CN111600884B - Network authentication smart card and method - Google Patents

Info

Publication number: CN111600884B
Authority: CN (China)
Prior art keywords: authentication, terminal, credibility, cluster, network card
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010414081.5A
Other languages: Chinese (zh)
Other versions: CN111600884A (en)
Inventor: 不公告发明人 (inventor not disclosed)
Current Assignee: Beijing Guang Runtong Technology Development Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Guang Runtong Technology Development Co ltd

Events
Application filed by Beijing Guang Runtong Technology Development Co ltd
Priority to CN202010414081.5A
Publication of CN111600884A
Application granted
Publication of CN111600884B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks › H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities › H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities › H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of data transmission and in particular relates to a network authentication smart card and a method. The new network authentication smart card and method do not depend on an online central server, so decentralization is realized completely and the complexity and implementation cost of system deployment are reduced. The security of a terminal is no longer ensured solely by communication with a central server but is shared by the cluster of trusted bodies in the system, which strengthens the security and reliability of the system and makes access authentication more efficient and flexible. Multipoint authentication is genuinely achieved and malicious attacks on the service system are effectively prevented: any login request may be authenticated at the terminal from multiple points simultaneously, so single sign-on spoofing is prevented at its root.

Description

Network authentication smart card and method
Technical Field
The invention belongs to the technical field of data transmission, and particularly relates to a network authentication smart card and a method.
Background
In the traditional mode, after a local terminal is started, the user logs in to the target system by entering an identity credential, usually a user name and password. The validity of the authentication information can be established only after the local machine has communicated several times, in a restricted manner, with the intranet server. In addition, a traditional login authentication system is a single-point authentication against one server: the only authenticating party is a single server or host, so the following unreliable situations can occur: 1) if the server fails suddenly, the authentication requests of this terminal and of all subsequent terminals are affected; 2) if the server is subjected to a malicious attack, the authentication process can no longer be trusted; 3) if the terminal's authentication request contains several request blocks, a single authentication server can only process them sequentially, so processing delay is inevitable.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a novel network authentication smart card and a method thereof.
The specific technical scheme of the invention is as follows.
The invention provides a network authentication method comprising the following steps:
S1: when a terminal requests to log in, the network card authentication system is started according to the self-certificate of the terminal's network card;
S2: after the network card authentication system has started, the terminal sends an identity authentication request to it;
S3: after receiving the information, fed back by the network card authentication system, that identity authentication succeeded, the user credential and the SID of the network card are bound and encrypted, broadcast in the network card authentication system, and authenticated by the other trusted bodies in the cluster;
S4: the authentication results of the other trusted bodies of the network card authentication system are received at the same time, a credibility value is calculated from all the authentication results, and finally whether login is permitted is decided according to the size of the credibility value.
A network authentication smart card comprises the following components:
an authentication starting module, configured to start the network card authentication system according to the self-certificate of the terminal's network card when the terminal requests login;
a request sending module, configured to have the terminal send an identity authentication request to the network card authentication system after that system has started;
a trusted body authentication module, configured to bind and encrypt the user credential and the SID of the network card after receiving the information, fed back by the network card authentication system, that identity authentication succeeded, to broadcast them in the network card authentication system, and to have them authenticated by the other trusted bodies in the cluster;
and a login management module, configured to receive the authentication results of the other trusted bodies of the network card authentication system at the same time, calculate a credibility value from all the authentication results, and finally decide whether login is permitted according to the size of the credibility value.
The invention has the following beneficial effects:
The invention provides a new network authentication smart card and method that do not depend on an online central server, so decentralization is realized completely and the complexity and implementation cost of system deployment are reduced. The security of a terminal is no longer ensured solely by communication with a central server but is shared by the cluster of trusted bodies in the system, which strengthens the security and reliability of the system and makes access authentication more efficient and flexible. Multipoint authentication is genuinely achieved and malicious attacks on the service system are effectively prevented: any login request may be authenticated at the terminal from multiple points simultaneously, so single sign-on spoofing is prevented at its root.
Drawings
FIG. 1 is a flow chart of a network authentication method of the present invention;
FIG. 2 is a diagram illustrating a network authentication method according to the present invention;
FIG. 3 is a flowchart illustrating steps S41-S44 according to the present invention;
FIG. 4 is a schematic diagram of cluster authentication according to the present invention;
FIG. 5 is a flowchart illustrating steps S45-S48 according to the present invention;
FIG. 6 is a block diagram of the network authentication smart card of the present invention;
FIGS. 7-8 are block diagrams of the login management module according to the present invention;
FIG. 9 is a block diagram of the structure of a management and control chain constructed using the network authentication smart card of the present invention.
Detailed Description
The present invention is described in further detail with reference to the following examples and drawings.
The invention provides a network authentication method, as shown in FIG. 1, comprising the following steps:
S1: when a terminal requests login, the network card authentication system is started according to the self-certificate of the terminal's network card. The network card's self-certificate is the presence of the inserted network card, i.e. the smart card itself; only a terminal with the smart card inserted can become a trusted body and join the cluster of the network authentication system;
S2: after the network card authentication system has started, the terminal sends an identity authentication request to it;
S3: after receiving the information, fed back by the network card authentication system, that identity authentication succeeded, the user credentials and the SID of the network card are bound and encrypted, broadcast in the network card authentication system, and authenticated by the other trusted bodies in the cluster. The user credentials comprise one or more of a user name, a password and a user ID;
S4: the authentication results of the other trusted bodies of the network card authentication system are received at the same time, a credibility value is calculated from all the authentication results, and finally whether login is permitted is decided according to the size of the credibility value.
Each trusted body in the cluster stores an authentication table whose content comprises the SIDs of all network cards and, associated with each SID, the user credentials of the terminal in which the corresponding network card is inserted. If a terminal can start the network card authentication system, a network card is necessarily inserted in it, and the SID of that card is necessarily stored in the authentication table. The user credential and the network card SID are bound and encrypted together; when the network card authentication system broadcasts them, the other trusted bodies match the received user credential and SID against the content of their own authentication tables and send the authentication result to the requesting terminal. After receiving the matching results of the other trusted bodies, the requesting terminal calculates a credibility value according to the principle that the minority obeys the majority: if the majority of trusted bodies report a successful match, the credibility value is greater than 0.5; if only a minority do, it is less than 0.5. The terminal may log in only if the credibility value is greater than 0.5.
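The login vote described above (authentication table per trusted body, broadcast of the SID and credential, majority rule with the strict 0.5 threshold), as an added example that is not part of the patent. The table contents, trusted-body names and the `reachable` flag are constructed for the demonstration; the binding and encryption of the broadcast pair is left out.

```python
"""Added example (not from the patent): the login vote of step S4.

Every trusted body in the cluster holds an authentication table that maps
the SID of a network card to the user credentials registered for the
terminal the card is inserted in.  A login request carries (SID,
credential); each other trusted body reports whether the pair matches its
table, and the requesting terminal turns those replies into a credibility
value (fraction of successful matches).  Login is allowed only when the
value is strictly greater than 0.5.  All tables below are constructed.
"""
from dataclasses import dataclass, field

LOGIN_THRESHOLD = 0.5  # the patent's "credibility value greater than 0.5"


@dataclass
class TrustedBody:
    name: str
    # constructed authentication table: SID -> set of (user name, password)
    auth_table: dict = field(default_factory=dict)
    reachable: bool = True  # False simulates a failed or unreachable body

    def authenticate(self, sid, credential):
        """Match the broadcast (SID, credential) against the local table.
        Returns True/False, or None when the body gives no answer at all."""
        if not self.reachable:
            return None
        return credential in self.auth_table.get(sid, set())


def credibility_value(results):
    """Fraction of the other trusted bodies that reported a successful
    match.  A missing reply (None) counts as a failure, so an unreachable
    body can never help a request over the threshold."""
    if not results:
        return 0.0
    return sum(1 for r in results if r is True) / len(results)


def login_decision(cluster, requester, sid, credential):
    """Step S4: broadcast to every other trusted body, collect the results
    and apply the minority-obeys-majority rule.  Returns (allowed, value)."""
    results = [body.authenticate(sid, credential)
               for body in cluster if body is not requester]
    value = credibility_value(results)
    return value > LOGIN_THRESHOLD, value


def build_demo_cluster(size=5):
    """Constructed cluster: `size` trusted bodies sharing one table."""
    table = {
        "SID-0001": {("alice", "pw-alice")},
        "SID-0002": {("bob", "pw-bob")},
    }
    return [TrustedBody(f"E{i}", {k: set(v) for k, v in table.items()})
            for i in range(size)]


if __name__ == "__main__":
    cluster = build_demo_cluster()
    me = cluster[0]  # the terminal holding card SID-0001
    print(login_decision(cluster, me, "SID-0001", ("alice", "pw-alice")))
    # two of the four other bodies silent: exactly 0.5, which is not > 0.5
    cluster[1].reachable = cluster[2].reachable = False
    print(login_decision(cluster, me, "SID-0001", ("alice", "pw-alice")))
```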
The invention provides a new network authentication method that does not depend on an online central server, so decentralization is realized completely and the complexity and implementation cost of system deployment are reduced. The security of a terminal is no longer ensured solely by communication with a central server but is shared by the cluster of trusted bodies in the system, which strengthens the security and reliability of the system and makes access authentication more efficient and flexible. Multipoint authentication is genuinely achieved and malicious attacks on the service system are effectively prevented: any login request may be authenticated at the terminal from multiple points simultaneously, so single sign-on spoofing is prevented at its root.
As shown in FIG. 2, the description uses login to an intranet security management system as an example:
The precondition for a terminal to log in to the intranet security management system is that it first logs in to the network card authentication system. The terminal starts the network card authentication system by means of its own smart card. The smart card's SID is broadcast in the network card authentication system and authenticated by the other trusted bodies in the cluster. If the hardware identity authentication of the smart card passes, the user identity authentication process begins: the terminal binds and encrypts the user credential and the hardware SID and sends them to the other trusted bodies for further authentication. Only after both steps have been authenticated can the terminal proceed to the enterprise business service system or the intranet security management system. The network card authentication system can therefore completely replace the login authentication function of the intranet security management system and serve as a front-end access system for an enterprise business system.
Preferably, in this embodiment, after the terminal has logged in successfully it may monitor the credibility of any trusted body in the cluster over a period of time by means of the cluster authentication algorithm, and control the access rights of the logged-in terminal according to the credibility result. As shown in FIG. 3, the monitoring of any trusted body in the cluster by the terminal comprises the following steps:
S41: the terminal initiates a credibility authentication request R to any trusted body Ea in the cluster at any moment;
S42: the terminal receives the execution result Pa of the self-detection functions executed by the trusted body Ea. Each trusted body is provided with M self-detection functions, and when it receives a credibility authentication request it must execute the group of detection functions, among the M, that the request specifies;
S43: after initiating the credibility authentication request, the terminal starts executing the credibility calculation formula F and obtains the credibility Ca of the trusted body Ea from it, where Ca = F(Ps, Pa, Pt) × T. Here Ps is the last detection result, Pt is the period of the credibility authentication request R that the terminal initiates to a trusted body Ea in the cluster, and T is the credibility table held by each trusted body in the cluster, which is consulted in real time during the calculation period of F; in the formula, T denotes the credibility of Ea at the current moment as recorded in the credibility table. Ps, Pa and Pt are the input parameters of F and Ca is the current credibility calculated from it: Ps is the previously calculated credibility value Ca′, i.e. the last detection result; Pa is the most recent self-detection feedback value of each of the other trusted bodies, with Pa ≤ 1, i.e. the credibility weight; Pt is the most recent period of sending a detection request to another trusted body; and T is the reference (calibration) coefficient from the local credibility table, i.e. the credibility of Ea at the current moment in the credibility table, with T ≤ 1. The credibility calculation formula is
F = {(Pa1 + Pa2 + Pa3 + … + Pa(n−1)) / (n−1)} × {(Pt1 + Pt2 + Pt3 + … + Pt(n−1)) / (n−1) / Pt′},
i.e. the credibility
Ca = {(Pa1 + Pa2 + Pa3 + … + Pa(n−1)) / (n−1)} × {(Pt1 + Pt2 + Pt3 + … + Pt(n−1)) / (n−1) / Pt′} × T,
where Ca′ is the previously calculated credibility value, i.e. Ps; Pt′ is the previously calculated mean of Pt; n is the number of trusted bodies; Pa1 is the most recent self-detection feedback value of the first trusted body, and so on up to Pa(n−1), the most recent self-detection feedback value of the (n−1)th trusted body; Pt1 is the period of the credibility authentication request R that the terminal initiates to the first trusted body in the cluster, and so on up to Pt(n−1), the period of the request R to the (n−1)th trusted body in the cluster.
S44: the credibility Ca is broadcast in the cluster, and the locally stored credibility table T is updated according to Ca.
In step S44 the credibility Ca is compared with a threshold a: when Ca > a or Ca = a, the trusted body Ea is broadcast within the cluster as trusted; when Ca < a, Ea is broadcast within the cluster as untrusted and is deleted from the cluster.
The network card authentication system in this embodiment provides a means of querying terminal credibility. As shown in FIG. 4, the credibility of each terminal is calculated by the other terminals (trusted bodies) in the same time period according to a fixed algorithm. Since authentication is issued at random between some of the trusted bodies, the remaining trusted bodies (terminals) retain their authentication capability even if any one or more terminals (trusted bodies) are disabled, so the reliability and authority of the authentication are fundamentally ensured. The algorithm is as follows:
1) The cluster consists of N terminals, and each terminal is assigned M self-detection functions, which include detection of the terminal's own software using conventional detection methods.
2) Communication between the terminals in the cluster is random and does not depend on a uniform clock interval, which effectively prevents the terminals from being tampered with.
3) Any terminal Er has the right to initiate a credibility authentication request R to any terminal at any time.
4) A terminal Ea need not respond immediately when it receives a request from any other terminal; Ea only has to execute the group of detection functions, among its M self-detection functions, specified by the request R and return the execution result.
5) Er starts executing the credibility calculation formula F after sending the request. F takes the last detection result Ps as an input parameter for the current round, and each terminal is provided internally with a cluster terminal credibility table T, which is consulted in real time during the calculation cycle of F. The response result Pa of Ea and the response time Pt are the other input parameters of F. The final credibility of Ea is Ca = F(Ps, Pa, Pt) × T. Finally, Ca is used to update the table T, which is sent to the other terminals at the same time.
The credibility table is shown in the figures (not reproduced here): En denotes a terminal, tn a time, and Ctnen the credibility C of terminal En at time tn.
The calculation period in this embodiment is determined according to actual conditions, preferably 1 min to 2 min, and the threshold a is preferably 0.5.
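The credibility calculation of steps S41 to S44 and the algorithm above, as an added example that is not the patent's code, written with the document's symbols (Pa, Pt, Pt′, T, Ca, a). Two details the patent leaves open are filled in as labelled assumptions: the first round has no previous mean period Pt′, so the current mean is used, and Ca is clipped to [0, 1] so the table entry keeps T ≤ 1. The trusted-body names and sample values are constructed.

```python
"""Added example (not the patent's code): the cluster credibility
calculation of steps S41-S44.

  F(Ps, Pa, Pt) = [(Pa1 + ... + Pa(n-1)) / (n-1)]
                * [(Pt1 + ... + Pt(n-1)) / (n-1) / Pt']
  Ca = F * T

Pa_i (<= 1) are the self-detection feedback values of the other n-1 trusted
bodies, Pt_i the periods of the requests R sent to them, Pt' the mean
period of the previous round, and T (<= 1) the entry for Ea in the
requester's local credibility table.  Assumptions not in the patent: the
first round uses the current mean as Pt' (ratio 1), and Ca is clipped to
[0, 1] so the table entry stays <= 1.
"""
from statistics import mean

THRESHOLD_A = 0.5  # the patent's preferred threshold a


def confidence_formula(pa, pt, pt_prev):
    """F(Ps, Pa, Pt): mean self-detection feedback times the ratio of the
    current mean request period to the previous one.  Ps (the previous Ca)
    enters through the table entry T in ClusterMonitor.evaluate, as the
    patent describes; the formula for F itself does not use it."""
    if len(pa) != len(pt) or not pa:
        raise ValueError("need one Pa and one Pt per other trusted body")
    if any(not 0.0 <= p <= 1.0 for p in pa):
        raise ValueError("self-detection feedback values Pa_i must lie in [0, 1]")
    if pt_prev <= 0:
        raise ValueError("previous mean period Pt' must be positive")
    return mean(pa) * (mean(pt) / pt_prev)


class ClusterMonitor:
    """State kept by a requesting terminal Er: the credibility table T and
    the last mean period Pt' for every monitored trusted body."""

    def __init__(self, table, threshold=THRESHOLD_A):
        self.table = dict(table)   # T: trusted body -> credibility (<= 1)
        self.pt_prev = {}          # Pt' per trusted body
        self.threshold = threshold

    def evaluate(self, ea, pa, pt):
        """S43 + S44 for trusted body `ea`: compute Ca, then either update
        its table entry (Ca >= a) or delete it from the cluster (Ca < a).
        Returns the verdict that would be broadcast together with Ca."""
        if ea not in self.table:
            raise KeyError(f"{ea} is not a trusted body in the cluster")
        pt_prev = self.pt_prev.get(ea, mean(pt))  # assumption: first round
        f = confidence_formula(pa, pt, pt_prev)
        ca = min(1.0, max(0.0, f * self.table[ea]))  # assumption: clip to [0, 1]
        self.pt_prev[ea] = mean(pt)
        if ca >= self.threshold:      # Ca > a or Ca = a: still trusted
            self.table[ea] = ca
            return "trusted", ca
        del self.table[ea]            # Ca < a: untrusted, removed from cluster
        return "untrusted", ca


if __name__ == "__main__":
    # constructed sample: five-body cluster, Er monitors Ea and Eb
    monitor = ClusterMonitor({"Ea": 1.0, "Eb": 1.0})
    print(monitor.evaluate("Ea", [1.0, 1.0, 0.8, 0.6], [60, 60, 60, 60]))
    print(monitor.evaluate("Ea", [0.2, 0.4, 0.3, 0.1], [60, 60, 60, 60]))
    print(monitor.evaluate("Eb", [1.0, 1.0, 1.0, 1.0], [120, 120, 120, 120]))
    print(monitor.evaluate("Eb", [1.0, 1.0, 1.0, 1.0], [60, 60, 60, 60]))
    print(monitor.table)
```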
Preferably, as shown in FIG. 5, after logging in successfully the terminal may control the access of other terminals, which specifically comprises the following steps:
S45: after receiving an access authentication request from at least one other terminal, the terminal judges whether the other terminal is a trusted body in the cluster; if so, step S46 is performed, otherwise step S47;
S46: the credibility Ca of the other terminal is calculated according to the cluster authentication algorithm and the credibility value is broadcast in the network card authentication system; Ca is compared with the threshold a, and if Ca is greater than or equal to a, access is granted to the other terminal, while if Ca is less than a, access is denied;
S47: the terminal collects the encrypted, bound user credential and network card SID of the other terminal and broadcasts them in the network card authentication system so that the other terminal's credibility is authenticated from its user credential and network card SID;
S48: the terminal receives the authentication results of the other trusted bodies in the cluster, judges the credibility of the other terminal on the principle that the minority obeys the majority, decides whether to grant the other terminal access according to that credibility, and broadcasts the credibility value in the network card authentication system.
In this embodiment, the intra-cluster authentication algorithm lets an accessed terminal determine at any time the credibility of any terminal (trusted body) that accesses it and grant or deny access accordingly. Through the interaction of the smart cards bound to the terminals, the integrity and credibility of a terminal can be judged rapidly. When several terminals request access at the same time, different access rights and monitoring can be applied according to the internal terminal credibility table.
In some embodiments, as shown in FIG. 6, a network authentication smart card is provided, comprising:
an authentication starting module 1, configured to start the network card authentication system according to the self-certificate of the terminal's network card when the terminal requests login. The network card's self-certificate is the presence of the inserted network card, i.e. the smart card itself; only a terminal with the smart card inserted can become a trusted body and join the cluster of the network authentication system;
a request sending module 2, configured to have the terminal send an identity authentication request to the network card authentication system after that system has started;
a trusted body authentication module 3, configured to bind and encrypt the user credentials and the network card SID after receiving the information, fed back by the network card authentication system, that identity authentication succeeded, to broadcast the encrypted user credentials and network card SID in the network card authentication system, and to have them authenticated by the other trusted bodies in the cluster. The user credentials comprise one or more of a user name, a password and a user ID;
and a login management module 4, configured to receive the authentication results of the other trusted bodies of the network card authentication system at the same time, calculate a credibility value from all the authentication results, and finally decide whether login is permitted according to the size of the credibility value.
The invention provides a new network authentication smart card that does not depend on an online central server, so decentralization is realized completely and the complexity and implementation cost of system deployment are reduced. The security of a terminal is no longer ensured solely by communication with a central server but is shared by the cluster of trusted bodies in the system, which strengthens the security and reliability of the system and makes access authentication more efficient and flexible. Multipoint authentication is genuinely achieved and malicious attacks on the service system are effectively prevented: any login request may be authenticated at the terminal from multiple points simultaneously, so single sign-on spoofing is prevented at its root.
As shown in FIG. 2, the description uses login to an intranet security management system as an example:
The precondition for a terminal to log in to the intranet security management system is that it first logs in to the network card authentication system. The terminal starts the network card authentication system by means of its own smart card. The smart card's SID is broadcast in the network card authentication system and authenticated by the other trusted bodies in the cluster. If the hardware identity authentication of the smart card passes, the user identity authentication process begins: the terminal binds and encrypts the user credential and the hardware SID and sends them to the other trusted bodies for further authentication. Only after both steps have been authenticated can the terminal proceed to the enterprise business service system or the intranet security management system. The network card authentication system can therefore completely replace the login authentication function of the intranet security management system and serve as a front-end access system for an enterprise business system.
Preferably, as shown in FIG. 7, after logging in successfully the terminal in this embodiment may monitor the credibility of any trusted body in the cluster over a period of time by means of the cluster authentication algorithm, and control the access rights of the logged-in terminal according to the credibility result, using the following components:
an authentication request initiating unit 41, configured to have the terminal initiate a credibility authentication request R to any trusted body Ea in the cluster at any time;
a result receiving unit 42, configured to receive the execution result Pa of the self-detection functions executed by the trusted body Ea, where each trusted body is provided with M self-detection functions and, when it receives a credibility authentication request, must execute the group of detection functions, among the M, that the request specifies;
a first credibility calculation unit 43, configured to have the terminal start executing the credibility calculation formula F after initiating the credibility authentication request and obtain the credibility Ca of the trusted body Ea from it, where Ca = F(Ps, Pa, Pt) × T. Here Ps is the last detection result, Pt is the period of the credibility authentication request R that the terminal initiates to a trusted body Ea in the cluster, and T is the credibility table held by each trusted body in the cluster, which is consulted in real time during the calculation period of F; in the formula, T denotes the credibility of Ea at the current moment as recorded in the credibility table. Ps, Pa and Pt are the input parameters of F and Ca is the current credibility calculated from it: Ps is the previously calculated credibility value Ca′, i.e. the last detection result; Pa is the most recent self-detection feedback value of each of the other trusted bodies, with Pa ≤ 1, i.e. the credibility weight; Pt is the most recent period of sending a detection request to another trusted body; and T is the reference (calibration) coefficient from the local credibility table, i.e. the credibility of Ea at the current moment in the credibility table, with T ≤ 1. The credibility calculation formula is
F = {(Pa1 + Pa2 + Pa3 + … + Pa(n−1)) / (n−1)} × {(Pt1 + Pt2 + Pt3 + … + Pt(n−1)) / (n−1) / Pt′},
i.e. the credibility
Ca = {(Pa1 + Pa2 + Pa3 + … + Pa(n−1)) / (n−1)} × {(Pt1 + Pt2 + Pt3 + … + Pt(n−1)) / (n−1) / Pt′} × T,
where Ca′ is the previously calculated credibility value, i.e. Ps; Pt′ is the previously calculated mean of Pt; n is the number of trusted bodies; Pa1 is the most recent self-detection feedback value of the first trusted body, and so on up to Pa(n−1), the most recent self-detection feedback value of the (n−1)th trusted body; Pt1 is the period of the credibility authentication request R that the terminal initiates to the first trusted body in the cluster, and so on up to Pt(n−1), the period of the request R to the (n−1)th trusted body in the cluster;
and a table updating unit 44, configured to broadcast the credibility Ca in the cluster and update the locally stored credibility table T according to Ca.
In the table updating unit 44 the credibility Ca is compared with a threshold a: when Ca > a or Ca = a, the trusted body Ea is broadcast within the cluster as trusted; when Ca < a, Ea is broadcast within the cluster as untrusted and is deleted from the cluster.
The network card authentication system in this embodiment provides a means of querying terminal credibility. As shown in fig. 4, the credibility of each terminal is calculated by the other terminals (trusted bodies) in the same time period according to a fixed algorithm. Because authentication requests are issued at random among subsets of the trusted bodies, the remaining trusted bodies (terminals) keep their authentication capability even if any one or more terminals (trusted bodies) are paralysed, which fundamentally guarantees the reliability and authority of the authentication. The algorithm is as follows:
1) The cluster consists of N terminals, and each terminal is assigned M self-detection functions, which include detection of the terminal's own software using conventional detection methods.
2) Communication between the terminals in the cluster is random and does not depend on a uniform clock interval, which effectively prevents the terminals from being tampered with.
3) Any terminal Er has the right to initiate a credibility authentication request R to any terminal at any time.
4) A terminal Ea that receives a request from any other terminal does not need to respond immediately; Ea only needs to execute the group of detection functions among its M self-detection functions that request R names, and return the execution result of those functions.
5) Er starts executing the credibility calculation formula F after sending the request. F takes the last detection result Ps as one input parameter for the current round; each terminal also holds a cluster terminal credibility table T, which is consulted in real time during the calculation cycle of F. The response result Pa of Ea and the response time Pt are the remaining input parameters of F. The final credibility of Ea is Ca = F(Ps, Pa, Pt) × T. Finally, Ca is used to update table T, and T is sent to the other terminals at the same time.
The calculation period shown in this embodiment is determined according to actual conditions, preferably 1min-2min, and the threshold a is preferably 0.5.
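The monitoring loop of steps 1) to 5), as an added, runnable illustration that is not code from the patent: a requester Er names a subset of the M self-detection functions in its request R, the trusted body Ea executes only those and returns Pa, and Er combines the last result Ps, the fresh result Pa and the response period Pt into Ca = F(Ps, Pa, Pt) × T, then broadcasts the verdict against the threshold a = 0.5 and removes Ea from the cluster when Ca falls below it. The patent gives F only in part, so the concrete F used here (an average of Ps and Pa, discounted when Pt exceeds an expected window), the pass-ratio form of Pa, the expected period of 2 s and the three-member cluster are assumptions made for this example.

```python
import random
from dataclasses import dataclass, field

THRESHOLD_A = 0.5   # threshold a; the text prefers 0.5
EXPECTED_PT = 2.0   # assumed expected response period in seconds (not in the text)


@dataclass
class TrustedBody:
    name: str
    checks: list                                      # the M self-detection functions
    trust_table: dict = field(default_factory=dict)   # cluster credibility table T
    last_result: dict = field(default_factory=dict)   # last detection result Ps per peer

    def respond(self, request_ids):
        """Ea executes only the subset of its M checks named in request R and
        returns Pa; assumption: Pa is the fraction of those checks that passed."""
        outcomes = [self.checks[i]() for i in request_ids]
        return sum(outcomes) / len(outcomes)


def formula_f(ps, pa, pt):
    """Assumed instance of F(Ps, Pa, Pt): average of the previous result Ps and
    the fresh result Pa, with Pa discounted when the response period Pt is
    longer than the expected window (a stalled or evasive body scores lower)."""
    timeliness = min(1.0, EXPECTED_PT / pt) if pt > 0 else 0.0
    return 0.5 * ps + 0.5 * pa * timeliness


def random_request(m, k):
    """Step 2): requests name a random subset of k of the M checks."""
    return random.sample(range(m), k)


class Cluster:
    def __init__(self, bodies):
        self.members = {b.name: b for b in bodies}
        for b in bodies:                       # every body starts fully trusted
            b.trust_table = {n: 1.0 for n in self.members}

    def authenticate(self, er, ea, request_ids, pt):
        """Step 5): Er computes Ca = F(Ps, Pa, Pt) x T for Ea and broadcasts it.
        Returns (Ca, credible)."""
        requester, target = self.members[er], self.members[ea]
        ps = requester.last_result.get(ea, 1.0)   # last detection result, 1.0 if none yet
        pa = target.respond(request_ids)
        t = requester.trust_table[ea]             # Ea's current entry in table T
        ca = formula_f(ps, pa, pt) * t
        requester.last_result[ea] = pa
        return ca, self.broadcast(ea, ca)

    def broadcast(self, ea, ca):
        """Table updating unit 44: Ca >= a is broadcast as credible, Ca < a as
        not credible, and a non-credible body is deleted from the cluster."""
        credible = ca >= THRESHOLD_A
        for body in self.members.values():
            body.trust_table[ea] = ca
        if not credible:
            del self.members[ea]
        return credible


def demo():
    """Constructed scenario: two healthy bodies and one whose self-checks fail."""
    passing = [lambda: 1.0] * 4
    failing = [lambda: 0.0] * 4
    cluster = Cluster([TrustedBody("E1", passing), TrustedBody("E2", passing),
                       TrustedBody("E3", failing)])
    ca_ok, _ = cluster.authenticate("E1", "E2", random_request(4, 2), pt=1.0)    # 1.0
    ca_slow, _ = cluster.authenticate("E2", "E1", random_request(4, 2), pt=8.0)  # 0.625
    ca_first, _ = cluster.authenticate("E1", "E3", random_request(4, 2), pt=1.0) # 0.5, Ca = a
    ca_second, _ = cluster.authenticate("E1", "E3", random_request(4, 2), pt=1.0)# 0.0, deleted
    return ca_ok, ca_slow, ca_first, ca_second, "E3" in cluster.members


if __name__ == "__main__":
    print(demo())
```

The borderline case Ca = a is kept credible, as the text requires, so a body whose checks fail once survives on the strength of its previous result; the second failure drives Ca to zero and it is deleted. A slow but correct answer is only discounted, not rejected.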
The network authentication smart card is also configured with a module for transmitting normal data and a module for real-time synchronous communication within the trusted body cluster.
Preferably, as shown in fig. 8, after the terminal successfully logs in it may control access by other terminals, and specifically comprises the following components:
an access request receiving unit 45, configured to determine, after receiving an access authentication request from at least one other terminal, whether that terminal is a trusted body in the cluster; if so, it sends a credibility calculation instruction to the second credibility calculation unit 46, otherwise it sends an authentication instruction to the authentication unit 47;
the second credibility calculation unit 46: calculates the credibility Ca of the other terminal according to the cluster authentication algorithm, broadcasts the credibility value in the network card authentication system and compares Ca with the threshold a; if Ca is greater than or equal to a, it feeds back that access is granted to the other terminal, and if Ca is less than a, it feeds back that access is denied;
the authentication unit 47: the terminal collects the encrypted user credential and network card SID bound by the other terminal and broadcasts them in the network card authentication system, so that the other trusted bodies authenticate the other terminal according to its user credential and network card SID;
the result management unit 48: receives the authentication results of the other trusted bodies in the cluster, judges the credibility of the other terminal on the minority-obeys-majority principle, decides according to that credibility whether to grant access, and broadcasts the credibility value in the network card authentication system.
In this embodiment, the intra-cluster authentication algorithm lets an accessed terminal determine at any time the credibility of any terminal (trusted body) that accesses it, and grant or deny access accordingly. Through the interaction of the smart cards bound to the terminals, the integrity and reliability of a terminal can be judged quickly. When several terminals request access at the same time, each can be given different access control and monitoring according to the internal terminal credibility list.
In some embodiments, as shown in fig. 9, a method of building a regulatory chain with the network authentication smart card is provided, which comprises the following modules:
the cluster building module 10 is configured to form a cluster by a plurality of credible terminals which are positioned in the same local area network, inserted with the network authentication smart cards and synchronously communicate in real time;
the synchronization authentication module 20: the terminal is configured to perform synchronous authentication based on a received authentication request sent by an external terminal;
the credibility calculation module 30: configured to calculate credibility from the synchronous authentication results on the minority-obeys-majority principle, and to decide according to that credibility whether the external terminal is allowed to join the cluster.
In this embodiment, the integrity of each trusted body is ensured by real-time synchronous communication with the other trusted bodies in the cluster, and on the basis of that integrity the trusted bodies authenticate each other in reverse. The traditional centralised authentication by a central server is abandoned: the load of the authentication mechanism is spread over every node, while the authority and reliability of the authentication increase.
Preferably, the cluster is constructed by the following steps:
a terminal with an inserted smart card receives n commands sent by an initialization server;
the terminal executes the n received commands and sends the execution result to the initialization server;
the initialization server judges the terminal's execution completion degree A for the n commands, and the initial credibility value C0 is positively correlated with the completion degree A;
all the terminals, each with an initial credibility value derived from its completion degree A, become trusted bodies and are linked together in a cluster;
and the initialization server sends the initial credibility values C0 it obtained to the other trusted bodies in the cluster, and each trusted body builds its initial credibility list from the received initial credibility values C0 of the other trusted bodies.
Preferably, after the terminal Ea is deleted from the cluster it enters a self-detection and recovery mode, which comprises the following steps:
the smart card is formatted and then bound again to the corresponding terminal;
the terminal randomly sends a recovery authentication request to at least two trusted bodies in the cluster;
after receiving at least one credibility value replied by each trusted body, the terminal's credibility is calculated from those values;
and when that credibility is greater than or equal to the threshold a, the terminal is credible, is linked with the other trusted bodies in the cluster, and sends its credibility to the other trusted bodies so that they update their credibility tables.
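The cluster bootstrap (initial credibility C0 from the completion degree A), the admission of an external terminal by synchronous authentication with a minority-obeys-majority verdict (the same decision the access-control units 45 to 48 make for a terminal that is not yet a trusted body), and the recovery re-entry of a deleted terminal, as one added, runnable illustration that is not code from the patent. The patent does not say how C0 depends on A, how the user credential is bound and encrypted to the card SID, or how the replied values are combined in recovery; the choices made here (C0 = A with admission at C0 ≥ a, an HMAC over credential and SID under a key shared by the trusted bodies, a replicated credential-to-SID registry, and the mean of the replied values) are assumptions for the example, as are the constructed terminals, SIDs and results.

```python
import hashlib
import hmac

THRESHOLD_A = 0.5                          # threshold a (0.5 preferred in the text)
CLUSTER_KEY = b"constructed-shared-key"    # assumed key shared by the trusted bodies
# assumed registry replicated on every trusted body: user credential -> network card SID
REGISTRY = {"alice": "SID-0001", "bob": "SID-0002"}


def initial_credibility(command_results):
    """Initialization server: completion degree A is the fraction of the n
    commands the terminal executed successfully; assumption: C0 = A."""
    return sum(1 for ok in command_results if ok) / len(command_results)


def build_cluster(command_results_by_terminal):
    """Terminals whose C0 reaches a become trusted bodies (assumption); each
    body stores the others' C0 as its initial credibility list."""
    c0 = {t: initial_credibility(r) for t, r in command_results_by_terminal.items()}
    members = [t for t, c in c0.items() if c >= THRESHOLD_A]
    return {m: {o: c0[o] for o in members if o != m} for m in members}


def bind_credential(user, sid):
    """Terminal side: bind the user credential to the card SID; the text says
    'bind and encrypt', an HMAC tag is the assumed form of that binding."""
    return hmac.new(CLUSTER_KEY, f"{user}|{sid}".encode(), hashlib.sha256).hexdigest()


def verify_binding(user, sid, tag, registry=REGISTRY):
    """One trusted body's synchronous authentication result: the SID must be
    the one registered for the user and the tag must verify."""
    if registry.get(user) != sid:
        return False
    return hmac.compare_digest(bind_credential(user, sid), tag)


def majority_verdict(votes):
    """Credibility from the synchronous results on the minority-obeys-majority
    principle: the fraction of positive votes (assumption), with admission on
    a strict majority. Returns (credibility, admitted)."""
    yes = sum(1 for v in votes if v)
    return yes / len(votes), yes > len(votes) - yes


def admit_external(user, sid, tag, registries):
    """Every trusted body authenticates the external terminal against its own
    replica; the majority decides whether it joins (or is granted access)."""
    votes = [verify_binding(user, sid, tag, reg) for reg in registries]
    return majority_verdict(votes)


def recovery_rejoin(replied_values):
    """After deletion and card re-binding, Ea asks at least two trusted bodies;
    its credibility is the mean of their replies (assumption) and it rejoins
    when that value is >= a."""
    if len(replied_values) < 2:
        raise ValueError("recovery needs replies from at least two trusted bodies")
    credibility = sum(replied_values) / len(replied_values)
    return credibility, credibility >= THRESHOLD_A


def demo():
    """Constructed scenario: three terminals bootstrapped by the initialization
    server, then three admission decisions and two recovery attempts."""
    tables = build_cluster({"E1": [1, 1, 1, 1], "E2": [1, 1, 1, 0], "E3": [1, 0, 0, 0]})
    tag = bind_credential("alice", "SID-0001")
    agreed = admit_external("alice", "SID-0001", tag, [REGISTRY, REGISTRY, REGISTRY])
    stale = {"alice": "SID-9999"}      # one body holds a stale or corrupted replica
    outvoted = admit_external("alice", "SID-0001", tag, [REGISTRY, stale, REGISTRY])
    wrong_card = admit_external("alice", "SID-0002", bind_credential("alice", "SID-0002"),
                                [REGISTRY, REGISTRY, REGISTRY])
    return (tables, agreed, outvoted, wrong_card,
            recovery_rejoin([0.6, 0.7]), recovery_rejoin([0.2, 0.6]))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

E3 completes only one of four commands and never becomes a trusted body; a single body with a stale replica is outvoted rather than blocking admission; a credential presented with a card SID that is not bound to it is refused by every body.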
The above-mentioned embodiments are merely illustrative of the preferred embodiments of the present invention, and do not limit the scope of the present invention, and various modifications and improvements of the technical solution of the present invention by those skilled in the art should fall within the protection scope defined by the claims of the present invention without departing from the spirit of the present invention.

Claims (7)

1. A network authentication method, comprising the steps of:
s1: when a terminal requests to log in, starting a network card authentication system according to the self certificate of the network card of the terminal;
s2: after a network card authentication system is started, the terminal sends an identity authentication request to the network card authentication system;
s3: after receiving the information of successful identity authentication fed back by the network card authentication system, binding and encrypting the user credential and the SID of the network card, broadcasting in the network card authentication system, and authenticating by other credible bodies in the cluster;
s4: meanwhile, receiving authentication results of other credible bodies of the network card authentication system, calculating a credible value according to all the authentication results, and finally judging whether login can be performed or not according to the size of the credible value;
after the terminal successfully logs in, reliability monitoring can be carried out on any credible body in the cluster through a cluster authentication algorithm within a period of time, and access authority of the logged-in terminal is controlled according to a reliability result;
the monitoring of any credible body in the cluster by the terminal comprises the following steps:
s41: the terminal initiates a credibility authentication request R to any credible Ea in the cluster at any moment;
s42: receiving an execution result Pa of the credible bodies Ea executing the self-detection functions, wherein each credible body is provided with M self-detection functions, and when a credibility authentication request is received, a group of detection functions in the M self-detection functions need to be executed according to the request;
s43: the terminal starts to execute a credibility calculation formula F after initiating the credibility authentication request, and obtains the credibility Ca of the terminal Ea according to the formula F, where Ca = F(Ps, Pa, Pt) × T, Ps represents the last detection result, Pt represents the period in which the terminal initiates the credibility authentication request R to the credible body Ea in the cluster, a credibility table is arranged in each credible body in the cluster and is referenced in real time during the calculation period of F, and T represents the credibility of the terminal Ea at the current time in the credibility table;
s44: broadcasting is carried out in the cluster based on the reliability Ca, and the reliability table stored in the cluster is updated according to the Ca.
2. The network authentication method according to claim 1, wherein in step S44 the credibility Ca is compared with a threshold value a; when Ca > a or Ca = a, it is broadcast within the cluster that the credible body Ea is credible; when Ca < a, it is broadcast within the cluster that Ea is not credible, and Ea is deleted from the cluster.
3. The network authentication method according to claim 2, wherein the terminal can control access of other terminals after successful login, specifically comprising the following steps:
s45: after receiving the access authentication request of at least one other terminal, judging whether the other terminal is a trusted body in the cluster, if so, performing step S46, otherwise, performing step S47;
s46: calculating the credibility Ca of the other terminal according to the cluster authentication algorithm, broadcasting the credibility value in the network card authentication system and comparing Ca with the threshold a; if Ca is greater than or equal to a, feeding back that access is granted to the other terminal, and if Ca is less than a, feeding back that access is denied;
s47: the terminal collects the encrypted user credential and network card SID bound by the other terminal and broadcasts them in the network card authentication system, so that the other terminal is authenticated according to its user credential and network card SID;
s48: receiving the authentication results of the other credible bodies in the cluster, judging the credibility of the other terminal on the minority-obeys-majority principle, deciding according to that credibility whether to grant access to the other terminal, and broadcasting the credibility value in the network card authentication system.
4. A network authentication smart card, comprising:
the authentication starting module (1) is configured to start a network card authentication system according to the self-certificate of the network card of a terminal when the terminal requests login;
the request sending module (2) is configured to send an identity authentication request to the network card authentication system after the network card authentication system is started;
the credible body authentication module (3) is configured to bind and encrypt the user credential and the SID of the network card after receiving the information of successful identity authentication fed back by the network card authentication system, broadcast the encrypted user credential and the SID of the network card in the network card authentication system and authenticate other credible bodies in the cluster;
the login management module (4) is configured to receive authentication results of other credible bodies of the network card authentication system at the same time, calculate a credible value according to all the authentication results, and finally judge whether login can be performed according to the credible value;
after the terminal successfully logs in, the terminal can monitor the credibility of any credible body in the cluster through a cluster authentication algorithm within a period, and controls the access authority of the logged-in terminal according to the credibility result, specifically comprising:
an authentication request initiating unit (41) configured to initiate a credibility authentication request R to any credible body Ea in the cluster at any time by the terminal;
a result receiving unit (42) configured to receive an execution result Pa of the trusted body Ea executing the self-detection function, wherein each trusted body is configured with M self-detection functions, and when receiving a trust level authentication request, a group of detection functions in the M self-detection functions needs to be executed as requested;
a first credibility calculation unit (43) configured to start executing a credibility calculation formula F after the terminal initiates the credibility authentication request, and to obtain the credibility Ca of the terminal Ea according to the formula F, where Ca = F(Ps, Pa, Pt) × T, Ps represents the last detection result, Pt represents the period in which the terminal initiates the credibility authentication request R to the credible body Ea in the cluster, a credibility table is set in each credible body in the cluster and is referred to in real time during the calculation period of F, and T represents the credibility of the terminal Ea at the current time in the credibility table;
and a table updating unit (44) configured to broadcast within the cluster based on the reliability Ca and update the reliability table stored by itself according to the Ca.
5. The network authentication smart card according to claim 4, characterized in that the table updating unit (44) compares the credibility Ca with a threshold value a; when Ca > a or Ca = a, it broadcasts within the cluster that the credible body Ea is credible; when Ca < a, it broadcasts within the cluster that Ea is not credible, and Ea is deleted from the cluster.
6. The network authentication smart card of claim 5, wherein the terminal can control access of other terminals after successful login, and specifically comprises the following components:
the access request receiving unit (45) judges whether other terminals are trusts in the cluster after receiving the access authentication request of at least one other terminal, if so, the access request receiving unit sends a trusting degree calculation instruction to the second trusting degree calculation unit (46), and if not, the access request receiving unit sends an authentication instruction to the authentication unit (47);
second credibility calculation unit (46): calculates the credibility Ca of the other terminal according to the cluster authentication algorithm, broadcasts the credibility value in the network card authentication system and compares Ca with the threshold a; if Ca is greater than or equal to a, it feeds back that access is granted to the other terminal, and if Ca is less than a, it feeds back that access is denied;
authentication unit (47): the terminal collects the encrypted user credential and network card SID bound by the other terminal and broadcasts them in the network card authentication system, so that the other terminal is authenticated according to its user credential and network card SID;
result management unit (48): receives the authentication results of the other credible bodies in the cluster, judges the credibility of the other terminal on the minority-obeys-majority principle, decides according to that credibility whether to grant access to the other terminal, and broadcasts the credibility value in the network card authentication system.
7. A management and control chain constructed with the network authentication smart card of any one of claims 4 to 6, characterized by comprising the following parts:
the cluster building module (10) is configured to form a cluster by a plurality of credible body terminals which are positioned in the same local area network, inserted with the network authentication intelligent cards and synchronously communicated in real time;
synchronization authentication module (20): the terminal is configured to perform synchronous authentication based on a received authentication request sent by an external terminal;
credibility calculation module (30): configured to calculate credibility from the synchronous authentication results on the minority-obeys-majority principle, and to decide according to that credibility whether the external terminal is allowed to join the cluster.
CN202010414081.5A 2020-05-15 2020-05-15 Network authentication smart card and method Active CN111600884B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010414081.5A CN111600884B (en) 2020-05-15 2020-05-15 Network authentication smart card and method

Publications (2)

Publication Number Publication Date
CN111600884A CN111600884A (en) 2020-08-28
CN111600884B true CN111600884B (en) 2022-03-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant