Disclosure of Invention
To solve the problem of user authentication login in a multi-CA unified authentication system, which the background art identifies as needing an urgent solution, the invention provides a method and a system for realizing user authentication login on a CA unified authentication platform. When a user client accesses a third-party application, the method and the system verify, through the multi-CA unified authentication platform, the CA authentication certificates of the user client and of the third-party application, whichever CA issued them, and establish a secure authenticated connection based on the national cryptographic algorithms (the SM series, literally "state secret algorithm"). The method for realizing user authentication login on the CA unified authentication platform comprises the following steps:
the multi-CA unified authentication platform receives a request from a user client to log in to a specific third-party application;
verifying the digital certificates of the user client and of the specific third-party application;
if the verification passes, calling a cryptographic module to generate a random number;
encrypting the random number with the pre-stored public key of the specific third-party application to obtain an encrypted random number;
returning the encrypted random number and the URL of the specific third-party application to the user client, and storing the random number in association with the user information of the user client;
receiving a user information acquisition request from the specific third-party application, and returning the user information to the specific third-party application.
Further, after the encrypted random number and the URL of the specific third-party application have been returned to the user client, the method further includes:
the specific third-party application receives login request information, including the encrypted random number, from the user client, verifies the user's qualification and the login request information, and judges whether the login request information contains the encrypted random number;
if the verification passes, decrypting the encrypted random number with the private key of the specific third-party application;
signing the decrypted random number with its own private key, and sending a user information acquisition request carrying the signed random number to the multi-CA unified authentication platform;
and receiving the user information returned by the multi-CA unified authentication platform, and establishing a connection with the user client to realize user authentication login.
Further, after receiving the user information acquisition request from the specific third-party application, the method further includes:
verifying the signature on the signed random number with the pre-stored public key of the specific third-party application to obtain the random number;
acquiring the user information stored in association with the random number;
and returning the user information to the specific third-party application.
Further, the associated storage includes:
using the random number as the cache key and the user information as the corresponding cache value, and writing the key-value pair into the local cache of the multi-CA platform.
The system for realizing user authentication login on the CA unified authentication platform comprises:
a user client, for sending a request to log in to a specific third-party application to the multi-CA unified authentication platform;
a multi-CA unified authentication platform, for verifying the digital certificates of the user client and of the specific third-party application;
if the verification passes, the cryptographic module of the multi-CA unified authentication platform generates a random number, and the random number is encrypted with the pre-stored public key of the specific third-party application to obtain an encrypted random number; the multi-CA unified authentication platform returns the encrypted random number and the URL of the specific third-party application to the user client, and stores the random number in association with the user information of the user client;
and one or more third-party applications, among which the specific third-party application that the user client requested to log in to is used, after receiving the login request of the user client, to request the user information from the multi-CA unified authentication platform and to establish a login connection with the user client according to the user information.
Further, the specific third-party application receives login request information, including the encrypted random number, from the user client, verifies the user's qualification and the login request information, and judges whether the login request information contains the encrypted random number;
if the verification passes, the encrypted random number is decrypted with the private key of the specific third-party application; the specific third-party application signs the decrypted random number with its own private key and sends a user information acquisition request carrying the signed random number to the multi-CA unified authentication platform;
and the specific third-party application is used to receive the user information returned by the multi-CA unified authentication platform and to establish a connection with the user client, realizing user authentication login.
Further, the multi-CA unified authentication platform is configured to verify the signature on the signed random number with the pre-stored public key of the specific third-party application to obtain the random number;
and the multi-CA unified authentication platform acquires the user information stored in association with the random number and returns the user information to the specific third-party application.
Further, the multi-CA unified authentication platform is configured to use the random number as the cache key and the user information as the corresponding cache value, and to write the key-value pair into the local cache of the multi-CA platform.
The invention has the following beneficial effects: the technical scheme of the invention provides a method and a system for realizing user authentication login on a CA unified authentication platform, in which, when a user client accesses a third-party application, the CA authentication certificates of the user client and of the third-party application are verified through the multi-CA unified authentication platform, whichever CA issued them, and a secure authenticated connection is established based on the national cryptographic algorithms; a user client holding a certificate from any supported CA can access the third-party application, and user authentication login based on the unified authentication of CA digital certificates is thereby both secure and convenient.
Detailed Description
Example embodiments of the present invention will now be described with reference to the accompanying drawings; however, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, which are provided for a thorough and complete disclosure of the invention and to fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a flowchart of a method for implementing user authentication login of a CA unified authentication platform according to an embodiment of the present invention, as shown in fig. 1:
Step 1. The process starts with a user client initiating a request to log in to a third-party application.
Step 2. After receiving the request from the user client to log in to a specific third-party application, the multi-CA unified authentication platform checks the status of the user client and of the requested third-party application, namely whether each holds a CA digital certificate that the multi-CA unified authentication platform can authenticate.
Step 3. The multi-CA unified authentication platform verifies the digital certificates of the user client and of the specific third-party application;
if the verification fails, the process ends immediately and a request result indicating the failed verification is returned to the user client;
if the verification passes, the process proceeds to step 4.
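The check of steps 2 and 3, as an added example that is not part of the patent or of any implementation of it: a trust store holding the root certificates of every CA the platform has onboarded, against which a certificate presented by a user client or a third-party application must chain. Go's standard x509 package is assumed, with ECDSA P-256 certificates generated in-process as constructed test data; a deployment would load the CAs' published roots instead, and SM2 certificates (the national algorithms the page names) would need a library that understands them, which Go's standard library does not. The store, the issuing helper, the CA names CA-1 to CA-3 and the serial counter are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed, sequential serial numbers; a real CA issues unpredictable ones

// issue creates a certificate for cn. With parent == nil the result is a
// self-signed CA; otherwise an end-entity certificate signed by parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// TrustStore holds the roots of every CA the multi-CA platform has onboarded.
type TrustStore struct{ roots *x509.CertPool }

func NewTrustStore(cas ...*x509.Certificate) *TrustStore {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return &TrustStore{pool}
}

// Verify is the check of steps 2-3: the certificate must chain to one of the
// onboarded CAs, be inside its validity period and permit the requested usage.
func (s *TrustStore) Verify(cert *x509.Certificate, usage x509.ExtKeyUsage) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// RunChecks onboards CA-1 and CA-2 and leaves CA-3 out, then verifies a user
// certificate from CA-1, an application certificate from CA-2, a user
// certificate from CA-3, and an already expired user certificate from CA-1.
func RunChecks() (userErr, appErr, strangerErr, expiredErr error) {
	ca1, ca1Key := issue("CA-1", nil, nil, 24*time.Hour)
	ca2, ca2Key := issue("CA-2", nil, nil, 24*time.Hour)
	ca3, ca3Key := issue("CA-3 (not onboarded)", nil, nil, 24*time.Hour)
	s := NewTrustStore(ca1, ca2)
	user, _ := issue("user client", ca1, ca1Key, time.Hour)
	app, _ := issue("third-party application", ca2, ca2Key, time.Hour)
	stranger, _ := issue("user client", ca3, ca3Key, time.Hour)
	expired, _ := issue("user client", ca1, ca1Key, -30*time.Second) // NotAfter already in the past
	return s.Verify(user, x509.ExtKeyUsageClientAuth),
		s.Verify(app, x509.ExtKeyUsageServerAuth),
		s.Verify(stranger, x509.ExtKeyUsageClientAuth),
		s.Verify(expired, x509.ExtKeyUsageClientAuth)
}

func main() {
	fmt.Println(RunChecks())
}
```

The two rejections are the cases step 3 exists for: a certificate from a CA the platform never onboarded fails chain building even though it is well formed and in date, and a certificate from an onboarded CA is still rejected once its validity period has passed. Revocation checking (CRL or OCSP against each onboarded CA) is not shown here and the page does not describe it.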
Step 4. The multi-CA unified authentication platform calls the cryptographic module to generate a random number.
Step 5. The random number is encrypted with the pre-stored public key of the specific third-party application to obtain the encrypted random number;
in this embodiment, a third-party application that is to log users in through the multi-CA unified authentication platform must generate a public/private key pair based on a cryptographic algorithm in advance and store the public key on the CA unified authentication platform.
Step 6. The multi-CA unified authentication platform uses the random number as the cache key and the user information as the corresponding cache value, and writes the key-value pair into the local cache of the multi-CA platform; that is, it stores the random number in association with the user information of the user client.
Step 7. The encrypted random number and the URL of the specific third-party application are returned to the user client.
Step 8. After the user client obtains the encrypted random number, it sends the encrypted random number together with the login request information directly to the third-party application, initiating a request to log in to the application.
Step 9. The third-party application receives the login request information, including the encrypted random number, from the user client, verifies the user's qualification and the login request information, and judges whether the login request information contains the encrypted random number;
if the encrypted random number is not contained, the user client sent its request directly to the third-party application, bypassing the multi-CA unified authentication platform; such a login request is a potential security hazard, and the third-party application returns a request result refusing the login to the user client;
if it is contained, step 10 is performed.
Step 10. The encrypted random number is decrypted with the private key of the specific third-party application to obtain the random number.
Step 11. The decrypted random number is signed with the private key of the third-party application to obtain the signed random number.
Step 12. The third-party application generates a user information acquisition request from the signed random number and sends the user information acquisition request to the multi-CA unified authentication platform.
Step 13. The multi-CA unified authentication platform verifies the signature information:
it checks whether the user information acquisition request contains a signed random number;
it verifies the signature with the pre-stored public key of the specific third-party application to obtain the random number;
and it acquires the user information stored in association with the random number.
Step 14. The user information is returned to the specific third-party application.
Step 15. The third-party application receives the user information returned by the multi-CA unified authentication platform and establishes a connection with the user client.
Step 16. The user client completes its login to the third-party application over the established connection.
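The exchange of steps 4 through 15 above (and the corresponding steps of the Disclosure of Invention), as an added example that is not code from the patent or from any implementation of it. The Go program below runs the platform and two third-party applications in one process. Its assumptions: certificate verification (steps 2-3) has already passed; RSA-OAEP and RSA-PSS from Go's standard library stand in for the national (SM-series) algorithms the page names; the application URL of step 7 is omitted; the application ids, keys and the user information string are constructed; and, as two hardening choices the page does not specify, the cached random number is deleted once redeemed and is checked against the application it was issued for.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Platform stands in for the multi-CA unified authentication platform. Steps 2-3
// (certificate checks) are assumed to have passed; the URL of step 7 is left out.
type Platform struct {
	appKeys map[string]*rsa.PublicKey // public key each application registered up front
	cache   map[string]entry          // random number -> issuing application and user information (step 6)
}
type entry struct{ app, info string }

// IssueTicket is steps 4-7: fresh random number, RSA-OAEP to the application's
// pre-stored public key, cached against the user information, returned to the client.
func (p *Platform) IssueTicket(appID, userInfo string) ([]byte, error) {
	pub, ok := p.appKeys[appID]
	if !ok {
		return nil, fmt.Errorf("application %q not registered", appID)
	}
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	p.cache[string(nonce)] = entry{appID, userInfo}
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)), nil
}

// UserInfo is steps 13-14: verify (not "decrypt") the signature with the pre-stored public
// key, then look the random number up and delete it. Single use and the issued-for check are added here.
func (p *Platform) UserInfo(appID string, nonce, sig []byte) (string, error) {
	pub, ok := p.appKeys[appID]
	if !ok {
		return "", fmt.Errorf("application %q not registered", appID)
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return "", fmt.Errorf("signature verification failed: %w", err)
	}
	e, ok := p.cache[string(nonce)]
	if !ok || e.app != appID {
		return "", fmt.Errorf("random number unknown, already used, or not issued for %q", appID)
	}
	delete(p.cache, string(nonce))
	return e.info, nil
}

// App stands in for one third-party application holding its own key pair.
type App struct {
	ID   string
	priv *rsa.PrivateKey
}

// Login is steps 9-12 and 15 on the application side: refuse a request without an
// encrypted random number, else decrypt it, sign the plaintext and redeem it.
func (a *App) Login(p *Platform, encNonce []byte) (string, error) {
	if len(encNonce) == 0 {
		return "", fmt.Errorf("request did not pass through the platform: refused")
	}
	nonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, encNonce, nil)
	if err != nil {
		return "", fmt.Errorf("ticket was not encrypted to this application's key: %w", err)
	}
	digest := sha256.Sum256(nonce)
	sig := must(rsa.SignPSS(rand.Reader, a.priv, crypto.SHA256, digest[:], nil))
	return p.UserInfo(a.ID, nonce, sig)
}

// RunFlow registers two applications with fresh keys, logs a constructed user into
// app-a, then replays the same ticket at app-a and presents it to app-b.
func RunFlow() (info string, replayErr, wrongAppErr error) {
	p := &Platform{map[string]*rsa.PublicKey{}, map[string]entry{}}
	apps := map[string]*App{}
	for _, id := range []string{"app-a", "app-b"} {
		priv := must(rsa.GenerateKey(rand.Reader, 2048))
		apps[id] = &App{id, priv}
		p.appKeys[id] = &priv.PublicKey // the pre-registration described under step 5
	}
	ticket := must(p.IssueTicket("app-a", "uid=1001;name=Example User"))
	info = must(apps["app-a"].Login(p, ticket)) // the client forwards the ticket (step 8)
	_, replayErr = apps["app-a"].Login(p, ticket)
	_, wrongAppErr = apps["app-b"].Login(p, ticket)
	return info, replayErr, wrongAppErr
}

func main() {
	fmt.Println(RunFlow())
}
```

The random number is a bearer credential between the platform and the application, which is why the two added checks matter: deleting the cache entry on first redemption means a captured ticket cannot be replayed, and recording which application the number was issued for means an application that somehow obtained the plaintext cannot sign it with its own key and redeem it under its own id. Step 13 is implemented as signature verification against the public key the platform already holds for that application, which is what "decrypting the signed random number with the public key" amounts to in practice.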
Fig. 2 is a structural diagram of a system for implementing CA unified authentication platform user authentication login according to an embodiment of the present invention, as shown in fig. 2, the system includes:
a user client 210, the user client 210 being configured to send a request to log in to a particular third-party application 230 to a multi-CA unified authentication platform;
the user client 210 is further configured to send a login request to the particular third-party application 230 after obtaining the encrypted random number.
A multi-CA unified authentication platform 220, the multi-CA unified authentication platform 220 being configured to verify the digital certificates of the user client 210 and of the specific third-party application 230;
if the verification passes, the cryptographic module of the multi-CA unified authentication platform 220 generates a random number and encrypts the random number with the pre-stored public key of the specific third-party application 230 to obtain an encrypted random number; the multi-CA unified authentication platform 220 returns the encrypted random number and the URL of the specific third-party application 230 to the user client 210, and stores the random number in association with the user information of the user client 210;
further, the multi-CA unified authentication platform 220 is configured to verify the signature on the signed random number with the pre-stored public key of the specific third-party application 230 to obtain the random number;
the multi-CA unified authentication platform 220 acquires the user information stored in association with the random number and returns the user information to the specific third-party application 230.
Further, the multi-CA unified authentication platform 220 is configured to use the random number as the cache key and the user information as the corresponding cache value, and to write the key-value pair into the local cache of the multi-CA platform.
The specific third-party application 230, being the one among the one or more third-party applications that the user client 210 requested to log in to, is configured to request the user information from the multi-CA unified authentication platform 220 after receiving the login request of the user client 210, and to establish a login connection with the user client 210 according to the user information.
Further, the specific third-party application 230 receives the login request information, including the encrypted random number, from the user client 210, verifies the user's qualification and the login request information, and determines whether the login request information includes the encrypted random number;
if the verification passes, the encrypted random number is decrypted with the private key of the specific third-party application 230; the specific third-party application 230 signs the decrypted random number with its own private key and sends a user information acquisition request carrying the signed random number to the multi-CA unified authentication platform 220;
the specific third-party application 230 is configured to receive the user information returned by the multi-CA unified authentication platform 220 and to establish a connection with the user client 210, so as to realize user authentication login.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the disclosure may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Reference to step numbers in this specification is only for distinguishing between steps and is not intended to limit the temporal or logical relationship between steps, which includes all possible scenarios unless the context clearly dictates otherwise.
Moreover, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the disclosure and form different embodiments. For example, any of the embodiments claimed in the claims can be used in any combination.
Various component embodiments of the disclosure may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. The present disclosure may also be embodied as device or system programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present disclosure may be stored on a computer-readable medium or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the disclosure, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The disclosure may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several systems, several of these systems can be embodied by one and the same item of hardware.
The foregoing is directed to embodiments of the present disclosure, and it is noted that numerous improvements, modifications, and variations may be made by those skilled in the art without departing from the spirit of the disclosure, and that such improvements, modifications, and variations are considered to be within the scope of the present disclosure.