CN115412323B - Method for accessing multiple applications through single login based on TCM - Google Patents
- Publication number: CN115412323B (application CN202211009513.XA)
- Authority: CN (China)
- Prior art keywords: server, tcm, application server, equipment, user
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations (H: ELECTRICITY; H04: ELECTRIC COMMUNICATION TECHNIQUE; H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00: Network architectures or network communication protocols for network security; H04L63/08: ... for authentication of entities)
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords (same hierarchy as above)
- Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS; Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE; Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE; Y02D30/00: Reducing energy consumption in communication networks)
Abstract
The invention discloses a method for single-login access to multiple applications based on a TCM (Trusted Cryptography Module). A CA server is asked whether the accessing TCM device already holds valid login information; if not, the user name and password are verified, a "valid login" flag bit is written to the CA server, and the other application servers of the system can then be logged in to once a series of signature and signature-verification operations pass, so that the user reaches multiple applications with a single login. The invention lets a TCM device securely access different applications with one login, is convenient and safe for users, and has strong value for popularization and application.
Description
Technical Field
The invention relates to the technical field of trusted computing, and in particular to a method for single-login access to multiple applications based on a TCM.
Background
As enterprises grow, the number of their system applications grows with them. Personnel must log in repeatedly when operating different applications, and each system has its own account, which adds redundant work for operators. At the same time, account passwords leak easily and are used illegitimately, and the source of such misuse cannot be traced. Logging in to one system and then using the other applications at the same time, while keeping account passwords secure and operations traceable during use, is therefore the problem to be solved.
Chinese patent application CN200310109481.1 discloses a single sign-on method based on digital certificates. In that method the digital certificate and the public/private key pair are stored on the application server; the server key pair is used to encrypt and store the user information and to pass it between multiple application systems, achieving a secure single sign-on that is safe and reliable. It avoids the loss of user information when a session expires and works around users who reject cookies. The user logs in once without repeatedly entering login information, realizing "log in once, roam everywhere". However, the applicant notes that in that scheme each application server is issued its own set of certificates, and the signing and signature verification use public/private keys derived from those certificates. The keys are not protected, so they can leak, and a leaked key can be used for impersonation. Moreover, in step t of that method, before logging in to another application server the user must first log out, and a log-out ciphertext has to be formed by encrypting with the local server's private key, which makes the operation cumbersome.
Disclosure of Invention
Aiming at the above technical problems, the invention provides a method for single-login access to multiple applications based on a TCM, with the following technical scheme:
A method for TCM-based single sign-on access to multiple applications, comprising the steps of:
1) When a TCM device accesses the first application server, the first application server asks the CA server whether valid login information exists; if none exists, the user login interface is returned and the user is required to enter a user name and a password;
2) The first application server checks with the user information server whether the user name and password for the first application server are correct; if so, login to the first application server succeeds;
3) After successful login, the first application server writes a valid-login flag bit to the CA server and stores the valid login information in the CA server;
4) When any other application server than the first one is logged in to, if that server detects that the valid-login flag bit is set in the CA server, it checks the valid login information corresponding to the TCM device, and if the check passes the other application server is accessed normally; if the user needs to access yet another application server, this step is repeated, so that the user accesses multiple applications with a single login.
Further, the valid login information in step 3) consists of four fields in the format: server name + TCM device serial number + user name/password ciphertext + user name/password signature; the user name/password ciphertext is produced by encrypting with the TCM device public key, and the user name/password signature by signing with the TCM device private key.
Further, the valid login information corresponding to the TCM device is checked as follows:
first, the CA server signs the TCM device serial number in the valid login information, and the signature is verified with the CA server certificate built into the TCM device; if verification passes, the TCM device serial number in the valid login information matches the serial number of the TCM device;
then, the user name and password in the valid login information are decrypted with the TCM device private key and compared with the user name and password of the corresponding application server in the user information server; if they match, the valid login information is legitimate, and the signature is then verified with the TCM device certificate that the CA server holds for that TCM device serial number; if that verification passes, the user name and password have not been altered, and the other application server can be accessed normally.
Further, the first application server is any one of a Web server, an FTP server, a file server and a mail server.
Further, the user information server stores the user name and password of the corresponding application server.
The invention lets a TCM device securely access different applications with a single login, is convenient and safe for users, and has strong value for popularization and application.
Drawings
Fig. 1: flow diagram of issuing the TCM device certificate.
Fig. 2: flow diagram of single-login access to multiple application servers.
Detailed Description
In order to make the objects, features and advantages of the present invention more comprehensible, the technical solutions in the embodiments of the present invention are described in detail below with reference to the accompanying drawings, and it is apparent that the embodiments described below are only some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order to facilitate the understanding of the technical solution of the present invention, the following abbreviations and key terms are defined:
Trusted Cryptography Module (TCM): the hardware module of a trusted computing platform; it provides the platform's cryptographic operations and has protected storage space.
CA server (Certificate Authority): responsible for reviewing, issuing, archiving and revoking digital certificates; a digital certificate issued by the CA server carries the CA server's digital signature and can be used to confirm identity.
User information server: stores the user name and password of each corresponding application server; these are the user name and password contained in the valid login information.
The embodiments of the present application are illustrated only with FTP servers, file servers, Web servers and mail servers; the applicant notes that existing application servers of any kind may be used.
Example 1:
In this embodiment the manufacturer provisions the login credential before the trusted cryptography module (TCM) device leaves the factory. As shown in Fig. 1, a public/private key pair is generated on the TCM device, a certificate request is formed with the TCM device serial number as part of the subject information, and the CA server is asked to issue a device certificate. The CA server issues the TCM device certificate to the TCM device and stores the correspondence between the TCM device certificate and the TCM device serial number. A CA certificate is preset on the TCM device at the same time.
The process by which the CA server issues the TCM device certificate to the TCM device is, in outline:
(1) the TCM device generates a public/private key pair; (2) the TCM device forms a P10 (PKCS#10) certificate request containing the TCM device serial number, the public key and other information; (3) the CA server issues the certificate to the TCM device.
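The issuance flow of Fig. 1, written out as an added example in Go. This is editor-supplied demonstration code, not code from the patent or its applicant, and it uses only the Go standard library's crypto/x509: the device generates its key pair, puts its serial number into the subject of a PKCS#10 request, and the CA checks the request's proof-of-possession signature, issues the certificate and keeps the serial-to-certificate table. The type and function names, the 2048-bit RSA keys, the one-day validity and the "TCM Device CA" name are assumptions made for the demo; the page does not specify them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CAServer is the manufacturer-side CA of Fig. 1: it signs device certificates and
// keeps the serial number -> certificate table that the SSO flow consults later.
// (Demo type; the page names no implementation.)
type CAServer struct {
	priv  *rsa.PrivateKey
	Cert  *x509.Certificate
	Certs map[string]*x509.Certificate
}

func NewCAServer() (*CAServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "TCM Device CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CAServer{priv: priv, Cert: cert, Certs: map[string]*x509.Certificate{}}, err
}

// DeviceCSR is the factory-side step: generate the key pair on the TCM and build a
// PKCS#10 (P10) request whose subject carries the device serial number. The private
// key is returned only because this demo has no chip to keep it in.
func DeviceCSR(serial string) (csrDER []byte, priv *rsa.PrivateKey, err error) {
	if priv, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	tpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: "TCM", SerialNumber: serial}}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, &tpl, priv)
	return csrDER, priv, err
}

// IssueDeviceCert checks the request's self-signature (proof that the requester holds
// the private key), refuses an empty or already-enrolled serial, issues the certificate
// and records serial -> certificate.
func (ca *CAServer) IssueDeviceCert(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	serial := csr.Subject.SerialNumber
	if serial == "" {
		return nil, errors.New("CSR subject carries no device serial number")
	}
	if _, dup := ca.Certs[serial]; dup {
		return nil, errors.New("device serial " + serial + " is already enrolled")
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(len(ca.Certs) + 2)), // demo counter; use a random serial in production
		Subject:      csr.Subject,
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca.Cert, csr.PublicKey, ca.priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.Certs[serial] = cert
	return cert, nil
}

// Lookup is what an application server later asks the CA for: the certificate
// registered for a TCM serial number.
func (ca *CAServer) Lookup(serial string) (*x509.Certificate, bool) {
	c, ok := ca.Certs[serial]
	return c, ok
}
```

IssueDeviceCert refuses a request with no serial in the subject and a serial that is already enrolled: the SSO flow later keys the flag bit, the login record and the certificate lookup on that serial, so two certificates for one serial would make the lookup ambiguous.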
As shown in Fig. 2, when the TCM device accesses the Web server, the Web server asks the CA server whether valid login information exists and, if not, returns the user login interface. The user must now enter a user name and password. The Web server checks with the user information server whether the user name and password for the Web server are correct. If they are, login to the Web server succeeds. After successful login the Web server writes the valid-login flag bit to the CA server and stores the valid login information there. The valid login information consists of four fields in the following format: server name + TCM device serial number + user name/password ciphertext (encrypted with the TCM device public key) + user name/password signature (signed with the TCM device private key).
After the Web server login succeeds, the FTP server is logged in to next. The FTP server detects that a valid-login flag bit has been set in the CA server (different TCM device serial numbers correspond to different flag bits; when several users are active at the same time the CA server holds several pieces of valid login information, and the TCM device serial number tells which device each belongs to). The CA server signs the TCM device serial number in the valid login information, and the signature is verified with the CA certificate built into the TCM device; if verification passes, the TCM device serial number in the valid login information matches the device's own serial number.
If the device serial number in the valid login information matches the serial number in the TCM device, the user name and password in the valid login information are decrypted with the TCM device private key and compared with the user name and password of the corresponding application server in the user information server. If they match, the valid login information is legitimate; the signature is then verified with the TCM device certificate that the CA server holds for that TCM device serial number, and if that verification passes the user name and password have not been altered, so the FTP server can be accessed normally.
In this embodiment the private key of the CA server and the private key of the TCM device cannot be exported, so the leakage risk that comes with derivable keys in the prior art does not arise, and security is high.
In this embodiment the CA server signs the TCM device serial number in the valid login information and the signature is verified with the CA server certificate built into the TCM device; the user name and password in the valid login information are likewise verified with the device certificate belonging to that TCM. This achieves identity verification and guarantees security, and dispenses with the prior-art step of generating and signing a fresh random number on every login.
In this embodiment the valid login information is stored in the CA server, and when the user switches to a different application server, that server only has to call the corresponding interface to decrypt the user name and password in the login information with the TCM device private key, which avoids unnecessary operations.
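The single-login flow of steps 1) to 4) in the disclosure and of Fig. 2 as described in this embodiment (first login on the Web server, then single-login access to the FTP server), as an added example in Go. This is editor-supplied demonstration code, not code from the patent. To stay self-contained it reduces the device certificate to the device public key registered under the serial and the CA certificate preset on the device to the CA public key; RSA-OAEP for the credential ciphertext, RSA-PSS for the signatures, the "username:password" layout inside the ciphertext, the NUL-joined signing input and all type and function names are assumptions. The user information server is the plaintext user name/password table the page describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err) // only a broken RNG or key gets here
	}
	return sig
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// TCMDevice stands in for the chip: priv is unexported and touched only by methods
// (a key that never leaves the module); caPub is the key of the preset CA certificate.
type TCMDevice struct {
	Serial string
	priv   *rsa.PrivateKey
	caPub  *rsa.PublicKey
}

func (d *TCMDevice) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, ct, nil)
}

// ConfirmSerial: the device checks the CA's signature over the record's serial with
// its built-in CA key, and that the serial is its own.
func (d *TCMDevice) ConfirmSerial(serial string, caSig []byte) bool {
	return verify(d.caPub, []byte(serial), caSig) && serial == d.Serial
}

// LoginRecord is the "valid login information": server name, TCM serial, username:password
// ciphertext under the device public key, and the device signature over those three.
type LoginRecord struct {
	Server, Serial        string
	Ciphertext, Signature []byte
}

func (r LoginRecord) signedPart() []byte {
	return []byte(r.Server + "\x00" + r.Serial + "\x00" + string(r.Ciphertext))
}

// CAServer keeps serial -> device public key (from the device certificate) and one
// LoginRecord per serial; a present record is that device's "valid login flag".
type CAServer struct {
	priv    *rsa.PrivateKey
	DevKeys map[string]*rsa.PublicKey
	Logins  map[string]LoginRecord
}

// UserInfoServer holds, per application server, its username -> password table.
type UserInfoServer map[string]map[string]string

func (u UserInfoServer) check(server, user, pass string) bool {
	p, ok := u[server][user]
	return ok && p == pass // unknown user never matches, even with an empty password
}

// Provision builds one CA and the devices enrolled with it; certificate issuance is
// reduced here to registering each device public key under its serial.
func Provision(serials ...string) (*CAServer, []*TCMDevice) {
	caKey := mustKey()
	ca := &CAServer{priv: caKey, DevKeys: map[string]*rsa.PublicKey{}, Logins: map[string]LoginRecord{}}
	var devs []*TCMDevice
	for _, s := range serials {
		k := mustKey()
		ca.DevKeys[s] = &k.PublicKey
		devs = append(devs, &TCMDevice{Serial: s, priv: k, caPub: &caKey.PublicKey})
	}
	return ca, devs
}

// FirstLogin is steps 1) to 3) on the first server: password check, then the encrypted
// and signed record goes to the CA server, which thereby sets the flag for this device.
func FirstLogin(ca *CAServer, users UserInfoServer, dev *TCMDevice, server, user, pass string) error {
	if !users.check(server, user, pass) {
		return errors.New("wrong username or password")
	}
	pub, ok := ca.DevKeys[dev.Serial]
	if !ok {
		return errors.New("no certificate registered for device " + dev.Serial)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(user+":"+pass), nil)
	if err != nil {
		return err
	}
	rec := LoginRecord{Server: server, Serial: dev.Serial, Ciphertext: ct}
	rec.Signature = sign(dev.priv, rec.signedPart())
	ca.Logins[dev.Serial] = rec
	return nil
}

// SSOLogin is step 4) on any other server; it returns the username that was let in.
func SSOLogin(ca *CAServer, users UserInfoServer, dev *TCMDevice, server string) (string, error) {
	rec, ok := ca.Logins[dev.Serial]
	if !ok {
		return "", errors.New("no valid login flag: show the login form")
	}
	if !dev.ConfirmSerial(rec.Serial, sign(ca.priv, []byte(rec.Serial))) {
		return "", errors.New("serial in record does not belong to this device")
	}
	pt, err := dev.Decrypt(rec.Ciphertext) // only the enrolled device can open the record
	if err != nil {
		return "", errors.New("record ciphertext cannot be opened by this device")
	}
	user, pass, _ := strings.Cut(string(pt), ":")
	if !users.check(server, user, pass) {
		return "", errors.New("record credentials are not valid on " + server)
	}
	pub, ok := ca.DevKeys[rec.Serial]
	if !ok || !verify(pub, rec.signedPart(), rec.Signature) {
		return "", errors.New("device signature invalid: login record was altered")
	}
	return user, nil
}
```

Provision enrolls the devices; FirstLogin is steps 1) to 3) and SSOLogin is step 4), returning an error wherever the page says a check fails. Two things worth noticing when reading it against the page: the CA signs the serial taken from the very record it stores, so the check that actually binds the record to the device is the device's comparison of that serial with its own; and nothing in the record is fresh per login, so it stays usable until the flag is cleared, which is exactly the saving over the prior art's per-login random number that the page claims.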
Example 2:
This embodiment differs from embodiment 1 in that after the Web server login succeeds, the mail server is logged in to. The mail server detects that a valid-login flag bit has been set in the CA server (different TCM device serial numbers correspond to different flag bits; when several users are active at the same time the CA server holds several pieces of valid login information, and the TCM device serial number tells which device each belongs to). The CA server signs the TCM device serial number in the valid login information, and the signature is verified with the CA certificate built into the TCM device; if verification passes, the TCM device serial number in the valid login information matches the device's own serial number.
If the device serial number in the valid login information matches the serial number in the TCM device, the user name and password in the valid login information are decrypted with the TCM device private key and compared with the user name and password of the corresponding application server in the user information server. If they match, the valid login information is legitimate; the signature is then verified with the TCM device certificate that the CA server holds for that TCM device serial number, and if that verification passes the user name and password have not been altered, so the mail server can be accessed normally.
Example 3:
This embodiment differs from the above embodiments in that the Web server is replaced by an FTP server and the FTP server by a file server; the rest of the method is the same.
Claims (4)
1. A method for TCM-based single sign-on access to multiple applications, comprising the steps of:
1) When a TCM device accesses a first application server, the first application server asks a CA server whether valid login information exists; if no valid login information exists, a user login interface is returned and the user is required to enter a user name and a password;
2) The first application server checks with a user information server whether the user name and the password for the first application server are correct, and if so, login to the first application server succeeds;
3) After successful login, the first application server writes a valid-login flag bit to the CA server and stores the valid login information in the CA server;
4) When any other application server than the first application server is logged in to, if that other application server detects that the valid-login flag bit is set in the CA server, it checks the valid login information corresponding to the TCM device, and if the check passes the other application server is accessed normally; if the user needs to access an application server other than the current one, step 4) is repeated, so that the user accesses multiple applications with a single login; wherein the valid login information consists of four fields in the format: server name + TCM device serial number + user name/password ciphertext + user name/password signature; wherein
the user name/password ciphertext is encrypted with the TCM device public key and the user name/password signature is signed with the TCM device private key; TCM stands for Trusted Cryptography Module, and CA stands for Certificate Authority.
2. The TCM-based single-sign-on method for accessing multiple applications of claim 1, wherein the method for checking the valid login information corresponding to the TCM device comprises:
first, the CA server signs the TCM device serial number in the valid login information, and the signature is verified with the CA server certificate built into the TCM device; if verification passes, the TCM device serial number in the valid login information matches the serial number of the TCM device;
then, the user name and password in the valid login information are decrypted with the TCM device private key and compared with the user name and password of the corresponding application server in the user information server; if they match, the valid login information is legitimate, and the signature is then verified with the TCM device certificate that the CA server holds for that TCM device serial number; if that verification passes, the user name and password have not been altered, and the other application server is accessed normally.
3. The TCM-based single-sign-on method for accessing multiple applications of claim 2, wherein the first application server is any one of a Web server, an FTP server, a file server and a mail server.
4. The TCM-based single-sign-on method for accessing multiple applications of claim 1, wherein the user information server stores the user name and password of the corresponding application server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211009513.XA CN115412323B (en) | 2022-08-23 | 2022-08-23 | Method for accessing multiple applications through single login based on TCM |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115412323A CN115412323A (en) | 2022-11-29 |
CN115412323B true CN115412323B (en) | 2023-07-18 |
Family
ID=84162420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211009513.XA Active CN115412323B (en) | 2022-08-23 | 2022-08-23 | Method for accessing multiple applications through single login based on TCM |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115412323B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101626292A (en) * | 2008-07-09 | 2010-01-13 | 上海格尔软件股份有限公司 | Linux log-on protection method |
CN106559408A (en) * | 2015-11-27 | 2017-04-05 | 国网智能电网研究院 | A kind of SDN authentication methods based on trust management |
US9736145B1 (en) * | 2014-08-01 | 2017-08-15 | Secureauth Corporation | Generation and validation of derived credentials |
US11245690B1 (en) * | 2020-02-05 | 2022-02-08 | Dg Ventures, Llc | System and method for streamlined user authentication on a server using a securely stored client identifier |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1323508C (en) * | 2003-12-17 | 2007-06-27 | 上海市高级人民法院 | A Single Sign On method based on digital certificate |
EP2055077B1 (en) * | 2006-08-22 | 2017-04-05 | InterDigital Technology Corporation | Method and apparatus for providing trusted single sign-on access to applications and internet-based services |
WO2011031272A1 (en) * | 2009-09-14 | 2011-03-17 | Interdigital Patent Holdings, Inc. | Method and apparatus for trusted authentication and logon |
CN102111410B (en) * | 2011-01-13 | 2013-07-03 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
JP6417483B2 (en) * | 2014-12-31 | 2018-11-07 | サイトリックス システムズ,インコーポレイテッド | Shared secret repository for applications including single sign-on |
CN110334489A (en) * | 2019-07-12 | 2019-10-15 | 广州大白互联网科技有限公司 | A kind of unified single sign-on system and method |
Also Published As
Publication number | Publication date |
---|---|
CN115412323A (en) | 2022-11-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||