CN1592197A

Movatterモバイル変換

Info

Publication number: CN1592197A
Application number: CN 03156489
Authority: CN
Inventors: 施宣明
Original assignee: Tai Guen Enterprise Co Ltd
Current assignee: MAISHIYA (BEIJING) SCIENCE AND TECHNOLOGY Co Ltd
Priority date: 2003-09-01
Filing date: 2003-09-01
Publication date: 2005-03-09
Anticipated expiration: 2023-09-01
Also published as: CN100426719C

Abstract

The invention provides a method for authenticating between user end equipment and local client application/remote network service, which comprises the steps of setting authentication information and a security mechanism interface in the user end equipment, and setting an authentication file matched with the authentication information and a path for accessing the security mechanism interface in the application or service; the security mechanism interface is a specific protocol for communication between the two, when a user needs a certain application or service, the authentication files of the two are handed to the authentication mechanism for authentication through the security mechanism interface arranged between the user terminal equipment and the application or service, and the user terminal equipment passing the authentication can obtain the software application or service; if not, the user is rejected. The invention can realize the safe storage, management and interaction of information, thereby deriving: hardware equipment identification, user identity authentication, user authority management, user data sharing, safety data storage and management, software copyright protection, customized application service and other functions.

Description

The method of authentication between ustomer premises access equipment and local client application or telecommunication network service

Technical field

The present invention relates to field of computer technology, specifically, relate to that ustomer premises access equipment and local client are used or the telecommunication network service between the method for authentication, especially realize based on the software and hardware combining mode at user side and the client application service between the method for authentication.

Background technology

The continuous development of application software and network service will cause the information interaction between user and the application service.This information interaction can not be unconfined, must be to carry out under security mechanism.On the one hand, need know which user has the right to use which application or service; On the other hand, the user also needs to know which part personal information which application or service can calling parties.

In information interactive process, bipartite authentication of user and application service and authentication had certain methods to realize, but all there are the defective of self in these methods.The technology of soft encryption for example; be not rely on hard-wired especially resist technology to software; mainly contain cipher code method, computer hardware check addition, key floppy disc method; the defective of these class methods is relatively easy crack of encryption method; its verification condition is changeless in addition; in case be cracked, with rapid spread.Based on software publishing and network service demands of applications, have to take widely this technology, but how-do-you-do usually appears in this encrypted authentication method at present, be difficult to realize such as purposes such as copyright protections.For specific application, can also adopt the hardware encryption technology, hardware encipher dog for example, the shortcoming of this mode is: a hardware can only be protected at an application service, and is limited in using on a certain fixing local terminal or the remote server.The hardware encryption mode of so too " fixing ", though fail safe is higher, but flexibility, universality and mobility are relatively poor, can not satisfy far away and be authorized to general mandate and the mobile requirement used of user for different application, different local terminal or remote service in the actual conditions.

Summary of the invention

The object of the present invention is to provide the method for authentication between application of a kind of ustomer premises access equipment and local client or telecommunication network service, realize the authentication of user, and the user is to the authentication of the rights of using of network service the client application rights of using of mandate.

A further object of the present invention is to provide the method for authentication between a kind of ustomer premises access equipment and local client application or telecommunication network service, realizes client application or the network service authentication to user's access rights.

Another object of the present invention is to provide a kind of ustomer premises access equipment and local client use or the telecommunication network service between the method for authentication, can finish the authentication of user between serving with a plurality of client application or network by same hardware device.

Another purpose of the present invention is to provide the method for authentication between a kind of ustomer premises access equipment and local client application or telecommunication network service, ustomer premises access equipment and local client are used or authentication condition can be dynamically changed, be controlled in the telecommunication network service as required, ensure data security neatly.

For this reason, the present invention is achieved through the following technical solutions above-mentioned purpose: authentication information and security mechanism interface are set in ustomer premises access equipment, are provided with in using or serving and the authentication document of described authentication information coupling and the path of access security mechanism interface; The security mechanism interface is the specific protocol of both communication, when user's request application or service, by the security mechanism interface that is provided with between ustomer premises access equipment and application or the service, hand over authentication mechanism to carry out authentication both authentication documents, the ustomer premises access equipment that authentication is passed through can obtain software application or service; Do not pass through, then refuse this user.

Hardware device stores, leading subscriber and client application or the network service required interactive information of the present invention by having security mechanism; realize that information security is deposited, information management and information security be mutual, thereby derive: hardware device identification, subscriber authentication, user authority management, user data are shared, secure data is deposited and a series of functions such as management, software copyright protection, customized application service.

Description of drawings

Fig. 1 is the structural representation of authentication system of the present invention;

Fig. 2 is the schematic flow sheet of authentication content of the present invention;

Fig. 3 is the flow chart of authentication of the present invention and visit.

Embodiment

Below with reference to the accompanying drawings and embodiment, technical scheme of the present invention is described in further detail.

Referring to Fig. 1, the authentication mechanism between user that the present invention combines for a kind of hardware and software and client application or the network service.By the security mechanism of setting up in the hardware device; the authentication document (AKF) that authorized client is used or network is served; the security mechanism interface of following; to carrying out the authentication system of authentication between hardware device and the software application service; can realize the authentication between the service of user and client application or network; the realization information security is deposited; information management and information security are mutual, thereby derive: hardware device identification; subscriber authentication; user authority management; user data is shared; secure data is deposited and is managed; software copyright protection; a series of functions such as customized application service.

As shown in Figure 2, method of the present invention comprises the content of 3 aspects:

The first, the hardware device that has security mechanism.This equipment has the algorithm of safe enciphered data space, encryption and authentication, the authentication information of self and characteristic information.This equipment can be embodied in different electronic products, as: USB flash memory, keyboard fetch equipment, MP3 fetch equipment, PDA fetch equipment, STB fetch equipment, disk fetch equipment, intelligent PDA fetch equipment, data bank, e-book, multifunction wireless equipment E-phone, digital camera, recording pen etc.

The second, follow the application or the service of security mechanism interface.These application and service all have authentication document, and by set security mechanism interface accessing hardware device.

Three, authentication system.Authentication system is finished the process of authentication, is used for the mutual authentication that hardware device and application service both sides carry out legitimacy and authority.Authentication system can be realized by the IC of hardware device, also can realize by software mode, and also can be the combination of the two.

When using or service when needing access hardware devices, its concise and to the point process is as follows:

Use or service transmission access request, simultaneously authentication document is submitted to authentication system;

Authentication system is obtained the authentication document of using or serving, and obtains the authentication information and the characteristic information of hardware device self simultaneously;

Whether authentication system authenticates this hardware device and has the right to use this application or service, as haves no right, and returns error message, stops visit; Otherwise, continue;

Authentication system authenticates this application or whether service has the right to visit this hardware device, as haves no right, and returns error message, stops visit; Otherwise, continue;

Authentication system authenticates effective visit information of this hardware device (useful space, size or the like) this application or service;

After authentication was passed through, this application or service were by set security mechanism interface accessing hardware device.

Referring to Fig. 3, user's hardware device of the present invention has security mechanism structure and characteristics again.The hardware device chip has the characteristic information of this equipment, comprises the sign of unique device id number and device type.Hardware device comprises MP3, the PDA data bank, and digital camera, types such as recording pen, each type is subdivided into different models, different manufacturers again, and the movable storage device with same model, same manufacturer is same classification.In user's hardware device, have the key list that adds, deciphers, be used for the information of safety encipher data area stores is added, deciphers, also have the functional module of execution information encryption and decryption.Carry out encrypting and decrypting for information, can utilize the mode of software or hardware independence or combination to realize.Above-mentioned encrypting and decrypting algorithm can be qualified any algorithm, and for example DES algorithm, RSA Algorithm, and user's hardware device also has the Management Information Base collection are used to realize the verification process between hardware device and application or the service.

Be provided with the safety encipher data field of a constant volume in user's hardware device.In this data field, the authentication information that has this hardware device, these information are set of a services package, the content of each services package comprises: effective marker, be used to indicate whether this type of service is unlocked, the authentication document of which classification be can accept by indicating this hardware device, application or service which classification this hardware device can use just indicated; Effective time, be used to indicate this type of service effectively by the time.

If the data in the access security encrypted data region are necessary by certificate verification, and can only conduct interviews by the security mechanism interface.

Authentication system of the present invention obtains the authentication information of hardware from hardware device, obtains authentication document from application or the service center of authorizing, as the foundation of carrying out authentication.Authentication system can utilize hardware device IC with authentication mechanism algorithm and/or the authentication mechanism algorithm realized of software hardware identification information and authentication document are authenticated.

Particularly, step of the present invention is:

At first, set authentication information, just services package information for each hardware device.Each hardware device all carries out the setting of authentication information when dispatching from the factory, authentication information can also be made amendment by the mode of software or network remote control.

Secondly, service or the specific AKF authentication document of application generation for each mandate consign to the user by issuing channel.The AKF authentication document has valid expiration date, needs periodic replacement.

When the service of authorizing or use when wanting access hardware devices information, send access request, simultaneously the AKF file is submitted to authentication system.Read the authentication information of hardware at this moment by authentication system, just services package information.

Authentication system verifies at first whether this hardware device has authority to use this application or service, and promptly whether the user of this hardware device has authority to use this application or service.Specifically: authentication system reads " service type " in the AKF authentication document, judges whether this " service type " is effective service in the authentication service package informatin of hardware.As not being, prove that this hardware device lack of competence uses this application or service, return error message, finish; In this way, continue.Whether authentication system is judged in the services package information of hardware should " service type " expired.If expired, prove that this hardware device lack of competence uses this application or service, return error message, finish; As not out of date, continue.

Authentication system is analyzed the AKF authentication document then, verifies this application or the service access rights to hardware device information.Specifically: authentication system reads " effective time " in the AKF file, judges whether the AKF file is expired, if expired, returns error message, finishes; As not out of date, continue.Read " string of maintaining secrecy " in the AKF file, judge whether user's identity is legal, as illegal, returns error message, finish; As legal, then continue.Read " effective coverage title " in the AKF file, judge that the user wishes whether the space of visiting is consistent with effective addressing space, as inconsistent, returns error message, finishes; As unanimity, continue.Read " effective coverage size " in the AKF file, judge whether addressing space overflows, as overflow, return error message, finish; As not overflowing, then showing this application or service has authority visit it wants the hardware device information of visiting.Read " using method " in the AKF file at last, obtain the key ID that lecture is used, and by the information on the security mechanism interface accessing hardware device.

Adopt the present invention, realize that the process of two-way authentication is as follows:

Authentication system obtains hardware identification information from hardware device, obtains authentication document from application or the service center of authorizing, as the foundation of authentication.

Wherein, the user device hardware authentication information is the set of a services package, has indicated that this hardware device is to the application of mandate or the rights of using of service.To the authentication of hardware identification information, just to the authentication of hardware device equipment authority.

Authentication document has then indicated the application of authorizing or the service rights of using to hardware device.To the authentication of authentication document, just to the authentication of the authority of the application of authorizing or service.

When adopting the present invention to realize authentication between using of a hardware device and a plurality of service, the user device hardware authentication information is the set of a services package, a plurality of services packages have been comprised, each services package can indicate the rights of using of this hardware device to the application or the service of a certain class authority, so can verify this hardware device and a plurality of service authentication between using by hardware identification information.

The present invention realizes that dynamically the condition of control authentication is: the user device hardware authentication information is to make amendment by the mode of software or network remote control; The AKF authentication document can be changed simultaneously.So both sides' authentication condition all can dynamically be controlled.

It should be noted last that, above embodiment is only unrestricted in order to technical scheme of the present invention to be described, although the present invention is had been described in detail with reference to preferred embodiment, those of ordinary skill in the art is to be understood that, can make amendment or be equal to replacement technical scheme of the present invention, and not breaking away from the spirit and scope of technical solution of the present invention, it all should be encompassed in the middle of the claim scope of the present invention.

Claims

1, the method for authentication between the service of a kind of ustomer premises access equipment and local client application/telecommunication network, it is characterized in that: authentication information and security mechanism interface are set in ustomer premises access equipment, in using or serving, are provided with and the authentication document of authentication information coupling and the path of access security mechanism interface; The security mechanism interface is the specific protocol of both communication, when user's request application or service, by the security mechanism interface that is provided with between ustomer premises access equipment and application or the service, hand over authentication mechanism to carry out authentication both authentication documents, the ustomer premises access equipment that authentication is passed through can obtain software application or service; Do not pass through, then refuse this user.

2, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: ustomer premises access equipment is USB flash memory, keyboard fetch equipment, MP3 fetch equipment, PDA fetch equipment, STB fetch equipment, disk fetch equipment, intelligent PDA fetch equipment, data bank, electronic dictionary, multifunction wireless equipment, digital camera, recording pen.

3, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: the authentication mechanism of realizing authentication process is arranged on ustomer premises access equipment or client, is perhaps undertaken by both combinations.

4, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: it is to be carried out to ustomer premises access equipment by application or service that authentication mechanism carries out authentication, and promptly whether application or service authentication ustomer premises access equipment have rights of using.

5, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: the authentication information that is provided with in the ustomer premises access equipment is the set of services package, is used for authentication between realization and application or the service.

6, the method for authentication between the service of ustomer premises access equipment according to claim 5 and local client application/telecommunication network is characterized in that: described services package set contains one or more services package information.

7, the method for authentication between the service of ustomer premises access equipment according to claim 6 and local client application/telecommunication network, it is characterized in that: described services package information comprises effective marker and/or effective time, and wherein effective marker indicates the rights of using information of ustomer premises access equipment for certain application or service; Indicated the effective time that this type of service is used effective time.

8, the method for authentication between the service of ustomer premises access equipment according to claim 7 and local client application/telecommunication network is characterized in that: services package information can be downloaded by network remote and dynamically update.

9, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: authentication information is set in the ustomer premises access equipment can make amendment by software or network remote control mode.

10, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network is characterized in that: comprise authentication document version, effective coverage title and effective coverage length in the authentication document that application or service are provided with; Described authentication document version is used to write down the version information of authentication document; Described effective coverage title is used for indicating the application of mandate or the zone that service can be visited in hardware device safety encipher data field; Described effective coverage length is used for indicating the application of mandate or the length in the zone that service can be visited in hardware device safety encipher data field.

11, the method for authentication between the service of ustomer premises access equipment according to claim 10 and local client application/telecommunication network is characterized in that: also comprise valid expiration date in the authentication document that application or service are provided with, be used to limit the effective time of certificate.

12, the method for authentication between the service of ustomer premises access equipment according to claim 10 and local client application/telecommunication network, it is characterized in that: also comprise service type in the authentication document that application or service are provided with, be used to indicate the COS of this authentication document correspondence.

13, the method for authentication between the service of ustomer premises access equipment according to claim 10 and local client application/telecommunication network is characterized in that: also comprise the authentication document deletion in the authentication document that application or service are provided with, be used to delete authentication document.

14, the method for authentication between the service of ustomer premises access equipment according to claim 10 and local client application/telecommunication network is characterized in that: also comprise the string of maintaining secrecy in the authentication document that application or service are provided with, be used for certificate of certification owner's legitimacy.

15, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network is characterized in that: generate when the setting of application or service authentication file is obtained or made by network.

16, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network is characterized in that: using or serving is provided by local client or telecommunication network.

17, according to the method for authentication between the service of the arbitrary described ustomer premises access equipment of claim 1 to 16 and local client application/telecommunication network, it is characterized in that: the concrete steps of authentication are between ustomer premises access equipment and application or the service: when service of authorizing or application need calling party end facility information, send access request, simultaneously authentication document is submitted to authentication mechanism; Authentication mechanism reads the authentication information of ustomer premises access equipment, just services package information; Verify whether this ustomer premises access equipment has authority to use this application or service; Authentication mechanism reads " service type " in the authentication document, judges whether this " service type " is effective service in the authentication service package informatin of hardware; As not being, prove that this ustomer premises access equipment lack of competence uses this application or service, return error message, finish; Whether in this way, " service type " is somebody's turn to do in the authentication mechanism judgement in the services package information of hardware expired; If expired, prove that this ustomer premises access equipment lack of competence uses this application or service, return error message, finish; As not out of date, authentication mechanism analysis authentication file is verified this application or the service access rights to hardware information; Read " effective time " in the authentication document, judge whether authentication document is expired; If expired, return error message, finish; As not out of date, read " string of maintaining secrecy " in the authentication document, judge whether user's identity is legal; If illegal, return error message, finish; As legal, then ustomer premises access equipment obtains this application or service.

18, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network is characterized in that: security mechanism is set in the ustomer premises access equipment, realizes the protection of devices encrypt data space by cryptographic algorithm.

19, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network is characterized in that: also be provided with identity information and/or type identification information in the ustomer premises access equipment.

20, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: described authentication mechanism carries out authentication and comprises by ustomer premises access equipment to using or service is carried out, i.e. whether ustomer premises access equipment authentication application or service has rights of using.

21, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: be provided with the secure data storage district in the ustomer premises access equipment, security mechanism is set, comprise built-in key list, be used for the data of encryption and decryption safety encipher data storage area.

22, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: application or service authentication file comprise the authority of device security data storage area visit, valid data zone name or area size are used to limit this application or service and are merely able to visit corresponding data storage area.

23, the method for authentication between the service of ustomer premises access equipment according to claim 1 and local client application/telecommunication network, it is characterized in that: application or service authentication file comprise the equipment using method, be used to formulate access mode for the secure data storage district, obtain corresponding key, realize data encrypting and deciphering.

24, according to the method for authentication between the service of the arbitrary described ustomer premises access equipment of claim 20 to 23 and local client application/telecommunication network, it is characterized in that: ustomer premises access equipment is for using or serving and carry out, be whether ustomer premises access equipment authentication application or service be when having rights of using, authentication mechanism reads " the effective coverage title " in the authentication document, judges that the user wishes whether the space of visiting is consistent with effective addressing space; As inconsistent, return error message, finish; As unanimity, read " effective coverage size " in the authentication document, judge whether addressing space overflows; As overflow, return error message, finish; As not overflowing, this application or service have the authority visit it want the ustomer premises access equipment information of visiting; Read " using method " in the authentication document, obtain the key ID that lecture is used, by the information on the security mechanism interface accessing ustomer premises access equipment.