service server and the intermediate server; only the corresponding permission needs to be added to the SDK of the second application in the terminal for the second application to develop more functions of the first application, which gives strong scalability.
Preferably, the first application may be, but is not limited to, WeChat, QQ, the enterprise point application and so on.
Preferably, the first, second and third key pairs in the embodiments of the present invention may be obtained using the asymmetric RSA algorithm or using the md5 algorithm.
In the method for logging in to an application provided by the embodiments of the present invention, the first application transmits encrypted data to the certificate server, the intermediate server and the service server by means of encryption; even after a thief obtains the encrypted data, it cannot decrypt it because it has no way of knowing the decryption algorithm or the decryption key, which improves the security of the transmission link and thus also ensures the security of the user identity information.
Based on the same inventive concept, an embodiment of the present invention further provides a device, on the terminal side, for logging in to an application. Since the principle by which this device solves the problem is similar to that of the terminal-side method for logging in to an application, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
As shown in Fig. 6, the structural schematic diagram of the terminal-side device for logging in to an application provided by an embodiment of the present invention includes:
Acquiring unit 51, configured to obtain a permission confirmation that the user logs in to the second application, the permission confirmation being used to indicate that the user allows the second application to be logged in to with the user identity information of the first application;
First sending unit 52, configured to send an authentication request to the certificate server, the authentication request carrying the authenticated encryption information of the identification information of the second application;
First receiving unit 53, configured to receive the authentication result returned by the certificate server, the authentication result containing the encryption information of the legitimacy authentication result of the second application;
Second sending unit 54, configured to send an access token acquisition request to the service server when the second application is confirmed legitimate according to the legitimacy authentication result of the second application, and to send the obtained access token to the second application, so that the second application obtains the business data of the user from the service server using the access token and allows the user to use the business data when carrying out the business of the second application.
Preferably, the user identity information includes account information and password information; and
the authenticated encryption information is the encryption information obtained by encrypting the identification information of the second application and the public key of the first key pair using the password information.
Preferably, the authentication result also includes an access permission indication and the encryption information of the public key of the second key pair, the access permission indication being used to indicate that the user is allowed to access the intermediate server using the user identity information of the first application; and the device further includes:
Third sending unit, configured to send, before the second sending unit sends the access token acquisition request to the service server, a credential acquisition request for accessing the service server to the intermediate server, the credential acquisition request carrying credential encryption information, where the credential encryption information is obtained by encrypting the access permission indication using the public key of the second key pair, and the public key of the second key pair and the access permission indication are obtained by decrypting the authentication result using the private key of the first key pair;
Second receiving unit, configured to receive the credential acquisition result sent by the intermediate server, the credential acquisition result carrying permission result encryption information, where the permission result encryption information is obtained by the intermediate server encrypting the license ticket and the public key of the third key pair with the private key of the second key pair, after it has decrypted the credential encryption information with the private key of the second key pair obtained from the certificate server and verified the decrypted access permission indication;
First processing unit, configured to decrypt the permission result encryption information using the public key of the second key pair, and to encrypt the license ticket using the decrypted public key of the third key pair to obtain access permission encryption information;
Fourth sending unit, configured to carry the access permission encryption information in the access token acquisition request and send it to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information using the private key of the third key pair obtained from the intermediate server, and, after verifying the license ticket, allocates the access token for the second application, encrypts the access token using the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
Optionally, the device further includes:
Second processing unit, configured to, before the second sending unit sends the access token to the second application and after the access permission result information is received, decrypt the access permission result information using the public key of the third key pair to obtain the access token.
Preferably, the device further includes:
Third processing unit, configured to, before the acquiring unit obtains the permission confirmation that the user logs in to the second application, receive a key acquisition request sent by the second application; send the public key of a fourth key pair to the second application, so that the second application encrypts its identification information using the public key of the fourth key pair and carries the resulting information to be verified in a login request sent to the first application; and, after the login request is received, decrypt the information to be verified using the private key of the fourth key pair to obtain the identification information of the second application.
Preferably, the information to be verified further includes the encryption information of the public key of a fifth key pair; and
the second sending unit is specifically configured to encrypt the access token using the decrypted public key of the fifth key pair to obtain password information, and to send the password information to the second application.
For convenience of description, the above parts are divided by function into modules (or units) and described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
As shown in Fig. 7, the structural schematic diagram of the certificate-server-side device for logging in to an application provided by an embodiment of the present invention includes:
Authentication unit 61, configured to, after receiving the authentication request sent by the first application in the terminal, authenticate the identification information of the second application in the terminal carried in the authentication request;
Sending unit 62, configured to return an authentication result to the first application, the authentication result containing the encryption information of the legitimacy authentication result of the second application in the terminal, so that when the first application confirms the second application legitimate according to the legitimacy authentication result of the second application, it sends an access token acquisition request to the service server and sends the obtained access token to the second application, so that the second application obtains the business data of the user from the service server using the access token and allows the user to use the business data when carrying out the business of the second application; where the authentication request is sent by the first application after obtaining the permission confirmation that the user logs in to the second application, the permission confirmation being used to indicate that the user allows the second application to be logged in to with the user identity information of the first application.
Optionally, the user identity information includes account information and password information, and the authenticated encryption information further includes the encryption information of the public key of the obtained first key pair; and
the sending unit 62 is specifically configured to determine, according to the stored correspondence between account information and password information, the password information corresponding to the account information carried in the authentication request; if the authenticated encryption information is successfully decrypted according to that password information, determine that the user identity information passes authentication; send the decrypted identification information of the second application to an open platform; receive the legitimacy authentication result of the second application from the open platform; and encrypt the legitimacy authentication result of the second application, the authentication result of the user identity information, the access permission indication and the public key of the second key pair using the decrypted public key of the first key pair to obtain the authentication result.
For convenience of description, the above parts are divided by function into modules (or units) and described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
As shown in Fig. 8, the structural schematic diagram of the service-server-side device for logging in to an application provided by an embodiment of the present invention includes:
Receiving unit 71, for receiving the access token acquisition request that the first application is sent in terminal;
Transmission unit 72, for sending access token to first application, so that the visit that first application will acquire
It asks that token is sent to the second application, obtains user's from the service server using the access token by described second
Business datum simultaneously allows user when carrying out the business of second application using the business datum, wherein the access token
Acquisition request confirms institute for the legitimacy authentication result for second application that first application is returned according to certificate server
State the second application it is legal when send.
Optionally, a license ticket is carried in the access token acquisition request; and the device further comprises:
A processing unit, configured to verify the license ticket before the transmission unit sends the access token to the first application.
Further, a timestamp is carried in the license ticket, the timestamp indicating the generation time of the license ticket; and
the processing unit is specifically configured to determine whether the license ticket obtained from the intermediate server is consistent with the license ticket carried in the access token acquisition request; if they are consistent, extract the timestamp from the license ticket, and if it is determined that the timestamp is within the validity period, determine that the license ticket passes verification.
Based on the same inventive concept, an embodiment of the present invention provides a user terminal, whose structural schematic diagram is shown in Fig. 9. The user terminal provided by the invention may be, but is not limited to, a mobile phone, a tablet computer, etc. The user terminal may include a memory 81, an input module 82, a sending module 83, a receiving module 84, an output module 85, a wireless communication module 86 and a processor 87. Specifically:
Memory 81 may include read-only memory (ROM) and random access memory (RAM), and provides processor 87 with the program instructions and data stored in memory 81. Memory 81 may also store the operating system, the application programs (Application, APP) of the user terminal (for example, a reading APP), modules, and various data used by the user terminal.
Input module 82 may include a keyboard, a mouse, a touch screen, etc., for receiving numeric or character information or touch operations input by the user, and generating key signal input related to the user settings and function control of the user terminal. For example, in the embodiment of the present invention, input module 82 may receive the click operation that the user performs on the login interface shown to the user by the first application.
Sending module 83 provides the interface between the user terminal and the server.
Receiving module 84 likewise provides the interface between the user terminal and the server.
Output module 85 may include a display module, such as a liquid crystal display (Liquid Crystal Display, LCD) or a cathode-ray tube (Cathode Ray Tube, CRT), where the display module may be used to display information input by the user or information provided to the user, as well as the various menus of the user terminal or the user interface of the payment platform. For example, in the embodiment of the present invention, it may be used to show the user the login interface of the first application and the authorized-login interface of the second application.
Wireless communication module 86 includes, but is not limited to, a Wireless Fidelity (wireless fidelity, WiFi) module, a Bluetooth module, an infrared communication module, etc.
Processor 87 is the control center of the user terminal. It connects the parts of the entire user terminal through various interfaces and lines, and performs the various functions of the user terminal and processes its data by running or executing the software programs and/or modules stored in memory 81 and invoking the data stored in memory 81, thereby monitoring the user terminal as a whole.
Of course, the structure of the user terminal shown in Fig. 9 is only one example; it may include more or fewer components than illustrated, combine certain components, or have a different arrangement of components.
Having described the method, system and related devices for logging in to an application according to exemplary embodiments of the present invention, a computing device according to another exemplary embodiment of the present invention is introduced next.
A person skilled in the art will understand that various aspects of the present invention may be implemented as a system, a method or a program product. Therefore, various aspects of the present invention may take the following forms: a complete hardware embodiment, a complete software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may collectively be referred to here as a "circuit", "module" or "system".
In some possible embodiments, a computing device according to the present invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the method for logging in to an application according to the various exemplary embodiments of the present invention described above in this specification. For example, the processing unit may execute the process performed by the certificate server 11 in steps S11 to S115 shown in Fig. 1b, or the process performed by the service server 21 in steps S11 to S115, or the process performed by the certificate server 11 in steps S31 to S317 shown in Fig. 4b, or the process performed by the service server 21 in steps S31 to S317.
The computing device 91 according to this embodiment of the present invention is described below with reference to Fig. 10. The computing device 91 shown in Fig. 10 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in Fig. 10, the computing device 91 takes the form of a general-purpose computing device. The components of the computing device 91 may include, but are not limited to: the at least one processing unit 911 mentioned above, the at least one storage unit 912 mentioned above, and a bus 913 connecting the different system components (including the storage unit 912 and the processing unit 911).
The bus 913 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus structures.
The storage unit 912 may include readable media in the form of volatile memory, such as random access memory (RAM) 9121 and/or cache memory 9122, and may further include read-only memory (ROM) 9123.
The storage unit 912 may also include a program/utility 9125 having a set of (at least one) program modules 9124. Such program modules 9124 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The computing device 91 may also communicate with one or more external devices 914 (such as a keyboard, a pointing device, etc.), with one or more devices that enable a user to interact with the computing device 91, and/or with any device (such as a router, a modem, etc.) that enables the computing device 91 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 915. Moreover, the computing device 91 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 916. As shown, the network adapter 916 communicates with the other modules of the computing device 91 through the bus 913. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with the computing device 91, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, etc.
In some possible embodiments, the various aspects of the method for logging in to an application provided by the present invention may also be implemented in the form of a program product comprising program code which, when the program product is run on a computer device, causes the computer device to perform the steps of the method for logging in to an application according to the various exemplary embodiments of the present invention described above in this specification. For example, the computer device may execute the process performed by the certificate server 11 in steps S11 to S115 shown in Fig. 1b, or the process performed by the service server 21 in steps S11 to S115, or the process performed by the certificate server 11 in steps S31 to S317 shown in Fig. 4b, or the process performed by the service server 21 in steps S31 to S317.
The program product may use any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The program product for the method for logging in to an application according to embodiments of the present invention may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a computing device. However, the program product of the present invention is not limited to this; in this document, a readable storage medium may be any tangible medium that contains or stores a program, which may be used by or in connection with an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries readable program code. Such a propagated data signal may take various forms, including, but not limited to, an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted with any suitable medium, including, but not limited to, wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
The program code for performing the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that, although several units or sub-units of the device are mentioned in the above detailed description, this division is merely exemplary and not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided and embodied by multiple units.
In addition, although the operations of the method of the present invention are described in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be merged into one step for execution, and/or one step may be decomposed into multiple steps for execution.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.
Claims (15)
1. A method for logging in to an application, characterized by comprising:
a first application obtaining a permission confirmation from the user for logging in to a second application, the permission confirmation indicating that the user allows the second application to be logged in to with the user identity information of the first application;
the first application sending an authentication request to a certificate server and receiving an authentication result returned by the certificate server, the authentication request carrying authentication encryption information of the identification information of the second application, and the authentication result comprising encryption information of the legitimacy authentication result of the second application;
when the first application confirms, according to the legitimacy authentication result of the second application, that the second application is legitimate, sending an access token acquisition request to a service server, and sending the acquired access token to the second application, so that the second application uses the access token to obtain the user's business data from the service server and allows the user to use the business data when performing the business of the second application.
2. The method according to claim 1, characterized in that the user identity information comprises account information and password information; and
the authentication encryption information is: encryption information obtained by encrypting, with the password information, the identification information of the second application and the public key of a first key pair.
3. The method according to claim 2, characterized in that the authentication result further comprises encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access an intermediate server using the user identity information of the first application; and
before sending the access token acquisition request to the service server, the method further comprises:
the first application sending a credential acquisition request for accessing the service server to the intermediate server, the credential acquisition request carrying credential encryption information, the credential encryption information being obtained by encrypting the access permission indication with the public key of the second key pair, where the public key of the second key pair and the access permission indication are obtained by decrypting the authentication result with the private key of the first key pair; and
the first application receiving a credential acquisition result sent by the intermediate server, the credential acquisition result carrying permission result encryption information, the permission result encryption information being obtained by the intermediate server, after decrypting the credential encryption information with the private key of the second key pair obtained from the certificate server and verifying the decrypted access permission indication, by encrypting a license ticket and the public key of a third key pair with the private key of the second key pair;
the first application decrypting the permission result encryption information with the public key of the second key pair, and encrypting the license ticket with the decrypted public key of the third key pair to obtain access permission encryption information; and
the first application carrying the access permission encryption information in the access token acquisition request sent to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information with the private key of the third key pair obtained from the intermediate server, and after verifying the license ticket, allocates the access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
4. The method according to claim 3, characterized in that, before the access token is sent to the second application, the method further comprises:
the first application, after receiving the access permission result information, decrypting the access permission result information with the public key of the third key pair to obtain the access token.
5. The method according to any one of claims 1 to 4, characterized in that, before the first application obtains the permission confirmation from the user for logging in to the second application, the method further comprises:
receiving a key acquisition request sent by the second application;
sending the public key of a fourth key pair to the second application, so that the second application encrypts its identification information with the public key of the fourth key pair and sends the resulting information to be verified to the first application, carried in a login request;
after receiving the login request, decrypting the information to be verified with the private key of the fourth key pair to obtain the identification information of the second application.
6. The method according to claim 5, characterized in that the information to be verified further comprises encryption information of the public key of a fifth key pair; and sending the access token to the second application specifically comprises:
encrypting the access token with the decrypted public key of the fifth key pair to obtain password information; and
sending the password information to the second application.
7. The method according to claim 6, characterized in that the fourth key pair is generated by the first application or by the service server of the first application; and the fifth key pair is generated by the second application or by the service server of the second application.
8. A system for logging in to an application, characterized by comprising a certificate server and a service server, wherein:
the certificate server is configured to, after receiving an authentication request sent by a first application in a terminal, authenticate the identification information of a second application in the terminal carried in the authentication request, and return an authentication result to the first application, the authentication result comprising encryption information of the legitimacy authentication result of the second application in the terminal, wherein the authentication request is sent by the first application after obtaining the user's permission confirmation for logging in to the second application, and the permission confirmation indicates that the user allows the second application to be logged in to with the user identity information of the first application;
the service server is configured to, after receiving an access token acquisition request sent by the first application, send an access token to the first application, so that the first application sends the acquired access token to the second application, and the second application uses the access token to obtain the user's business data from the service server and allows the user to use the business data when performing the business of the second application, wherein the access token acquisition request is sent when the first application confirms, according to the legitimacy authentication result of the second application returned by the certificate server, that the second application is legitimate.
9. The system according to claim 8, characterized in that the system further comprises an intermediate server; the authentication result further comprises encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access the intermediate server using the user identity information of the first application; and
the intermediate server is configured to, after receiving a credential acquisition request for accessing the service server sent by the first application, decrypt the credential encryption information with the private key of the second key pair obtained from the certificate server, and, after verifying the decrypted access permission indication, encrypt a license ticket and the public key of a third key pair with the private key of the second key pair to obtain permission result encryption information, and send the permission result encryption information to the first application carried in a credential acquisition result, wherein the public key of the second key pair and the access permission indication are obtained by the first application by decrypting the authentication result with the private key of the first key pair;
the service server is specifically configured to, after receiving the access token acquisition request, decrypt the access permission encryption information carried in the access token acquisition request with the private key of the third key pair obtained from the intermediate server, and after verifying the decrypted license ticket, allocate the access token for the second application, encrypt the access token with the private key of the third key pair to obtain access permission result information, and send the access permission result information to the first application, wherein the access permission encryption information is obtained by the first application by decrypting the permission result encryption information carried in the credential acquisition result with the public key of the second key pair and encrypting the license ticket with the decrypted public key of the third key pair.
10. The system according to claim 9, characterized in that a timestamp is carried in the license ticket, the timestamp indicating the generation time of the license ticket; and
the service server is specifically configured to determine whether the license ticket obtained from the intermediate server is consistent with the decrypted license ticket; if they are consistent, extract the timestamp from the license ticket, and if it is determined that the timestamp is within the validity period, determine that the license ticket passes verification.
11. The system according to claim 9 or 10, characterized in that the user identity information comprises account information and password information; the authentication encryption information further comprises encryption information of the public key of the obtained first key pair; and
the certificate server is specifically configured to, after receiving the authentication request, determine, according to the stored correspondence between account information and password information, the password information corresponding to the account information carried in the authentication request; if the authentication encryption information is successfully decrypted with the password information, determine that the user identity information passes authentication; send the decrypted identification information of the second application to an open platform; receive the open platform's legitimacy authentication result for the second application; encrypt, with the decrypted public key of the first key pair, the legitimacy authentication result of the second application, the authentication result of the user identity information, the access permission indication and the public key of the second key pair; and send the resulting authentication result to the first application.
12. A terminal for logging in to an application, characterized by comprising:
an acquiring unit, configured to obtain a permission confirmation from the user for logging in to a second application, the permission confirmation indicating that the user allows the second application to be logged in to with the user identity information of a first application;
a first transmission unit, configured to send an authentication request to a certificate server, the authentication request carrying authentication encryption information of the identification information of the second application;
a first receiving unit, configured to receive an authentication result returned by the certificate server, the authentication result comprising encryption information of the legitimacy authentication result of the second application;
a second transmission unit, configured to, when the second application is confirmed to be legitimate according to the legitimacy authentication result of the second application, send an access token acquisition request to a service server, and send the acquired access token to the second application, so that the second application uses the access token to obtain the user's business data from the service server and allows the user to use the business data when performing the business of the second application.
13. The terminal according to claim 12, characterized in that the authentication result further comprises encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access an intermediate server using the user identity information of the first application; and the terminal further comprises:
a third transmission unit, configured to, before the second transmission unit sends the access token acquisition request to the service server, send a credential acquisition request for accessing the service server to the intermediate server, the credential acquisition request carrying credential encryption information, the credential encryption information being obtained by encrypting the access permission indication with the public key of the second key pair, where the public key of the second key pair and the access permission indication are obtained by decrypting the authentication result with the private key of the first key pair;
a second receiving unit, configured to receive a credential acquisition result sent by the intermediate server, the credential acquisition result carrying permission result encryption information, the permission result encryption information being obtained by the intermediate server, after decrypting the credential encryption information with the private key of the second key pair obtained from the certificate server and verifying the decrypted access permission indication, by encrypting a license ticket and the public key of a third key pair with the private key of the second key pair;
a first processing unit, configured to decrypt the permission result encryption information with the public key of the second key pair, and encrypt the license ticket with the decrypted public key of the third key pair to obtain access permission encryption information;
a fourth transmission unit, configured to carry the access permission encryption information in the access token acquisition request sent to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information with the private key of the third key pair obtained from the intermediate server, and after verifying the license ticket, allocates the access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
14. The terminal as claimed in claim 13, characterized in that it further comprises:
a second processing unit, for decrypting, after the access permission result information is received and before the second transmission unit sends the access token to the second application, the access permission result information with the public key of the third key pair to obtain the access token.
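The exchange of claims 13 and 14 between the first application, the intermediate server and the service server, as an added example that is not part of the patent or its applicant's code: RSA-PSS signatures stand in for "encrypting with the private key" and RSA-OAEP for "encrypting with the public key", and the permit value, the ticket format, the key sizes, and the intermediate server holding the authorised indication for comparison are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

// Constructed model of the claim-13 exchange. kp2 is the second key pair (held by
// the intermediate server), kp3 the third (held by the service server); the first
// application only sees their public halves. "Encrypt with the private key" is
// realised as an RSA-PSS signature and "encrypt with the public key" as RSA-OAEP;
// the permit string, ticket format and key sizes are this example's assumptions.

// allowedResult is the "allowed result encryption information": the license
// ticket and kp3's public key, signed by kp2.
type allowedResult struct{ Ticket, Kp3Pub, Sig []byte }

// digest binds ticket and key for signing; the ticket is fixed-length, so the
// plain concatenation cannot be re-split ambiguously.
func digest(a, b []byte) []byte { h := sha256.Sum256(append(append([]byte{}, a...), b...)); return h[:] }

// credentialRequest: the first application encrypts the access permission
// indication under kp2's public key (the "credential encryption information").
func credentialRequest(kp2Pub *rsa.PublicKey, permit []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kp2Pub, permit, nil)
}

// intermediateServer: decrypt with kp2's private key, verify the indication
// against the value the certificate server authorised (assumed available here),
// then issue a license ticket plus kp3's public key, signed with kp2's private key.
func intermediateServer(kp2 *rsa.PrivateKey, kp3Pub *rsa.PublicKey, authorised, credEnc []byte) (allowedResult, error) {
	permit, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kp2, credEnc, nil)
	if err != nil {
		return allowedResult{}, err
	}
	if subtle.ConstantTimeCompare(permit, authorised) != 1 {
		return allowedResult{}, errors.New("access permission indication rejected")
	}
	ticket := make([]byte, 16)
	if _, err := rand.Read(ticket); err != nil {
		return allowedResult{}, err
	}
	pub := x509.MarshalPKCS1PublicKey(kp3Pub)
	sig, err := rsa.SignPSS(rand.Reader, kp2, crypto.SHA256, digest(ticket, pub), nil)
	return allowedResult{ticket, pub, sig}, err
}

// firstApp: check the result with kp2's public key, then re-encrypt the ticket
// under the recovered kp3 public key (the "access permission encryption information").
func firstApp(kp2Pub *rsa.PublicKey, r allowedResult) ([]byte, error) {
	if err := rsa.VerifyPSS(kp2Pub, crypto.SHA256, digest(r.Ticket, r.Kp3Pub), r.Sig, nil); err != nil {
		return nil, err
	}
	kp3Pub, err := x509.ParsePKCS1PublicKey(r.Kp3Pub)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kp3Pub, r.Ticket, nil)
}
```

The service server's step (decrypt with kp3's private key, verify the ticket, issue and sign the token) follows the same pattern and is exercised only as far as ticket recovery here.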
15. An electronic device, characterized in that it comprises:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to carry out the method as claimed in any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810266079.0A CN110324276B (en) | 2018-03-28 | 2018-03-28 | Method, system, terminal and electronic device for logging in application |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110324276A true CN110324276A (en) | 2019-10-11 |
CN110324276B CN110324276B (en) | 2022-01-07 |
Family
ID=68110219
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810266079.0A Active CN110324276B (en) | 2018-03-28 | 2018-03-28 | Method, system, terminal and electronic device for logging in application |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110324276B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014038608A (en) * | 2012-08-20 | 2014-02-27 | Naver Corp | Application log-in system due to authentication sharing, method and computer readable recording medium |
CN104125063A (en) * | 2013-04-28 | 2014-10-29 | 腾讯科技(深圳)有限公司 | Authentication method, equipment and system |
CN105282126A (en) * | 2014-07-24 | 2016-01-27 | 腾讯科技(北京)有限公司 | Login authentication method, terminal and server |
CN106888202A (en) * | 2016-12-08 | 2017-06-23 | 阿里巴巴集团控股有限公司 | Authorize login method and device |
US20170192764A1 (en) * | 2015-12-30 | 2017-07-06 | Dropbox, Inc. | Automated application installation |
CN107045603A (en) * | 2017-04-11 | 2017-08-15 | 北京深思数盾科技股份有限公司 | Control method and device are called in a kind of application |
Events
- 2018-03-28: CN201810266079.0A (CN110324276B) filed, status Active
Cited By (52)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110716441A (en) * | 2019-11-08 | 2020-01-21 | 北京金茂绿建科技有限公司 | Method for controlling intelligent equipment, intelligent home system, equipment and medium |
US12010105B2 (en) | 2019-11-13 | 2024-06-11 | Huawei Technologies Co., Ltd. | Control method, apparatus, and system |
WO2021093722A1 (en) * | 2019-11-13 | 2021-05-20 | 华为技术有限公司 | Control method, apparatus, and system |
CN111062024A (en) * | 2019-11-25 | 2020-04-24 | 泰康保险集团股份有限公司 | Application login method and device |
CN111062024B (en) * | 2019-11-25 | 2022-07-19 | 泰康保险集团股份有限公司 | Application login method and device |
CN113132973B (en) * | 2019-12-31 | 2022-05-24 | 佛山市云米电器科技有限公司 | Equipment network distribution method and system and computer readable storage medium |
CN113132973A (en) * | 2019-12-31 | 2021-07-16 | 佛山市云米电器科技有限公司 | Equipment network distribution method and system and computer readable storage medium |
CN111259363A (en) * | 2020-01-19 | 2020-06-09 | 数字广东网络建设有限公司 | Service access information processing method, system, device, equipment and storage medium |
CN111400690A (en) * | 2020-03-25 | 2020-07-10 | 支付宝(杭州)信息技术有限公司 | Biological verification method and device |
CN111400690B (en) * | 2020-03-25 | 2022-03-29 | 支付宝(杭州)信息技术有限公司 | Biological verification method and device |
CN111541656B (en) * | 2020-04-09 | 2022-09-16 | 中央电视台 | Identity authentication method and system based on converged media cloud platform |
CN111541656A (en) * | 2020-04-09 | 2020-08-14 | 中央电视台 | Identity authentication method and system based on converged media cloud platform |
CN111538965B (en) * | 2020-04-15 | 2021-10-12 | 支付宝(杭州)信息技术有限公司 | Authorized login method, device and system of application program |
CN111538965A (en) * | 2020-04-15 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Authorized login method, device and system of application program |
CN111582869A (en) * | 2020-04-21 | 2020-08-25 | 海南电网有限责任公司 | Information security protection method, device and equipment |
CN111552928A (en) * | 2020-04-26 | 2020-08-18 | 北京学之途网络科技有限公司 | Authentication method and device |
CN111639319B (en) * | 2020-06-02 | 2023-04-25 | 抖音视界有限公司 | User resource authorization method, device and computer readable storage medium |
CN111639319A (en) * | 2020-06-02 | 2020-09-08 | 北京字节跳动网络技术有限公司 | User resource authorization method, device and computer readable storage medium |
CN111698312B (en) * | 2020-06-08 | 2022-10-21 | 中国建设银行股份有限公司 | Service processing method, device, equipment and storage medium based on open platform |
CN111698312A (en) * | 2020-06-08 | 2020-09-22 | 中国建设银行股份有限公司 | Service processing method, device, equipment and storage medium based on open platform |
CN111741115B (en) * | 2020-06-24 | 2022-12-16 | 支付宝(杭州)信息技术有限公司 | Service processing method, device and system and electronic equipment |
CN111741115A (en) * | 2020-06-24 | 2020-10-02 | 支付宝(杭州)信息技术有限公司 | Service processing method, device and system and electronic equipment |
CN111917773A (en) * | 2020-07-31 | 2020-11-10 | 中国工商银行股份有限公司 | Service data processing method and device and server |
CN111917773B (en) * | 2020-07-31 | 2022-07-19 | 中国工商银行股份有限公司 | Service data processing method and device and server |
CN114640880B (en) * | 2020-11-30 | 2023-06-30 | 腾讯科技(深圳)有限公司 | Account login control method, device and medium |
CN114640880A (en) * | 2020-11-30 | 2022-06-17 | 腾讯科技(深圳)有限公司 | Account login control method, device and medium |
CN112738025A (en) * | 2020-12-09 | 2021-04-30 | 青岛海尔科技有限公司 | Device control method and apparatus, storage medium, and electronic apparatus |
CN112738025B (en) * | 2020-12-09 | 2023-02-03 | 青岛海尔科技有限公司 | Device control method and apparatus, storage medium, and electronic apparatus |
CN112948143A (en) * | 2021-03-04 | 2021-06-11 | 北京奇艺世纪科技有限公司 | Application program calling method and device and calling system |
CN112948143B (en) * | 2021-03-04 | 2024-01-12 | 北京奇艺世纪科技有限公司 | Application program calling method, device and system |
EP4135331A1 (en) * | 2021-08-10 | 2023-02-15 | Beijing Dajia Internet Information Technology Co., Ltd. | Method for processing live broadcast information stream, electronic device |
CN113378153A (en) * | 2021-08-12 | 2021-09-10 | 中移(上海)信息通信科技有限公司 | Authentication method, first service device, second service device and terminal device |
CN113746857A (en) * | 2021-09-09 | 2021-12-03 | 深圳市腾讯网域计算机网络有限公司 | Login method, device, equipment and computer readable storage medium |
EP4149053A1 (en) * | 2021-09-10 | 2023-03-15 | Apollo Intelligent Connectivity (Beijing) Technology Co., Ltd. | Authorization processing method and apparatus, and storage medium |
CN113872974A (en) * | 2021-09-29 | 2021-12-31 | 深圳市微购科技有限公司 | Method, server and computer-readable storage medium for network session encryption |
CN115037453A (en) * | 2021-11-19 | 2022-09-09 | 荣耀终端有限公司 | Data protection method and system and electronic equipment |
CN114338149B (en) * | 2021-12-28 | 2022-12-27 | 北京深盾科技股份有限公司 | Login credential authorization method of server, terminal and key escrow platform |
CN114268506A (en) * | 2021-12-28 | 2022-04-01 | 优刻得科技股份有限公司 | Method for accessing server side equipment, access side equipment and server side equipment |
CN114338149A (en) * | 2021-12-28 | 2022-04-12 | 北京深思数盾科技股份有限公司 | Login credential authorization method of server, terminal and key escrow platform |
CN114158046A (en) * | 2021-12-30 | 2022-03-08 | 支付宝(杭州)信息技术有限公司 | Method and device for realizing one-key login service |
CN114158046B (en) * | 2021-12-30 | 2024-04-23 | 支付宝(杭州)信息技术有限公司 | Method and device for realizing one-key login service |
CN114745167A (en) * | 2022-04-02 | 2022-07-12 | 中科曙光国际信息产业有限公司 | Identity authentication method and device, computer equipment and computer readable storage medium |
CN114900344A (en) * | 2022-04-26 | 2022-08-12 | 四川智能建造科技股份有限公司 | Identity authentication method, system, terminal and computer readable storage medium |
WO2024037040A1 (en) * | 2022-08-17 | 2024-02-22 | 荣耀终端有限公司 | Data processing method and electronic device |
CN115146252B (en) * | 2022-09-05 | 2023-02-21 | 深圳高灯计算机科技有限公司 | Authorization authentication method, system, computer device and storage medium |
CN115146252A (en) * | 2022-09-05 | 2022-10-04 | 深圳高灯计算机科技有限公司 | Authorization authentication method, system, computer device and storage medium |
WO2024067419A1 (en) * | 2022-09-28 | 2024-04-04 | 中移(成都)信息通信科技有限公司 | Authorization information acquisition method and apparatus, related device, and storage medium |
CN115733672A (en) * | 2022-11-03 | 2023-03-03 | 支付宝(杭州)信息技术有限公司 | Data processing method, device and equipment |
CN116800546B (en) * | 2023-08-24 | 2023-11-03 | 北京建筑大学 | User switching method, system, terminal and storage medium |
CN116800546A (en) * | 2023-08-24 | 2023-09-22 | 北京建筑大学 | User switching method, system, terminal and storage medium |
CN116915520B (en) * | 2023-09-14 | 2023-12-19 | 南京龟兔赛跑软件研究院有限公司 | Agricultural product informatization data security optimization method based on distributed computing |
CN116915520A (en) * | 2023-09-14 | 2023-10-20 | 南京龟兔赛跑软件研究院有限公司 | Agricultural product informatization data security optimization method based on distributed computing |
Also Published As
Publication number | Publication date |
---|---|
CN110324276B (en) | 2022-01-07 |
Similar Documents
Publication | Title |
---|---|
CN110324276A (en) | A kind of method, system, terminal and electronic equipment logging in application |
US11665200B2 (en) | System and method for second factor authentication to perform services |
TWI667585B (en) | Method and device for safety authentication based on biological characteristics |
CN109150548B (en) | Digital certificate signing and signature checking method and system and digital certificate system |
JP6586446B2 (en) | Method for confirming identification information of user of communication terminal and related system |
CN105991287B (en) | A kind of generation of signed data and finger print identifying requesting method and device |
US9787672B1 (en) | Method and system for smartcard emulation |
US20170244676A1 (en) | Method and system for authentication |
JP2018532301A (en) | User authentication method and apparatus |
CN109600223A (en) | Verification method, Activiation method, device, equipment and storage medium |
CN104219196B (en) | Business locking means, business unlocking method, apparatus and system |
CN106850699A (en) | A kind of mobile terminal login authentication method and system |
CN112953970B (en) | Identity authentication method and identity authentication system |
CN109274652A (en) | Identity information verifies system, method and device and computer storage medium |
CN106302606B (en) | Across the application access method and device of one kind |
US11424915B2 (en) | Terminal registration system and terminal registration method with reduced number of communication operations |
CN107609878B (en) | Security authentication method and system for shared automobile |
CN105430649B (en) | WIFI cut-in method and equipment |
CN109618313A (en) | A kind of vehicle-mounted Bluetooth equipment and attaching method thereof, system |
CN109460993A (en) | A kind of information processing method, device and storage medium |
CN102143190A (en) | Safe login method and device |
CN109474431A (en) | Client certificate method and computer readable storage medium |
CN109587098A (en) | A kind of Verification System and method, authorization server |
CN114338201B (en) | Data processing method and device, electronic equipment and storage medium |
CN109618194A (en) | A kind of authentication order method and its device based on program request platform end |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |