CN104038486B - System and method for realizing user login identification based on identification type codes - Google Patents

Publication number: CN104038486B
Authority: CN (China)
Prior art keywords: user, account, information system, web information, browser
Legal status: Expired - Fee Related
Application number: CN201410244543.8A
Other languages: Chinese (zh)
Other versions: CN104038486A (en)
Inventor: 龙毅宏, 唐志红
Current Assignee: Wuhan University of Technology WUT
Original Assignee: Wuhan University of Technology WUT

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a system and method for implementing user login authentication based on identity-typed cryptography. In the system, a cryptographic identity of the user that is unrelated to the user's Web information system account is stored in the Web information system's user account data as the account's authentication data. When the user logs in to the Web information system, the system confirms that the user is the owner of the account by confirming that the user holds the currently valid identity private key of the account's cryptographic identity. Further, if the Web information system originally uses account name + password or passcode login, the security gateway or plug-in that handles login, after completing account authentication for the user's login, fills the user's cryptographic identity into the login request as the password or passcode on the user's behalf, thereby logging the user in to the Web information system. In the invention, the user's identity-typed key is used only to replace the account's password or passcode as the private security data proving that the user owns the account, not as an identity credential with which the user logs in to the system.

Description

System and method for implementing user login authentication based on identity-typed cryptography

Technical field

The invention belongs to the field of information security, and in particular concerns a system and method for implementing user login authentication based on identity-typed cryptography.

Background

When a user accesses a Web information system that is protected and access-restricted (including various application systems and security systems), a login operation (logon or login) is usually required. The purpose of the login operation is to confirm that the user is a legitimate user of the Web information system, that is, to perform user authentication. In practice, however, for many Web information systems it does not matter whether the user's identity information is genuine or who the user is. More precisely, therefore, the purpose of the login operation is to confirm that the user is the owner of a registered account in the Web information system, that is, to perform account authentication.

Current Web information systems generally use account name + password or passcode (the account name is also called the user name) as the security mechanism for authenticating the user or account at login (log on or log in). The account name + password or passcode scheme is simple and convenient for users, but its insecurity is well known. PKI (Public Key Infrastructure) digital certificates are secure, but using them for user or account authentication in a Web information system has usability problems: they are inconvenient for users to operate, a lost user private key is hard to recover, and certificate renewal is troublesome (it usually requires manual steps). They also require controls or plug-ins to be developed for the relevant browsers, which leads to heavy development effort and poor applicability. First, different controls or plug-ins must be developed for different browsers, and with the many browsers now in use, developing them for every browser, including browsers running in different environments, is a very large amount of work. Second, some browsers offer very limited support for controls or plug-ins, or none at all. Furthermore, applying PKI digital certificates to already deployed systems that use account name + password or passcode requires modifying the existing systems, so PKI digital certificates have not been widely adopted so far.

Identity-Based Cryptography (IBC) is a public-key cryptographic technology that has recently received wide attention. It overcomes the usability shortcomings of PKI digital certificates. Its main technical feature is that a unique identity of the user (such as an e-mail address) constitutes a public key of the user (strictly speaking, the unique identity together with a set of public parameters constitutes the public key), which can be used for data encryption or signature verification. An identity also has a corresponding private key, used for data decryption or digital signing (the IBC public and private keys used for data encryption are not necessarily the same as those used for digital signatures). The private key is generated by a dedicated key service system called the private key generator. IBC can likewise be used for user or account authentication at login in a Web information system, but using IBC directly for this purpose has the following problems:

1) When IBC is used for user or account authentication in a Web information system, the usual approach is to use the user's account name in the Web information system as the user's IBC identity. This has two drawbacks. First, the user has different account names in different Web information systems and therefore needs different IBC key pairs. Second, when the user obtains from the key service system the private key for an identity that is not an electronic communication identity (an address or terminal identifier used for electronic communication, such as an e-mail address or mobile phone number, is called an electronic communication identity), it is troublesome and difficult for the key service system to confirm that the user is the true owner of the identity (for electronic communication identities such as e-mail addresses and mobile phone numbers this is comparatively easy);

2) When IBC is used in a Web information system, the client must call a cryptographic module to perform IBC cryptographic operations. As with digital certificates, current schemes therefore usually use browser controls and plug-ins on the client to call the cryptographic module, which raises the same problems as using digital certificates for user login to Web information systems;

3) A large number of deployed systems currently use account name + password or passcode; deploying an IBC-based user or account authentication scheme directly in these systems requires modifying the Web information system.

The purpose of the invention is to use identity-typed cryptography for user or account authentication at login to a Web information system, while avoiding browser plug-in and control technology and remaining compatible with deployed systems.

The identity-typed cryptography of the invention includes the identity-based cryptography described above and identity-based elliptic curve technology (see the applicant's patent application "An identity-based elliptic curve cryptosystem", application number 20131052098.5).

The identity-typed cryptographic technologies used in the invention, whether IBC or identity-based elliptic curve cryptography, share the following characteristics:

1) One identity of a user corresponds to one identity public key and one identity private key (the identity public and private keys used for data encryption are not necessarily the same as those used for digital signatures);

2) In actual key generation and cryptographic operations, the identity itself is not used; instead, an extended identity, formed by appending other qualifying information to the identity, is used for key generation and cryptographic operations;

3) If the patented technology in "An identity-typed cryptographic system and method for automatically updating and recovering private keys" (application number 201410058689.3) is adopted, private keys can be recovered automatically, and the currently valid identity public key and identity private key of an identity can be updated automatically.

The commonly used qualifying information is a time period, as in "identity||time period", where "||" denotes string concatenation. The time-period qualifier specifies that the public and private keys corresponding to the extended identity are valid and usable only within the stated period. The public and private keys corresponding to the extended identity whose time period covers the current moment are called the currently valid identity public key and identity private key of the identity.

Summary of the invention

The purpose of the invention is to provide a system and method for implementing user login authentication based on identity-typed cryptography that applies identity-typed cryptography to user or account authentication at login to a Web information system, avoids browser plug-in and control technology, and remains compatible with deployed systems.

To achieve this purpose, the technical solution adopted by the invention is as follows:

A system for implementing user login authentication based on identity-typed cryptography, the system comprising:

Web information system: a system developed with Web technology that provides information or application services to users. An identity of the user (such as an e-mail address or mobile phone number), or the hash value of such an identity, is stored in the Web information system's user account data as the authentication data of the user's account (if the Web information system's original account authentication data is a password or passcode, the user identity or its hash value is stored as the password or passcode, in the place where the user account data originally held it). Accordingly, the user identity that is stored in the user account data as the account's authentication data, or the user identity whose hash value is so stored, is called the cryptographic identity corresponding to the user account, or simply the cryptographic identity of the user account. The cryptographic identity of a user account is entered by the user when registering the account in the Web information system, or is obtained and set by an account management system or tool in some other way (how the account management system or tool obtains the user's cryptographic identity is outside the scope of the invention);

Browser: the client the user uses to access the Web information system. During user login, the browser, through the background handler, uses the identity private key of the cryptographic identity of the account being logged in to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random-string data returned by the Web information system, and to perform other cryptographic operations (the identity public and private keys used for data encryption are not necessarily the same as those used for digital signatures);

Background handler: a program running in the background of the user's computing device. During user login it calls the cryptographic module to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random-string data returned by the Web information system, and to perform other cryptographic computations;

Cryptographic module: a client-side software component, or combined software and hardware component, that performs cryptographic operations using identity-typed cryptography;

When the user accesses the Web information system with a browser and submits an account name to log in, the Web information system authenticates the user as the owner of the login account by verifying, in the digital signature mode or the data encryption mode below, that the user holds the identity private key of the cryptographic identity:

Digital signature mode: the Web information system returns the cryptographic identity of the user's login account and a randomly generated string (the random string) to the client browser. The browser, through the background handler, calls the cryptographic module to sign the returned random string with the identity private key of the cryptographic identity of the login account, and then submits the signature data of the random string to the Web information system. The Web information system uses the random string it returned to the browser and the identity public key of the cryptographic identity of the login account to verify the validity of the signature data submitted by the client browser, thereby confirming that the user is the owner of the cryptographic identity and, in turn, the owner of the login account;

Data encryption mode: the Web information system returns to the client browser a randomly generated string (the random string) encrypted with the identity public key of the cryptographic identity of the user's login account. The browser, through the background handler, calls the cryptographic module to decrypt the returned encrypted random string with the identity private key of that cryptographic identity, and then completes the login authentication either by returning the decrypted random string directly or by using the decrypted random string in an HMAC (Hashed Message Authentication Code) digital signature (if the decrypted random string is returned correctly, or a correct HMAC digital signature is produced with it, the user has an identity private key that can correctly decrypt the encrypted random string, so the user can be determined to be the owner of the cryptographic identity and therefore the owner of the login account);

If the Web information system the user logs in to originally authenticates the account owner by account name + password or passcode and keeps that mechanism unchanged, and the system component that performs identity-typed-cryptography login authentication for the Web information system is a security gateway placed in front of the Web information system or a security plug-in inserted into the Web information system's request/response transmission channel, then the cryptographic identity of the user account, or its hash value, is stored as the password or passcode in the place where the Web information system's user account data originally held it. After the security gateway or security plug-in has used the cryptographic identity of the user account to authenticate the user as the account owner, it submits, on the user's behalf and in the form of a login request, either the user's account name and the account's cryptographic identity, or the user's account name and the hash value of the account's cryptographic identity, to the Web information system as the account name and password or passcode to complete the login. The former corresponds to the case where the account authentication data stored in the Web information system's user account data is the cryptographic identity of the user account; the latter corresponds to the case where it is the hash value of the cryptographic identity. In either case, the Web information system itself performs account authentication for the login by verifying the account name and password or passcode.

If a cryptographic identity of the user is stored in the Web information system's user account data as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the client browser and the background handler complete login authentication in the following data encryption mode:

Step I: the Web information system, through the browser, asks the user to enter an account name;

Step II: the user enters the account name in the browser and submits it to the Web information system;

Step III: after receiving the account name submitted by the client browser, the Web information system uses it to look up the authentication data of the corresponding user account in the user account data and so obtains the cryptographic identity of the user account. It then encrypts the Web information system name and a randomly generated string (the random string) with the currently valid identity public key of that cryptographic identity, and returns the encrypted Web information system name and random string to the client browser;

Step IV: after receiving the data returned by the Web information system, the client browser submits the received encrypted Web information system name and random string to a local background handler on the client through a network communication mechanism, and then prompts the user to enter the random password or passcode displayed on the computing terminal into the browser's password or passcode input box;

Step V: after the client's local background handler receives the encrypted Web information system name and random string submitted by the browser, it uses the cryptographic identity of the user account to call the cryptographic module, which decrypts them with the currently valid identity private key of the cryptographic identity. It then displays the decrypted Web information system name, together with the random string as the one-time random password or passcode for logging in to the Web information system, to the user through a human-machine interface on the computing terminal;

Step VI: the user enters the random string displayed by the background handler as the one-time random password or passcode into the browser's password or passcode input box, and the browser submits the entered random string to the Web information system as the account password or passcode;

Step VII: after receiving the random string submitted by the client browser as the account password or passcode, the Web information system compares it with the plaintext of the random string that was returned to the browser (in Step III). If they match, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login; otherwise it refuses.

If a cryptographic identity of the user is stored in the Web information system's user account data as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the client browser and the background handler complete login authentication in the following data encryption mode:

Step 1: the Web information system, through the browser, asks the user to enter an account name;

Step 2: the user enters the account name in the browser and submits it to the Web information system;

Step 3: after receiving the account name submitted by the browser, the Web information system uses it to look up the authentication data of the corresponding user account in the user account data and so obtains the cryptographic identity of the user account. It then encrypts a randomly generated string (the random string) with the currently valid identity public key of that cryptographic identity, and returns the encrypted random string to the client browser;

Step 4: after receiving the data returned by the Web information system, the client browser submits the received encrypted random string to the background handler by network communication and requests its decryption;

Step 5: after receiving the decryption request submitted by the client browser, the background handler calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cryptographic identity of the user account, and then returns the decrypted random string to the client browser;

Step 6: after receiving the decrypted random string returned by the background handler, the client browser completes the login authentication either by returning the decrypted random string directly or by using the decrypted random string in an HMAC digital signature.

If the hash value of a cryptographic identity of the user is stored in the Web information system's user account data as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the client browser and the background handler complete login authentication in the following data encryption mode:

Step 1: the Web information system, through the browser, asks the user to enter an account name and authentication data;

Step 2: the user enters the account name and the account's cryptographic identity in the browser, the cryptographic identity being entered as the authentication data, and the browser submits the account name and the cryptographic identity to the Web information system;

Step 3: after receiving the data submitted by the browser, the Web information system computes the hash value of the received cryptographic identity and compares it with the hash value of the cryptographic identity stored in the user account data for the user account corresponding to the submitted account name. If they match, it encrypts a randomly generated string with the currently valid identity public key of the cryptographic identity submitted by the user and returns the encrypted random string to the client browser; otherwise it returns an error;

Step 4: if the data returned by the Web information system indicates an error, the client browser reports the error; otherwise, the client browser submits the received encrypted random string to the background handler by network communication and requests its decryption;

Step 5: after receiving the decryption request submitted by the client browser, the background handler calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cryptographic identity of the user account, and then returns the decrypted random string to the client browser;

Step 6: after receiving the decrypted random string returned by the background handler, the client browser completes the login authentication either by returning the decrypted random string directly or by using the decrypted random string in an HMAC digital signature.

If one of the user's cryptographic identifiers is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the client browser and the background processing program complete the login authentication by digital signature as follows:

First step: The Web information system asks the user, through the browser, to enter the account name;

Second step: The user enters the account name through the browser, and the browser submits it to the Web information system;

Third step: After receiving the account name submitted by the browser, the Web information system looks up the authentication data of the corresponding user account in the user account data to obtain the cryptographic identifier of the user account, and then returns that cryptographic identifier and a randomly generated string to the client browser;

Fourth step: After receiving the data returned by the Web information system, the client browser submits the received cryptographic identifier and random string to the background processing program over network communication and requests a digital signature of the returned random string;

Fifth step: After receiving the signing request from the client browser, the background processing program calls the cryptographic module to sign the random string with the currently valid identity private key of the user account's cryptographic identifier, and then returns the signature data to the client browser (the signature data need not contain the random string itself);

Sixth step: After receiving the signature data of the random string from the background processing program, the client browser submits the signature data to the Web information system;

Seventh step: After receiving the signature data submitted by the browser, the Web information system verifies the signature using the random string it returned to the browser and the currently valid identity public key of the user account's cryptographic identifier. If verification succeeds, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login; otherwise, it rejects the login.

If the hash value of one of the user's cryptographic identifiers is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the client browser and the background processing program complete the login authentication by digital signature as follows:

Step One: The Web information system asks the user, through the browser, to enter the account name and authentication data;

Step Two: The user enters the account name and the cryptographic identifier of the account through the browser, the cryptographic identifier being entered as the authentication data, and then submits the account name and the cryptographic identifier to the Web information system;

Step Three: After receiving the data submitted by the browser, the Web information system computes the hash value of the received cryptographic identifier and compares it with the hash value of the cryptographic identifier stored in the user account data for the user account that corresponds to the submitted account name. If they match, it returns the submitted cryptographic identifier and a randomly generated string to the client browser; otherwise, it returns an error;

Step Four: If the data returned by the Web information system indicates an error, the client browser reports the error; otherwise, the client browser submits the received cryptographic identifier and random string to the background processing program over network communication and requests a digital signature of the returned random string;

Step Five: After receiving the signing request from the client browser, the background processing program calls the cryptographic module to sign the random string with the currently valid identity private key of the user account's cryptographic identifier, and then returns the signature data to the client browser (the signature data need not contain the random string itself);

Step Six: After receiving the signature data of the random string from the background processing program, the client browser submits the signature data to the Web information system;

Step Seven: After receiving the signature data submitted by the browser, the Web information system verifies the signature using the random string it returned to the browser and the currently valid identity public key of the user account's cryptographic identifier. If verification succeeds, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login; otherwise, it rejects the login.

If the cryptographic identifier of the user account is entered by the user when registering an account with the Web information system, then after receiving the registration information the Web information system first verifies, by digital signature or data encryption in the same way as account authentication at login, that the user holds the private key of the cryptographic identifier entered at registration, and thereby confirms that the user is the owner of that cryptographic identifier. If verification succeeds, it completes the account registration and saves the registration information; otherwise, it returns an error.

If the identity-based cryptographic technology used by the system is IBC (Identity-Based Cryptography) and multiple different sets of IBC public parameters are supported, the Web information system determines the public parameter set used for cryptographic operations with the user account's cryptographic identifier as follows:

If the user enters and submits both the account name and the cryptographic identifier (as authentication data) when logging in through the browser, then before submitting the cryptographic identifier the browser asks the background processing program, over the network communication mechanism, for the indication information (such as a parameter set identifier or version number) of the public parameter set used for cryptographic operations with that cryptographic identifier. On receiving the request, the background processing program calls the cryptographic module to look up this indication information and returns it to the browser. The browser then submits the indication information together with the cryptographic identifier to the Web information system, and the Web information system uses the indication information submitted in the login request to determine the public parameter set for cryptographic operations with the user account's cryptographic identifier;

Otherwise, if the Web information system stores in the user account data the indication information of the public parameter set used for cryptographic operations with the user account's cryptographic identifier, then before performing an encryption operation with the cryptographic identifier it determines the public parameter set from the indication information stored in the user account data;

Otherwise, before performing an encryption operation with the user account's cryptographic identifier, the Web information system returns the cryptographic identifier to the client browser and requests the indication information of the public parameter set used for cryptographic operations with it. After receiving the cryptographic identifier and the request, the client browser submits the cryptographic identifier to the background processing program local to the client over the network communication mechanism and requests the indication information. The background processing program calls the cryptographic module to look up the indication information of the public parameter set and returns it to the client browser; the browser returns it to the Web information system; and the Web information system determines the public parameter set from the returned indication information;

Further, if the background processing program, while calling the cryptographic module to decrypt data that the Web information system encrypted with the cryptographic identifier, finds that the Web information system used an incorrect public parameter set, the background processing program updates, through the browser, the indication information held by the Web information system for the public parameter set used for cryptographic operations with the user account's cryptographic identifier.

If the Web information system also stores in the user account data a digital signature (produced by the Web information system) over the merged data (for example, the concatenated strings) of the user account name and the account's cryptographic identifier or the hash value of the cryptographic identifier, in order to prevent unauthorized modification of the account name and the cryptographic identifier or its hash value in the account data, then during account authentication at login, after receiving the account name submitted through the browser, the Web information system first verifies this digital signature to determine whether the stored account name and cryptographic identifier (or its hash value) have been modified. If they have been modified, it aborts the login authentication and returns an error; otherwise, it continues the login authentication. The digital signature methods that may be used for this signature include HMAC-based symmetric-key digital signatures and digital signatures based on asymmetric-key cryptographic algorithms (such as RSA, ECC, IBC).
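The record-integrity check described above, in its HMAC variant, as an added example (not code from the patent). The function names, the table layout, the SHA-256 choice and the length-prefixed merge format are assumptions; the length prefix is used because plain string concatenation of the two fields is ambiguous about where the account name ends.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional


def _frame(field: bytes) -> bytes:
    """Length-prefix a field so the merged data has unambiguous boundaries."""
    return struct.pack(">I", len(field)) + field


def record_tag(key: bytes, account_name: str, auth_data: bytes) -> bytes:
    """HMAC over (account name, authentication data), keyed by the server."""
    merged = _frame(account_name.encode("utf-8")) + _frame(auth_data)
    return hmac.new(key, merged, hashlib.sha256).digest()


def naive_tag(key: bytes, account_name: str, auth_data: bytes) -> bytes:
    """Plain concatenation, shown only to contrast with record_tag."""
    merged = account_name.encode("utf-8") + auth_data
    return hmac.new(key, merged, hashlib.sha256).digest()


def store_account(table: Dict[str, dict], key: bytes,
                  account_name: str, identifier: str) -> None:
    """Save the hash of the cryptographic identifier together with its tag."""
    auth_data = hashlib.sha256(identifier.encode("utf-8")).digest()
    table[account_name] = {
        "auth_data": auth_data,
        "tag": record_tag(key, account_name, auth_data),
    }


def record_is_intact(table: Dict[str, dict], key: bytes, account_name: str) -> bool:
    """True only if the stored tag matches the stored name/auth-data pair."""
    record = table.get(account_name)
    if record is None:
        return False
    expected = record_tag(key, account_name, record["auth_data"])
    return hmac.compare_digest(expected, record["tag"])


def load_for_login(table: Dict[str, dict], key: bytes,
                   account_name: str) -> Optional[bytes]:
    """Return the authentication data, or None so the caller aborts the login."""
    if not record_is_intact(table, key, account_name):
        return None
    return table[account_name]["auth_data"]


if __name__ == "__main__":
    server_key = b"\x01" * 32          # constructed sample key
    accounts: Dict[str, dict] = {}
    store_account(accounts, server_key, "alice", "alice@example.com")
    store_account(accounts, server_key, "mallory", "mallory@example.com")
    print("intact:", record_is_intact(accounts, server_key, "alice"))
    # Someone with write access to the table copies another record over alice's.
    accounts["alice"] = dict(accounts["mallory"])
    print("after overwrite:", record_is_intact(accounts, server_key, "alice"))
```

Because the account name is part of the tagged data, a record copied from another account fails verification even though its tag is a valid tag for that other account.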

From the above summary it can be seen that the user login authentication scheme adopted by the system of the present invention has the following advantages or characteristics:

1) If the identifier used is an electronic communication identifier (such as an e-mail address or mobile phone number), generating, recovering and updating the identity key is convenient; in particular, if automatic updating of the identity key is also implemented, key updates need no manual intervention by the user, which is a great convenience;

2) No browser is used, so the scheme is not limited by the type or kind of browser, nor by the operating platform of the client computing device;

3) In the present invention the user's identifier and identity key are not used as the user's identity credential but as high-strength private data for account authentication, and different Web information systems can use the key of the same cryptographic identifier for account authentication at login, so there is no need to use a different identity key for each Web information system;

4) The scheme of the present invention is well suited to Web information systems that are already deployed and that originally authenticate login accounts by account name plus password: the secure login scheme can be implemented in such a system by an external security gateway or a built-in security plug-in, without modifying the Web information system.

Description of drawings

Fig. 1 is a schematic diagram of the system structure of the present invention.

Detailed description

The present invention is further described below with reference to the accompanying drawing and embodiments.

Implementing the present invention first requires choosing an implementation of the identity-based cryptographic technology. There are two options: IBC cryptography or identity-based elliptic curve cryptography, of which the IBC option is the simplest.

If IBC cryptography is used, the identity public key and private key are the IBC public key and private key, and the public key is the identifier itself. In this case it is also necessary to implement the IBE cryptographic module and the data encryption and decryption method of the patent application "An IBE cryptographic device and data encryption and decryption method" (application number: 20131043846.2) (although the cryptographic module in that application is named an IBE cryptographic module, the technical solution is in fact suitable for IBC), the automatic identity key update scheme of the patent application "An identity-based cryptographic system and method for automatically updating and recovering private keys" (application number: 201410058689.3), and an IBC key service system (including an IBC private key generator) for generating and recovering IBC private keys. For the technical implementation of IBC itself, see the IEEE international standard IEEE Std 1363.3-2013: IEEE Standard for Identity-Based Cryptographic Techniques using Pairings, 22 August 2013. Under the IBC implementation, if IBC encryption supports cryptographic operations with multiple different sets of IBC public parameters, the different public parameter sets can be indicated by different identifiers or version numbers.

If identity-based elliptic curve cryptography is used, the cryptographic system of the patent application "An identity-based elliptic curve cryptographic system" (application number: 20131052098.5) must be implemented, including the key service system and the client-side cryptographic module; in this case the identity public key and private key are the elliptic curve public key and private key generated from the identifier. In addition, the automatic identity key update scheme of the patent application "An identity-based cryptographic system and method for automatically updating and recovering private keys" (application number: 201410058689.3) must be implemented. With identity-based elliptic curve cryptography, there are two options for how the Web information system obtains the currently valid identity public key of a cryptographic identifier: it can obtain the key from the key service system and cache it, or the browser can obtain the key from the local key store of the client-side cryptographic module and submit it to the Web information system. The latter option requires the identity public key to be signed by the key service system to ensure security (the X509 format is not required).

Whether IBC cryptography or identity-based elliptic curve cryptography is used, one scheme (others are possible) for using the decrypted random string in an HMAC data signature to authenticate that the user is the owner of the account or cryptographic identifier is as follows. The client-side background processing program merges the current time with the decrypted random string, and the cryptographic module applies a hash algorithm (such as SHA-1) to the merged data to produce a hash value; the browser then sends the current time together with the hash value to the Web information system. After receiving the data submitted by the browser, the Web information system first checks whether the difference between the time in the submitted data and the current time is within the specified range. If it is, the Web information system merges the time from the submitted data with the random string it previously returned to the client, applies the same hash algorithm to the merged data to produce a hash value, and compares the hash value submitted by the client browser with the one it computed itself. If they match, this proves that the user holds the currently valid identity private key of the cryptographic identifier, which in turn confirms that the user is the owner of the login account.
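The time-bound proof described above, combined with the hash comparison of Step 3, as an added example (not code from the patent). It assumes the client's cryptographic module has already recovered the random string (IBC encryption and decryption are not modelled), uses HMAC-SHA-256 keyed with the random string over the timestamp in place of the plain hash of the merged data that the text describes, and assumes a 120-second window and single-use random strings; all names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAX_SKEW_SECONDS = 120  # assumed value for the "specified range"


def identifier_hash(identifier: str) -> bytes:
    """Hash of the cryptographic identifier, as kept in the account data."""
    return hashlib.sha256(identifier.encode("utf-8")).digest()


def make_proof(random_string: bytes, timestamp: int) -> bytes:
    """Client side: bind the current time to the decrypted random string."""
    message = str(timestamp).encode("ascii")
    return hmac.new(random_string, message, hashlib.sha256).digest()


class WebInformationSystem:
    def __init__(self) -> None:
        self.accounts: Dict[str, bytes] = {}   # account name -> identifier hash
        self.pending: Dict[str, bytes] = {}    # account name -> issued random string

    def register(self, account: str, identifier: str) -> None:
        self.accounts[account] = identifier_hash(identifier)

    def begin_login(self, account: str, identifier: str) -> Optional[bytes]:
        """Step 3: compare hashes, then issue a fresh random string."""
        stored = self.accounts.get(account)
        submitted = identifier_hash(identifier)
        if stored is None or not hmac.compare_digest(stored, submitted):
            return None
        random_string = secrets.token_bytes(32)
        self.pending[account] = random_string
        # In the scheme on this page the value leaves the server encrypted
        # under the identity public key; here it is returned as-is.
        return random_string

    def finish_login(self, account: str, timestamp: int,
                     proof: bytes, now: int) -> bool:
        """Check the time window, then the proof; each string is single-use."""
        random_string = self.pending.pop(account, None)
        if random_string is None:
            return False
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False
        expected = make_proof(random_string, timestamp)
        return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    wis = WebInformationSystem()
    wis.register("alice", "alice@example.com")   # constructed sample account
    challenge = wis.begin_login("alice", "alice@example.com")
    proof = make_proof(challenge, 1000)
    print("first attempt:", wis.finish_login("alice", 1000, proof, now=1030))
    print("replayed:", wis.finish_login("alice", 1000, proof, now=1031))
```

Removing the random string from `pending` on every attempt means a captured time and proof pair cannot be replayed inside the time window.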

For the background processing program, a program running on the client computing device can be developed. On the one hand, this program receives requests, submitted as HTTP requests, to sign a random string or to decrypt an encrypted random string, and returns the result as an HTTP response. On the other hand, it calls the cryptographic module to sign the random string or decrypt the encrypted random string, and to obtain the indication information of the public parameter set used for cryptographic operations with the cryptographic identifier. In addition, the background processing program pops up a human-computer interaction interface to show the user the one-time random password for logging in to the Web information system.

Corresponding to the background processing program receiving signing or decryption requests and returning results by HTTP request and response, the client browser either submits the request to the background processing program by automatic HTTP POST and submits the result returned by the background processing program to the Web information system by automatic HTTP POST, or interacts with the background processing program through Ajax and submits the returned result to the Web information system.

If the Web information system also stores a digital signature over the account name and the cryptographic identifier or its hash value, the signature data can be stored separately or stored together with the cryptographic identifier (or its hash value) as the authentication data of the account. If the signature data is stored together with the cryptographic identifier or its hash value as the authentication data of the account, then the account authentication data used when logging in on the user's behalf includes the signature data obtained from the user account data. The Web information system uses a dedicated public key pair or random string for this digital signature (public-key signature or HMAC signature).

为了进一步加强用户登录鉴别的安全性,可以采用如下方案之一:In order to further enhance the security of user login authentication, one of the following solutions can be adopted:

方案一:后台处理程序在使用用户帐户的密码标识的标识私钥对Web信息系统返回的随机字串签名前或对返回的加密的随机字串解密前,先弹出一个人机界面提示用户正在进行登录处理,询问用户是否继续;Solution 1: Before the background processing program signs the random string returned by the web information system with the private key identified by the password of the user account or decrypts the returned encrypted random string, a man-machine interface pops up to prompt the user to proceed. Login processing, asking the user whether to continue;

方案二:可信的Web信息系统被签发了一个经数字签名的安全站点令牌,当用户登录Web信息系统时这个安全站点令牌同随机字串(加密或非加密的随机字串)一起被返回到用户端浏览器并被浏览器提交到后台处理程序;后台处理程序在调用密码模块使用用户帐户的密码标识的标识私钥对返回的随机字串签名或对返回的加密的随机字串解密前,先检查是否有可信的安全站点令牌(签名有效且可信),若没有安全站点令牌或安全站点令牌的数字签名不可信,则弹出一个人机交互界面提示用户风险;若有可信的安全站点令牌,则提示用户要访问的系统是可信的并显示用户要访问的站点的地址,询问用户是否继续;Scenario 2: The trusted web information system is issued a digitally signed security site token, and when the user logs in to the web information system, the security site token and the random string (encrypted or non-encrypted random string) are Return to the client browser and be submitted to the background processing program by the browser; the background processing program uses the identification private key identified by the password of the user account to sign the returned random string or decrypt the returned encrypted random string when calling the password module Before checking whether there is a credible security site token (the signature is valid and credible), if there is no security site token or the digital signature of the security site token is untrustworthy, a human-computer interaction interface will pop up to remind the user of the risk; if If there is a credible security site token, it prompts the user that the system to be accessed is credible and displays the address of the site the user wants to visit, and asks the user whether to continue;

方案三:Web信息系统在向用户端浏览器返回随机字串或加密的随机字串之前,先采用公开密钥密码技术对返回的数据进行数字签名,然后再返回数据;后台处理程序在调用密码模块对返回的随机字串签名或对返回的加密的随机字串解密之前,先验证Web信息系统返回的数据的数字签名,若返回的数据没有数字签名或签名不可信,则弹出一个人机交互界面提示用户风险;若有数字签名且签名可信,则提示用户要访问的系统是可信的并显示用户要访问的站点的地址;Scheme 3: Before the web information system returns random strings or encrypted random strings to the client browser, it uses public key cryptography to digitally sign the returned data, and then returns the data; Before the module signs the returned random string or decrypts the returned encrypted random string, it first verifies the digital signature of the data returned by the web information system. If the returned data does not have a digital signature or the signature is untrustworthy, a human-computer interaction will pop up. The interface reminds the user of risks; if there is a digital signature and the signature is credible, it will prompt the user that the system to be accessed is credible and display the address of the site the user wants to visit;

方案四:用户端的浏览器在将Web信息系统返回的随机字串或加密的随机字串提交到后台处理程序的同时将用户要登录的Web信息系统的主机地址(主机DNS域名)同时提交到后台处理程序;后台处理程序在调用密码模块使用用户帐户的密码标识的标识私钥对返回的随机字串签名或对返回的加密的随机字串解密前,先通过一个人机交互界面向用户显示当前浏览器要访问的Web信息系统的主机地址,询问用户是否继续;若用户选择继续,则对返回的随机字串签名或对返回的加密的随机字串解密,然后调用密码模块使用Web信息系统的公钥对签名的随机字串或要直接返回的解密的随机字串或用解密的随机字串HMAC签名的登录鉴别数据进行加密,然后将加密后的数据返回到浏览器并由浏览器提交到Web信息系统;Web信息系统在接收到浏览器返回的加密的数据后,先使用Web信息系统的私钥解密接收到的加密的数据,然后根据解密后的数据作进一步的登录鉴别处理;所述Web信息系统的公钥包括Web信息系统的IBC公钥(如以Web信息系统的主机地址作为公钥)或由一个可信密钥服务系统(如CA证书系统)发布的公钥(如通过数据证书发布的RSA、ECC公钥等)。Solution 4: The browser on the client end submits the random string or encrypted random string returned by the Web information system to the background processing program, and at the same time submits the host address (host DNS domain name) of the Web information system that the user wants to log in to the background Processing program; before the background processing program calls the cryptographic module to sign the returned random string with the private key identified by the password of the user account or decrypt the returned encrypted random string, it first displays the current status to the user through a human-computer interaction interface The host address of the web information system to be accessed by the browser, and ask the user whether to continue; if the user chooses to continue, sign the returned random character string or decrypt the returned encrypted random character string, and then call the password module to use the web information system The public key encrypts the signed random string or the decrypted random string to be returned directly or the login authentication data signed with the decrypted random string HMAC, and then returns the encrypted data to the browser and is submitted by the browser to Web information system; after receiving the encrypted data returned by the browser, the Web information system first uses the private key of the Web information system to decrypt the received encrypted data, and then performs further login authentication 
processing according to the decrypted data; The public key of the web information system includes the IBC public key of the web information system (such as using the host address of the web information system as the public key) or the public key issued by a trusted key service system (such as the CA certificate system) (such as through the data Certificate issued RSA, ECC public key, etc.).

In addition to the schemes above, the Web information system can also improve its security by using a server certificate and an SSL (Secure Sockets Layer) secure transport channel.

If the Web information system the user logs in to originally authenticates the user as the account owner by account name plus password, and the system component through which the Web information system applies the technical solution of the present invention to authenticate the login account is a security gateway placed in front of the Web information system, the security gateway can be built on Web reverse proxy technology (for example, with Apache); if that system component is a security plug-in built into the Web information system, the security plug-in can be built on filters (such as ISAPI or Servlet Filter) or other plug-in technology.

Other specific technical implementations not described here are well known and self-evident to those skilled in the relevant art.

Claims (10)

1. A system for user login authentication based on identity-based cryptography, the system comprising:
Web information system: a system built on Web technology that provides information or application services to users. An identifier of the user, or the hash value of an identifier of the user, is stored in the user account data of the Web information system as the authentication data of the user's account in the Web information system. Correspondingly, the user identifier stored in the user account data as the authentication data of the user account, or the user identifier whose hash value is stored in the user account data as the authentication data of the user account, is called the cryptographic identifier corresponding to the user account, or simply the cryptographic identifier of the user account. The cryptographic identifier of the user account is entered by the user when registering an account in the Web information system, or is obtained and set in some other way by an account management system or tool;
Browser: the client the user uses to access the Web information system. During user login the browser, through the background processing program, uses the identity private key of the cryptographic identifier of the login account to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random string data returned by the Web information system;
Background processing program: a program running in the background on a computing device on the user side. During user login it calls the cryptographic module to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random string data returned by the Web information system;
Cryptographic module: a user-side software component, or combined software and hardware component, that performs cryptographic operations using identity-based cryptography;
When the user accesses the Web information system with the browser and submits an account name to log in, the Web information system authenticates the user as the owner of the login account, by verifying that the user holds the identity private key of the cryptographic identifier, in the digital signature mode or the data encryption mode described below:
Digital signature mode: the Web information system returns the cryptographic identifier of the login account and a randomly generated string to the user-side browser; the browser, through the background processing program, calls the cryptographic module to sign the returned random string with the identity private key of the cryptographic identifier of the login account, and then submits the signature data of the random string to the Web information system; the Web information system uses the random string it returned to the browser and the identity public key of the cryptographic identifier of the login account to verify the validity of the signature data submitted by the user-side browser, thereby confirming that the user is the owner of the cryptographic identifier and, in turn, the owner of the login account;
Data encryption mode: the Web information system returns to the user-side browser a randomly generated string encrypted with the identity public key of the cryptographic identifier of the login account; the browser, through the background processing program, calls the cryptographic module to decrypt the returned encrypted random string with the identity private key of the cryptographic identifier of the login account, and then completes the login authentication operation either by returning the decrypted random string directly or by HMAC signing with the random string obtained by decryption;
If the Web information system the user logs in to originally authenticates the user as the account owner by account name plus password and keeps that original authentication method unchanged, and the system component through which the Web information system performs user login authentication based on identity-based cryptography is a security gateway placed in front of the Web information system or a security plug-in inserted into the request/response transmission channel of the Web information system, then the cryptographic identifier of the user account, or the hash value of the cryptographic identifier of the user account, is stored as the password in the original password storage location in the user account data of the Web information system; and after the security gateway or security plug-in has used the cryptographic identifier of the user account to authenticate the user as the account owner, it completes the login operation either by submitting to the Web information system, on the user's behalf and in the form of a login request, the user's account name and the cryptographic identifier of the account as the account name and password for logging in to the Web information system, or by submitting in the same way the user's account name and the hash value of the cryptographic identifier of the account as the account name and password. The former corresponds to the case where the account authentication data stored in the user account data of the Web information system is the cryptographic identifier of the user account; the latter corresponds to the case where it is the hash value of the cryptographic identifier of the user account. In either case, the Web information system itself performs account authentication of the user login by verifying the account name and password.
2. A user login authentication method using the system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background processing program complete user login authentication in the following data encryption mode:
Step I: The Web information system, through the browser, asks the user to enter an account name;
Step II: The user enters the account name, and the browser submits the entered account name to the Web information system;
Step III: After receiving the account name submitted by the user-side browser, the Web information system uses the received account name to look up the authentication data of the corresponding user account in the user account data and so obtains the cryptographic identifier of the user account; it then encrypts the name of the Web information system and a randomly generated string with the currently valid identity public key of the obtained cryptographic identifier, and returns the encrypted Web information system name and random string to the user-side browser;
Step IV: After receiving the data returned by the Web information system, the user-side browser submits the received encrypted Web information system name and random string to a local background processing program on the user side through a network communication mechanism, and then prompts the user to enter the random password displayed on the computing terminal into the password input box of the browser;
Step V: After receiving the encrypted Web information system name and random string submitted by the browser, the local background processing program on the user side uses the cryptographic identifier of the user account to call the cryptographic module, which decrypts the encrypted Web information system name and random string returned by the Web information system with the currently valid identity private key of the cryptographic identifier; it then displays to the user, through a human-computer interface on the computing terminal, the decrypted Web information system name and the random string that serves as the one-time random password for logging in to the Web information system;
Step VI: The user enters the random string displayed by the background processing program, as the one-time random password, into the password input box of the browser, and the browser submits the random string entered by the user as the account password to the Web information system;
Step VII: After receiving the random string submitted by the user-side browser as the account password, the Web information system compares it with the plaintext of the random string returned to the browser; if they match, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login; otherwise it refuses.
3. A user login authentication method using the system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background processing program complete user login authentication in the following data encryption mode:
1st step: The Web information system, through the browser, asks the user to enter an account name;
2nd step: The user enters the account name, and the browser submits the entered account name to the Web information system;
3rd step: After receiving the account name submitted by the browser, the Web information system uses the received account name to look up the authentication data of the corresponding user account in the user account data and so obtains the cryptographic identifier of the user account; it then encrypts a randomly generated string with the currently valid identity public key of the obtained cryptographic identifier and returns the encrypted random string to the user-side browser;
4th step: After receiving the data returned by the Web information system, the user-side browser submits the received encrypted random string to the background processing program by network communication, requesting decryption of the encrypted random string;
5th step: After receiving the request submitted by the user-side browser to decrypt the encrypted random string, the background processing program calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cryptographic identifier of the user account, and then returns the decrypted random string to the user-side browser;
6th step: After receiving the decrypted random string returned by the background processing program, the user-side browser completes the login authentication operation either by returning the decrypted random string directly or by HMAC signing with the random string obtained by decryption.
4. A user login authentication method using the system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if the hash value of a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background processing program complete user login authentication in the following data encryption mode:
Step 1: The Web information system, through the browser, asks the user to enter an account name and authentication data;
Step 2: The user enters the account name and the cryptographic identifier of the account through the browser, the cryptographic identifier being entered as the authentication data; the browser then submits the entered account name and the cryptographic identifier serving as account authentication data to the Web information system;
Step 3: After receiving the data submitted by the browser, the Web information system computes the hash value of the received cryptographic identifier and compares it with the hash value, stored in the user account data of the Web information system, of the cryptographic identifier of the user account corresponding to the account name submitted by the user; if they match, it encrypts a randomly generated string with the currently valid identity public key of the cryptographic identifier submitted by the user and returns the encrypted random string to the user-side browser; otherwise it returns an error;
Step 4: If the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received encrypted random string to the background processing program by network communication, requesting decryption of the encrypted random string;
Step 5: After receiving the request submitted by the user-side browser to decrypt the encrypted random string, the background processing program calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cryptographic identifier of the user account, and then returns the decrypted random string to the user-side browser;
Step 6: After receiving the decrypted random string returned by the background processing program, the user-side browser completes the login authentication operation either by returning the decrypted random string directly or by HMAC signing with the random string obtained by decryption.
5. A user login authentication method using the system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background processing program complete user login authentication in the following digital signature mode:
First step: The Web information system, through the browser, asks the user to enter an account name;
Second step: The user enters the account name through the browser, and the browser submits the entered account name to the Web information system;
Third step: After receiving the account name submitted by the browser, the Web information system uses the received account name to look up the authentication data of the corresponding user account in the user account data and so obtains the cryptographic identifier of the user account; it then returns the obtained cryptographic identifier and a randomly generated string to the user-side browser;
Fourth step: After receiving the data returned by the Web information system, the user-side browser submits the received cryptographic identifier and random string to the background processing program by network communication, requesting a digital signature on the returned random string;
Fifth step: After receiving the request submitted by the user-side browser to digitally sign the returned random string, the background processing program calls the cryptographic module to digitally sign the random string with the currently valid identity private key of the cryptographic identifier of the user account, and then returns the signature data to the user-side browser;
Sixth step: After receiving the signature data of the random string returned by the background processing program, the user-side browser submits the signature data to the Web information system;
Seventh step: After receiving the signature data of the random string submitted by the browser, the Web information system uses the random string it returned to the browser and the currently valid identity public key of the cryptographic identifier of the user account to verify the validity of the signature in the signature data submitted by the browser; if verification passes, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login; otherwise it refuses.
6. A user login authentication method using the system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if the hash value of a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background processing program complete user login authentication in the following digital signature mode:
Step one: The Web information system, through the browser, asks the user to enter an account name and authentication data;
Step two: The user enters the account name and the cryptographic identifier of the account through the browser, the cryptographic identifier being entered as the authentication data; the entered account name and the cryptographic identifier serving as account authentication data are then submitted to the Web information system;
Step three: After receiving the data submitted by the browser, the Web information system computes the hash value of the received cryptographic identifier and compares it with the hash value, stored in the user account data of the Web information system, of the cryptographic identifier of the user account corresponding to the account name submitted by the user; if they match, it returns the cryptographic identifier submitted by the user and a randomly generated string to the user-side browser; otherwise it returns an error;
Step four: If the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received cryptographic identifier and random string to the background processing program by network communication, requesting a digital signature on the returned random string;
Step five: After receiving the request submitted by the user-side browser to digitally sign the returned random string, the background processing program calls the cryptographic module to digitally sign the random string with the currently valid identity private key of the cryptographic identifier of the user account, and then returns the signature data to the user-side browser;
Step six: After receiving the signature data of the random string returned by the background processing program, the user-side browser submits the signature data to the Web information system;
Step seven: After receiving the signature data of the random string submitted by the browser, the Web information system uses the random string it returned to the browser and the currently valid identity public key of the cryptographic identifier of the user account to verify the validity of the signature in the signature data submitted by the browser; if verification passes, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login; otherwise it refuses.
7. The system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if the cryptographic identifier of the user account is entered by the user when registering an account in the Web information system, then after receiving the user's account registration information the Web information system first verifies, in digital signature mode or data encryption mode and in the same way as for login account authentication, that the user holds the private key of the cryptographic identifier entered at registration, thereby confirming that the user is the owner of the entered cryptographic identifier; once this verification succeeds it completes the account registration and saves the registration information, and otherwise it returns an error.
8. The system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if the identity-based cryptography used by the system is IBC and multiple different groups of IBC public parameters for cryptographic operations are supported, the Web information system determines as follows which public parameter group is used for cryptographic operations with the cryptographic identifier of the user account:
If the user enters and submits the account name and the cryptographic identifier serving as authentication data together when logging in to the Web information system through the browser, then before submitting the cryptographic identifier the browser first asks the background processing program, through a network communication mechanism, to return the indication information of the public parameter group used for cryptographic operations with that cryptographic identifier; on receiving the request the background processing program calls the cryptographic module to look up that indication information and returns it to the browser; after receiving the indication information of the public parameter group returned by the background processing program, the browser submits it to the Web information system together with the cryptographic identifier; and the Web information system determines, from the indication information of the public parameters submitted in the login request, the public parameter group used for cryptographic operations with the cryptographic identifier of the user account;
Otherwise, if the Web information system stores in the user account data the indication information of the public parameter group used for cryptographic operations with the cryptographic identifier of the user account, then before performing a cryptographic operation with the cryptographic identifier of the user account the Web information system first determines the public parameter group to use from that indication information in the user account data;
Otherwise, before performing a cryptographic operation with the cryptographic identifier of the user account, the Web information system first returns the cryptographic identifier of the user account to the user-side browser and requests the indication information of the public parameter group used for cryptographic operations with that cryptographic identifier; after receiving the cryptographic identifier and the request returned by the Web information system, the user-side browser submits the received cryptographic identifier to the local background processing program on the user side through a network communication mechanism and requests the same indication information; the background processing program calls the cryptographic module to look up the indication information of the public parameter group used for cryptographic operations with the cryptographic identifier of the user account and returns it to the user-side browser; the browser returns the obtained indication information to the Web information system; and the Web information system determines, from the returned indication information, the public parameter group used for cryptographic operations with the cryptographic identifier;
Further, if, while calling the cryptographic module to decrypt data that the Web information system encrypted with the cryptographic identifier, the background processing program finds that the Web information system used an incorrect public parameter group, the background processing program, through the browser, updates at the Web information system the indication information of the public parameter group used for cryptographic operations with the cryptographic identifier of the user account.
9. The system for user login authentication based on identity-based cryptography according to claim 1, characterized in that: if the Web information system also stores in the user account data a digital signature over the data formed by merging the user account name with the cryptographic identifier of the user account or the hash value of that cryptographic identifier, in order to prevent unauthorized modification of the user account name and of the account's cryptographic identifier or its hash value in the user account data, then during account authentication of a user login, after receiving the account name submitted by the user through the browser, the Web information system first verifies that digital signature to determine whether the user account name and the cryptographic identifier of the user account, or its hash value, stored in the account data of the Web information system have been modified; if they have been modified, it stops login account authentication and returns an error; otherwise it continues account authentication of the user login. The digital signature methods used for the digital signature over the merged data include symmetric-key digital signatures based on HMAC and digital signatures based on asymmetric-key cryptographic algorithms.
10. The user login authentication method of the system for user login authentication based on identity-based cryptography according to any one of claims 3-6, characterized in that the user login authentication method improves the security of user login authentication by one of the following schemes:
Scheme 1: Before signing the random string returned by the Web information system, or decrypting the returned encrypted random string, with the identity private key of the cryptographic identifier of the user account, the background processing program first pops up a human-computer interface telling the user that login processing is under way and asking whether to continue;
Scheme 2: A trusted Web information system is issued a digitally signed secure site token; when the user logs in to the Web information system, this secure site token is returned to the user-side browser together with the random string and is submitted by the browser to the background processing program. Before calling the cryptographic module to sign the returned random string, or decrypt the returned encrypted random string, with the identity private key of the cryptographic identifier of the user account, the background processing program first checks whether there is a trusted secure site token; if there is no secure site token, or the digital signature of the secure site token is not trusted, it pops up a human-computer interaction interface warning the user of the risk; if there is a trusted secure site token, it tells the user that the system to be accessed is trusted, displays the address of the website to be accessed, and asks whether to continue;
Scheme 3: Before returning the random string or encrypted random string to the user-side browser, the Web information system first digitally signs the data to be returned using public-key cryptography and then returns the data. Before calling the cryptographic module to sign the returned random string or decrypt the returned encrypted random string, the background processing program first verifies the digital signature on the data returned by the Web information system; if the returned data has no digital signature or the signature is not trusted, it pops up a human-computer interaction interface warning the user of the risk; if there is a digital signature and it is trusted, it tells the user that the system to be accessed is trusted and displays the address of the website to be accessed;
Scheme 4: When the user-side browser submits the random string or encrypted random string returned by the Web information system to the background processing program, it also submits the host address of the Web information system the user is logging in to. Before calling the cryptographic module to sign the returned random string, or decrypt the returned encrypted random string, with the identity private key of the cryptographic identifier of the user account, the background processing program first shows the user, through a human-computer interaction interface, the host address of the Web information system that the browser is currently accessing and asks whether to continue. If the user chooses to continue, it signs the returned random string or decrypts the returned encrypted random string, and then calls the cryptographic module to encrypt, with the public key of the Web information system, the signed random string, or the decrypted random string that is to be returned directly, or the login authentication data HMAC-signed with the decrypted random string; it then returns the encrypted data to the browser, which submits it to the Web information system. After receiving the encrypted data returned by the browser, the Web information system first decrypts it with its own private key and then carries out further login authentication processing on the decrypted data. The public key of the Web information system is either an IBC public key of the Web information system or a public key issued by a trusted key service system.
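The integrity check of claim 9 on stored account data, sketched here as an added example (not code from the patent) using the HMAC option that the claim names. The record layout, the SHA-256 choice, the server-held HMAC key and all function names are assumptions; the identity-based signing or encryption of the random string that follows the check is outside this sketch.

```python
import hashlib
import hmac
import secrets


class TamperedRecord(Exception):
    """Stored account name / authentication data no longer match their tag."""


def pack_fields(*fields):
    # Length-prefix each field before merging, so ("alice", "bob") and
    # ("aliceb", "ob") cannot serialise to the same bytes.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def record_tag(key, account_name, auth_data):
    """HMAC-SHA256 over the merged account name and authentication data."""
    merged = pack_fields(account_name.encode("utf-8"), auth_data)
    return hmac.new(key, merged, hashlib.sha256).digest()


def make_record(key, account_name, identifier, store_hash=False):
    """Account row (assumed layout): the authentication data is the
    cryptographic identifier itself or, with store_hash, its SHA-256 hash."""
    auth_data = identifier.encode("utf-8")
    if store_hash:
        auth_data = hashlib.sha256(auth_data).digest()
    return {"auth_data": auth_data, "hashed": store_hash,
            "tag": record_tag(key, account_name, auth_data)}


def begin_login(key, accounts, account_name, submitted_identifier=None):
    """Verify the stored record first, then issue this login's random string.

    Returns (identifier, random_string). The random string is what the server
    would next send for signing, or encrypt under that identifier.
    """
    row = accounts.get(account_name)
    if row is None:
        raise KeyError(account_name)
    expected = record_tag(key, account_name, row["auth_data"])
    if not hmac.compare_digest(row["tag"], expected):
        # Record was modified: stop login authentication and report an error.
        raise TamperedRecord(account_name)
    if row["hashed"]:
        # Hash variant (claims 4 and 6): the user submits the identifier and
        # the server compares its hash with the stored hash.
        if submitted_identifier is None:
            raise PermissionError("identifier required")
        digest = hashlib.sha256(submitted_identifier.encode("utf-8")).digest()
        if not hmac.compare_digest(digest, row["auth_data"]):
            raise PermissionError("identifier does not match account")
        identifier = submitted_identifier
    else:
        identifier = row["auth_data"].decode("utf-8")
    return identifier, secrets.token_urlsafe(32)


def login_outcome(key, accounts, account_name, submitted_identifier=None):
    """Map the result of begin_login to a short status string."""
    try:
        begin_login(key, accounts, account_name, submitted_identifier)
        return "challenge-issued"
    except TamperedRecord:
        return "tampered"
    except (KeyError, PermissionError):
        return "rejected"


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed server-side HMAC key
    accounts = {                           # constructed sample accounts
        "alice": make_record(key, "alice", "alice@example.com"),
        "bob": make_record(key, "bob", "bob@example.com", store_hash=True),
    }
    print(login_outcome(key, accounts, "alice"))
    # Identifier changed in storage without recomputing the tag:
    accounts["alice"]["auth_data"] = b"other@example.com"
    print(login_outcome(key, accounts, "alice"))
    # A valid row copied under another account name fails too, because the
    # account name is part of the tagged data:
    accounts["carol"] = dict(accounts["bob"])
    print(login_outcome(key, accounts, "carol", "bob@example.com"))
```

Because the tag covers the account name as well as the authentication data, both a changed identifier and a row copied to another account are caught before any random string is issued.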
CN201410244543.8A 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes Expired - Fee Related CN104038486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410244543.8A CN104038486B (en) 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410244543.8A CN104038486B (en) 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes

Publications (2)

Publication Number Publication Date
CN104038486A CN104038486A (en) 2014-09-10
CN104038486B true CN104038486B (en) 2017-05-10

Family

ID=51469075

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410244543.8A Expired - Fee Related CN104038486B (en) 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes

Country Status (1)

Country Link
CN (1) CN104038486B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12216565B2 (en) * 2019-05-23 2025-02-04 Connectfree Corporation Programming assist system and programming assist method

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105812341B (en) 2014-12-31 2019-03-29 阿里巴巴集团控股有限公司 A kind of method and device of identity user identity
CN105868213A (en) * 2015-01-22 2016-08-17 U3D有限公司 Method for delayed connection identification of account
CN105282150B (en) * 2015-09-16 2019-08-20 武汉理工大学 A Login Assistant System Oriented to Web System
CN105391727B (en) * 2015-11-26 2018-03-02 武汉理工大学 A kind of system login method based on mobile terminal
CN105281902B (en) * 2015-12-03 2018-04-20 武汉理工大学 A kind of Web system safe login method based on mobile terminal
CN105391549B (en) * 2015-12-10 2018-10-12 四川长虹电器股份有限公司 Communication dynamics key implementation method between client and server
CN105553970A (en) * 2015-12-14 2016-05-04 北京锐安科技有限公司 Information system safety inspection device and inspection result analysis method
CN105897424B (en) * 2016-03-14 2019-07-12 深圳奥联信息安全技术有限公司 A kind of enhancing identity authentication method
US10380100B2 (en) * 2016-04-27 2019-08-13 Western Digital Technologies, Inc. Generalized verification scheme for safe metadata modification
US10380069B2 (en) 2016-05-04 2019-08-13 Western Digital Technologies, Inc. Generalized write operations verification method
CN105933350A (en) * 2016-07-01 2016-09-07 浪潮(北京)电子信息产业有限公司 Security enhancement method and device for serial port protocol
CN106100889A (en) * 2016-07-01 2016-11-09 浪潮(北京)电子信息产业有限公司 The Enhancement Method of a kind of snmp protocol safety and device
CN107171789A (en) * 2017-04-20 2017-09-15 努比亚技术有限公司 A kind of safe login method, client device and server
US11720665B2 (en) 2019-08-13 2023-08-08 Google Llc Improving data integrity with trusted code attestation tokens
CN114297597B (en) * 2021-12-29 2023-03-24 渔翁信息技术股份有限公司 Account management method, system, equipment and computer readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103117861A (en) * 2013-01-31 2013-05-22 武汉理工大学 Pseudo RSA (Rivest Shamir Adleman) based method for transmitting IBE key information (identity based encryption) in IBE
CN103532709A (en) * 2013-09-24 2014-01-22 武汉理工大学 IBE (Identity Based Encryption) cryptographic equipment and data encryption and decryption method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103326853A (en) * 2012-03-22 2013-09-25 中兴通讯股份有限公司 Method and device for upgrading secret key

Also Published As

Publication number Publication date
CN104038486A (en) 2014-09-10

Similar Documents

Publication Publication Date Title
CN104038486B (en) System and method for realizing user login identification based on identification type codes
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
US11223614B2 (en) Single sign on with multiple authentication factors
US9871791B2 (en) Multi factor user authentication on multiple devices
CN102932149B (en) Integrated identity based encryption (IBE) data encryption system
US9838205B2 (en) Network authentication method for secure electronic transactions
US10567370B2 (en) Certificate authority
US8719952B1 (en) Systems and methods using passwords for secure storage of private keys on mobile devices
JP6012125B2 (en) Enhanced 2CHK authentication security through inquiry-type transactions
US11363009B2 (en) System and method for providing secure cloud-based single sign-on connections using a security service provider having zero-knowledge architecture
JP6105721B2 (en) Start of corporate trigger type 2CHK association
US9231925B1 (en) Network authentication method for secure electronic transactions
US8532620B2 (en) Trusted mobile device based security
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US8924714B2 (en) Authentication with an untrusted root
US20100042848A1 (en) Personalized I/O Device as Trusted Data Source
US20100185860A1 (en) Method for authenticating a communication channel between a client and a server
CN116112242B (en) Unified safety authentication method and system for power regulation and control system
Alsaid et al. Preventing phishing attacks using trusted computing technology
CN114079645A (en) Method and device for registering services
CN113545004A (en) Authentication system with reduced attack surface
US9882891B2 (en) Identity verification
CN113918984A (en) Blockchain-based application access method and system, storage medium, and electronic device
Corella et al. Strong and convenient multi-factor authentication on mobile devices
CN119011181A (en) Information processing method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170510