
WO2006024216A1 - A method for implementing certificating and a system thereof - Google Patents


Info

Publication number
WO2006024216A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
authentication
identifier
application server
authentication center
Prior art date
Application number
PCT/CN2005/001157
Other languages
French (fr)
Chinese (zh)
Inventor
Long Luo
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2006024216A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • the present invention relates to the field of network security, and in particular to a method and system for implementing authentication.
  • the Internet has become a popular communication method.
  • the servers in the network are often subjected to malicious attacks by illegal users through the client, resulting in a large amount of data loss and damage in the server.
  • a method for implementing authentication in which a client authentication center is set, comprising the following steps:
  • the client sends the authentication identifier to the client authentication center;
  • A1 the client sends the access request to the client authentication center;
  • A2 The client authentication center generates an authentication parameter, and then carries the generated authentication parameter in the client authentication request and sends the authentication parameter to the client;
  • the client obtains the authentication identifier according to the authentication parameter carried in the client authentication request.
  • the method further includes: setting a keystore including a plurality of keys, and storing the set keystore in the client authentication center and in each client software, wherein different keys correspond to different key sequence numbers in the keystore;
  • in step A2, the step of generating the authentication parameter by the client authentication center includes: the client authentication center selects a key from the keystore saved by itself, obtains the key sequence number corresponding to the selected key, then generates a random number and selects an encryption algorithm saved by itself; the authentication parameter includes the key sequence number, the random number, and the encryption algorithm;
  • the method further includes: setting a private key corresponding to the client authentication center in the client authentication center, and setting a public key corresponding to the client authentication center in each client software; in step A2, the step of the client authentication center generating a random number further includes: the client authentication center signs the generated random number using the set private key;
  • the random number included in the authentication parameter is the signed random number;
  • the secret is the client software version identifier previously allocated to the software used by the client;
  • in step B, the step of the client authentication center determining whether the authentication is successful by determining whether the decrypted secret is legal includes: the client authentication center determines whether it has saved a client software version identifier identical to the decrypted one; if yes, the authentication is successful.
  • the client software version identifier includes: a client software version serial number, or a client software version serial number and an issuing company identifier.
  • the different client software includes not
  • the client authentication center is connected to an application server;
  • the step A includes: the client sends the authentication identifier to the application server, and the application server sends the authentication identifier to the client authentication center.
  • the method further includes: pre-storing the user name and password of the registered user in the application server; the client sends the user name and password input by the user to the application server, and the application server determines whether it has stored a user name and password identical to the received ones; if yes, the authentication is successful, otherwise the authentication fails.
  • the method further includes: setting a trigger authentication policy in the application server;
  • the step A further includes: the application server determining, according to the set trigger authentication policy, whether the client authentication process should be performed currently; if so, the step of transmitting the authentication identifier to the client authentication center is continued, otherwise the current process is ended.
  • the triggering authentication policy includes: whether the number of consecutive receptions of the same client access request exceeds a set threshold, or periodic detection, or random detection, or unconditional detection, or detection of a specific service, or billing detection.
  • when the triggering authentication policy is whether the number of consecutive receptions of the same client access request exceeds the set threshold, the step of the application server determining whether the client authentication process should be performed currently includes: the application server determines whether the number of times the same client access request has been received consecutively exceeds the preset threshold, and if yes, determines that the client authentication process should currently be performed.
  • the method further includes: setting a correspondence between different authentication identifiers and different user identifiers in the client authentication center;
  • the step A further includes: the client acquires the user identifier input by the user and sends the acquired user identifier to the client authentication center;
  • the step B further includes: the client authentication center authenticating the client according to whether the received authentication identifier and the user identifier meet the set correspondence relationship.
  • the user identifier is a mobile phone number or a user name of the user.
  • when the client accesses the visited zone, the step A includes: the client sends the authentication identifier to the client authentication center of the visited zone, and the client authentication center of the visited zone sends the authentication identifier to the client authentication center of the home zone;
  • the client authentication center is a client authentication center of the client home zone.
  • a system for implementing authentication comprising a client, an application server, and a client authentication center, wherein the application server is connected to the client and the client authentication center respectively.
  • the client authentication center sends the client authentication request to the application server, receives the authentication identifier sent by the application server, and then authenticates the client according to the received authentication identifier;
  • the application server sends a client authentication request from the client authentication center to the client, and sends the authentication identifier from the client to the client authentication center;
  • the client obtains the authentication identifier after receiving the client authentication request from the application server, and sends the obtained authentication identifier to the application server.
  • the client authentication center is a separate network entity
  • the client authentication center and the application server are connected through a customized Ca interface.
  • the client authentication center and the existing entities in the network are combined into one physical entity.
  • the existing entities in the network are home location registers or application servers.
  • the present invention has the following advantages:
  • the operator assigns different client software version identifiers to different client softwares, and the authentication process is performed according to the client software version identifier, which is difficult for an illegal user to obtain. Therefore the security and reliability of the authentication are greatly improved, malicious users are prevented from establishing a connection with the server in order to attack it, and the network order is standardized.
  • in addition to authenticating the client, the CCC further authenticates the user identity, and the authentication succeeds only if both the client and the user are authenticated. Therefore the security and reliability of authentication are further improved through this two-factor authentication process.
  • the operator can control the key information of the client software, that is, the client software version identifier, so the client software can be uniformly upgraded and charged for, and user behaviour can be easily regulated and managed.
  • Figure 1 is a schematic view showing the structure of the system of the present invention.
  • FIG. 2 is a flow chart of authenticating a client in an embodiment of the present invention.
  • the present invention proposes a new method and system for implementing authentication.
  • the core idea of the method is: setting a client authentication center; the client sends the authentication identifier to the client authentication center; and the client authentication center authenticates the client according to the received authentication identifier.
  • the authentication identifier is information that uniquely identifies the client; for example, the encrypted client software version identifier previously allocated to the software used by the client serves as the authentication identifier.
  • the core idea of the present invention is to authenticate the client, that is, to verify the legality of the client software used by the client. Moreover, in order to further ensure the security of the authentication process, it may further include authenticating the identity of the user.
  • the trigger authentication policy may be preset.
  • when the AS receives the access request sent by the client, the AS does not immediately instruct the client authentication center to perform the authentication process, but first determines, according to the set trigger authentication policy, whether the subsequent authentication process should be performed on the client. If it is determined that the subsequent process of authenticating the client should be performed, the AS proceeds to instruct the client authentication center to perform authentication.
  • FIG. 1 is a schematic view showing the structure of the system of the present invention.
  • the system of the present invention includes: a client, an AS, and a Client Certification Center (CCC).
  • the CCC may be a separate network entity set up by the present invention, or may be combined with an existing entity in the network into a physical entity.
  • the CCC may be combined with a Home Location Register (HLR) or an AS as a network entity.
  • Figure 1 legend: HLR, Home Location Register; AS, Serving Authentication Service.
  • FIG. 2 is a flow chart of authenticating a client in an embodiment of the present invention.
  • referring to FIG. 1 and FIG. 2, when the system of the present invention is applied, the process of implementing authentication by the method of the present invention specifically includes the following steps:
  • Step 201 Allocate different client software version identifiers for each different client software in advance, and save each of the allocated client software version identifiers in the CCC.
  • the client software version identifier includes a client software version serial number, and may further include information such as a company identifier.
  • Step 202 Pre-set a keystore including a plurality of keys, and save the set keystore in the CCC.
  • Step 203 Pre-storing each of the allocated client software version identifiers in the corresponding client software, and storing the keystores in each client software separately.
  • Step 204 Set a trigger authentication policy in the AS in advance.
  • the triggering authentication policy may be set according to the actual service requirement.
  • the triggered authentication policy may be: whether the number of consecutive receptions of the same client access request exceeds the set threshold, and/or periodic detection set by the operator, random detection, unconditional detection, detection of specific services, billing detection, etc.
  • steps 201 to 204 are a series of initial setting processes performed by the present invention to implement the subsequent actual authentication process.
  • a private key corresponding to the CCC may further be set in the CCC, and a public key corresponding to the CCC set in each client software, for verifying the identity of the CCC in the subsequent authentication process.
  • Step 205 The client sends an access request carrying the identifier of the client software version to the AS.
  • Step 206 The AS obtains the client software version identifier from the received access request, and then determines whether the current client should be authenticated according to the acquired client software version identifier and the triggering authentication policy. If yes, step 207 is performed. Otherwise, perform the existing process of allowing the client to access and establish a connection, ending the current process.
  • the process of determining whether the current client should be authenticated may be as follows: for example, if the preset trigger authentication policy is that the number of consecutive receptions of the same client access request exceeds the set threshold, the AS determines whether the number of times an access request carrying the acquired client software version identifier has been received consecutively exceeds the preset threshold, and if so, considers that the current client should be authenticated; for another example, if the preset trigger authentication policy is periodic detection set by the operator, the AS determines whether it is currently within a detection period, and if yes, considers that the current client should be authenticated.
  • Step 207 The AS sends the obtained client software version identifier in the client authentication indication to the CCC through the Ca interface.
  • Step 208 The CCC selects a key from its saved keystore, generates a random number, and then carries the key sequence number of the selected key in the keystore, the generated random number, and an encryption algorithm saved by itself in the client authentication request, which is sent to the AS through the Ca interface.
  • the CCC may further sign the generated random number using the set private key and carry the signed random number in the client authentication request; that is, the random number carried in the client authentication request in this step may be a signed random number.
  • Step 209 The AS sends the received client authentication request to the client.
  • Step 210 The client obtains the key sequence number, the random number, and the encryption algorithm from the received client authentication request.
  • if the received client authentication request carries a signed random number, the client obtains the signed random number from it and verifies the signature using the public key corresponding to the CCC set in itself. If the verification shows a CCC signature, the client can confirm that the random number was sent by the CCC, that is, the random number is considered legal, and the subsequent authentication process continues. Otherwise, the random number was not sent by the CCC, it is considered illegal, and the current authentication process is terminated.
  • Step 211 The client searches the stored keystore for the key corresponding to the obtained key sequence number, then encrypts the secret set in itself using the found key, the obtained random number, and the encryption algorithm, and then carries the encrypted secret in the client authentication response message and sends it to the AS.
  • the secret is selected from the client software version identifier. For example, if the client software version identifier includes the client software version serial number and the issuing company information, the client may select the client software version serial number as the secret for encryption.
  • Step 212 The AS sends the received client authentication response message to the CCC through the Ca interface.
  • Step 213 After receiving the client authentication response, the CCC obtains the encrypted secret from it, decrypts the encrypted secret using the key selected in step 208, the generated random number, and the decryption algorithm saved in itself, and then judges whether the decrypted secret is legal. If yes, step 214 is performed; otherwise, step 215 is performed.
  • the CCC determines whether the decrypted secret is legal by judging whether it has stored a secret identical to the decrypted one. For example, if in step 211 the client selected the client software version serial number as the secret for encryption, then in this step the secret decrypted by the CCC is the client software version serial number of that client, and the CCC determines whether it has saved the decrypted client software version serial number; if so, the decrypted secret is considered legal.
  • Step 214 The CCC sends a client authentication success message to the AS through the Ca interface, and the AS notifies the client that the authentication is successful, performs a subsequent service connection process, and ends the current process.
  • the operator can also establish a correspondence between the client software and the user in advance, that is, the operator can agree the user identifier with the user in advance and set the correspondence between different client software version identifiers and user identifiers in the CCC.
  • the client software version identifier includes a client software version serial number, and may further include information such as a company identifier; the user identifier is an identifier that can uniquely prove the identity of the user, such as the user's mobile phone number or user name.
  • the method further includes: determining whether there is a correspondence between the current client software version identifier and the user identifier, and the specific implementation process can be seen in FIG. 3, including the following steps:
  • Steps 301 to 307 are the same as steps 201 to 207.
  • Step 308 The CCC selects a key from its saved keystore, generates a random number, and then carries the key sequence number of the selected key in the keystore, the generated random number, the encryption algorithm saved by itself, and an indication that user identification information is required in the client authentication request, which is sent to the AS through the Ca interface.
  • the CCC may further sign the generated random number using the set private key and carry the signed random number in the client authentication request; that is, the random number carried in the client authentication request in this step may be a signed random number.
  • Step 309 The AS sends the received client authentication request to the client.
  • Step 310 The client obtains the key sequence number, the random number, and the encryption algorithm from the received client authentication request, and, according to the indication carried in the client authentication request that user identification information is required, prompts the user to input the user identifier and obtains the user identifier input by the user.
  • if the received client authentication request carries a signed random number, the client obtains the signed random number from it and verifies the signature using the public key corresponding to the CCC set in itself. If the verification shows a CCC signature, the client can confirm that the random number was sent by the CCC, that is, the random number is considered legal, and the subsequent authentication process continues. Otherwise, the random number was not sent by the CCC, it is considered illegal, and the current authentication process is terminated.
  • Step 311 The client searches the stored keystore for the key corresponding to the obtained key sequence number, and then encrypts the secret set in itself using the found key, the obtained random number, and the encryption algorithm.
  • Step 312 The client sends the encrypted secret and the obtained user identifier to the AS in the client authentication response message.
  • the secret is selected from the client software version identifier.
  • the client software version identifier includes the client software version serial number and the issuing company information, and the client can select the client software version serial number as the secret for encryption.
  • Step 313 The AS sends the received client authentication response message to the CCC through the Ca interface.
  • Step 314 After receiving the client authentication response, the CCC obtains the encrypted secret and the user identifier from it, decrypts the acquired encrypted secret using the key selected in step 308, the generated random number, and the decryption algorithm saved in itself, and then judges whether the decrypted secret is legal. If yes, step 316 is performed; otherwise, step 315 is performed.
  • the CCC determines whether the decrypted secret is legal by judging whether it has stored a secret identical to the decrypted one. For example, if in step 312 the client selected the client software version serial number as the secret for encryption, then the secret decrypted by the CCC is the client software version serial number of that client, and the CCC determines whether it has saved the decrypted client software version serial number; if so, the decrypted secret is considered legal.
  • Step 315 The CCC sends a client authentication failure message to the AS through the Ca interface, and the AS notifies the client that the authentication fails, denies the client access, and ends the current process.
  • Step 316 The CCC determines whether there is a preset correspondence between the decrypted secret and the acquired user identifier. If yes, step 317 is performed; otherwise, the process returns to step 315.
  • Step 317 The CCC sends a client authentication success message to the AS through the Ca interface, and the AS notifies the client that the authentication is successful, and performs a subsequent service connection process.
  • in the above embodiments, after receiving the client authentication request sent by the client authentication center, the client sends the encrypted secret, that is, the encrypted client software version identifier, as the authentication identifier.
  • the client may also actively send the authentication identifier to the AS in the access request, and the AS sends the authentication identifier to the client authentication center.
  • the principle is the same as that of the above embodiment.
  • the authentication process of the present invention may further include a currently existing process of authenticating the user identity by the AS.
  • the specific implementation can be implemented in multiple ways.
  • the user name and password of the registered user are saved in the application server in advance; when authentication is performed, the client sends the user name and password input by the user to the AS, and the AS judges whether it has saved an identical user name and password. If yes, the authentication of the current user is considered successful; otherwise, the authentication fails.
  • the process of authenticating the user identity in the present invention may be performed after the client authentication is successful, or may be performed before the client is authenticated.
  • in both the wired network and the mobile network, two cases can be distinguished: the client accessing the home zone and the client accessing the visited zone.
  • the foregoing process describes the process of implementing authentication when the client accesses the home zone.
  • when the client accesses the visited zone, the process of implementing authentication by the present invention is the same as the above process, except that all messages between the AS and the CCC need to be forwarded through the CCC of the visited zone (VCCC). That is, when the AS receives the access request sent by the client, it sends the client authentication indication to the VCCC.
  • the VCCC forwards the client authentication indication to the CCC of the client home zone according to the client software version identifier carried in the client authentication indication, and forwards the client authentication response sent by the VCCC to the CCC of the client home zone.
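As an added example (not the patent's own code), the following stdlib-only Python models the exchange of steps 204 to 214 and the two-factor variant of steps 308 to 316: the AS trigger policy, the CCC challenge carrying a key sequence number, random number and algorithm name, the client's encrypted secret, and the CCC's decrypt-and-compare check. The keystore, serial numbers, phone numbers, class and function names, and the HMAC-SHA256 keystream cipher are all constructed stand-ins; the optional signature of the random number from step 208 is left out.

```python
"""Model of the patent's challenge-response client authentication (steps 204-214 and
the two-factor variant, steps 308-316).  All keys, serials and the phone number are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Keystore shared by the CCC and every client build (steps 202-203): key sequence number -> key.
KEYSTORE = {
    1: bytes.fromhex("00112233445566778899aabbccddeeff"),  # constructed demo keys
    2: bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks.  XOR is its own
    inverse, so the same call decrypts; the step-208 random number serves as the nonce."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[block_no * 32:(block_no + 1) * 32], ks))
    return bytes(out)

ALGORITHMS = {"hmac-sha256-ctr": keystream_xor}  # algorithm names the CCC may choose

@dataclass
class AuthRequest:  # client authentication request (step 208 / 308)
    key_seq: int
    nonce: bytes
    alg: str
    need_user_id: bool = False

@dataclass
class AuthResponse:  # client authentication response (step 211 / 312)
    encrypted_secret: bytes
    user_id: Optional[str] = None

class ClientSoftware:
    """A client build carrying its pre-stored version serial, the 'secret' of step 211."""
    def __init__(self, version_serial: str):
        self.version_serial = version_serial

    def respond(self, req: AuthRequest, user_id: Optional[str] = None) -> AuthResponse:
        key = KEYSTORE[req.key_seq]  # step 211: look the key up by its sequence number
        ct = ALGORITHMS[req.alg](key, req.nonce, self.version_serial.encode())
        return AuthResponse(ct, user_id if req.need_user_id else None)

class CCC:
    """Client Certification Center: registered serials (step 201) plus serial -> user map (step 316)."""
    def __init__(self, registered_serials, serial_to_user=None):
        self.registered = set(registered_serials)
        self.serial_to_user = dict(serial_to_user or {})
        self.pending = {}  # nonce -> (key_seq, alg) chosen in step 208; single use

    def challenge(self, need_user_id: bool = False) -> AuthRequest:
        key_seq, nonce = secrets.choice(sorted(KEYSTORE)), secrets.token_bytes(16)
        self.pending[nonce] = (key_seq, "hmac-sha256-ctr")
        return AuthRequest(key_seq, nonce, "hmac-sha256-ctr", need_user_id)

    def verify(self, req: AuthRequest, resp: AuthResponse) -> bool:
        # Step 213: decrypt with what the CCC itself recorded, never with client-echoed values;
        # an unknown or already consumed nonce (a replayed response) is rejected outright.
        chosen = self.pending.pop(req.nonce, None)
        if chosen is None:
            return False
        key_seq, alg = chosen
        plain = ALGORITHMS[alg](KEYSTORE[key_seq], req.nonce, resp.encrypted_secret)
        serial = plain.decode("ascii", errors="replace")
        if serial not in self.registered:
            return False  # step 215: a serial the operator never allocated
        if req.need_user_id:  # step 316: the serial must correspond to the supplied user
            return self.serial_to_user.get(serial) == resp.user_id
        return True

class AppServer:
    """AS applying the 'N consecutive identical access requests' trigger policy (step 204)."""
    def __init__(self, ccc: CCC, threshold: int, need_user_id: bool = False):
        self.ccc, self.threshold, self.need_user_id = ccc, threshold, need_user_id
        self.last_version_id, self.run = None, 0

    def access(self, client: ClientSoftware, user_id: Optional[str] = None) -> str:
        version_id = client.version_serial  # carried in the step-205 access request
        self.run = self.run + 1 if version_id == self.last_version_id else 1
        self.last_version_id = version_id
        if self.run <= self.threshold:  # step 206: policy not triggered, connect as today
            return "connected-without-authentication"
        req = self.ccc.challenge(self.need_user_id)  # steps 207-209 over the Ca interface
        resp = client.respond(req, user_id)  # steps 210-212
        return "authenticated" if self.ccc.verify(req, resp) else "denied"  # step 214 / 215

def run_demo() -> dict:
    """Constructed scenario: threshold 2, two-factor embodiment (serial + phone number)."""
    ccc = CCC({"SN-1001", "SN-1002"}, {"SN-1001": "13800000000"})
    app = AppServer(ccc, threshold=2, need_user_id=True)
    legit, rogue = ClientSoftware("SN-1001"), ClientSoftware("SN-9999")  # SN-9999 never allocated
    return {
        "legit": [app.access(legit, "13800000000") for _ in range(3)],
        "wrong_user": app.access(legit, "13900000000"),
        "rogue": [app.access(rogue) for _ in range(3)],
    }
```

Note that both the legitimate and the unallocated build get two unauthenticated connections before the threshold trips, which is exactly the trade-off the trigger policy makes; a replayed response fails because the CCC discards each nonce after one use.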

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A method for implementing certificating and a system thereof. The system comprises a client, an application server and a client certification center (CCC) and the method comprises that the client sends the certification identifier to CCC through the application server; CCC certificates the client according to the received certification identifier. The present invention can improve the security and reliability substantially, enable the provider to control the key information of the client software, make it easy to update and charge the client software, and to unify and manage the behavior of the users.

Description

一种实现认证的方法和系统  Method and system for realizing authentication
技术领域 Technical field
本发明涉及网络安全领域,特别是涉及一种实现认证的方法和系统。 发明背景  The present invention relates to the field of network security, and in particular to a method and system for implementing authentication. Background of the invention
近年来, 随着信息技术和网络应用的不断延伸和发展, 网络已成为 人们普遍采用的通信方式。 但是^ I前, 网络中的服务器经常会受到非法 用户通过客户端进行的恶意攻击, 导致服务器中的数据大量丟失和损 坏。  In recent years, with the continuous extension and development of information technology and network applications, the Internet has become a popular communication method. However, before the server, the servers in the network are often subjected to malicious attacks by illegal users through the client, resulting in a large amount of data loss and damage in the server.
为了防止非法用户通过客户端对服务器进行的恶意攻击, 目前的主 要措施是对用户身份进行认证。 用户通过客户端将用户名和密码发送至 网络中的应用服务器( AS ), AS根据自身是否保存有该用户名和密码来 判断该用户是否合法, 如果合法, 则认证成功, 允许用户接入并通过客 户端与网络侧交互业务数据, 如果不合法, 则认证失败,拒绝用户接入。  In order to prevent malicious users from malicious attacks on the server through the client, the current main measure is to authenticate the user. The user sends the user name and password to the application server (AS) in the network through the client. The AS determines whether the user is legal according to whether the user name and password are saved. If it is legal, the authentication succeeds, and the user is allowed to access and pass the client. The terminal exchanges service data with the network side. If it is not legal, the authentication fails and the user is denied access.
但是, 现有技术在实现认证时, 只是针对用户身份进行认证, 也就 是说, 如果用户身份合法, 则可以通过客户端与 AS建立连接, 实现后 续业务。 然而, 由于用户名和密码容易被破译, 一旦非法用户破译了用 户名和密码, 则可认证成功, 建立与服务器的连接, 从而对服务器进行 恶意攻击。 因此, 仅仅对用户身份进行认证以保证用户的合法性, 并不 能有效地避免网络中的服务器受到恶意攻击。  However, in the prior art, when the authentication is implemented, only the user identity is authenticated, that is, if the user identity is legal, the client can establish a connection with the AS to implement the subsequent service. However, since the username and password are easily deciphered, once the illegal user deciphers the username and password, the authentication succeeds and a connection with the server is established, thereby maliciously attacking the server. Therefore, only authenticating the user's identity to ensure the legitimacy of the user does not effectively prevent the server in the network from being maliciously attacked.
由此可见, 如何采用一种更为安全可靠的认证方法已经成为一个亟 待解决.的问题。 发明内容 It can be seen that how to adopt a more secure and reliable authentication method has become an urgent problem to be solved. Summary of the invention
The main object of the present invention is to provide a method for implementing authentication; another object of the present invention is to provide a system for implementing authentication, so as to improve the security and reliability of authentication.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
A method for implementing authentication, in which a client authentication center is provided, the method further comprising the following steps:
A. the client sends an authentication identifier to the client authentication center;
B. the client authentication center authenticates the client according to the received authentication identifier.
Before the client sends the authentication identifier to the client authentication center, step A further comprises the following steps:
A1. the client sends an access request to the client authentication center;
A2. the client authentication center generates authentication parameters and then sends the generated authentication parameters to the client, carried in a client authentication request;
A3. the client obtains the authentication identifier according to the authentication parameters carried in the client authentication request.
The method further comprises: providing a keystore comprising a plurality of keys, and storing the keystore in the client authentication center and in every client software, wherein different keys correspond to different key sequence numbers in the keystore;
in step A2, the step of the client authentication center generating the authentication parameters comprises: the client authentication center selects a key from the keystore it stores and obtains the key sequence number corresponding to the selected key, then generates a random number and selects an encryption algorithm it stores; the authentication parameters comprise the key sequence number, the random number and the encryption algorithm;
in step A3, the step of the client obtaining the authentication identifier according to the authentication parameters comprises: the client looks up the corresponding key in the keystore it stores according to the obtained key sequence number, then encrypts a secret set in the client according to the key found, the obtained random number and the encryption algorithm, and takes the encrypted secret as the obtained authentication identifier;
step B comprises: the client authentication center decrypts the received encrypted secret according to the selected key, the generated random number and a decryption algorithm it stores, and then determines whether authentication succeeds by determining whether the decrypted secret is legitimate.
The method further comprises: setting in the client authentication center a private key corresponding to the client authentication center, and setting in every client software a public key corresponding to the client authentication center;
in step A2, the step of the client authentication center generating the random number further comprises: the client authentication center signs the generated random number with the private key so set;
the random number included in the authentication parameters is the signed random number;
before obtaining the authentication identifier according to the authentication parameters, step A3 further comprises: the client verifies the signed random number with the public key set in the client; if the verification result is that the signature is the client authentication center's, the step of obtaining the authentication identifier according to the authentication parameters continues; otherwise the current procedure ends.
The method further comprises: assigning a different client software version identifier to each different client software, and storing each assigned client software version identifier in the corresponding client software and in the client authentication center;
the secret is the client software version identifier of the software the client uses;
in step B, the step of the client authentication center determining whether authentication succeeds by determining whether the decrypted secret is legitimate comprises: the client authentication center determines whether it stores a client software version identifier identical to the decrypted client software version identifier; if so, authentication succeeds.
The client software version identifier comprises: a client software version serial number, or a client software version serial number and an issuing company identifier.
The different client software comprises client software provided by different developers, or different versions of client software provided by the same developer.
The client authentication center is connected to an application server; step A comprises: the client sends the authentication identifier to the application server, and the application server forwards the authentication identifier to the client authentication center.
The method further comprises: storing in advance the user names and passwords of registered users in the application server; the client sends the user name and password entered by the user to the application server, and the application server determines whether it stores a user name and password identical to those received; if so, authentication succeeds, otherwise authentication fails.
The method further comprises: setting a trigger authentication policy in the application server;
in step A, the step of the client sending the authentication identifier to the application server comprises: the client sends the authentication identifier to the application server carried in an access request;
after the client sends the authentication identifier to the application server in the access request and before the application server sends the authentication identifier to the client authentication center, step A further comprises: the application server determines, according to the set trigger authentication policy, whether the client authentication procedure should be performed at present; if so, the step of sending the authentication identifier to the client authentication center continues; otherwise the current procedure ends.
The trigger authentication policy comprises: whether the number of consecutively received access requests from the same client exceeds a set count threshold, or periodic checking, or random checking, or unconditional checking, or checking for specific services, or checking for charging.
The trigger authentication policy is whether the number of consecutively received access requests from the same client exceeds the set count threshold;
the step of the application server determining whether the client authentication procedure should be performed at present comprises: the application server determines whether the number of access requests consecutively received from the client so far exceeds the preset count threshold; if so, it considers that the client authentication procedure should be performed at present.
The method further comprises: setting in the client authentication center correspondences between different authentication identifiers and different user identifiers;
step A further comprises: the client obtains a user identifier entered by the user and sends the obtained user identifier to the client authentication center;
step B further comprises: the client authentication center authenticates the client according to whether the received authentication identifier and user identifier satisfy the set correspondence.
The user identifier is the user's mobile phone number or user name.
The client accesses a visited area;
step A comprises: the client sends the authentication identifier to the client authentication center of the visited area, and the client authentication center of the visited area forwards the authentication identifier to the client authentication center of the home area;
in step B, the client authentication center is the client authentication center of the client's home area.
A system for implementing authentication, comprising a client, an application server and a client authentication center, wherein the application server is connected to the client and to the client authentication center respectively;
the client authentication center sends a client authentication request to the application server, receives the authentication identifier sent by the application server, and then authenticates the client according to the received authentication identifier;
the application server forwards the client authentication request from the client authentication center to the client, and forwards the authentication identifier from the client to the client authentication center;
the client obtains the authentication identifier after receiving the client authentication request from the application server, and sends the obtained authentication identifier to the application server.
The client authentication center is a separate network entity;
the client authentication center and the application server are connected through a custom Ca interface.
The client authentication center is combined with an existing entity in the network into one physical entity.
The existing entity in the network is a home location register or the application server.
It can be seen from the above solution that the present invention has the following advantages:
1. The operator assigns different client software version identifiers to different client software and performs the authentication procedure according to the client software version identifier, which is difficult for an unauthorized user to obtain. The security and reliability of authentication are therefore greatly improved, malicious attacks launched by unauthorized users after establishing a connection with the server are avoided, and network order is regulated.
2. Where higher security is required, the CCC authenticates the user's identity in addition to authenticating the client, and authentication succeeds only when both the client and the user identity are legitimate. This dual authentication procedure further improves the security and reliability of authentication.
3. In the present invention only genuine client software released by a vendor can pass authentication, which improves the economic returns of each software vendor.
4. For the operator, the present invention provides the key information about client software, namely the client software version identifier, so that client software can be uniformly upgraded, charged for and so on, and user behaviour can be regulated and managed more easily.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the structure of the system of the present invention.
Figure 2 is a flowchart of authenticating a client in an embodiment of the present invention.
Figure 3 is a flowchart of implementing authentication according to the correspondence between client software version identifiers and user identifiers in an embodiment of the present invention.
Mode for Carrying Out the Invention
The prior art authenticates only the user's identity, and a legitimate user identity is very easily counterfeited, so the authentication procedure lacks security and reliability. Since a user must communicate with servers in the network through a client, whether the software the client uses is legitimate bears directly on the legitimacy of the whole communication, and hence on whether servers in the network will suffer malicious attacks. In view of this, the present invention proposes a new method and system for implementing authentication whose core idea is: a client authentication center is provided; the client sends an authentication identifier to the client authentication center; and the client authentication center authenticates the client according to the received authentication identifier.
Here the authentication identifier is information that uniquely identifies the client, for example the client software version identifier assigned in advance to the software the client uses, in encrypted form.
It can be seen that the core idea of the present invention is to authenticate the client, that is, to verify the legitimacy of the client software the client uses. To further ensure the security of the authentication procedure, authentication of the user's identity may be included as well.
In addition, in a concrete service implementation, authenticating every client would greatly increase the load on the network side. Preferably, therefore, a trigger authentication policy is set in advance in the present invention: when the AS receives an access request from a client it does not immediately instruct the client authentication center to perform the authentication procedure, but first decides according to the set trigger authentication policy whether the subsequent client authentication procedure should be performed, and only if so does it go on to instruct the client authentication center to authenticate.
To make the objects, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Figure 1 is a schematic diagram of the structure of the system of the present invention. Referring to Figure 1, the system of the present invention comprises a client, an AS and a Client Certification Center (CCC). The CCC may be a separate network entity provided by the present invention, or may be combined with an existing entity in the network into one physical entity; for example, the CCC may be combined with a home location register (HLR) or with the AS into one network entity. In the system of the present invention, if the CCC is a separate network entity, the CCC and the AS are connected through the Ca interface defined by the present invention.
Figure 2 is a flowchart of authenticating a client in an embodiment of the present invention. Referring to Figures 1 and 2, with the system of the present invention, the procedure for implementing authentication according to the method of the present invention specifically comprises the following steps:
Step 201: assign in advance a different client software version identifier to each different client software, and store each assigned client software version identifier in the CCC.
Here, client software provided by different developers, and different versions of client software provided by the same developer, are all different client software in the sense of the present invention.
In this step the client software version identifier comprises a client software version serial number and may further comprise information such as an issuing company identifier.
Step 202: set up in advance a keystore comprising a plurality of keys, and store the keystore in the CCC.
Here, different keys correspond to different key sequence numbers in the keystore.
Step 203: store in advance each assigned client software version identifier in the corresponding client software, and store the keystore in every client software.
Step 204: set a trigger authentication policy in the AS in advance.
Here, the trigger authentication policy can be set according to actual service needs; it may be: whether the number of consecutively received access requests from the same client exceeds a set count threshold, and/or periodic checking set by the operator, random checking, mandatory unconditional checking, checking for specific services, checking for charging, and so on.
Steps 201 to 204 are a series of initial settings the present invention makes so that the subsequent actual authentication procedure can be carried out. In addition, during this initial setting a private key corresponding to the CCC may further be set in the CCC, and a public key corresponding to the CCC set in every client software, for verifying the identity of the CCC during the subsequent authentication procedure.
After each different client software has been installed in different clients, the subsequent actual authentication procedure can be carried out.
Step 205: the client sends to the AS an access request carrying its own client software version identifier.
Step 206: the AS obtains the client software version identifier from the received access request, then determines according to the obtained client software version identifier and the trigger authentication policy whether the current client should be authenticated; if so, step 207 is performed; otherwise the existing procedure of allowing the client to access and establishing a connection is performed, and the current procedure ends.
Here, the determination of whether the current client should be authenticated may be as follows. For example, if the preset trigger authentication policy is whether the number of consecutively received access requests from the same client exceeds a set count threshold, the AS determines whether the number of access requests consecutively received so far carrying the obtained client software version identifier exceeds the preset count threshold, and if so considers that the current client should be authenticated. As another example, if the preset trigger authentication policy is periodic checking set by the operator, the AS determines whether the present time falls within a periodic checking period, and if so considers that the current client should be authenticated.
Step 207: the AS sends the obtained client software version identifier to the CCC through the Ca interface, carried in a client authentication indication.
Step 208: the CCC selects a key from the keystore it stores and generates a random number, then sends to the AS through the Ca interface a client authentication request carrying the key sequence number of the selected key in the keystore, the generated random number and the encryption algorithm it stores.
Here, if a private key corresponding to the CCC was set in the CCC in advance, the CCC may in this step further sign the generated random number with that private key and carry the signed random number in the client authentication request; that is, the random number carried in the client authentication request in this step may be a signed random number.
Step 209: the AS forwards the received client authentication request to the client.
Step 210: the client obtains the key sequence number, the random number and the encryption algorithm from the received client authentication request.
Here, if a public key corresponding to the CCC was set in the client software in advance, then in this step what the client obtains from the received client authentication request is the signed random number, and the client further verifies the signed random number with the CCC public key set in itself. If the verification result is a CCC signature, the client can confirm that the random number was sent by the CCC, that is, the random number is legitimate, and the subsequent authentication procedure may continue; otherwise the random number is considered not to have been sent by the CCC, that is, illegitimate, and the current authentication procedure ends.
Step 211: the client looks up the corresponding key in the keystore it stores according to the obtained key sequence number, then encrypts the secret held in itself according to the key found, the obtained random number and the encryption algorithm, and sends the encrypted secret to the AS carried in a client authentication response message.
Here, the secret is taken from the client software version identifier. For example, if the client software version identifier comprises the client software version serial number and issuing company information, the client may take the client software version serial number as the secret to be encrypted.
Step 212: the AS forwards the received client authentication response message to the CCC through the Ca interface.
Step 213: after receiving the client authentication response, the CCC obtains the encrypted secret from it, decrypts the encrypted secret using the key selected in step 208, the random number generated there and the decryption algorithm it stores, and then determines whether the decrypted secret is legitimate; if so, step 214 is performed, otherwise step 215 is performed.
Here, the CCC determines whether the decrypted secret is legitimate by determining whether it stores a secret identical to the decrypted one. For example, if in step 211 the client took the client software version serial number as the secret, then in this step the secret decrypted by the CCC is that client's client software version serial number, and the CCC determines whether it already stores that decrypted client software version serial number; if so, the decrypted secret is considered legitimate.
Step 214: the CCC sends a client authentication success message to the AS through the Ca interface; the AS notifies the client that authentication succeeded, the subsequent service connection procedure is carried out, and the current procedure ends.
Step 215: the CCC sends a client authentication failure message to the AS through the Ca interface; the AS notifies the client that authentication failed and denies the client access.
In a concrete service implementation, the operator may also establish in advance a correspondence between client software and users; that is, the operator may agree a user identifier with the user in advance and set in the CCC correspondences between different client software version identifiers and different user identifiers. Here, the client software version identifier comprises the client software version serial number and may further comprise information such as an issuing company identifier, and the user identifier is an identifier that uniquely proves the user's identity, such as the user's mobile phone number or user name. Thus, when implementing authentication, the present invention further authenticates whether a correspondence exists between the current client software version identifier and the user identifier; the concrete implementation is shown in Figure 3 and comprises the following steps:
Steps 301 to 307 are identical in every respect to steps 201 to 207.
Step 308: the CCC selects a key from the keystore it stores and generates a random number, then sends to the AS through the Ca interface a client authentication request carrying the sequence number of the selected key in the keystore, the generated random number, the encryption algorithm it stores and a demand that user identifier information be provided.
Here, if a private key corresponding to the CCC was set in the CCC in advance, the CCC may in this step further sign the generated random number with that private key and carry the signed random number in the client authentication request; that is, the random number carried in the client authentication request in this step may be a signed random number.
Step 309: the AS forwards the received client authentication request to the client.
Step 310: the client obtains the key sequence number, the random number and the encryption algorithm from the received client authentication request, prompts the user to enter a user identifier according to the demand for user identifier information carried in the client authentication request, and obtains the user identifier entered by the user.
Here, if a public key corresponding to the CCC was set in the client software in advance, then in this step what the client obtains from the received client authentication request is the signed random number, and the client further verifies the signed random number with the CCC public key set in itself. If the verification result is a CCC signature, the client can confirm that the random number was sent by the CCC, that is, the random number is legitimate, and the subsequent authentication procedure may continue; otherwise the random number is considered not to have been sent by the CCC, that is, illegitimate, and the current authentication procedure ends.
步骤 311 : 客户端根据所获取的密钥序号从自身保存的密钥库中查 找到相应的密钥, 然后根据所查找到的密钥、 所获取的随机数和加密算 法对自身中的秘密进行加密。  Step 311: The client searches for the corresponding key from the stored keystore according to the obtained key sequence number, and then performs the secret in itself according to the found key, the obtained random number, and the encryption algorithm. encryption.
步骤 312: 客户端将加密后的秘密以及获取的用户标识携带在客户 端认证应答消息中发送至 AS。  Step 312: The client sends the encrypted secret and the obtained user identifier to the AS in the client authentication response message.
这里, 所述的秘密是从客户端软件版本标识中选取的。 比如, 客户 端软件版本标识包括客户端软件版本序列号和发行公司信息, ·则客户端 可选取客户端软件版本序列号作为秘密来进行加密。  Here, the secret is selected from the client software version identifier. For example, the client software version identifier includes the client software version serial number and the issuing company information, and the client can select the client software version serial number as the secret for encryption.
Step 313: The AS forwards the received client authentication response message to the CCC over the Ca interface.
Step 314: On receiving the client authentication response, the CCC extracts the encrypted secret and the user identifier from it, decrypts the encrypted secret using the key selected in step 308, the random number it generated and the decryption algorithm it stores, and then judges whether the decrypted secret is legitimate. If so, step 316 is executed; otherwise, step 315.
Here, the CCC judges whether the decrypted secret is legitimate by checking whether it has stored a secret identical to it. For example, if in step 312 the client chose its client software version serial number as the secret, then in this step the decrypted secret is that client's software version serial number, and the CCC checks whether it already stores that serial number; if so, the decrypted secret is considered legitimate.
Step 315: The CCC sends a client authentication failure message to the AS over the Ca interface; the AS notifies the client that authentication failed, denies the client access, and the current process ends.
Step 316: The CCC judges whether a preset correspondence exists between the decrypted secret and the obtained user identifier. If so, step 317 is executed; otherwise, the process returns to step 315.
Step 317: The CCC sends a client authentication success message to the AS over the Ca interface; the AS notifies the client that authentication succeeded, and the subsequent service connection process is carried out.
In the embodiment above, the client sends the encrypted secret used as the authentication identifier, that is, the encrypted client software version identifier, to the client authentication center only after it has received the client authentication request from the client authentication center. In other embodiments, the client may instead carry the authentication identifier in the access request it sends to the AS, and the AS sends the authentication identifier on to the client authentication center; that implementation follows the same principle as the embodiment above.
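The exchange of steps 308 to 317 with both sides written out, as an added example and not code from the patent (the patent fixes no concrete algorithms or message formats): the CCC picks a key sequence number and a random number and signs the random number with its private key; the client verifies the signature with the CCC public key it ships with, encrypts its client software version serial number with the selected key, and attaches the user identifier; the CCC decrypts, checks that the serial number is one it has registered, and checks the serial number/user identifier correspondence of step 316. The keystore contents, signing seed, serial numbers and user identifiers are constructed sample data. Ed25519 for the signature, AES-128-GCM with the random number as nonce for the encryption, and binding the user identifier in as GCM associated data are choices made for this example, not specified by the patent; the AS and the Ca interface are not modelled because the AS only relays messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type AuthRequest struct { // parameters the CCC generates in step 308 (algorithm fixed to AES-128-GCM here)
	KeyIndex int    // key sequence number into the shared keystore
	Nonce    []byte // the random number; also used as the AES-GCM nonce (assumption)
	NonceSig []byte // CCC's Ed25519 signature over Nonce (signed-random-number embodiment)
}

type AuthResponse struct { // the client authentication response of step 312
	EncryptedSecret []byte // the encrypted client software version serial number
	UserID          string // identifier entered by the user (phone number or user name)
}

type CCC struct { // the client authentication center
	keystore [][]byte            // keystore, indexed by key sequence number
	signKey  ed25519.PrivateKey  // private key set at the CCC
	allowed  map[string][]string // serial number -> user identifiers bound to it
}

type Client struct { // the client software; the patent puts the keystore and CCC public key in every copy
	keystore [][]byte
	cccPub   ed25519.PublicKey
	serial   string // the secret: this build's client software version serial number
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keystore keys are 16 bytes; a bad key is a bug
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block (128-bit block size)
	return aead
}

// NewDemoCCC provisions a CCC with constructed sample keys, signing seed and serial-to-user bindings.
func NewDemoCCC() *CCC {
	return &CCC{
		keystore: [][]byte{[]byte("demokey-00000001"), []byte("demokey-00000002")},
		signKey:  ed25519.NewKeyFromSeed([]byte("demo-ccc-signing-seed-32-bytes!!")),
		allowed:  map[string][]string{"CLIENT-3.1-000042": {"13800138000", "alice"}, "CLIENT-2.0-000007": {"bob"}},
	}
}

func (s *CCC) NewClient(serial string) *Client {
	return &Client{keystore: s.keystore, cccPub: s.signKey.Public().(ed25519.PublicKey), serial: serial}
}

// Challenge is step 308: choose a key, draw a random number and sign it with the CCC private key.
func (s *CCC) Challenge() (*AuthRequest, error) {
	buf := make([]byte, 13) // 1 byte to pick the key, then 12 bytes of GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return &AuthRequest{KeyIndex: int(buf[0]) % len(s.keystore), Nonce: buf[1:],
		NonceSig: ed25519.Sign(s.signKey, buf[1:])}, nil
}

// Respond is steps 310 to 312: verify the signed random number, look the key up by sequence number,
// encrypt the secret and attach the user identifier, bound in as GCM associated data (an addition).
func (c *Client) Respond(req *AuthRequest, userID string) (*AuthResponse, error) {
	if !ed25519.Verify(c.cccPub, req.Nonce, req.NonceSig) {
		return nil, errors.New("random number is not signed by the CCC; abort")
	}
	if req.KeyIndex < 0 || req.KeyIndex >= len(c.keystore) {
		return nil, fmt.Errorf("key sequence number %d is not in the keystore", req.KeyIndex)
	}
	ct := newGCM(c.keystore[req.KeyIndex]).Seal(nil, req.Nonce, []byte(c.serial), []byte(userID))
	return &AuthResponse{EncryptedSecret: ct, UserID: userID}, nil
}

// Verify is steps 314 to 317: decrypt with the step 308 key and random number, require a registered
// serial number, then require the serial/user correspondence of step 316.
func (s *CCC) Verify(req *AuthRequest, resp *AuthResponse) error {
	pt, err := newGCM(s.keystore[req.KeyIndex]).Open(nil, req.Nonce, resp.EncryptedSecret, []byte(resp.UserID))
	if err != nil {
		return errors.New("step 315: decryption failed, client authentication failed")
	}
	for _, u := range s.allowed[string(pt)] {
		if u == resp.UserID {
			return nil // step 317: client authentication success
		}
	}
	return fmt.Errorf("step 315: serial %q is unknown or not bound to user %q", pt, resp.UserID)
}

func main() { // stand-alone demo; errors ignored for brevity
	ccc := NewDemoCCC()
	req, _ := ccc.Challenge()
	resp, _ := ccc.NewClient("CLIENT-3.1-000042").Respond(req, "alice")
	fmt.Println("bound user on registered build:", ccc.Verify(req, resp))
}
```

Two points worth keeping in mind when reading the patent against this code. First, the CCC must remember the key sequence number and random number of step 308 until step 314; here that state is simply the AuthRequest handed back to Verify, whereas a real CCC stores it per outstanding session. Second, the keystore and the serial number are present in every distributed copy of the client software, as claims 3 and 5 require, so whoever extracts them from one copy can produce a valid response; the scheme therefore tells registered software builds apart rather than proving anything about a particular device or person, which is why the patent pairs it with the serial/user correspondence check and the AS's own user name and password authentication.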
In addition, it should be noted that in a concrete service implementation, to further ensure the security and reliability of the authentication process, the authentication process of the present invention may also include the existing user identity authentication performed by the AS. That can be implemented in several ways; as one example: the user names and secrets of registered users are stored in the application server in advance; during authentication the client sends the user name and password entered by the user to the AS, and the AS checks whether it has stored the same user name and password. If so, the current user's identity authentication succeeds; otherwise it fails. In the present invention the user identity authentication may be performed either after the client authentication has succeeded or before the client is authenticated.

It should also be noted that because a client may access the AS of its home zone directly or access an AS through a proxy in another zone, both wired and mobile networks fall into two cases: the client accessing its home zone and the client accessing a visited zone. The process above describes authentication when the client accesses its home zone. In a concrete service implementation, when the client accesses a visited zone, the authentication process of the present invention follows the same principle as above, except that every message between the AS and the CCC is forwarded through the CCC of the visited zone (VCCC). That is, after the AS receives the access request sent by the client, it sends the client authentication indication to the VCCC; the VCCC forwards the client authentication indication to the CCC of the client's home zone according to the client software version identifier carried in the indication, and forwards the client authentication response sent by the home zone CCC back to the AS.
In summary, the above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims
1. A method for implementing authentication, characterized in that a client authentication center (CCC) is provided, and the method further comprises the following steps:
A. the client sends an authentication identifier to the client authentication center;
B. the client authentication center authenticates the client according to the received authentication identifier.
2. The method according to claim 1, wherein, before the client sends the authentication identifier to the client authentication center, step A further comprises the following steps:
A1. the client sends an access request to the client authentication center;
A2. the client authentication center generates authentication parameters and sends them to the client, carried in a client authentication request;
A3. the client obtains the authentication identifier according to the authentication parameters carried in the client authentication request.
3. The method according to claim 2, further comprising: providing a keystore containing a plurality of keys, and storing the keystore in the client authentication center and in every copy of the client software, wherein different keys correspond to different key sequence numbers in the keystore;
in step A2, the client authentication center generating the authentication parameters comprises: the client authentication center selects a key from its stored keystore and obtains the key sequence number corresponding to the selected key, generates a random number, and selects an encryption algorithm it stores; the authentication parameters comprise the key sequence number, the random number and the encryption algorithm;
in step A3, the client obtaining the authentication identifier according to the authentication parameters comprises: the client looks up the key corresponding to the obtained key sequence number in its stored keystore, encrypts the secret set in itself using the key found, the obtained random number and the encryption algorithm, and uses the encrypted secret as the obtained authentication identifier;
step B comprises: the client authentication center decrypts the received encrypted secret using the selected key, the generated random number and the decryption algorithm it stores, and determines whether authentication succeeded by judging whether the decrypted secret is legitimate.
4. The method according to claim 3, further comprising: setting a private key corresponding to the client authentication center in the client authentication center, and setting the public key corresponding to the client authentication center in every copy of the client software;
in step A2, the client authentication center generating the random number further comprises: the client authentication center signs the generated random number with the set private key;
the random number included in the authentication parameters is the signed random number;
before obtaining the authentication identifier according to the authentication parameters, step A3 further comprises: the client verifies the signed random number using the public key set in itself; if the verification shows the signature of the client authentication center, the client continues with obtaining the authentication identifier according to the authentication parameters; otherwise the current process ends.
5. The method according to claim 3 or 4, further comprising: allocating a different client software version identifier to each different client software, and storing each allocated client software version identifier in the corresponding client software and in the client authentication center;
the secret is the client software version identifier of the software the client uses;
in step B, the client authentication center determining whether authentication succeeded by judging whether the decrypted secret is legitimate comprises: the client authentication center judges whether it has stored a client software version identifier identical to the decrypted client software version identifier; if so, authentication succeeds.
6. The method according to claim 5, wherein the client software version identifier comprises: a client software version serial number, or a client software version serial number together with an issuing company identifier.
7. The method according to claim 5, wherein the different client software comprises client software provided by different developers and different versions of client software provided by the same developer.
8. The method according to claim 1, wherein the client authentication center is connected to an application server;
step A comprises: the client sends the authentication identifier to the application server, and the application server sends the authentication identifier on to the client authentication center.
9. The method according to claim 8, further comprising: storing in advance in the application server the user name and password of each registered user; the client sends the user name and password entered by the user to the application server, and the application server judges whether it has stored a user name and password identical to those received; if so, authentication succeeds; otherwise, authentication fails.
10. The method according to claim 8 or 9, further comprising: setting a trigger authentication policy in the application server;
in step A, the client sending the authentication identifier to the application server comprises: the client carries the authentication identifier in an access request sent to the application server;
after the client has sent the access request carrying the authentication identifier to the application server, and before the application server sends the authentication identifier to the client authentication center, step A further comprises: the application server judges, according to the set trigger authentication policy, whether the client authentication process should be executed now; if so, it continues with sending the authentication identifier to the client authentication center; otherwise, the current process ends.
11. The method according to claim 10, wherein the trigger authentication policy comprises: whether the number of consecutive access requests received from the same client exceeds a set threshold; or periodic detection; or random detection; or unconditional detection; or detection for a specific service; or billing detection.
12. The method according to claim 11, wherein the trigger authentication policy is whether the number of consecutive access requests received from the same client exceeds the set threshold;
the application server judging whether the client authentication process should be executed now comprises: the application server judges whether the number of consecutive access requests it has received from the client exceeds the preset threshold; if so, it considers that the client authentication process should be executed now.
13. The method according to claim 1, further comprising: setting in the client authentication center correspondences between different authentication identifiers and different user identifiers;
step A further comprises: the client obtains the user identifier entered by the user and sends the obtained user identifier to the client authentication center;
step B further comprises: the client authentication center authenticates the client according to whether the received authentication identifier and user identifier satisfy the set correspondence.
14. The method according to claim 13, wherein the user identifier is the user's mobile phone number or user name.
15. The method according to claim 1, wherein the client accesses a visited zone;
step A comprises: the client sends the authentication identifier to the client authentication center of the visited zone, and the client authentication center of the visited zone sends the authentication identifier on to the client authentication center of the home zone;
in step B, the client authentication center is the client authentication center of the client's home zone.
16. A system for implementing authentication, comprising a client and an application server, characterized in that the system further comprises a client authentication center, the application server being connected to the client and to the client authentication center respectively, wherein:
the client authentication center sends a client authentication request to the application server, receives the authentication identifier sent by the application server, and authenticates the client according to the received authentication identifier;
the application server sends the client authentication request from the client authentication center to the client, and sends the authentication identifier from the client to the client authentication center;
the client obtains the authentication identifier after receiving the client authentication request from the application server, and sends the obtained authentication identifier to the application server.
17. The system according to claim 16, wherein the client authentication center is a separate network entity;
the client authentication center and the application server are connected through a custom Ca interface.
18. The system according to claim 16, wherein the client authentication center is combined with an entity already existing in the network into one physical entity.
19. The system according to claim 18, wherein the entity already existing in the network is a home location register or an application server.
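The trigger authentication policy of claims 10 to 12, as an added example rather than anything from the patent: a small policy interface for the application server, with the consecutive-request threshold (reset when the client authentication center reports success), periodic detection, detection for a specific service, unconditional detection, and a combinator that lets several policies be configured at once. Random and billing detection are left out. Client and service identifiers are constructed; counting "consecutive" requests per client and clearing the count on a successful authentication is an interpretation of claim 12, not something the patent states.

```go
package main

import (
	"fmt"
	"time"
)

// TriggerPolicy is evaluated by the AS for each access request (claim 10): true means the
// client authentication process should run now, false means the request proceeds without it.
// Policies hold per-client state, so one instance is shared across requests.
type TriggerPolicy interface {
	ShouldAuthenticate(clientID, service string, now time.Time) bool
}

// ConsecutiveRequests is the threshold policy of claims 11 and 12: trigger once more than
// Threshold access requests from the same client have arrived in a row without the client
// having passed authentication in between (per-client counting is an assumption).
type ConsecutiveRequests struct {
	Threshold int
	counts    map[string]int
}

func (p *ConsecutiveRequests) ShouldAuthenticate(clientID, _ string, _ time.Time) bool {
	if p.counts == nil {
		p.counts = map[string]int{}
	}
	p.counts[clientID]++
	return p.counts[clientID] > p.Threshold
}

// Authenticated clears a client's run after the CCC reported success (step 317).
func (p *ConsecutiveRequests) Authenticated(clientID string) { delete(p.counts, clientID) }

// Periodic is periodic detection: trigger at most once per Interval for each client.
type Periodic struct {
	Interval time.Duration
	last     map[string]time.Time
}

func (p *Periodic) ShouldAuthenticate(clientID, _ string, now time.Time) bool {
	if p.last == nil {
		p.last = map[string]time.Time{}
	}
	if t, ok := p.last[clientID]; ok && now.Sub(t) < p.Interval {
		return false
	}
	p.last[clientID] = now
	return true
}

// ServiceSpecific triggers only for the listed services (for example a billing service).
type ServiceSpecific struct{ Services map[string]bool }

func (p ServiceSpecific) ShouldAuthenticate(_, service string, _ time.Time) bool {
	return p.Services[service]
}

// Unconditional triggers for every access request.
type Unconditional struct{}

func (Unconditional) ShouldAuthenticate(_, _ string, _ time.Time) bool { return true }

// AnyOf composes policies: authenticate when any of them says so. Every member is evaluated,
// not short-circuited, so stateful members (counters, timers) keep advancing.
type AnyOf []TriggerPolicy

func (a AnyOf) ShouldAuthenticate(clientID, service string, now time.Time) bool {
	hit := false
	for _, p := range a {
		if p.ShouldAuthenticate(clientID, service, now) {
			hit = true
		}
	}
	return hit
}

func main() {
	policy := AnyOf{ServiceSpecific{map[string]bool{"billing": true}}, &ConsecutiveRequests{Threshold: 2}}
	now := time.Now()
	for i, svc := range []string{"chat", "chat", "chat", "billing"} {
		fmt.Printf("request %d (%s): authenticate=%v\n", i+1, svc, policy.ShouldAuthenticate("client-A", svc, now))
	}
}
```

With the threshold set to 2, the third consecutive chat request from client-A triggers client authentication and a billing request triggers it regardless of the count; after the CCC returns success the AS calls Authenticated so the next run starts from zero.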
PCT/CN2005/001157 2004-07-29 2005-07-29 A method for implementing certificating and a system thereof WO2006024216A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2004100703130A CN100499453C (en) 2004-07-29 2004-07-29 Method of the authentication at client end
CN200410070313.0 2004-07-29

Publications (1)

Publication Number Publication Date
WO2006024216A1 true WO2006024216A1 (en) 2006-03-09

Family

ID=35927668

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/001157 WO2006024216A1 (en) 2004-07-29 2005-07-29 A method for implementing certificating and a system thereof

Country Status (2)

Country Link
CN (1) CN100499453C (en)
WO (1) WO2006024216A1 (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101192926B (en) * 2006-11-28 2011-03-30 北京握奇数据系统有限公司 Account protection method and system
JP2008181228A (en) * 2007-01-23 2008-08-07 Sony Corp Management system, management method, terminal equipment, management server, and program
CN101127744B (en) * 2007-09-29 2010-10-13 杭州华三通信技术有限公司 Separation prompt method and system for illegal client and gateway device
US20100241861A1 (en) * 2007-12-05 2010-09-23 Tetsuro Yoshimoto Dhcp client server system, dhcp client device and dhcp server device
CN101860521B (en) * 2009-04-13 2013-05-08 中国联合网络通信集团有限公司 Authentication treatment method and system
CN101998575B (en) * 2009-08-24 2013-04-24 华为技术有限公司 Method, device and system for access control
CN102202040B (en) * 2010-03-26 2014-06-04 联想(北京)有限公司 Client authentication method and device
CN103795692B (en) * 2012-10-31 2017-11-21 中国电信股份有限公司 Open authorization method, system and certification authority server
TWI529537B (en) * 2013-06-04 2016-04-11 晨星半導體股份有限公司 Display with mobile high-definition link port and signal processing method thereof
CN103327489B (en) * 2013-06-28 2017-04-05 宇龙计算机通信科技(深圳)有限公司 The method and system of certification
US10033720B2 (en) * 2014-05-28 2018-07-24 Futurewei Technologies, Inc. Method and system for creating a certificate to authenticate a user identity
CN113886848A (en) * 2021-09-23 2022-01-04 深圳优地科技有限公司 Information verification method, information verification device, robot and storage medium
CN114826570A (en) * 2022-03-30 2022-07-29 微位(深圳)网络科技有限公司 Certificate acquisition method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020073322A1 (en) * 2000-12-07 2002-06-13 Dong-Gook Park Countermeasure against denial-of-service attack on authentication protocols using public key encryption
WO2003050995A1 (en) * 2001-12-07 2003-06-19 Qualcomm Incorporated Authentication in a hybrid communications network
CN1444362A (en) * 2002-03-08 2003-09-24 华为技术有限公司 Distribution method of wireless local area network encrypted keys

Also Published As

Publication number Publication date
CN100499453C (en) 2009-06-10
CN1728636A (en) 2006-02-01

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase