Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it is obvious that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The inventors observed that the existing 'authentication equals authorization' mode carries a significant security risk under the following conditions:
1. The authentication process of the applicant is subject to fraud.
For example, a malicious user uses technical means to interfere with the verification of hardware features so that the verification step is disabled, thereby stealing the access right.
2. The technology behind the means of authenticating the applicant's identity is itself broken.
For example, the password authentication algorithm is cracked by reverse engineering, a number generator is used to produce large numbers of valid passwords or serial numbers, or the authentication software is modified directly, so that the authentication means is disabled and the access right is stolen.
3. Legitimate authentication data is stolen.
For example, fingerprint data is obtained by social engineering, or even iris data is spoofed, and the access right is obtained through a legitimate identity verification mechanism.
4. The hardware device is lost.
Loss of the intelligent terminal device causes verification means that depend on hardware characteristics to fail completely.
5. A legitimate rights requester makes an involuntary request.
In the existing 'authentication equals authorization' mode, even when the authentication of the rights requester is unproblematic, i.e. the identity has been verified as correct, social engineering problems can still occur, because the identity and the access rights are bound to each other. For example, a legitimate rights requester may in fact be under duress, or a password or other authentication data may have been obtained by deception. In such cases, even though the identity of the rights requester is verified, the access rights predefined for that identity should not be granted.
In summary, in the existing 'authentication equals authorization' mode, once any of the above situations occurs, the security requirement of the sensitive function or service can no longer be guaranteed. The key reason is that this mode relies entirely on the authentication of a single role, the rights requester.
The inventors therefore contemplate introducing a new role, the guarantor, which performs cross-authorization in a manner similar to a witness. In particular, authentication and authorization are divided into two separate phases: a rights requester that has passed identity authentication does not obtain authorization directly, but needs a guarantor that has itself passed identity authentication to cross-authorize it. This ensures that, in highly sensitive and high-risk application scenarios, authorization is granted only to a legitimate user.
In practice, both the rights requester and the guarantor are predefined roles, which can be understood as two different individuals or devices.
In the embodiment of the invention, an authenticated rights requester may request the access rights predefined for its own identity, or access rights of another level. An authenticated guarantor may vouch for a rights requester that needs to obtain access rights, and one or more guarantors may vouch for the same rights requester.
In the scheme of the invention, different guarantee groups can be set for different access rights; a guarantor in a guarantee group may vouch for a rights requester that needs to obtain the access rights corresponding to that group.
In this way, to obtain access rights to a sensitive function or service, a rights requester needs not only a legitimate identity but also at least one legitimate guarantor to vouch for it, which increases the difficulty of an attack and improves access security. The guarantor for a rights requester can be selected at random from the guarantee group corresponding to the requested access rights rather than being fixed, which further improves security.
In the scheme of the invention, the identity role of the guarantor does not necessarily have the same access rights as the rights requester, but the role definition of the guarantor allows it to authorize the access rights of the rights requester.
The technical scheme of the invention is explained in detail in the following with the accompanying drawings.
The invention provides an authorization system of an intelligent terminal, as shown in fig. 1, the authorization system may include: a first intelligent terminal 101, a second intelligent terminal 102, and an authorization server 103.
In the solution of the present invention, the first intelligent terminal 101 may be the rights requester, which requests access rights, and correspondingly the second intelligent terminal 102 may be the guarantor that vouches for the rights requester for those access rights. Alternatively, the second intelligent terminal 102 may be the rights requester and the first intelligent terminal 101 the guarantor.
The scheme of the present invention is described below taking the first intelligent terminal 101 as the rights requester and the second intelligent terminal 102 as the guarantor as an example.
In the scheme of the present invention, to ensure the validity of the identity of the rights requester, when the first intelligent terminal 101 wants to access a sensitive function or service with a security access restriction, its identity role is verified first. The verification means may be any means commonly used by those skilled in the art.
The first intelligent terminal 101, having passed identity authentication, then enters an authenticated, to-be-authorized state; thereafter it may send an authorization request to a legitimate guarantor, specifically to the authenticated second intelligent terminal 102.
In the solution of the present invention, the second intelligent terminal 102, as the guarantor, may likewise be authenticated by any technical means commonly used by those skilled in the art.
In practical applications, the first intelligent terminal 101 and the second intelligent terminal 102 may be authenticated using at least one of the following kinds of authentication data: passwords, gestures, biometrics of the user, hardware features of the device, or digital certificates held by the device. The two terminals may use the same authentication method or different ones.
In the embodiment of the present invention, the authenticated first intelligent terminal 101 may send an authorization request to the authenticated second intelligent terminal 102. The authorization request may include the identity data of the first intelligent terminal 101 and permission request information for the access right it requests. In practical applications, the identity data of the first intelligent terminal 101 may be device identification information, user identification information, or other identification information that can represent the first intelligent terminal 101.
Accordingly, after receiving the authorization request from the first intelligent terminal 101, the second intelligent terminal 102 verifies it. Specifically, the second intelligent terminal 102 verifies the identity data of the first intelligent terminal 101 contained in the authorization request and the access right named in the permission request information, so as to determine whether it can vouch for the first intelligent terminal 101.
After the verification passes, the second intelligent terminal 102 may sign the received authorization request with its own guarantee private key and return the signed authorization request to the first intelligent terminal 101.
Then, after receiving the authorization request signed with the guarantee private key of the second intelligent terminal 102, the first intelligent terminal 101 may upload the signed authorization request to the authorization server 103.
The authorization server 103, serving as the authorization platform, verifies the signature on the authorization request and, once the verification passes, reads the permission request information in the request, decides whether to authorize according to that information, and returns the authorization result to the first intelligent terminal 101.
That is, the first intelligent terminal 101 receives the authorization result for its authorization request from the authorization server 103 after the signature on the request has passed the server's verification. If the authorization result is success, the first intelligent terminal 101 may use the function or service corresponding to the access right it requested.
Therefore, compared with the existing 'authentication equals authorization' mode, the scheme of the invention adds the role of the guarantor and separates the authentication process from the authorization process, so that a rights requester cannot directly obtain the access rights predefined for its identity merely by passing authentication; this prevents authorization from being obtained through authentication alone and improves access security. Moreover, the guarantor's guarantee signature on the rights requester's authorization request increases the difficulty of an attack and further improves access security.
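The flow just described, as an added example that is not part of the patent: a guarantor that vouches only within its role definition, a server that holds one guarantee group per access right and can draw a guarantor at random from it, and server-side verification of the guarantee signature, the group membership and replay. The patent names no signature algorithm, message encoding or identifiers; Ed25519 signatures, JSON encoding, the nonce field, the terminal names (watch-1, phone-A, phone-B) and the access rights (transfer, view) are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"math/big"
)

// Request carries the requester's identity data and the access right it asks for; the nonce is my addition for a replay check.
type Request struct {
	RequesterID string `json:"requester_id"`
	Right       string `json:"right"`
	Nonce       []byte `json:"nonce"`
}

// Vouched is the request together with the guarantor's signature over it.
type Vouched struct {
	Request     Request `json:"request"`
	GuarantorID string  `json:"guarantor_id"`
	Signature   []byte  `json:"signature"`
}

// requestBytes is the byte string that is signed and verified; encoding/json emits fields in declaration order.
func requestBytes(r Request) []byte { b, _ := json.Marshal(r); return b }

// Guarantor models the second terminal; CanVouch is its role definition, not the rights it holds itself.
type Guarantor struct {
	ID       string
	Key      ed25519.PrivateKey
	CanVouch map[string]bool
}

// Vouch checks the requester's identity data and the requested right, then signs with the guarantee private key.
func (g *Guarantor) Vouch(r Request) (Vouched, error) {
	if r.RequesterID == "" || !g.CanVouch[r.Right] {
		return Vouched{}, fmt.Errorf("guarantor %s refuses to vouch for %q", g.ID, r.Right)
	}
	return Vouched{Request: r, GuarantorID: g.ID, Signature: ed25519.Sign(g.Key, requestBytes(r))}, nil
}

// Server is the authorization platform: registered guarantee public keys and one guarantee group per access right.
type Server struct {
	GuaranteeKeys map[string]ed25519.PublicKey
	Groups        map[string]map[string]bool // access right -> set of guarantor IDs
	seen          map[string]bool
}

// PickGuarantor draws a guarantor at random from the group for the requested right, so it is not fixed.
func (s *Server) PickGuarantor(right string) (string, error) {
	var ids []string
	for id := range s.Groups[right] {
		ids = append(ids, id)
	}
	if len(ids) == 0 {
		return "", fmt.Errorf("no guarantee group for %q", right)
	}
	i, _ := rand.Int(rand.Reader, big.NewInt(int64(len(ids))))
	return ids[i.Int64()], nil
}

// Authorize verifies the guarantee signature, checks group membership for the requested right, and rejects replays.
func (s *Server) Authorize(v Vouched) (string, error) {
	pub, ok := s.GuaranteeKeys[v.GuarantorID]
	if !ok || !ed25519.Verify(pub, requestBytes(v.Request), v.Signature) {
		return "", fmt.Errorf("guarantee signature invalid")
	}
	if !s.Groups[v.Request.Right][v.GuarantorID] {
		return "", fmt.Errorf("guarantor %s is not in the guarantee group for %q", v.GuarantorID, v.Request.Right)
	}
	if s.seen[string(v.Request.Nonce)] {
		return "", fmt.Errorf("replayed request")
	}
	s.seen[string(v.Request.Nonce)] = true
	return v.Request.Right, nil
}

// Demo builds constructed sample data. phone-B's role allows "transfer", but the server's "transfer"
// group omits it, so the server's group policy has the final say.
func Demo() (*Server, *Guarantor, *Guarantor) {
	aPub, aPriv, _ := ed25519.GenerateKey(nil)
	bPub, bPriv, _ := ed25519.GenerateKey(nil)
	s := &Server{
		GuaranteeKeys: map[string]ed25519.PublicKey{"phone-A": aPub, "phone-B": bPub},
		Groups:        map[string]map[string]bool{"transfer": {"phone-A": true}, "view": {"phone-A": true, "phone-B": true}},
		seen:          map[string]bool{},
	}
	a := &Guarantor{ID: "phone-A", Key: aPriv, CanVouch: map[string]bool{"transfer": true, "view": true}}
	b := &Guarantor{ID: "phone-B", Key: bPriv, CanVouch: map[string]bool{"transfer": true, "view": true}}
	return s, a, b
}

func main() {
	s, a, _ := Demo()
	req := Request{RequesterID: "watch-1", Right: "transfer", Nonce: []byte("demo-nonce-1")} // constructed
	v, _ := a.Vouch(req)
	fmt.Println(s.Authorize(v)) // transfer <nil>
}
```

The point the server check makes is that the guarantor's own willingness to vouch (its CanVouch role) is not enough: the authorization platform independently verifies that the signer is in the guarantee group for the right actually requested, so a tampered right or an out-of-group guarantor is refused even when the signature itself is valid. The NFC exchange between the two terminals is not modelled; Vouch is simply called with the request.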
Further, in practical applications, there is a data exchange between the first intelligent terminal 101 and the second intelligent terminal 102. Since the NFC (near field communication) protocol requires the two communicating parties to be in physical contact or within a set distance threshold (e.g., 10 cm) of each other, the possibility of eavesdropping or replay attack over that link is low.
Therefore, in the embodiment of the present invention, for communication security, the NFC protocol may be used between the first intelligent terminal 101 and the second intelligent terminal 102. In practical applications, the NFC data link may be established when the two terminals are in physical contact or within the set distance threshold (e.g., 10 centimeters). Because the NFC protocol enforces this physical distance limit, the rights requester and the guarantor must be present at the same time and place for the guarantor to sign the authorization request, which greatly increases the difficulty of an attack.
In practical applications, to use the NFC protocol, the devices of both the first intelligent terminal 101 and the second intelligent terminal 102 need NFCSE (secure element) hardware to run the NFCSE service.
Specifically, after establishing the NFC data link with the second intelligent terminal 102, the first intelligent terminal 101 activates the request-guarantee interface of the NFCSE service; at the same time, the second intelligent terminal 102 activates the vouching interface of the NFCSE service, thereby completing secure communication with the first intelligent terminal 101.
Based on the authorization system of the intelligent terminal, the invention provides an authorization method for the intelligent terminal; its flow is shown in fig. 2, and the method may comprise the following steps:
S201: the first intelligent terminal sends an authorization request to the second intelligent terminal.
Specifically, unlike the existing 'authentication equals authorization' mode, the first intelligent terminal 101, as the rights requester, enters the to-be-authorized state after passing authentication.
To obtain access rights to a function or service, the first intelligent terminal 101 may initiate a request to a legitimate guarantor, i.e. send an authorization request to the authenticated second intelligent terminal 102. The authorization request may include the identity data of the first intelligent terminal 101 and permission request information for the access right it requests.
In practical applications, the second intelligent terminal 102, which vouches for the first intelligent terminal 101's request for the access right, may be selected from the guarantee group corresponding to that access right. The guarantee group comprises at least one legitimate guarantor that can vouch for a rights requester for that access right.
Furthermore, the access rights predefined for the identity of the first intelligent terminal 101 may or may not be the same as the access rights for which the authorization request is sent to the second intelligent terminal 102.
That is, when the first intelligent terminal 101 requests the access right predefined for its identity, the second intelligent terminal 102 may be selected from the guarantee group corresponding to that predefined access right; when the first intelligent terminal 101 requests access rights of another level, the second intelligent terminal 102 may be selected from the guarantee group corresponding to the access right it requests.
In the scheme of the present invention, the first intelligent terminal 101 and the second intelligent terminal 102 may perform authentication through at least one of the following authentication data:
passwords, gestures, biometrics of the user, hardware features of the device, digital certificates held by the device.
In practical applications, the NFC protocol is used between the first intelligent terminal 101 and the second intelligent terminal 102, and the NFC data link may be established when they are in physical contact or within the set distance threshold (for example, 10 centimeters); then the first intelligent terminal 101 sends the authorization request through the activated request-guarantee interface of the NFCSE service, and the second intelligent terminal 102 receives it through the activated vouching interface of the NFCSE service.
S202: the second intelligent terminal verifies the received authorization request and, after the verification passes, returns the authorization request signed with its own guarantee private key to the first intelligent terminal.
Specifically, after receiving the authorization request sent by the first intelligent terminal 101, the authenticated second intelligent terminal 102 first verifies the identity data of the sender and the permission request information for the access right the sender requests, i.e. the identity data of the first intelligent terminal 101 contained in the authorization request and the access right named in the permission request information, so as to determine whether it can vouch for the first intelligent terminal 101.
After the verification passes, the second intelligent terminal 102 may sign the received authorization request with its own guarantee private key and return the signed request to the first intelligent terminal 101 over the NFC data link.
S203: the first intelligent terminal uploads the signed authorization request to the authorization server.
Specifically, after the first intelligent terminal 101 receives, over the NFC data link, the authorization request signed with the guarantee private key of the second intelligent terminal 102, it may upload the signed request to the authorization server 103 in order to obtain the access right.
Further, in the solution of the present invention, before uploading the authorization request signed with the guarantee private key of the second intelligent terminal 102 to the authorization server 103, the first intelligent terminal 101 may additionally sign the authorization request with its own predefined application private key.
The first intelligent terminal 101 then uploads the authorization request, jointly signed with the application private key and the guarantee private key, to the authorization server 103, so that the authorization server 103 can subsequently verify the identity of the rights requester again by means of the application signature.
In practical applications, when the first intelligent terminal 101 is a legitimate rights requester, the authorization server 103 should hold the application public key corresponding to the application private key of the first intelligent terminal 101.
Similarly, when the second intelligent terminal 102 is a legitimate guarantor, the authorization server 103 should hold the guarantee public key corresponding to the guarantee private key of the second intelligent terminal 102.
Preferably, to protect the information in transit, before uploading the signed authorization request to the authorization server 103 the first intelligent terminal 101 may further encrypt it with a preset authorization public key, so that information such as the signatures cannot be stolen. The authorization public key used by the first intelligent terminal 101 is published and distributed in advance by the authorization server 103, and accordingly the authorization server 103 holds the corresponding authorization private key, which is used to decrypt information encrypted with the authorization public key.
S204: the authorization server verifies the signature on the authorization request and, after the verification passes, returns an authorization result to the first intelligent terminal according to the permission request information in the authorization request.
In this step, after receiving the signed authorization request uploaded by the first intelligent terminal 101, the authorization server 103 first verifies the signature on the authorization request, reads the permission request information in the request after the verification passes, and decides whether to authorize according to that information. It then returns the authorization result to the first intelligent terminal 101.
In practical applications, if the authorization request that the authorization server 103 receives from the first intelligent terminal 101 is encrypted with the authorization public key, the authorization server 103 must decrypt it with its own authorization private key before verifying the signature.
The signature on the authorization request is then checked. Specifically, when the authorization request carries only the signature made with the guarantee private key of the second intelligent terminal 102, the authorization server 103 verifies that signature with the pre-stored guarantee public key. When the authorization request carries both the signature made with the guarantee private key of the second intelligent terminal 102 and the signature made with the application private key of the first intelligent terminal 101, the authorization server 103 verifies both signatures with the pre-stored application public key and guarantee public key.
In practical applications, the authorization server 103 and the first intelligent terminal 101 may be connected over the internet or a 3G or 4G network using other communication protocols. For example, data security may be protected by a secure communication protocol such as PPTP (point-to-point tunneling protocol) or L2TP (layer 2 tunneling protocol). Note that PPTP's authentication and encryption have long been considered broken, so a current deployment would normally protect this link with TLS instead.
S205: the first intelligent terminal receives the authorization result for the authorization request from the authorization server.
Specifically, the first intelligent terminal 101 receives the authorization result returned by the authorization server 103; if the result is success, it obtains the access right to which the authorization request was directed and may use the corresponding service or function; otherwise it cannot use that service or function.
In the scheme of the invention, the legitimate identities of the rights requester and the guarantor are ensured through the identity verification of the first intelligent terminal 101 and the second intelligent terminal 102, and the legitimacy of the guarantor's vouching for the rights requester is checked by verifying the guarantee signature of the second intelligent terminal 102 with its guarantee public key. Compared with the existing 'authentication equals authorization' mode, in the scheme of the invention a malicious user cannot obtain the access right directly even by passing identity verification, which effectively reduces the risk of malicious access to sensitive functions or services and improves security.
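The encryption step of S203 and the matching decryption at the start of S204, as an added example that is not from the patent. The patent says only that the signed request is encrypted with the authorization public key and decrypted with the authorization private key; it names no algorithm. This code assumes RSA-OAEP for the server key and, because a 2048-bit RSA-OAEP block cannot hold a signed request, uses the usual hybrid construction: the signed request is encrypted with a fresh AES-256-GCM key and only that key is wrapped under the authorization public key. The wire layout and the function names Seal, Open and NewAuthKey are mine; the signed request bytes in main are a constructed stand-in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const nonceLen = 12 // standard AES-GCM nonce size

// NewAuthKey generates the server's authorization key pair; the public half is what the
// server publishes to requesters in advance.
func NewAuthKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the signed authorization request under the authorization public key. RSA-OAEP with
// SHA-256 and a 2048-bit key carries at most 190 bytes, too little for a signed request, so the payload
// is encrypted with a fresh AES-256-GCM key and only that key is wrapped with RSA-OAEP.
func Seal(signedRequest []byte, authPub *rsa.PublicKey) ([]byte, error) {
	key := make([]byte, 32)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, authPub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Wire format (my choice): wrapped key (authPub.Size() bytes) || nonce || ciphertext+tag.
	return gcm.Seal(append(wrapped, nonce...), nonce, signedRequest, nil), nil
}

// Open is the server's first action in S204: recover the signed request with the authorization
// private key. Truncated or tampered uploads are rejected before any signature is examined.
func Open(upload []byte, authPriv *rsa.PrivateKey) ([]byte, error) {
	n := authPriv.Size()
	if len(upload) < n+nonceLen {
		return nil, fmt.Errorf("upload too short: %d bytes", len(upload))
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, authPriv, upload[:n], nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, upload[n:n+nonceLen], upload[n+nonceLen:], nil)
	if err != nil {
		return nil, fmt.Errorf("payload authentication failed")
	}
	return plain, nil
}

func main() {
	authPriv := NewAuthKey()
	// Constructed stand-in for a jointly signed authorization request.
	signed := []byte(`{"request":{"requester_id":"watch-1","right":"transfer"},"guarantor_sig":"...","app_sig":"..."}`)
	upload, _ := Seal(signed, &authPriv.PublicKey)
	plain, err := Open(upload, authPriv)
	fmt.Println(string(plain), err)
}
```

Open rejects a truncated, modified or wrongly keyed upload before the server looks at any signature, which matches the ordering in S204: decrypt first, then verify. Because AES-GCM authenticates the ciphertext, an eavesdropper on the internet or mobile-network link can neither read the guarantee signature nor alter the request unnoticed without the authorization private key.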
The technical solution of the present invention is now explained from the perspective of the rights requester.
Based on the authorization system of the intelligent terminal, the invention provides an authorization method for the intelligent terminal; its flow is shown in fig. 3, and the method may include the following steps:
S301: the first intelligent terminal sends an authorization request to the second intelligent terminal.
The first intelligent terminal 101 and the second intelligent terminal 102 have both passed authentication, which may use at least one of the following kinds of authentication data:
passwords, gestures, biometrics of the user, hardware features of the device, digital certificates held by the device.
The first intelligent terminal 101 and the second intelligent terminal 102 communicate over the NFC protocol.
S302: after the authorization request passes the verification of the second intelligent terminal, the first intelligent terminal receives the authorization request signed with the guarantee private key of the second intelligent terminal and uploads the signed authorization request to the authorization server.
Preferably, after the first intelligent terminal 101 receives the authorization request signed with the guarantee private key of the second intelligent terminal 102, it may also sign the authorization request with its own application private key.
Preferably, the first intelligent terminal 101 may further encrypt the signed authorization request with the authorization public key of the authorization server 103 before uploading it.
S303: the first intelligent terminal receives the authorization result for the authorization request from the authorization server after the signature on the authorization request passes the server's verification.
Specifically, the first intelligent terminal 101 receives the authorization result returned by the authorization server 103, and if the result is success, it may use the service corresponding to the access right it requested.
In the embodiment of the present invention, the specific implementation of steps S301 to S303 in the authorization method for an intelligent terminal shown in fig. 3 may refer to steps S201 to S205 in the authorization method for an intelligent terminal shown in fig. 2.
In practical application, the functions of the first and second intelligent terminals can exist in one intelligent terminal at the same time; that is, the same intelligent terminal can be used as both the authority requester and the guarantor. The intelligent terminal of the present invention may specifically be a PC (personal computer), a mobile phone, a PDA (personal digital assistant), an intelligent wearable device (e.g., an intelligent watch), and the like.
Based on the authorization method for the intelligent terminal, the present invention further provides an intelligent terminal 400. As shown in fig. 4a, the intelligent terminal may include a guarantee request module 401 and an authorization request module 402.
The guarantee request module 401 is configured to initiate an authorization request to another intelligent terminal and, after the authorization request passes that other intelligent terminal's verification, to receive the authorization request signed with the guarantee private key of the other intelligent terminal.
In practical applications, different guarantee groups can be set for different access rights; a guarantor in a guarantee group may vouch for a rights requester that needs to obtain the access rights corresponding to that group.
Therefore, in the scheme of the invention, the other intelligent terminal can be selected from the guarantee group corresponding to the access right at which the authorization request is aimed; after selecting another intelligent terminal as the guarantor, the guarantee request module 401 in the intelligent terminal 400 may communicate with it using the NFC protocol and send it the authorization request.
The authorization request module 402 is configured to upload the signed authorization request received by the guarantee request module 401 to the authorization server, and to receive the authorization result for the authorization request from the authorization server after the signature on the request passes the server's verification.
The authorization request module 402 in the intelligent terminal 400 may communicate with the authorization server using secure communication protocols such as PPTP or L2TP.
In practical applications, the intelligent terminal 400 may also act as a guarantor for other intelligent terminals. Further, in the solution of the present invention, as shown in fig. 4b, the intelligent terminal 400 may further include a rights vouching module 403.
The rights vouching module 403 is configured to receive an authorization request sent by another intelligent terminal, verify it, and after the verification passes return the authorization request signed with its own guarantee private key to that other intelligent terminal.
In the solution of the present invention, the specific function implementation of each module in the intelligent terminal 400 may refer to each step of the authorization method of the intelligent terminal shown in fig. 2 and 3, which is not described herein again.
Thus, when the intelligent terminal 400 is specifically a smart watch that needs to access a certain function or service, after passing authentication the smart watch may send an authorization request to another intelligent terminal (e.g., another smart watch or a mobile phone); after that other intelligent terminal vouches for and signs the authorization request, the smart watch uploads the signed request to the authorization server to request authorization.
For example, after passing authentication, the first smart watch, as the rights requester, may make physical contact with an authenticated guarantor or come within the set distance threshold of it, thereby establishing the NFC data link and sending the authorization request to the guarantor. The guarantor may be a second smart watch or another wearable smart device.
Then, after receiving the authorization request, the second smart watch, as the guarantor, verifies it and, after the verification passes, returns the authorization request signed with its own guarantee private key to the first smart watch. After the first smart watch receives the signed authorization request over the NFC data link, it may upload it to the authorization server in order to obtain the access right.
Further, the first smart watch may sign the authorization request with its own predefined application private key and then upload the authorization request, signed with both the application private key and the guarantee private key, to the authorization server.
The authorization server verifies the signatures on the authorization request with the pre-stored application public key and guarantee public key and, after the verification passes, returns an authorization result to the first smart watch according to the permission request information in the request.
The first smart watch receives the authorization result returned by the authorization server; if the result is success, it obtains the access right to which the authorization request was directed and may use the corresponding service or function; otherwise it cannot use that service or function.
Compared with the existing authorization mode, the method and system add the role of the guarantor and separate the authentication process from the authorization process: to obtain an access right, a rights requester needs both a legitimate identity and a legitimate guarantor to vouch for it, and cannot directly obtain the access right predefined for its identity merely by passing authentication. This effectively prevents a malicious user from obtaining an access right through authentication alone and improves access security; moreover, the guarantor's guarantee signature on the authorization request initiated by the rights requester increases the difficulty of an attack and further improves access security.
Further, in the scheme of the present invention, in addition to the access rights predefined for its identity, the rights requester can request other access rights, depending on which guarantor vouches for it.
As used in this application, the terms "module," "system," and the like are intended to include a computer-related entity, such as but not limited to hardware, firmware, a combination of hardware and software, or software in execution. For example, a module may be, but is not limited to: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. For example, an application running on a computing device and the computing device may both be a module. One or more modules may reside within a process and/or thread of execution and a module may be localized on one computer and/or distributed between two or more computers.
Those skilled in the art will appreciate that the present invention includes apparatus directed to performing one or more of the operations described in the present application. These devices may be specially designed and manufactured for the required purposes, or they may comprise known devices in general-purpose computers. These devices have stored therein computer programs that are selectively activated or reconfigured. Such a computer program may be stored in a device (e.g., computer) readable medium, including but not limited to any type of disk including floppy disks, hard disks, optical disks, CD-ROMs, and magnetic-optical disks, ROMs (Read-only memories), RAMs (random access memories), EPROMs (erasable programmable Read-only memories), EEPROMs (electrically erasable programmable Read-only memories), flash memories, magnetic cards, or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a bus. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (e.g., a computer).
It will be understood by those within the art that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. Those skilled in the art will appreciate that the computer program instructions may be implemented by a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the features specified in the block or blocks of the block diagrams and/or flowchart illustrations of the present disclosure.
Those of skill in the art will appreciate that various operations, methods, steps in the processes, acts, or solutions discussed in the present application may be alternated, modified, combined, or deleted. Further, various operations, methods, steps in the flows, which have been discussed in the present application, may be interchanged, modified, rearranged, decomposed, combined, or eliminated. Further, steps, measures, schemes in the various operations, methods, procedures disclosed in the prior art and the present invention can also be alternated, changed, rearranged, decomposed, combined, or deleted.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be construed as the protection scope of the present invention.