
CN101707613B - Authentication system based on trust negotiation and user login and collaboration systems and methods - Google Patents


Info

Publication number
CN101707613B
Authority: CN (China)
Prior art keywords: user, module, certificate, strategy, server
Legal status: Expired - Fee Related
Application number: CN 200910242235
Other languages: Chinese (zh)
Other versions: CN101707613A (en)
Inventors: 蒋文保, 刘思征
Current Assignee: Beijing Information Science and Technology University
Original Assignee: Beijing Information Science and Technology University
Application filed by Beijing Information Science and Technology University; priority to CN 200910242235; published as CN101707613A, granted and published as CN101707613B; current legal status: Expired - Fee Related.

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

An authentication system based on trust negotiation comprises a policy parsing module, a policy processing module, a certificate processing module, a policy library module, a certificate library module and a consistency checking module. A user login system using this authentication system comprises a user module, a user management module and a server trust negotiation module. A user collaboration system using this authentication system comprises at least two user modules, each containing its own user trust negotiation module and connected to one another over a network. The invention thereby provides an authentication system based on trust negotiation that increases the security of network application systems such as online games, together with a system and method for user login and a system and method for user collaboration that use the authentication system.

Description

Authentication system based on trust negotiation, and systems and methods for user login and collaboration

Technical field

The present invention relates to the field of broadcast communication, and in particular to an authentication system based on trust negotiation, a system and method for user login that uses the authentication system, and a system and method for user collaboration that uses the authentication system.

Background art

With the development of network technology and the accelerating informatization of society, networks and information systems are growing ever more important, and information security has become a global issue bearing on economic development, the public interest, social stability and national security. Strengthening information security assurance requires spreading security knowledge in many ways, raising public security awareness, and actively exploring diverse paths for training information security personnel. Games are one proven auxiliary means of doing this: they help people acquire security knowledge and improve their security awareness with comparatively little effort.

Well-known hacking games at home and abroad include Uplink, Hack The Game, the Hacker Elite series, the Hacker Base series and the hacking games published by the newspaper 电脑报. The developers of these games follow much the same approach: they concentrate on training the player's ability to apply specific hacking knowledge, but the format is one-dimensional, consisting essentially of applying various password-cracking methods to obtain the password needed to pass a level. They demand a great deal of cryptographic knowledge while touching on few other areas of hacking knowledge, and they have no storyline. A further problem common to these games is that every player plays alone, with no exchange or communication between players, which not only greatly reduces the fun of the game but also hinders players from learning from one another; the present invention therefore introduces a network collaboration mechanism on top of games of this kind.

In addition, although many other kinds of networked collaborative games exist outside the field of information security, existing networked collaborative games lack corresponding security protection measures, so incidents such as leakage of users' sensitive information and theft of game equipment and items occur from time to time, seriously dampening users' enthusiasm and even giving rise to many legal disputes.

Security has therefore become a key factor constraining the further development and application of networks.

At present the scheme widely used on the Internet is based on "username/password" pairs. Each website must provide its own user management system: a user requesting the site's services or resources must first fill in certain personal details and apply for a username and password, then log in with them on later visits. The advantage of this scheme is that it is simple and direct to implement, so it is widely used. Its drawbacks, however, are equally obvious. First, the granularity of access control is coarse and cannot satisfy any need for finer division. Second, usernames and passwords are relatively easy to steal, and once they are stolen all the information the user has stored in the system is at risk of theft, so the security of the system cannot be guaranteed.

Some websites use digital certificates to improve system security and to further confirm the user's identity and capabilities. The service requester submits the digital certificates it holds to demonstrate its attributes; the service provider grants authorization according to whether the requester's attributes satisfy the access control policy corresponding to the access request. However, digital certificates may well contain sensitive information, such as bank account details. A service requester should be unwilling to submit such a certificate blindly before the true identity of the service provider has been established; in other words, certificates carrying sensitive attribute information also need to be protected. Moreover, the requester and the provider of a service should interact only after two-way verification has been completed. Trust negotiation arose to meet this need: through the interleaved disclosure of digital certificates and access control policies, the requester and the provider of a service or resource establish a trust relationship automatically.

Summary of the invention

In view of the defects of the prior art described above, the object of the present invention is to provide an authentication system based on trust negotiation that increases the security of network application systems such as online games, a system and method for user login that uses the authentication system, and a system and method for user collaboration that uses the authentication system.

To achieve this object, the present invention adopts the following technical solutions:

An authentication system based on trust negotiation comprises a policy parsing module, a policy processing module, a certificate processing module, a policy library module, a certificate library module and a consistency checking module;

the policy library module stores policies;

the certificate library module stores certificates;

the policy parsing module parses an incoming policy and determines whether the policy involves sensitive certificates; if it does, the policy is handed to the policy processing module, and if not, to the certificate processing module;

the policy processing module retrieves the corresponding policy from the policy library module, returns it to the requesting party and stores the policy it provided in the consistency checking module; or, on a request from the policy parsing module that involves sensitive certificates, it retrieves the corresponding protection policy from the policy library module, returns it to the requesting party and stores the protection policy it provided in the consistency checking module;

the certificate processing module retrieves certificates from the certificate library module according to the sequence described in the policy and supplies the resulting certificate chain to the certificate requester, and stores a received certificate chain, in order, in the consistency checking module;

the consistency checking module checks that the received certificate chain is consistent with the policy; if so it informs the requesting party that trust negotiation has succeeded and provides the corresponding service, otherwise it informs the requesting party that trust negotiation has failed and provides no service.

In the authentication system based on trust negotiation of the present invention, the consistency checking module further comprises a sequence set module, which stores certificate chains.

A user login system using the above authentication system based on trust negotiation comprises a user module, a user management module and a server trust negotiation module;

the user module sends its user information to the user management module and makes an access request;

the user management module verifies the user information; if verification fails it informs the user module that login has failed, and if it succeeds it forwards the access request to the server trust negotiation module;

the server trust negotiation module receives the access request forwarded by the user management module, retrieves the corresponding policy according to information such as the user level held in the user management module, returns it to the user module and saves the policy;

the user module receives the policy returned by the server trust negotiation module, looks up the corresponding certificates as the policy requires, forms a certificate chain and sends it to the server trust negotiation module;

the server trust negotiation module saves the certificate chain in order and checks it against the saved policy; if the two are consistent it informs the user module that negotiation has succeeded and the user module may perform the corresponding access, otherwise it informs the user module that login has failed.

In the user login system of the present invention, the user module comprises a user login module and a user trust negotiation module, the user trust negotiation module comprising a user policy parsing module, a user policy processing module, a user certificate processing module, a user policy library module, a user certificate library module and a user consistency checking module; the user management module comprises a user registration management module, a user login management module, a user level management module and a user information storage module; and the server trust negotiation module comprises a server policy parsing module, a server policy processing module, a server certificate processing module, a server policy library module, a server certificate library module and a server consistency checking module;

the user login module sends its user information to the user login management module and sends an access request;

the user login management module looks up the user information in the user information storage module and verifies it; if verification fails it informs the user login module that login has failed, and if it succeeds it sends the access request to the server policy processing module;

the server policy processing module, on the game-stage access request sent by the user login management module, retrieves the corresponding policy from the server policy library module according to information such as the user level held in the user level management module, returns it to the user trust negotiation module and saves the policy in the server consistency checking module;

the user policy parsing module in the user trust negotiation module receives the policy returned by the server policy processing module and hands it to the user certificate processing module, which looks up the corresponding certificates in the user certificate library module as the policy requires, forms a certificate chain and sends it to the server certificate processing module;

the server certificate processing module stores the certificate chain, in order, in the server consistency checking module, which checks it against the saved policy; if the two are consistent it informs the user login module that negotiation has succeeded and the user login module may perform the corresponding access, otherwise it informs the user login module that login has failed.

In the user login system of the present invention, the server consistency checking module further comprises a server sequence set module, which stores certificate chains.

A user collaboration system using the above authentication system based on trust negotiation comprises at least two user modules, each containing its own user trust negotiation module, the user modules being connected to one another over a network;

user A and user B establish a connection and user B returns information to user A; the user A policy parsing module in the user A trust negotiation module determines whether the information returned by user B is a policy or a certificate;

if it is a policy, it is parsed to see whether it involves a sensitive certificate held by user A. If it does, the user A policy parsing module notifies the user A policy processing module, which retrieves from the user A policy library module the protection policy for that sensitive certificate and returns it to the user B trust negotiation module. If it does not, the user A policy parsing module notifies the user A certificate processing module, which, according to the access control policy sent by user B, retrieves from the user A certificate library module the certificates that user B's policy involves and returns them to the user B trust negotiation module;

if the user A policy parsing module determines that the information returned by user B is a certificate, it notifies the user A certificate processing module, which saves the certificate returned by user B in the user A consistency checking module; the user A consistency checking module checks whether the certificate is consistent with the requirements of the policy that user A previously presented to user B. If so, the two parties establish a trust relationship and user B can collaborate and communicate with user A, each learning the sensitive information the other holds; otherwise user B is informed that negotiation has failed and the two parties cannot establish a collaborative connection.

A login method for the user login system using the above authentication system based on trust negotiation comprises the following steps:

the user login module sends user information such as the user's username and password to the user login management module and makes an access request;

the user login management module looks up the user information in the user information storage module and verifies it; if verification fails it informs the user login module that login has failed, and if it succeeds it sends the access request to the server policy processing module, which, according to the access request from the user login management module and information such as the user level held in the user level management module, retrieves the corresponding policy from the server policy library module, returns it to the user trust negotiation module and saves the policy in the server consistency checking module;

the user policy parsing module in the user trust negotiation module receives the policy returned by the server policy processing module and hands it to the user certificate processing module, which looks up the corresponding certificates in the user certificate library module as the policy requires, forms a certificate chain and sends it to the server certificate processing module, which stores the certificate chain, in order, in the server sequence set within the server consistency checking module;

the server consistency checking module checks the certificate chain saved by the server certificate processing module against the policy saved by the server policy processing module; if the two are consistent it informs the user login module that negotiation has succeeded and the user login module may perform the corresponding access, otherwise it informs the user that login has failed.
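The following is an added example, not code from the patent or from the applicant, that models the login method above end to end together with the core modules it relies on (policy library, certificate library, sequence set and consistency check). Everything the patent leaves unspecified is an assumption here: certificates are authenticated with an HMAC keyed by the issuing server rather than a public-key signature, a policy is an ordered list of attribute names selected by user level, and all user names, passwords and attribute names are constructed sample data.

```python
# Added example (not code from the patent): a runnable model of the login flow
# above. Assumptions not on the page: HMAC-keyed certificates, policies as
# ordered attribute lists chosen by user level, constructed sample data.
import hashlib
import hmac
import os
from dataclasses import dataclass

ISSUER = "game-server"
ISSUER_KEY = b"constructed-issuer-key"  # hypothetical key held only by the server


@dataclass(frozen=True)
class Certificate:
    subject: str
    attribute: str
    issuer: str
    signature: bytes


def issue(subject, attribute):
    """The server issues a privilege-attribute certificate to a user."""
    body = f"{subject}|{attribute}|{ISSUER}".encode()
    return Certificate(subject, attribute, ISSUER, hmac.new(ISSUER_KEY, body, "sha256").digest())


def verify(cert):
    """Check the issuer's signature on a certificate (constant-time compare)."""
    body = f"{cert.subject}|{cert.attribute}|{cert.issuer}".encode()
    expected = hmac.new(ISSUER_KEY, body, "sha256").digest()
    return cert.issuer == ISSUER and hmac.compare_digest(expected, cert.signature)


# Server policy library: user level -> certificate chain, in the order it must be presented.
POLICY_LIBRARY = {
    1: ["registered"],
    2: ["registered", "stage2-cleared"],
    3: ["registered", "stage2-cleared", "stage3-cleared"],
}


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    """User management module plus server trust negotiation module."""

    def __init__(self):
        self.users = {}          # user information storage module
        self.saved_policy = {}   # server consistency-check module: policy per user session
        self.sequence_set = {}   # server sequence-set module: received chain per user session

    def register(self, name, password, level):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "digest": hash_password(password, salt), "level": level}

    def login(self, name, password):
        """Password check; on success return and save the policy for the user's level."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["digest"]):
            return None
        policy = POLICY_LIBRARY[user["level"]]
        self.saved_policy[name] = policy
        return policy

    def negotiate(self, name, chain):
        """Store the received chain in order, then check it against the saved policy."""
        policy = self.saved_policy.get(name)
        if policy is None:
            return False
        self.sequence_set[name] = list(chain)
        if [c.attribute for c in chain] != policy:   # wrong certificates or wrong order
            return False
        return all(c.subject == name and verify(c) for c in chain)


class UserClient:
    """User login module plus the user's certificate library."""

    def __init__(self, name, certs):
        self.name = name
        self.cert_library = {c.attribute: c for c in certs}

    def build_chain(self, policy):
        """Look up the certificates the policy requires, in the policy's order."""
        if any(a not in self.cert_library for a in policy):
            return None
        return [self.cert_library[a] for a in policy]


def login_flow(server, client, password):
    policy = server.login(client.name, password)
    if policy is None:
        return "login failed"
    chain = client.build_chain(policy)
    if chain is not None and server.negotiate(client.name, chain):
        return "negotiation succeeded"
    return "negotiation failed"


def demo():
    """Constructed scenario: alice holds the level-2 chain, bob lacks one certificate."""
    server = Server()
    server.register("alice", "correct horse", level=2)
    server.register("bob", "battery staple", level=2)
    alice = UserClient("alice", [issue("alice", "registered"), issue("alice", "stage2-cleared")])
    bob = UserClient("bob", [issue("bob", "registered")])
    return {
        "alice": login_flow(server, alice, "correct horse"),
        "alice-wrong-password": login_flow(server, alice, "wrong"),
        "bob": login_flow(server, bob, "battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks the patent's consistency module performs are kept separate on purpose: the chain must match the saved policy attribute by attribute and in order, and every certificate in it must both name the logged-in user as subject and carry a valid issuer signature, so a certificate borrowed from another account or forged without the issuer key fails even when its attribute list is right.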

A collaboration method for the user collaboration system using the above authentication system based on trust negotiation comprises the following steps:

the user A policy parsing module in the user A trust negotiation module determines whether the information returned by user B is a policy or a certificate;

if it is a policy, the user A policy parsing module parses it to see whether it involves a sensitive certificate held by user A. If it does, the user A policy parsing module notifies the user A policy processing module, which retrieves from the user A policy library module the protection policy for that sensitive certificate and returns it to the user B trust negotiation module. If it does not, the user A policy parsing module notifies the user A certificate processing module, which, according to the access control policy sent by user B, retrieves from the user A certificate library module the certificates that user B's policy involves and returns them to the user B trust negotiation module;

if it is a certificate, the user A policy parsing module notifies the user A certificate processing module, which saves the certificate returned by user B in the user A consistency checking module; the user A consistency checking module checks whether the certificate is consistent with the requirements of the policy that user A previously presented to user B. If so, the two parties establish a trust relationship and user B can collaborate and communicate with user A, each learning the sensitive information the other holds; otherwise user B is informed that negotiation has failed and the two parties cannot establish a collaborative connection.

Through certificate exchange, trust negotiation can automatically and dynamically establish trust relationships between unfamiliar network entities in different security domains; both negotiating parties can protect their own sensitive resources by defining policies and apply access control to the other party's requests; and no trusted third party needs to take part in the negotiation.

Because the present invention adopts a system and method of trust-negotiation authentication, further authentication can be performed, securing the authentication and thereby increasing the security of the networked collaborative game system.
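The following is an added example, not code from the patent or from the applicant, that runs the peer collaboration negotiation described in the steps above with both sides' messages. Each peer runs the same negotiator: an incoming policy is answered with a certificate chain, or, when it names one of the peer's sensitive certificates, with that certificate's protection policy; an incoming chain is checked against the policy the peer itself sent most recently. The patent does not say how a peer keeps track of nested protection policies, so two per-peer stacks (outstanding policies and deferred requests) and a round cap that stops two protection policies that depend on each other from looping are assumptions here, as are the certificate format, the issuer name and every attribute name.

```python
# Added example (not code from the patent): both sides of the peer negotiation
# above. Assumptions not on the page: certificates are (subject, attribute,
# issuer) records trusted by issuer name, per-peer stacks track outstanding
# policies and deferred requests, and a round cap guards against policy cycles.
from dataclasses import dataclass, field

TRUSTED_ISSUERS = {"game-server"}   # constructed issuer name


@dataclass(frozen=True)
class Cert:
    subject: str
    attribute: str
    issuer: str = "game-server"


@dataclass
class Message:
    kind: str                       # "policy", "certs", "trust" or "fail"
    attrs: list = field(default_factory=list)
    certs: list = field(default_factory=list)


class Peer:
    def __init__(self, name, certs, sensitive, access_policy, protection_policies):
        self.name = name
        self.cert_library = {c.attribute: c for c in certs}   # user certificate library module
        self.sensitive = set(sensitive)                        # attributes whose certificates are sensitive
        self.access_policy = list(access_policy)               # policy library: what the other peer must show
        self.protection_policies = dict(protection_policies)   # policy library: sensitive attr -> policy
        self.sent_policies = []   # consistency-check module: policies still awaiting a chain
        self.pending = []         # requests deferred until a protection policy is satisfied

    def open(self):
        """The initiator sends its access control policy to the other peer."""
        self.sent_policies.append(self.access_policy)
        return Message("policy", attrs=self.access_policy)

    def disclose(self, attrs):
        """Certificate processing module: form the chain in the policy's order."""
        if any(a not in self.cert_library for a in attrs):
            return Message("fail")
        return Message("certs", certs=[self.cert_library[a] for a in attrs])

    def check(self, chain):
        """Consistency check of a received chain against the policy this peer last sent."""
        if not self.sent_policies:
            return False
        expected = self.sent_policies.pop()
        return [c.attribute for c in chain] == expected and all(c.issuer in TRUSTED_ISSUERS for c in chain)

    def handle(self, msg):
        """Policy parsing module: route an incoming policy or certificate chain."""
        if msg.kind == "policy":
            blocked = [a for a in msg.attrs if a in self.sensitive]
            if not blocked:
                return self.disclose(msg.attrs)
            if any(a not in self.protection_policies for a in blocked):
                return Message("fail")     # sensitive certificate with no protection policy is never released
            protection = []
            for a in blocked:              # merge the protection policies of all blocked attributes
                protection += [p for p in self.protection_policies[a] if p not in protection]
            self.pending.append(msg.attrs)
            self.sent_policies.append(protection)
            return Message("policy", attrs=protection)
        if msg.kind == "certs":
            if not self.check(msg.certs):
                return Message("fail")
            if self.pending:               # protection policy satisfied: release the deferred chain
                return self.disclose(self.pending.pop())
            return Message("trust")        # the initiator's own policy has been satisfied
        return Message("fail")


def negotiate(a, b, max_rounds=8):
    """Run A's negotiation with B; returns (trust_established, transcript)."""
    transcript = []
    msg, sender, receiver = a.open(), a, b
    for _ in range(max_rounds):
        transcript.append((sender.name, msg.kind, msg.attrs or [c.attribute for c in msg.certs]))
        reply = receiver.handle(msg)
        if reply.kind in ("trust", "fail"):
            return reply.kind == "trust", transcript
        msg, sender, receiver = reply, receiver, sender
    return False, transcript               # cyclic protection policies: give up


def make_peers():
    """Constructed scenario: B's guild certificate is sensitive and released only after A shows 'player'."""
    a = Peer("A", [Cert("A", "player"), Cert("A", "guild")], sensitive=[],
             access_policy=["player", "guild"], protection_policies={})
    b = Peer("B", [Cert("B", "player"), Cert("B", "guild")], sensitive=["guild"],
             access_policy=["player"], protection_policies={"guild": ["player"]})
    return a, b


if __name__ == "__main__":
    established, log = negotiate(*make_peers())
    print(established, log)
```

In the constructed scenario the transcript is four messages: A's policy, B's protection policy for its guild certificate, A's `player` certificate, and finally B's full chain, which A's consistency check accepts. The round cap matters because the patent's procedure has no built-in stop: if A protects `player` with a policy demanding `guild` while B protects `guild` with a policy demanding `player`, the two peers would exchange protection policies indefinitely.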

Brief description of the drawings

Fig. 1 is a system block diagram of an authentication system based on trust negotiation according to the present invention;

Fig. 2 is a system block diagram of a network attack-and-defence game system using the authentication system based on trust negotiation of the present invention;

Fig. 3 is a block diagram of a user collaboration system using the authentication system based on trust negotiation of the present invention;

Fig. 4 is a flowchart of the login method of the user login system using the authentication system based on trust negotiation of the present invention;

Fig. 5 is a flowchart of the collaboration method of the user collaboration system using the authentication system based on trust negotiation of the present invention;

Fig. 6 is a schematic diagram of user A's negotiation process during user login according to the present invention;

Fig. 7 is a schematic diagram of user B's negotiation process during user login according to the present invention;

Fig. 8 is a schematic diagram of the negotiation process between user A and user B during user negotiation according to the present invention;

Fig. 9 is a schematic diagram of the negotiation process of user A and user B with the server during user negotiation according to the present invention.

Detailed description of embodiments

Embodiments of the authentication system based on trust negotiation and of the systems and methods for user login and collaboration of the present invention are described in detail below with reference to the accompanying drawings.

Referring to Fig. 1, an authentication system based on trust negotiation comprises a policy parsing module 1, a policy processing module 2, a certificate processing module 3, a policy library module 4, a certificate library module 5 and a consistency checking module 6.

The policy parsing module 1 parses the policy passed in by the other party and determines whether it involves sensitive certificates; if it does, the policy is handed to the policy processing module 2, and if not, to the certificate processing module 3;

When requested, the policy processing module 2 retrieves the corresponding policy from the policy library module 4, returns it to the requesting party and stores the policy it provided in the consistency checking module 6; or, on a request from the policy parsing module 1 that involves sensitive certificates, it retrieves the corresponding protection policy from the policy library module 4, returns it to the requesting party and stores the protection policy it provided in the consistency checking module 6;

The certificate processing module 3 retrieves certificates from the certificate library module 5 according to the sequence described in the policy and supplies the certificate chain to the certificate requester, and stores a received certificate chain, in order, in the sequence set module 7 within the consistency checking module 6;

The policy library module 4 stores the corresponding policies, comprising access control policies and negotiation policies. Access control policy is the principal policy of network security protection; its task is to ensure that network resources are not used or accessed illegitimately. In the present invention an access control policy specifies the set of credentials that must be presented to access a protected resource. A negotiation policy is the certificate disclosure rule of an entity taking part in trust negotiation; it expresses a logical relationship the entity follows in completing the negotiation, for example the order in which messages pass between entities and various constraints between them;

The certificate library module 5 stores the corresponding certificates. A certificate is a privilege-attribute digital certificate issued by an authority, containing among other things the issuing authority's signature and the public key of the credential holder, and is used to authorize a subject; most of the certificates used in the present invention are issued to users by the server;

The sequence set module 7 stores certificate chains in order;

The consistency checking module 6 checks that the received certificate chain is consistent with the policy; if so it informs the requesting party that trust negotiation has succeeded and provides the corresponding service, otherwise it informs the requesting party that trust negotiation has failed and provides no service.

Referring to Fig. 2, the present invention uses a network attack-and-defense game system to illustrate the user login system and the user collaboration system that employ the authentication system of the present invention.

A network attack-and-defense game system based on the trust negotiation authentication system comprises several user modules 10, a user management module 20, a server trust negotiation module 30, a system level module 40, a network collaboration module 50 and a credibility evaluation module 80. The user module 10 comprises a user login module 11 and a user trust negotiation module 12; the user management module 20 comprises a user registration management module 21, a user login management module 22, a user rank management module 23 and a user information storage module 24; the system level module 40 comprises a quiz module 41, a points management module 42 and a specific level module 43; the network collaboration module 50 comprises a WEB chat module 51 and an online user management module 52.

The user login system of the present invention, which employs the trust-negotiation-based authentication system, comprises a user module 10, a user management module 20 and a server trust negotiation module 30. The user module 10 comprises a user login module 11 and a user trust negotiation module 12; the user management module 20 comprises a user registration management module 21, a user login management module 22, a user rank management module 23 and a user information storage module 24.

The user login module 11 is used by the user to register and log in.

The user registration management module 21 receives registrations and logins from the user login module 11, presents a registration interface to a user who logs in for the first time and, once registration succeeds, stores the user's information in the user information storage module 24.

The user login management module 22 checks the user information (user name and password) supplied by the user login module 11 during login by querying the user information held in the user information storage module 24. After the check succeeds, it passes the user information to the server trust negotiation module 30 for further verification of the user's identity and permissions.

The user rank management module 23 stores the user's rank after the user clears a level.

The user information storage module 24 stores user information, including user names and passwords.

After registering, when the user logs in to the system, the user login module 11 sends the user's information such as user name and password to the user login management module 22 and requests access to the corresponding level. The user login management module 22 queries the user information in the user information storage module 24 and checks it; if the check fails, it informs the user login module 11 that login failed; if it succeeds, it sends a level access request to the server policy processing module 302. Based on the level access request from the user login management module 22 and on information such as the user's rank in the user rank management module 23, the server policy processing module 302 retrieves the corresponding policy from the server policy library module 304, returns it to the user trust negotiation module 12 and saves it in the server consistency check module 306. The user policy parsing module 121 in the user trust negotiation module 12 receives the policy returned by the server policy processing module 302 and hands it to the user certificate processing module 123, which looks up the certificates the policy requires in the user certificate library module 125, forms a certificate chain and sends the chain to the server certificate processing module 303. The server certificate processing module 303 stores the chain, in order, in the server sequence set 307 inside the server consistency check module 306, and the server consistency check module 306 checks the chain against the saved policy. If the two are consistent, the user login module 11 is told that negotiation succeeded and may access the corresponding level; otherwise it is told that negotiation failed and has no permission to access that level.

When the server consistency check module 306 informs the user that negotiation succeeded, the user login module 11 enters the system level module 40 to play the game. The system level module 40 comprises a quiz module 41, a points management module 42 and a specific level module 43. The quiz module 41 presents multiple-choice questions on the information security techniques used in the current level; the points management module 42 counts the total number of questions a user answered in the quiz module 41 and the number answered correctly, awards one point per correct answer and sends the tally to the specific level module 43; the specific level module 43 is the body of the game, presented as a WEB interface, and its levels cover many areas of information security knowledge, such as encryption and decryption, information hiding, denial-of-service attacks and the principles of Trojan horses. When the user passes the specific level module 43, it sends information such as the user's points and rank after clearing the level to the user rank management module 23.

While playing, users may use the network collaboration module 50 to play cooperatively. The network collaboration module 50 comprises a WEB chat module 51 and an online user management module 52. The WEB chat module 51 is the main interface for user communication; embedded in the game system's WEB interface, it offers private chat and group broadcast, and users can choose fonts and emoticons as they wish. A user selects another user from the online user list, which triggers the two users' trust negotiation modules; through these modules the two parties negotiate to establish a basic trust relationship, and then communicate, discuss how to tackle a level and work on it together.

The online user management module 52 keeps statistics on online users and orders them by rank, making it easy for a user to find and select a suitable user to obtain help from or collaborate with.

The credibility evaluation module 80 takes the user's points record from the specific level module 43 and computes the user's accuracy with the formula accuracy = (points actually earned by the user / points the user could have earned) * 100%. From the range in which the accuracy falls it derives the user's credibility and sends it to the user rank management module 23, so that the server policy processing module 302 in the server trust negotiation module 30 can offer the user a different policy according to that credibility.

The user collaboration system employing the trust-negotiation-based authentication system of the present invention comprises at least two user modules; each user module has its own trust negotiation module, and the user modules are connected to one another over the network.

With reference to FIG. 3, the system is described in detail by taking user A's trust negotiation module 60 and user B's trust negotiation module 70 as an example.

After user A and user B have logged in, they each enter the system level module 40 and the network collaboration module 50; when user A selects user B from the online user list, the two users' trust negotiation modules are triggered.

At this point, once a connection has been established for user A's request to user B, or for user B's request to user A, user A's trust negotiation module 60 or user B's trust negotiation module 70 provides the other party's trust negotiation module with a reply message. If user A makes the request to user B, user B returns an access control policy to user A; if user B makes the request to user A, user A returns an access control policy to user B. Taking user A's processing as the example: the user A policy parsing module 601 in user A's trust negotiation module 60 determines whether the message returned by user B is a policy or a certificate. If it is a policy, user A has requested a collaborative connection from user B, and the user A policy parsing module 601 parses the policy returned by user B's trust negotiation module 70 to see whether it involves any sensitive certificate held by user A. If it does, the user A policy parsing module 601 notifies the user A policy processing module 602, which retrieves the protection policy for those sensitive certificates from the user A policy library module 604 and returns that protection policy to user B's trust negotiation module 70. If the parsing result involves no sensitive certificate, the user A policy parsing module 601 notifies the user A certificate processing module 603, which, according to the access control policy sent by user B, retrieves from the user A certificate library module 605 the certificates that policy requires and returns them to user B's trust negotiation module 70. If the user A policy parsing module 601 determines that the message returned by user B is a certificate, then user B has requested a connection from user A: user A's trust negotiation module 60 previously returned an access control policy to user B's trust negotiation module 70, and user B's trust negotiation module 70 performed the actions described above for user A's trust negotiation module 60 and returned certificates to user A's trust negotiation module 60. The user A policy parsing module 601 then notifies the user A certificate processing module 603, which saves the certificates returned by user B in the user A consistency check module 606; the user A consistency check module 606 checks whether those certificates satisfy the policy user A earlier proposed to user B. If they do, the two parties establish a trust relationship and user B can collaborate and communicate with user A, learning the sensitive information each holds; otherwise user B is told that negotiation failed and no collaborative connection can be established.

Through the exchange of trust credentials between the user trust negotiation module 12 and the server trust negotiation module 30, the server trust negotiation module 30 obtains further confirmation that the user's identity is genuine and grants the user access rights according to the credentials the user submits; and through the exchange of trust credentials between the users' trust negotiation modules, users can communicate and work on levels together.

Referring to Fig. 4, a login method for a user login system employing the trust-negotiation-based authentication system of the present invention comprises the following steps:

Step 401: the user login module sends the user's information such as user name and password to the user login management module and requests access to the corresponding level.

Step 402: the user login management module queries the user information in the user information storage module and checks it; if the check fails, it informs the user login module that login failed; if it succeeds, it sends a level access request to the server policy processing module.

Step 403: based on the level access request from the user login management module and on information such as the user's rank in the user rank management module, the server policy processing module retrieves the corresponding policy from the server policy library module, returns it to the user trust negotiation module and saves it in the server consistency check module.

Step 404: the user policy parsing module in the user trust negotiation module receives the policy returned by the server policy processing module and hands it to the user certificate processing module.

Step 405: the user certificate processing module looks up the certificates the policy requires in the user certificate library module, forms a certificate chain and sends the chain to the server certificate processing module.

Step 406: the server certificate processing module stores the certificate chain, in order, in the server sequence set inside the server consistency check module.

Step 407: the server consistency check module checks the certificate chain saved by the server certificate processing module against the policy saved by the server policy processing module; if the two are consistent, the user login module is told that negotiation succeeded and may access the corresponding level; otherwise the user is told that negotiation failed and has no permission to access that level.

By verifying the attributes of the credentials submitted through the user management module, the server trust negotiation module further confirms the user's identity and the permissions the user holds, which improves system security.

Referring to Fig. 5, a collaboration method for a user collaboration system employing the trust-negotiation-based authentication system of the present invention comprises the following steps:

Step 501: the user A policy parsing module in user A's trust negotiation module determines whether the message returned by user B is a policy or a certificate; if it is a policy, go to step 502, otherwise go to step 505.

Step 502: the user A policy parsing module parses the message returned by user B to see whether it involves any sensitive certificate held by user A; if it does, go to step 503, otherwise go to step 504.

Step 503: the user A policy parsing module notifies the user A policy processing module, which retrieves the protection policy for the sensitive certificates from the user A policy library module and returns that protection policy to user B's trust negotiation module.

Step 504: the user A policy parsing module notifies the user A certificate processing module, which, according to the access control policy sent by user B, retrieves from the user A certificate library module the certificates that policy requires and returns them to user B's trust negotiation module.

Step 505: the user A policy parsing module notifies the user A certificate processing module, which saves the certificate returned by user B in the user A consistency check module; the user A consistency check module checks whether that certificate satisfies the policy user A earlier proposed to user B; if it does, go to step 506, otherwise go to step 507.

Step 506: the two parties establish a trust relationship, and user B can collaborate and communicate with user A, learning the sensitive information each holds.

Step 507: user B is told that negotiation failed, and no collaborative connection can be established.

Some concepts used in the present invention are explained below:

A digital credential is a digital means of carrying a user's identity, attributes and other characteristics. Because a credential represents the user's identity, it must be verifiable and unforgeable. According to their use in different systems, credentials are divided into identity certificates and attribute certificates.

Authentication confirms that a participant's identity is genuine and, by checking the consistency of the user's identity, prevents impersonation. Before trust negotiation begins, determining whether the identities of the communicating parties are legitimate is what keeps the system secure, and it is also the prerequisite for checking user authorization, exchanging certificates and auditing the system. The main authentication method is to check whether the user name and password the user submits are genuine. A system with a high security level must additionally extract identity information from the certificates the user submits in order to verify the user's identity and capabilities.

Authorization means analysing the certificates a user submits and, according to the attribute values on them, assigning the user permissions to access resources. What operations a user may perform on a resource, or what services the user may enjoy, is expressed entirely in the system's authorization of that user. In a trust management system based on identity authentication, authorizing a user mainly means enabling the user's corresponding control operations on resources.

A policy protects resources from unauthorized access by legitimate users, thereby regulating how legitimate users may operate on them. The access control policy determines which certificates are disclosed during automated trust negotiation and in what order. According to what they protect, trust negotiation policies are divided into service or resource protection policies and sensitive certificate protection policies.

According to the complexity of their description, access control policies are divided into meta-policies and composite policies. Meta-policies are the basic elements from which composite policies are built; their relationship resembles that between metadata and data. Typically the system provides operators such as "∧/∨/!" to compose and decompose composite policies.

A meta-policy comprises the following fields:

issuer, holder, attribute name, attribute value, ..., validity period

The principle of trust negotiation is explained below:

Trust negotiation is modelled on how trust relationships are established in daily life, where we often have to establish trust with strangers. For example, when stopped by a traffic police officer while driving, we are asked to show our driving licence; but to confirm that the officer is genuine we usually ask the officer to show a police warrant card first, and only then do we show our own licence. That is a simple process of establishing a trust relationship. In a computer network, the requester and the provider of a service or resource establish a trust relationship automatically through the interactive disclosure of digital certificates and access control policies. This is trust negotiation.

An example of the trust negotiation process:

The two parties in a trust negotiation must pass the relevant certificates to each other, and only after the certificates are verified may the relevant resources be accessed. Access policies are described as follows:

Definition 1: P_R is the access policy of a resource and P_C the access policy of a sensitive certificate. F_R(C1, ..., Ck) is the certificate chain for accessing the resource and F_C(C1, ..., Ck) the certificate chain for accessing the sensitive certificate. The resource or sensitive certificate is disclosed only when the certificate chain represented by F_R or F_C evaluates to true; this is written P_R ← F_R(C1, C2, ..., Ck) and P_C ← F_C(C1, C2, ..., Ck). When the chain evaluates to false, the resource or sensitive certificate is not disclosed.

Definition 2: C1, C2, ..., Ck denote different trust credentials; they are joined by the logical connectives ∧ (and) and ∨ (or) to form a certificate chain. Once the joined chain has passed the consistency check, the chain F_R or F_C evaluates to true if the requirements are met and to false otherwise.

For example, F_R(C1∧C2∧C3) is a certificate chain required for a resource: F_R is true only when C1, C2 and C3 are all satisfied, and P_R ← F_R(C1, C2, C3). Likewise F_C(C1∨C2∨C3) is a certificate chain required for a sensitive certificate: F_C is true when any one of C1, C2 and C3 is satisfied, and P_C ← F_C(C1, C2, C3).

A user's points reflect how much information security knowledge the user has, and indirectly how capable the user is of clearing levels. For a user with high points, a claim to have passed a given level is fairly credible; for a user with relatively low points, such a claim needs more checking. The formula

accuracy = (points actually earned by the user / points the user could have earned) * 100%

gives the user's accuracy, and the range in which it falls gives the following credibility:

Accuracy      0%-10%   10%-35%   35%-65%   65%-90%   90%-100%
Credibility   0        1         2         3         4

During negotiation, credibility serves as the reference index, and offering different policies to users of different credibility is the adaptive policy mode. The higher the credibility, the simpler the policy used in the negotiation; the lower the credibility, the more complex the negotiation policy.

Example 1: two users both have permission to enter level three directly, but their points differ: user A answered every quiz question correctly, while user B answered every question wrong. At login, the negotiation for users A and B proceeds as follows:

Referring to Fig. 6, user A's negotiation:

User A: submits user name and password and requests permission for level three;

Server: verifies the user name and password, looks up the user's points and, based on them, issues the policy P_third allowing A to access level three;

User A: searches its certificates and returns F_third(C1∧C2∧C3);

Server: verifies the certificates sent by user A and reports that negotiation succeeded;

Referring to Fig. 7, user B's negotiation:

User B: submits user name and password and requests permission for level three;

Server: verifies the user name and password, looks up the user's points and, based on them, issues the policy P_first allowing B to access level one;

User B: searches its certificates and returns the certificate F_first(C1);

Server: verifies certificate C1 and returns the policy P_second for level-two permission;

User B: searches its certificates and returns the certificate F_second(C2);

Server: verifies certificate C2 and returns the policy P_third for level-three permission;

User B: searches its certificates and returns the certificate F_third(C3);

Server: verifies certificate C3 sent by user B and reports that negotiation succeeded;

Here C1, C2 and C3 denote the permission certificates the system returns to the user after passing levels one, two and three respectively.
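The accuracy-to-credibility table, the adaptive policy mode and the ∧/∨ certificate-chain consistency check, with Example 1 run end to end for users A and B, as an added Python example that is not part of the patent. The issuer name "server", the credibility threshold of 3 for receiving the one-shot policy, and the treatment of band boundaries are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple, Union

SERVER = "server"              # constructed issuer name for all level certificates
DIRECT_POLICY_CREDIBILITY = 3  # assumption: at this credibility or above the server sends one combined policy


@dataclass(frozen=True)
class Credential:
    name: str     # "C1".."C3": permission certificate for level 1..3
    issuer: str
    holder: str


# A chain F(C1, ..., Ck): a leaf is a certificate name, a node is ("and"|"or", operand, ...).
Policy = Union[str, Tuple]


def leaves(policy: Policy) -> List[str]:
    """Certificate names a policy mentions; the user certificate processing module looks these up."""
    if isinstance(policy, str):
        return [policy]
    return [leaf for operand in policy[1:] for leaf in leaves(operand)]


def evaluate(policy: Policy, chain: Sequence[Credential], holder: str) -> bool:
    """Consistency check: does the presented chain make F(...) true?
    A leaf counts only if a certificate of that name, issued by SERVER to `holder`, is in the chain."""
    if isinstance(policy, str):
        return any(c.name == policy and c.issuer == SERVER and c.holder == holder for c in chain)
    op, *operands = policy
    results = [evaluate(p, chain, holder) for p in operands]
    if op == "and":
        return all(results)
    if op == "or":
        return any(results)
    raise ValueError(f"unknown connective {op!r}")


def accuracy(earned: int, due: int) -> float:
    """accuracy = earned / due * 100%."""
    if due <= 0 or not 0 <= earned <= due:
        raise ValueError("points must satisfy 0 <= earned <= due and due > 0")
    return earned / due * 100.0


def credibility(acc: float) -> int:
    """Credibility 0..4 from the accuracy table; assumption: each band includes its lower bound."""
    for upper, level in ((10, 0), (35, 1), (65, 2), (90, 3)):
        if acc < upper:
            return level
    return 4


def policies_for(level: int, cred: int) -> List[Tuple[str, Policy]]:
    """Adaptive policy mode (server policy processing module): a credible user gets one
    policy with the chain C1 ∧ ... ∧ Ck; a less credible user gets one policy per level."""
    certs = [f"C{i}" for i in range(1, level + 1)]
    if cred >= DIRECT_POLICY_CREDIBILITY:
        return [(f"P_{level}", ("and", *certs))]
    return [(f"P_{i}", f"C{i}") for i in range(1, level + 1)]


def negotiate_login(holder: str, store: Dict[str, Credential], level: int,
                    earned: int, due: int) -> Tuple[bool, int]:
    """Login negotiation after the password check. Returns (success, rounds): in each
    round the server issues a policy, the user returns the certificates it names, and
    the server's consistency check decides whether the negotiation continues."""
    cred = credibility(accuracy(earned, due))
    rounds = 0
    for _name, policy in policies_for(level, cred):
        rounds += 1
        chain = [store[c] for c in leaves(policy) if c in store]   # user certificate library lookup
        if not evaluate(policy, chain, holder):
            return False, rounds
    return True, rounds


def level_store(holder: str, *names: str, issuer: str = SERVER) -> Dict[str, Credential]:
    """Constructed certificate library for one user."""
    return {n: Credential(n, issuer, holder) for n in names}


if __name__ == "__main__":
    # Example 1: A answered everything right, B everything wrong; both hold C1..C3.
    print(negotiate_login("A", level_store("A", "C1", "C2", "C3"), 3, 10, 10))   # (True, 1)
    print(negotiate_login("B", level_store("B", "C1", "C2", "C3"), 3, 0, 10))    # (True, 3)
    # A chain whose certificates were not issued by the server fails the consistency check.
    print(negotiate_login("M", level_store("M", "C1", "C2", "C3", issuer="forged"), 3, 10, 10))  # (False, 1)
```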

Trust negotiation during network collaboration differs from trust negotiation at login in that the user negotiates not only with the server but also with another user. Users exchange the certificates they hold to assure each other of their identity, establish a trust relationship and work on a level together.

Example 2: user A and user B have both reached level four, and both have full points so far. Level four requires the two users to obtain, respectively, a prime number below 1000 and a prime number below 1500 generated at random by the system; the sum of the two primes is the password for clearing the level.

This process can be expressed as follows:

Referring to Fig. 8 and Fig. 9, user A: applies to user B to establish a collaboration channel and submits its points;

User B: based on A's points, returns the policy P_forth ← F_forth(C1∧C2∧C3∧C4) required to establish communication, and provides its own points;

User A: returns the credential chain (C1∧C2∧C3∧C4) and, based on B's points, proposes the policy P_forth ← F_forth(C1∧C2∧C3∧C4);

User B: verifies the certificates A submitted and returns the credential chain (C1∧C2∧C3∧C4);

User A: verifies the certificates user B submitted;

Negotiation succeeds; after discussion the two decide that A will obtain the prime below 1000 and B the prime below 1500;

A and B each send a request to the server;

The server randomly generates a prime below 1000 and a prime below 1500, tells them to user A and user B respectively, and issues them digital certificates C_A and C_B carrying these two numbers as attribute values.

User A and user B each tell the other the number they hold and exchange the digital certificates C_A and C_B;

User A and user B each submit the sum of the two numbers to the server;

The server proposes to A and to B the policy P_C5 ← F_C5(C_A∧C_B) for access to level five;

User A and user B each submit their credential chain (C_A∧C_B);

The server verifies the certificates submitted by both users and checks, from the sum of the certificates' attribute values, whether the prime sum each party submitted is correct. If so, it sends both users the permission certificate C5 for level five;

Both parties clear the level.

Here C1, C2, C3, C4 and C5 denote the access permission certificates for levels one to five, and C_A and C_B the certificates issued by the server to A and B containing the chosen random numbers as attribute values.

信任协商通过证书交换能够在处于不同安全域的陌生网络实体之间自动地、动态地建立信任关系;协商者双方都可以通过制定策略来保护自己的敏感性资源,对对方的请求进行访问控制;协商过程中,不需要可信第三方的参与。Trust negotiation can automatically and dynamically establish a trust relationship between unfamiliar network entities in different security domains through certificate exchange; both negotiators can formulate policies to protect their sensitive resources and control access to each other's requests; During the negotiation process, the participation of a trusted third party is not required.

由于本发明采用了信任协商认证的系统和方法,可以进一步进行认证,保证了认证的安全性,从而增加了网络协同游戏系统的安全性。Since the present invention adopts the system and method of trust negotiation and authentication, further authentication can be carried out to ensure the security of authentication, thereby increasing the security of the network cooperative game system.

以上的实施例仅是对本发明的优选实施方式进行描述,并非对本发明的范围进行限定,在不脱离本发明设计精神的前提下,本领域普通工程技术人员对本发明的技术方案做出的各种变形和改进,均应落入本发明的权利要求书确定的保护范围内。The above embodiments are only descriptions of preferred implementations of the present invention, and are not intended to limit the scope of the present invention. On the premise of not departing from the design spirit of the present invention, various technical solutions of the present invention can be made by ordinary engineers and technicians in the field. Variations and improvements should fall within the scope of protection defined by the claims of the present invention.

Claims (8)

1. An authentication system based on trust negotiation, characterized in that it comprises a policy parsing module (1), a policy processing module (2), a certificate processing module (3), a policy library module (4), a certificate repository module (5) and a consistency check module (6);
the policy library module (4) stores policies;
the certificate repository module (5) stores certificates;
the policy parsing module (1) parses an incoming policy and determines whether the policy involves a sensitive certificate; if it does, the policy is handed to the policy processing module (2) for handling, otherwise to the certificate processing module (3);
the policy processing module (2) retrieves the corresponding policy from the policy library module (4), returns it to the requesting party and stores the policy it provided in the consistency check module (6); or, for a request involving a sensitive certificate forwarded by the policy parsing module (1), retrieves the protection policy from the policy library module (4), returns it to the requesting party and stores the protection policy it provided in the consistency check module (6);
the certificate processing module (3) retrieves certificates from the certificate repository module (5), provides the requesting party with a certificate chain in the order described in the policy, and stores received certificate chains in the consistency check module (6) in order;
the consistency check module (6) checks the received certificate chain against the policy; if they are consistent it informs the requesting party that the trust negotiation succeeded and the corresponding service is provided to the requesting party, otherwise it informs the requesting party that the trust negotiation failed and no service is provided.
2. The authentication system based on trust negotiation according to claim 1, characterized in that the consistency check module (6) further comprises a sequence set module (7), and the sequence set module (7) stores certificate chains.
3. A user login system employing the authentication system based on trust negotiation according to claim 1 or claim 2, characterized in that it comprises a user module (10), a user management module (20) and a server trust negotiation module (30);
the user module (10) sends its own user information to the user management module (20) and makes an access request;
the user management module (20) checks the user information; if the check fails it informs the user module (10) that login failed, and if the check succeeds it sends the access request to the server trust negotiation module (30);
the server trust negotiation module (30) receives the access request sent by the user management module (20), retrieves the corresponding policy according to the user level information in the user management module (20), returns it to the user module (10) and saves the policy;
the user module (10) receives the policy returned by the server trust negotiation module (30), searches for the corresponding certificates as the policy requires, forms a certificate chain and sends the certificate chain to the server trust negotiation module (30);
the server trust negotiation module (30) saves the certificate chain in order and checks this certificate chain against the saved policy; if the two are consistent it informs the user module (10) that the negotiation succeeded and the user module (10) may perform the corresponding access, otherwise it informs the user module (10) that login failed.
4. The user login system according to claim 3, characterized in that the user module (10) comprises a user login module (11) and a user trust negotiation module (12), the user trust negotiation module (12) comprising a user policy parsing module (121), a user policy processing module (122), a user certificate processing module (123), a user policy library module (124), a user certificate repository module (125) and a user consistency check module (126); the user management module (20) comprises a user registration management module (21), a user login management module (22), a user level management module (23) and a user information storage module (24); the server trust negotiation module (30) comprises a server policy parsing module (301), a server policy processing module (302), a server certificate processing module (303), a server policy library module (304), a server certificate repository module (305) and a server consistency check module (306);
the user login module (11) sends its own user information to the user login management module (22) and sends an access request;
the user login management module (22) queries the user information in the user information storage module (24) and checks the user information; if the check fails it informs the user login module (11) that login failed, and if the check succeeds it sends the access request to the server policy processing module (302);
according to the level access request sent by the user login management module (22) and the user level information in the user level management module (23), the server policy processing module (302) retrieves the corresponding policy from the server policy library module (304), returns it to the user trust negotiation module (12) and saves the policy in the server consistency check module (306);
the user policy parsing module (121) in the user trust negotiation module (12) receives the policy returned by the server policy processing module (302) and hands it to the user certificate processing module (123); the user certificate processing module (123) searches the user certificate repository module (125) for the corresponding certificates as the policy requires, forms a certificate chain and sends the certificate chain to the server certificate processing module (303);
the server certificate processing module (303) stores the certificate chain in the server consistency check module (306) in order; the server consistency check module (306) checks this certificate chain against the saved policy; if the two are consistent it informs the user login module (11) that the negotiation succeeded and the user login module (11) may perform the corresponding access, otherwise it informs the user login module (11) that login failed.
5. The user login system according to claim 4, characterized in that the server consistency check module (306) further comprises a server sequence set module (307), and the server sequence set module (307) stores certificate chains.
6. A user collaboration system employing the authentication system based on trust negotiation according to claim 1 or claim 2, characterized in that it comprises at least two user modules, each user module including its own user trust negotiation module, and the user modules are connected to one another through a network;
user A and user B connect, user B returns information to user A, and the user A policy parsing module (601) in the user A trust negotiation module (60) judges whether the information returned by B is a policy or a certificate;
if it is a policy, the policy is parsed to see whether it involves a sensitive certificate held by user A; if the parsing result involves a sensitive certificate held by user A, the user A policy parsing module (601) notifies the user A policy processing module (602) to handle it, and the user A policy processing module (602) retrieves the protection policy for the sensitive certificate from the user A policy library module (604) and returns that protection policy to the user B trust negotiation module (70); if the parsing result of the user A policy parsing module (601) does not involve a sensitive certificate, the user A policy parsing module (601) notifies the user A certificate processing module (603) to handle it, and the user A certificate processing module (603), according to the access control policy sent by user B, retrieves from the user A certificate repository module (605) the certificates that the policy sent by user B involves and returns them to the user B trust negotiation module (70);
if the user A policy parsing module (601) judges that the information returned by B is a certificate, it notifies the user A certificate processing module (603) to handle it; the user A certificate processing module (603) saves the certificate returned by user B in the user A consistency check module (606), and the user A consistency check module (606) checks whether this certificate is consistent with the requirements of the policy that user A previously proposed to user B; if it is consistent, the two parties establish a trust relationship, user B can collaborate and communicate with user A, and each learns the sensitive information the other holds; otherwise user B is informed that the negotiation failed and the two parties cannot establish a collaborative connection.
7. A login method using the user login system with the authentication system based on trust negotiation of claim 1 or 2, characterized in that it comprises the following steps:
the user login module sends user information, such as the user's own user name and password, to the user login management module and makes an access request;
the user login management module looks up the user information in the user information storage module and checks the user information; if the check fails it informs the user login module that login failed, and if the check succeeds it sends the access request to the server policy processing module; according to the access request sent by the user login management module and the user level information in the user level management module, the server policy processing module retrieves the corresponding policy from the server policy library module, returns it to the user trust negotiation module and saves the policy in the server consistency check module;
the user policy parsing module in the user trust negotiation module receives the policy returned by the server policy processing module and hands it to the user certificate processing module; the user certificate processing module searches the user certificate repository module for the corresponding certificates as the policy requires, forms a certificate chain and sends the certificate chain to the server certificate processing module; the server certificate processing module stores the certificate chain in order in the server sequence set in the server consistency check module;
the server consistency check module checks the certificate chain saved by the server certificate processing module against the policy saved by the server policy processing module; if the two are consistent it informs the user login module that the negotiation succeeded and the user login module may perform the corresponding access, otherwise it informs the user that login failed.
8. A collaboration method using the user collaboration system with the authentication system based on trust negotiation of claim 1 or 2, characterized in that it comprises the following steps:
the user A policy parsing module in the user A trust negotiation module judges whether the information returned by B is a policy or a certificate;
if it is a policy, the user A policy parsing module parses it to see whether it involves a sensitive certificate held by user A; if the parsing result involves a sensitive certificate held by user A, the user A policy parsing module notifies the user A policy processing module to handle it, and the user A policy processing module retrieves the protection policy for the sensitive certificate from the user A policy library module and returns that protection policy to the user B trust negotiation module; if the parsing result does not involve a sensitive certificate held by user A, the user A policy parsing module notifies the user A certificate processing module to handle it, and the user A certificate processing module, according to the access control policy sent by user B, retrieves from the user A certificate repository module the certificates that the policy sent by user B involves and returns them to the user B trust negotiation module;
if it is a certificate, the user A policy parsing module notifies the user A certificate processing module to handle it, the user A certificate processing module saves the certificate returned by user B in the user A consistency check module, and the user A consistency check module checks whether this certificate is consistent with the requirements of the policy that user A previously proposed to user B; if it is consistent, the two parties establish a trust relationship, user B can collaborate and communicate with user A, and each learns the sensitive information the other holds; otherwise user B is informed that the negotiation failed and the two parties cannot establish a collaborative connection.
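The modules of claim 1 and the Example 2 exchange from the description, modelled as an added Python example (this is not the patent's own code, which the page does not include). The policy library and certificate repository are dictionaries, a policy P_target ← F_target(C1∧…) is an ordered list of required credential names, credentials carry a server HMAC in place of a real digital signature, and the policy parsing, certificate processing and consistency check modules are plain functions. Every name, the HMAC construction and the sample key are assumptions made for the example.

```python
# Added example (not the patent's own code): a small Python model of the claim-1
# modules (policy library, credential repository, policy parsing, consistency
# check) driving the login negotiation and the Example 2 level exchange.
# Credential layout, the HMAC "signature" and the policy encoding are assumptions.
import hashlib
import hmac
import random

SERVER_KEY = b"constructed-server-signing-key"  # constructed; only the server holds it


class Credential:
    """A credential (C1..C5, CA, CB) issued to `holder` and MAC-signed by the server."""

    def __init__(self, name, holder, attrs=None):
        self.name, self.holder, self.attrs = name, holder, dict(attrs or {})
        self.sig = hmac.new(SERVER_KEY, self.payload(), hashlib.sha256).digest()

    def payload(self):
        items = ",".join(f"{k}={v}" for k, v in sorted(self.attrs.items()))
        return f"{self.name}|{self.holder}|{items}".encode()


def verify(cred):
    """Certificate verification: recompute the server MAC over the credential body."""
    expected = hmac.new(SERVER_KEY, cred.payload(), hashlib.sha256).digest()
    return hmac.compare_digest(cred.sig, expected)


class Policy:
    """P_target <- F_target(c1 ∧ c2 ∧ ...): the credential names required, in order."""

    def __init__(self, target, required):
        self.target, self.required = target, list(required)


def answer_policy(policy, repo, sensitive=(), protection=None):
    """Policy parsing module: a policy that names one of the holder's sensitive
    credentials is answered with that credential's protection policy; otherwise the
    certificate processing module returns the chain in the order the policy lists."""
    for name in policy.required:
        if name in sensitive:
            return "policy", protection[name]
    if any(name not in repo for name in policy.required):
        return "fail", None
    return "chain", [repo[name] for name in policy.required]


def consistent(policy, chain, holders):
    """Consistency check module: chain order equals the policy, every credential
    verifies, and each belongs to one of the expected holders."""
    if chain is None or [c.name for c in chain] != policy.required:
        return False
    return all(verify(c) and c.holder in holders for c in chain)


def login(user, repo, levels):
    """Login negotiation: level k releases P_k <- F_k(Ck) and expects Ck back.
    Returns the number of consecutive levels the user could prove."""
    for k in range(1, levels + 1):
        policy = Policy(f"level{k}", [f"C{k}"])  # from the server policy library
        kind, chain = answer_policy(policy, repo)
        if kind != "chain" or not consistent(policy, chain, {user}):
            return k - 1
    return levels


def primes_below(n):
    """Sieve of Eratosthenes; the server draws its random primes from this list."""
    sieve = bytearray([1]) * n
    sieve[:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = b"\x00" * len(range(i * i, n, i))
    return [i for i in range(n) if sieve[i]]


def collaborate(a, repo_a, b, repo_b, rng=random):
    """Example 2: A and B prove C1..C4 to each other, the server issues CA and CB
    carrying the random primes, the users exchange them and submit the sum, and the
    server checks the sum against the attribute values before issuing C5 to both."""
    p_forth = Policy("forth", ["C1", "C2", "C3", "C4"])
    _, chain_a = answer_policy(p_forth, repo_a)  # A's chain for B's policy
    _, chain_b = answer_policy(p_forth, repo_b)  # B's chain for A's policy
    if not (consistent(p_forth, chain_a, {a}) and consistent(p_forth, chain_b, {b})):
        return False
    repo_a["CA"] = Credential("CA", a, {"prime": rng.choice(primes_below(1000))})
    repo_b["CB"] = Credential("CB", b, {"prime": rng.choice(primes_below(1500))})
    repo_a["CB"], repo_b["CA"] = repo_b["CB"], repo_a["CA"]  # users exchange CA and CB
    submitted = repo_a["CA"].attrs["prime"] + repo_a["CB"].attrs["prime"]
    p_c5 = Policy("C5", ["CA", "CB"])  # P_C5 <- F_C5(CA ∧ CB)
    for user, repo in ((a, repo_a), (b, repo_b)):
        _, chain = answer_policy(p_c5, repo)
        if not consistent(p_c5, chain, {a, b}) or sum(c.attrs["prime"] for c in chain) != submitted:
            return False
        repo["C5"] = Credential("C5", user)
    return True
```

Two details carry the security content of the claims. `consistent` enforces the order of the chain ("according to the sequence described in the policy") and binds each credential to the party presenting it, so a credential copied from another user or one with a broken MAC fails the check. And the fifth-level decision uses the prime values inside C_A and C_B, not the numbers the users announce to each other, which is why the server issues them as certificates rather than plain messages.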
CN 200910242235 2009-12-10 2009-12-10 Authentication system based on trust negotiation and user login and collaboration systems and methods Expired - Fee Related CN101707613B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910242235 CN101707613B (en) 2009-12-10 2009-12-10 Authentication system based on trust negotiation and user login and collaboration systems and methods

Publications (2)

Publication Number Publication Date
CN101707613A CN101707613A (en) 2010-05-12
CN101707613B true CN101707613B (en) 2012-12-12

Family

ID=42377803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910242235 Expired - Fee Related CN101707613B (en) 2009-12-10 2009-12-10 Authentication system based on trust negotiation and user login and collaboration systems and methods

Country Status (1)

Country Link
CN (1) CN101707613B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951375B (en) * 2010-09-21 2014-02-19 北京信息科技大学 An adaptive trust negotiation system and method based on trust evaluation
CN107864159A (en) * 2017-12-21 2018-03-30 有米科技股份有限公司 Communication means and device based on certificate and trust chain
CN114338060B (en) * 2020-09-28 2024-08-06 北京金山云网络技术有限公司 Authority verification method, device, system, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1791117A (en) * 2005-12-26 2006-06-21 北京航空航天大学 Service computing system based on service and underlying resource separation
CN1791024A (en) * 2005-12-26 2006-06-21 北京航空航天大学 Authentic remote service heat deploying method
CN1790982A (en) * 2005-12-26 2006-06-21 北京航空航天大学 Method and system for realizing trust identification based on negotiation communication
WO2006056992A3 (en) * 2004-11-28 2008-01-17 Calling Id Ltd Obtaining and assessing objective data relating to network resources

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
廖振松 et al. 《一种基于隐藏证书的自动信任协商模型》 (An automatic trust negotiation model based on hidden credentials). 《计算机科学》 (Computer Science), 2006, vol. 33, no. 12, full text. *
《基于属性的信任协商模型》 (An attribute-based trust negotiation model). 《华中科技大学学报(自然科学版)》 (Journal of Huazhong University of Science and Technology, Natural Science Edition), 2006, vol. 34, no. 5, full text. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121212

Termination date: 20151210

EXPY Termination of patent right or utility model