[go: up one dir, main page]

WO2004054172A1 - A method of data protection for information provider - Google Patents

A method of data protection for information provider Download PDF

Info

Publication number
WO2004054172A1
WO2004054172A1 PCT/CN2003/000871 CN0300871W WO2004054172A1 WO 2004054172 A1 WO2004054172 A1 WO 2004054172A1 CN 0300871 W CN0300871 W CN 0300871W WO 2004054172 A1 WO2004054172 A1 WO 2004054172A1
Authority
WO
WIPO (PCT)
Prior art keywords
requester
information provider
access
password
management server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2003/000871
Other languages
French (fr)
Chinese (zh)
Inventor
Xiaoqin Duan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to AU2003272873A priority Critical patent/AU2003272873A1/en
Publication of WO2004054172A1 publication Critical patent/WO2004054172A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • the invention relates to the field of data security, in particular to a method for data protection of an information provider. Background of the invention
  • password protection is usually adopted for the security protection of data such as information and resources at the information provider.
  • An access password is assigned to each requester that needs to access information data. The requester must verify the access password before accessing the data of the information provider. The requester can only be accessed after the access password verification is passed. The access password If the authentication fails, the access of the requesting end is denied, that is, the access of the requesting end to the data of the information providing end is controlled by the protection of the access password to prevent illegal access and illegal access.
  • the information provider refers to the interviewee who provides certain information and resources
  • the requester refers to the access terminal that points to the information provider to request access to its information, resources, and other data.
  • the information provider in the process of obtaining the geographic location of the information provider, the information provider needs the requester to provide an access password (cordword) to verify whether the requester is authorized.
  • an access password cordword
  • 3GPP Third Generation Partnership Project
  • One authentication method is that the information provider assigns an access password to each requester, and When requesting the geographic location of the information provider, the requester provides the access password to the mobile communication network, and the mobile communication network provides the access password along with the requested information to the information provider, and the information provider verifies the access password.
  • This verification method is usually called Full-service management of the information provider.
  • Another verification method is that the information provider registers the access password of each requester in advance on the mobile communication network, and the mobile communication network verifies the access password provided by the requester. This verification method is usually called a password verification service Management mode.
  • the information provider when the information provider authorizes and verifies the requester A, the information provider assigns an access password to the requester A, and notifies the request of the access password corresponding to the requester A
  • the requester A requests access to the data of the information provider
  • the requester A provides the access password to the supplier;
  • the access provider verifies the access password the information provider assigns the access password provided by the requester A with itself to the request
  • the access passwords of the terminal A are compared and checked. If they are the same, the access password is verified and the access request is accepted; otherwise, the access password is not verified and the access request is denied.
  • the assignment, comparison, verification and management of access passwords are all done by the information provider.
  • the information provider needs to allocate a large number of different access passwords to the requester, and needs to store the correspondence between each access password and the requester.
  • the information provider For the modification and cancellation of the access password, it is also necessary for the information provider to allocate and manage the corresponding access password.
  • the workload is large and it takes up a lot of storage resources at the information provider.
  • the information provider assigns an access password to the requesting end B, and registers the access password in advance with the password verification server of the mobile communication network, and then the information providing end or the password verification server will request the access of the requesting end B.
  • the password notifies the requesting end B; when the requesting end B requests to access the data of the information providing end, it provides its own access password to the password verification server.
  • the password verification server verifies the access password, the password verification server compares and checks the access password provided by the requesting end B with the access password corresponding to the requesting end B registered in advance by the information providing end. If they are consistent, the access password verification is performed. Pass and accept the access request; otherwise, the access password does not pass the verification and the access request is rejected.
  • the password authentication server described above is a server capable of storing different access passwords assigned by the information provider to different requesters, and capable of performing authentication based on the access passwords provided by the requester.
  • the crypto face ID server can stand alone as a physical entity or as a physical entity. Functional modules are integrated in other entities.
  • the password authentication server management method simplifies the access to the password insurance part of the information provider than the information provider's full management method, and the access password verification part is completed by the password verification server.
  • the assignment and management of access passwords are also completed by the information provider.
  • the information provider also needs to store the correspondence between each access password that has been assigned and the requester to avoid misuse.
  • the information provider needs to allocate and manage the corresponding access password. It also has the problem of heavy workload on the information provider. Summary of the Invention
  • an object of the present invention is to provide a method for data protection of an information providing end, which centralizes the assignment, management, and security verification of an access password in a data management server, thereby realizing the improvement of the authorization verification mechanism.
  • the present invention provides a method for data protection of an information provider.
  • the present invention centrally completes the assignment, verification, and management operations of the access password of the requester through the data management server.
  • the information provider only needs to authorize the requester on the data management server.
  • the data management server will automatically assign an access password to each requester, and complete the authentication of the requester ’s identity and the access password. management. Therefore, the access password is completely transparent to the information provider.
  • the information provider does not need to assign an access password to the requester by itself.
  • the information provider does not need to know the content of the access password to complete the entire authorization process, which greatly simplifies the information provision.
  • End authorization mechanism When the requesting end sends an access request to the information providing end, the data management server checks and verifies the access password of the requesting end, thereby improving the efficiency of the requesting end's access to the data of the information providing end.
  • FIG. 1 is a schematic structural diagram of an authorization verification system according to the present invention
  • FIG. 2 is a flowchart of the authorization verification implementation of the data management server of the present invention. Mode of Carrying Out the Invention
  • the present invention improves the authorization verification mechanism by a method of allocating, verifying and managing access passwords performed by the data management server.
  • FIG. 1 is a schematic structural diagram of an authorization verification system of the present invention, as shown in FIG. 1:
  • the authorization verification system of the present invention is mainly composed of a requesting end 101, a data management server 102, and an information providing end 103.
  • the data management server 102 refers to a server capable of allocating different access passwords and managing and verifying the access passwords according to the identifiers of different requesters 101 authorized by the information provider 103.
  • the data management server 102 may stand alone as a physical entity, or may be integrated as a functional module in other entities.
  • the data management server 102 can be further divided into three parts in function: a random password generator 104, a data storage database 105, and a password validator 106.
  • the random password generator 104 is used for randomly generating passwords, and requires using a certain standard algorithm to make the generated passwords different and irregular.
  • the password generation algorithm used here can be arbitrarily selected, such as adding a random suffix based on the identity of the requesting end, and so on.
  • the data storage database 105 is used to store the identifiers of the information providers 103, the identifiers of the requesters 101 corresponding thereto, the access passwords assigned by the random generator to the requesters 101, and the correspondence between the three.
  • the password validator 106 is used to search the data storage database 105 for an access password corresponding to the current requester of an information provider, and compare and check the access password with the current access password provided by the current requester 101.
  • the data management server 102 may be a newly set function in the authorization verification mechanism.
  • the capable entity may also add a random password generator 104 part to the password verification server in the prior art. In this way, all the functions of the data management server 102 can be realized.
  • the information providing end provides the data management server with a list of identifications of the requesting end.
  • the identification of the requesting end may be information such as the name of the requesting end that can uniquely identify the requesting end, and is used to distinguish different requests corresponding to the information providing end. end.
  • the random password generator in the data management server randomly assigns an access password to each requesting end according to a preset standard algorithm. For example, an algorithm for generating an access password based on the identification of the requesting end and a random suffix is used to ensure the access of each requesting end. The passwords are different and irregular.
  • the data management server notifies the corresponding requester of the access password.
  • the identification of the information providing end, the identification of each requesting end corresponding to the information providing end, the assigned access password, and the corresponding relationship between the three are stored in the data storage database of the data management server.
  • the requester requests data from the information provider
  • the requester provides the data management server with the identifier of the accessed information provider, the identifier of the requester, and the access password of the requester.
  • the password validator in the data management server searches the data storage database for the access password of the requesting end corresponding to the information providing end, and compares and checks it with the access password provided by the requesting end of the information providing end. If they are the same,
  • the requesting end passes password authentication, and the data management server notifies the requesting end to accept its access request. If the requesting end does not pass the password verification, the data management server notifies the requesting end of rejecting its access request.
  • the information provider needs to cancel the access passwords of some requesters, it only needs to provide the data management server with the requester ID list that needs to be canceled.
  • the data management server automatically cancels the original access password of the corresponding requester according to the logout requester ID list, and notifies The corresponding requester. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider.
  • the data management server requests The client identification list automatically re-assigns the access password for the requesting end, and at the same time logs off the original access password of the corresponding requesting end. The data management server will then notify the corresponding requester of the modified access password. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider. These requesters can pass the password verification only by using the newly assigned access password to achieve access to the information provider.
  • a data management server is set in the mobile communication network in advance. Then, when the requesting end obtains the geographic location of the information providing end, the data management server authorization verification process is shown in FIG. 2, where the authorization The verification process includes the following steps: Step 201 ⁇ Step 203: Authorization process.
  • the information providing end provides the authorized requester identification list to the data management server of the mobile communication network; the random password generator in the data management server assigns an access password to each requesting end corresponding to the information providing end.
  • the data storage database stores the identifier of the information provider, the identifier of each requester corresponding to the information provider, the assigned access password, and the relationship between the three; the data management server notifies the corresponding requestor of the assigned access password.
  • the requesting end sends a request to the data management server of the mobile communication network to access the geographic location of the information providing end, and the requesting end provides the data management server with the identification of the accessed information providing end, the identification of the requesting end, and the access password of the requesting end; the password in the data management server
  • the validator searches the data storage database for the access password of the requesting end corresponding to the information providing end, and compares and checks it with the access password provided by the requesting end corresponding to the information providing end. If they are consistent, the requesting end passes For password verification, the data management server notifies the requester to accept its access request; otherwise, the requester fails the password verification, and the data management server notifies the requester to reject its access request.
  • the information provider when the information provider needs to cancel the access passwords of some requesters, it only needs to provide the data management server of the mobile communication network with the requester ID list that needs to be deregistered, and the data management server automatically deregisters according to the cancellation requester ID list.
  • Corresponding request source Incoming access password and notify the corresponding requester. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider.
  • the information provider when the information provider needs to modify the access password of some requesters, it only needs to provide the data management server of the mobile communication network with the requester identification list that needs to be modified, and the data management server automatically changes the requester identification list to The corresponding requesting end redistributes the access password and logs off the original accessing password of the corresponding requesting end.
  • the data management server will notify the corresponding requester of the modified access password. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider. These requesters can use the newly assigned access password to pass the password verification and access the information provider.
  • the authorization verification mechanism related to data security of the information provider according to the present invention can also be applied to other various communication systems.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a method of data protection for information provider. It relates to the field of data security, adopts a data manage server to achieve management to applicant’s cordword: data manage server distributes a cordword to each applicant which is accredited by information provider, the data manage server accomplishes identity validation according to the cordword provided by applicant; the data manage server is also able to logout and modify the applicant’s cordword according to the indication of information provider. During accrediting, information provider only accredits the applicant at the data manage server, and distributing cordword to the applicant accomplished by data manage server, while information provider needn’t distribute cordword to the applicant by itself, so that accrediting process is improved. During validating, data manage server checks up and validates the applicant’s cordword when applicant sends access request to information provider, in order to improve applicant access efficiency to information provider.

Description

一种信息提供端数据保护的方法  Method for data protection of information provider

技术领域 Technical field

本发明涉及数据安全领域,特别是一种信息提供端数据保护的方法。 发明背景  The invention relates to the field of data security, in particular to a method for data protection of an information provider. Background of the invention

在通信领域中, 对于信息提供端信息、 资源等数据的安全保护方式 通常采用密码验证的方式。 对每个需要访问信息数据的请求端都分配有 一个访问密码, 该请求端在访问信息提供端数据之前要先进行访问密码 的验证, 访问密码验证通过后请求端才能被接入访问, 访问密码验证不 通过则拒绝请求端的访问, 即通过访问密码的保护来控制请求端对信息 提供端数据的访问, 防止非法访问和非法接入。 这里, 信息提供端是指 提供一定信息和资源的被访问者, 请求端是指向信息提供端请求访问其 信息、 资源等数据的访问端。  In the field of communications, password protection is usually adopted for the security protection of data such as information and resources at the information provider. An access password is assigned to each requester that needs to access information data. The requester must verify the access password before accessing the data of the information provider. The requester can only be accessed after the access password verification is passed. The access password If the authentication fails, the access of the requesting end is denied, that is, the access of the requesting end to the data of the information providing end is controlled by the protection of the access password to prevent illegal access and illegal access. Here, the information provider refers to the interviewee who provides certain information and resources, and the requester refers to the access terminal that points to the information provider to request access to its information, resources, and other data.

具体到移动通信网络的位置业务(LCS, Location Service ) 中, 请 求端在获取信息提供端地理位置的过程中, 信息提供端需要请求端提供 访问密码(cordword )来验证请求端是否已被授权。 在第三代伙伴计划 ( 3GPP , Third Generation Partnership Project ) 的 Rel 6 TS2071-610规 范中提出两种访问密码的验证方式: 一种验证方式是信息提供端为每个 请求端分配访问密码, 且在请求信息提供端的地理位置时, 请求端向移 动通信网络提供访问密码, 移动通信网络将访问密码随同请求信息一起 提供给信息提供端, 由信息提供端对访问密码进行验证, 该验证方式通 常称为信息提供端全权管理方式。 另一种验证方式是信息提供端提前在 移动通信网络上对每一个请求端的访问密码进行注册, 由移动通信网络 对请求端提供的访问密码进行验证, 该验证方式通常称为密码验证服务 器管理方式。 Specifically, in the location service (LCS, Location Service) of the mobile communication network, in the process of obtaining the geographic location of the information provider, the information provider needs the requester to provide an access password (cordword) to verify whether the requester is authorized. In the Rel 6 TS2071-610 specification of the Third Generation Partnership Project (3GPP), two access password authentication methods are proposed: One authentication method is that the information provider assigns an access password to each requester, and When requesting the geographic location of the information provider, the requester provides the access password to the mobile communication network, and the mobile communication network provides the access password along with the requested information to the information provider, and the information provider verifies the access password. This verification method is usually called Full-service management of the information provider. Another verification method is that the information provider registers the access password of each requester in advance on the mobile communication network, and the mobile communication network verifies the access password provided by the requester. This verification method is usually called a password verification service Management mode.

目前, 在信息提供端全权管理方式下, 当信息提供端对请求端 A进 行授权、 验证时, 信息提供端为请求端 A分配一个访问密码, 并将与请 求端 A相对应的访问密码通知请求端 A;请求端 A请求访问信息提供端 数据时, 向信息揭:供端提供自己的访问密码; 信息提供端在对访问密码 进行验证时,将请求端 A提供的访问密码与自己分配给请求端 A的访问 密码进行比较、核对, 如果一致, 则访问密码验证通过, 接受访问请求; 否则, 访问密码未通过验证, 拒绝访问清求。  At present, in the full-service management mode of the information provider, when the information provider authorizes and verifies the requester A, the information provider assigns an access password to the requester A, and notifies the request of the access password corresponding to the requester A When the requester A requests access to the data of the information provider, the requester A provides the access password to the supplier; when the access provider verifies the access password, the information provider assigns the access password provided by the requester A with itself to the request The access passwords of the terminal A are compared and checked. If they are the same, the access password is verified and the access request is accepted; otherwise, the access password is not verified and the access request is denied.

信息提供端全权管理方式下, 访问密码的分配、 比较、 核对和管理 全部由信息提供端完成。 这样, 对于存在大量请求端的情况下, 信息提 供端需要为请求端分配大量的不同的访问密码, 并且需要存储每个访问 密码和请求端之间的对应关系。 对于访问密码的修改和注销工作, 也需 要由信息提供端进行相应的访问密码分配和管理, 工作量较大且占用信 息提供端的大量存储资源。  In the full management mode of the information provider, the assignment, comparison, verification and management of access passwords are all done by the information provider. In this way, for a case where there are a large number of requesters, the information provider needs to allocate a large number of different access passwords to the requester, and needs to store the correspondence between each access password and the requester. For the modification and cancellation of the access password, it is also necessary for the information provider to allocate and manage the corresponding access password. The workload is large and it takes up a lot of storage resources at the information provider.

在密码验证服务器管理方式下, 信息提供端为请求端 B分配一个访 问密码 , 并将该访问密码提前注册于移动通信网络的密码验证服务器, 然后信息提供端或密码验证服务器将请求端 B 的访问密码通知请求端 B; 请求端 B请求访问信息提供端的数据时, 向密码验证服务器提供自 己的访问密码。 密码验证服务器在对访问密码进行验证时, 密码验证服 务器将请求端 B提供的访问密码与信息提供端提前注册的与请求端 B相 对应的访问密码进行比较、 核对, 如果一致, 则访问密码验证通过, 接 受访问请求; 否则, 访问密码未通过验证, 拒绝访问请求。  In the password verification server management mode, the information provider assigns an access password to the requesting end B, and registers the access password in advance with the password verification server of the mobile communication network, and then the information providing end or the password verification server will request the access of the requesting end B. The password notifies the requesting end B; when the requesting end B requests to access the data of the information providing end, it provides its own access password to the password verification server. When the password verification server verifies the access password, the password verification server compares and checks the access password provided by the requesting end B with the access password corresponding to the requesting end B registered in advance by the information providing end. If they are consistent, the access password verification is performed. Pass and accept the access request; otherwise, the access password does not pass the verification and the access request is rejected.

上面所述的密码验证服务器是一种能够存储信息提供端对不同请求 端分配的不同访问密码, 并能够根据请求端提供的访问密码进行验证的 服务器。 该密码脸证服务器可以独立成一个物理实体, 也可以作为一个 功能模块集成在其他实体中。 The password authentication server described above is a server capable of storing different access passwords assigned by the information provider to different requesters, and capable of performing authentication based on the access passwords provided by the requester. The crypto face ID server can stand alone as a physical entity or as a physical entity. Functional modules are integrated in other entities.

密码验证服务器管理方式较信息提供端全权管理方式简化了信息提 供端的访问密码险证部分, 将访问密码验证部分通过密码验证服务器来 完成。 但访问密码的分配和管理工作同样由信息提供端来完成, 信息提 供端同样需要存储已分配了的每个访问密码与请求端之间的对应关系, 以避免造成误用。 对于访问密码的修改和注销工作, 同样需要由信息提 供端进行相应的访问密码分配和管理, 同样存在信息提供端工作量大的 问题。 发明内容  The password authentication server management method simplifies the access to the password insurance part of the information provider than the information provider's full management method, and the access password verification part is completed by the password verification server. However, the assignment and management of access passwords are also completed by the information provider. The information provider also needs to store the correspondence between each access password that has been assigned and the requester to avoid misuse. For the modification and cancellation of the access password, the information provider needs to allocate and manage the corresponding access password. It also has the problem of heavy workload on the information provider. Summary of the Invention

有鉴于此,本发明的目的在于提供一种信息提供端数据保护的方法, 将访问密码的分配、 管理和安全性验证全部集中在数据管理服务器中完 成, 实现了对授权验证机制的改进。  In view of this, an object of the present invention is to provide a method for data protection of an information providing end, which centralizes the assignment, management, and security verification of an access password in a data management server, thereby realizing the improvement of the authorization verification mechanism.

为了达到上述目的,本发明提供了一种信息提供端数据保护的方法, 本发明通过数据管理服务器集中完成了对请求端访问密码的分配、 验证和管理操作。 在整个过程中, 信息提供端只需在数据管理服务器上 对请求端进行授权, 数据管理服务器会自动为每个请求端分配访问密 码, 并完成对请求端身份的^ r证和对访问密码的管理。 因此, 访问密码 对信息提供端来说是完全透明的, 信息提供端无需自行为请求端分配访 问密码, 甚至信息提供端不需要知道访问密码的内容便完成了整个授权 过程, 大大简化了信息提供端的授权机制。 当请求端向信息提供端发出 访问请求时, 由数据管理服务器对请求端的访问密码进行核对和验证, 提高了请求端对信息提供端数据的访问效率。 附图简要说明 In order to achieve the above-mentioned object, the present invention provides a method for data protection of an information provider. The present invention centrally completes the assignment, verification, and management operations of the access password of the requester through the data management server. During the entire process, the information provider only needs to authorize the requester on the data management server. The data management server will automatically assign an access password to each requester, and complete the authentication of the requester ’s identity and the access password. management. Therefore, the access password is completely transparent to the information provider. The information provider does not need to assign an access password to the requester by itself. The information provider does not need to know the content of the access password to complete the entire authorization process, which greatly simplifies the information provision. End authorization mechanism. When the requesting end sends an access request to the information providing end, the data management server checks and verifies the access password of the requesting end, thereby improving the efficiency of the requesting end's access to the data of the information providing end. Brief description of the drawings

图 1为本发明授权验证系统结构示意图;  FIG. 1 is a schematic structural diagram of an authorization verification system according to the present invention;

图 2为本发明数据管理服务器授权验证实现的流程图。 实施本发明的方式  FIG. 2 is a flowchart of the authorization verification implementation of the data management server of the present invention. Mode of Carrying Out the Invention

下面结合附图对本发明进行详细描述。  The present invention is described in detail below with reference to the drawings.

本发明是通过访问密码的分配、 验证和管理全部由数据管理服务器 完成的方法来改进授权验证机制的。  The present invention improves the authorization verification mechanism by a method of allocating, verifying and managing access passwords performed by the data management server.

图 1为本发明授权验证系统结构示意图, 如图 1所示: 本发明的授 权验证系统主要由请求端 101、 数据管理服务器 102和信息提供端 103 组成。  FIG. 1 is a schematic structural diagram of an authorization verification system of the present invention, as shown in FIG. 1: The authorization verification system of the present invention is mainly composed of a requesting end 101, a data management server 102, and an information providing end 103.

其中, 数据管理服务器 102是指一种能够根据信息提供端 103授权 的不同请求端 101标识来分配不同的访问密码、 并且对访问密码进行管 理和验证的服务器。 该数据管理服务器 102可以独立成一个物理实体, 也可以作为一个功能模块集成在其他实体中。  The data management server 102 refers to a server capable of allocating different access passwords and managing and verifying the access passwords according to the identifiers of different requesters 101 authorized by the information provider 103. The data management server 102 may stand alone as a physical entity, or may be integrated as a functional module in other entities.

数据管理服务器 102从功能上可进一步划分为三个部分: 密码随机 产生器 104、 数据存储数据库 105和密码验证器 106。 密码随机产生器 104用于随机产生密码, 要求使用一定的标准算法使得产生的密码各不 相同且无规律性。 此处所采用的密码产生算法可随意选择, 如根据请求 端的标识加随机后缀等等。 数据存储数据库 105用于存储各信息提供端 103标识、 与其对应的请求端 101标识和密码随机产生器为请求端 101 分配的访问密码, 以及三者相互之间的对应关系。 密码验证器 106用于 从数据存储数据库 105中搜索出与当前某信息提供端的请求端相对应的 访问密码, 并将其与当前请求端 101提供的访问密码进行比较、 核对。 由此可见, 数据管理服务器 102可以是授权验证机制中新设置的一个功 能实体, 也可以是在现有技术中的密码验证服务器上增加密码随机产生 器 104部分, 如此, 即可实现数据管理服务器 102的全部功能。 The data management server 102 can be further divided into three parts in function: a random password generator 104, a data storage database 105, and a password validator 106. The random password generator 104 is used for randomly generating passwords, and requires using a certain standard algorithm to make the generated passwords different and irregular. The password generation algorithm used here can be arbitrarily selected, such as adding a random suffix based on the identity of the requesting end, and so on. The data storage database 105 is used to store the identifiers of the information providers 103, the identifiers of the requesters 101 corresponding thereto, the access passwords assigned by the random generator to the requesters 101, and the correspondence between the three. The password validator 106 is used to search the data storage database 105 for an access password corresponding to the current requester of an information provider, and compare and check the access password with the current access password provided by the current requester 101. It can be seen that the data management server 102 may be a newly set function in the authorization verification mechanism. The capable entity may also add a random password generator 104 part to the password verification server in the prior art. In this way, all the functions of the data management server 102 can be realized.

在本发明中, 信息提供端向数据管理服务器提供需要授权的请求端 标识名单, 该请求端标识可以是请求端名称等能够唯一标识请求端的信 息, 用以区分对应于该信息提供端的各个不同请求端。 数据管理服务器 中的密码随机产生器依据事先设定的标准算法为每个请求端随机分配 一个访问密码, 如采用依据请求端的标识加上随机后缀生成访问密码的 算法, 以保证每个请求端的访问密码各不相同且无规律性。 数据管理服 务器将访问密码通知相应的请求端。 该信息提供端的标识、 对应于该信 息提供端的每个请求端标识和分配的访问密码以及三者相互之间的对 应关系存储于数据管理服务器的数据存储数据库中。 请求端请求访问信 息提供端数据时, 请求端向数据管理服务器提供被访问信息提供端的标 识、 请求端标识及该请求端的访问密码。 数据管理服务器中的密码验证 器从数据存储数据库中搜索到与该信息提供端相对应的该请求端的访 问密码,将其与该信息提供端的请求端提供的访问密码进行比较、核对, 如果一致, 则请求端通过密码验证, 数据管理服务器通知该请求端接受 其访问请求; 如果不一致, 请求端未通过密码验证, 则数据管理服务器 通知该请求端拒绝其访问请求。  In the present invention, the information providing end provides the data management server with a list of identifications of the requesting end. The identification of the requesting end may be information such as the name of the requesting end that can uniquely identify the requesting end, and is used to distinguish different requests corresponding to the information providing end. end. The random password generator in the data management server randomly assigns an access password to each requesting end according to a preset standard algorithm. For example, an algorithm for generating an access password based on the identification of the requesting end and a random suffix is used to ensure the access of each requesting end. The passwords are different and irregular. The data management server notifies the corresponding requester of the access password. The identification of the information providing end, the identification of each requesting end corresponding to the information providing end, the assigned access password, and the corresponding relationship between the three are stored in the data storage database of the data management server. When the requester requests data from the information provider, the requester provides the data management server with the identifier of the accessed information provider, the identifier of the requester, and the access password of the requester. The password validator in the data management server searches the data storage database for the access password of the requesting end corresponding to the information providing end, and compares and checks it with the access password provided by the requesting end of the information providing end. If they are the same, The requesting end passes password authentication, and the data management server notifies the requesting end to accept its access request. If the requesting end does not pass the password verification, the data management server notifies the requesting end of rejecting its access request.

当信息提供端需要注销一些请求端的访问密码时, 只需向数据管理 服务器提供需要注销的请求端标识名单, 数据管理服务器根据该注销请 求端标识名单自动注销相应请求端原来的访问密码, 并通知相应请求 端。 如果这些请求端使用原来的访问密码将无法通过密码验证, 不能访 问信息提供端。  When the information provider needs to cancel the access passwords of some requesters, it only needs to provide the data management server with the requester ID list that needs to be canceled. The data management server automatically cancels the original access password of the corresponding requester according to the logout requester ID list, and notifies The corresponding requester. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider.

当信息提供端需要修改一些请求端的访问密码时, 只需向数据管理 服务器提供需要修改的请求端标识名单, 数据管理服务器根据该修改请 求端标识名单自动为该请求端重新分配访问密码, 同时将相应请求端原 来的访问密码注销。 数据管理服务器随后会将修改后的访问密码通知相 应请求端。 如果这些请求端使用原来的访问密码将无法通过密码验证, 不能访问信息提供端, 这些请求端只有使用新分配的访问密码才能通过 密码验证, 实现对信息提供端的访问。 When the information provider needs to modify the access password of some requesters, it is only necessary to provide the data management server with the list of requester IDs that need to be modified. The data management server requests The client identification list automatically re-assigns the access password for the requesting end, and at the same time logs off the original access password of the corresponding requesting end. The data management server will then notify the corresponding requester of the modified access password. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider. These requesters can pass the password verification only by using the newly assigned access password to achieve access to the information provider.

以移动通信网络中的位置业务为例, 预先在移动通信网絡中设置数 据管理服务器, 那么, 请求端在获取信息提供端地理位置时, 数据管理 服务器授权验证过程如图 2所示, 所述授权验证过程包括以下的步骤: 步骤 201〜步骤 203: 授权过程。 信息提供端向移动通信网络的数据 管理服务器提供其授权的请求端标识名单; 数据管理服务器中的密码随 机产生器为对应于该信息提供端的每个请求端分配一个访问密码, 数据 管理服务器中的数据存储数据库存储该信息提供端的标识、 对应于该信 息提供端的每个请求端标识和分配的访问密码以及三者相互之间对应 的关系; 数据管理服务器将分配的访问密码通知相应请求端。  Taking a location service in a mobile communication network as an example, a data management server is set in the mobile communication network in advance. Then, when the requesting end obtains the geographic location of the information providing end, the data management server authorization verification process is shown in FIG. 2, where the authorization The verification process includes the following steps: Step 201 ~ Step 203: Authorization process. The information providing end provides the authorized requester identification list to the data management server of the mobile communication network; the random password generator in the data management server assigns an access password to each requesting end corresponding to the information providing end. The data storage database stores the identifier of the information provider, the identifier of each requester corresponding to the information provider, the assigned access password, and the relationship between the three; the data management server notifies the corresponding requestor of the assigned access password.

步驟 204〜步骤 208: 验证过程。 请求端向移动通信网络的数据管理 服务器发出访问信息提供端地理位置的请求, 请求端向数据管理服务器 提供被访问信息提供端的标识、 请求端标识及该请求端的访问密码; 数 据管理服务器中的密码验证器从数据存储数据库中搜索到与该信息提 供端相对应的该请求端的访问密码, 将其与对应于该信息提供端的请求 端提供的访问密码进行比较、核对,如果一致, 则请求端通过密码验证, 数据管理服务器通知该请求端接受其访问请求; 否则, 请求端未通过密 码验证, 数据管理服务器通知该请求端拒绝其访问请求。  Step 204 ~ Step 208: The verification process. The requesting end sends a request to the data management server of the mobile communication network to access the geographic location of the information providing end, and the requesting end provides the data management server with the identification of the accessed information providing end, the identification of the requesting end, and the access password of the requesting end; the password in the data management server The validator searches the data storage database for the access password of the requesting end corresponding to the information providing end, and compares and checks it with the access password provided by the requesting end corresponding to the information providing end. If they are consistent, the requesting end passes For password verification, the data management server notifies the requester to accept its access request; otherwise, the requester fails the password verification, and the data management server notifies the requester to reject its access request.

在本实施例中, 当信息提供端需要注销一些请求端的访问密码时, 只需向移动通信网络的数据管理服务器提供需要注销的请求端标识名 单, 数据管理服务器根据该注销请求端标识名单自动注销相应请求端原 来的访问密码, 并通知相应请求端。 如果这些请求端使用原来的访问密 码将无法通过密码验证, 不能访问信息提供端。 In this embodiment, when the information provider needs to cancel the access passwords of some requesters, it only needs to provide the data management server of the mobile communication network with the requester ID list that needs to be deregistered, and the data management server automatically deregisters according to the cancellation requester ID list. Corresponding request source Incoming access password, and notify the corresponding requester. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider.

在本实施例中, 当信息提供端需要修改一些请求端的访问密码时, 只需向移动通信网络的数据管理服务器提供需要修改的请求端标识名 单, 数据管理服务器根据该修改请求端标识名单自动为相应请求端重新 分配访问密码, 并将相应请求端原来的访问密码注销。 数据管理服务器 会将修改后的访问密码通知相应请求端。 如果这些请求端使用原来的访 问密码将无法通过密码验证, 不能访问信息提供端, 这些请求端只有使 用新分配的访问密码才能通过密码验证, 访问信息提供端。  In this embodiment, when the information provider needs to modify the access password of some requesters, it only needs to provide the data management server of the mobile communication network with the requester identification list that needs to be modified, and the data management server automatically changes the requester identification list to The corresponding requesting end redistributes the access password and logs off the original accessing password of the corresponding requesting end. The data management server will notify the corresponding requester of the modified access password. If these requesters use the original access password, they cannot pass the password verification and cannot access the information provider. These requesters can use the newly assigned access password to pass the password verification and access the information provider.

当然, 在实际应用中, 本发明提出的有关信息提供端数据安全的授 权验证机制还可以应用于其他多种通信系统中。  Of course, in practical applications, the authorization verification mechanism related to data security of the information provider according to the present invention can also be applied to other various communication systems.

总之, 以上所述仅为本发明的较佳实施例而已 , 并非用于限定本发 明的保护范围。  In short, the above descriptions are merely preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.

Claims

权利要求书 Claim 1、一种信息提供端数据保护的方法, 当请求端要访问信息提供端所 提供的数据时, 首先要根据访问密码对其身份进行验证, 其特征在于该 方法还包括:  1. A method for data protection of an information provider. When a requester wants to access data provided by the information provider, it must first verify its identity based on the access password. The method is characterized in that the method further includes: A、 预先在请求端和信息提供端之间设置数据管理服务器, 由该数 据管理服务器为信息提供端授权的每个请求端分配对应于各请求端的 访问密码;  A. A data management server is set in advance between the requesting end and the information providing end, and the data management server allocates an access password corresponding to each requesting end to each requesting end authorized by the information providing end; B、 当请求端访问信息提供端时, 由步骤 A所设置的数据管理服务 器根据请求端提供的访问密码对其身份进行验证。  B. When the requester accesses the information provider, the data management server set in step A verifies its identity according to the access password provided by the requester. 2、 根据权利要求 1所述的方法, 其特征在于, 步骤 A中所述由数 据管理服务器为信息提供端授权的每个请求端分配对应于各请求端的 访问密码, 进一步包括: 数据管理服务器根据信息提供端向其提供的请 求端标识名单, 为每个请求端分配对应于各请求端的访问密码, 并将所 述访问密码通知相应请求端; 同时, 数据管理服务器存储信息提供端标 识、 请求端标识和访问密码及三者之间的对应关系。  2. The method according to claim 1, wherein in step A, the data management server allocates an access password corresponding to each requesting end to each requesting end authorized by the information provider, further comprising: The requester ID list provided to it by the information provider, assigns each requester an access password corresponding to each requester, and notifies the corresponding requester of the access password; at the same time, the data management server stores the identifier of the information provider, the requester Identification and access password and the corresponding relationship between the three. 3、 根据权利要求 1所述的方法, 其特征在于, 所述步驟 B进一步 包括:  3. The method according to claim 1, wherein the step B further comprises: Bl、 请求端请求访问信息提供端数据时, 向数据管理服务器提供被 访问信息提供端的标识、 请求端标识及所述清求端的访问密码;  Bl. When the requester requests access to the information provider data, it provides the data management server with the ID of the accessed information provider, the requester ID, and the access password of the requester; B2、数据管理服务器在自身存储的信息中搜索到与信息提供端相对 应的请求端的访问密码 , 将其与当前请求端所提供的访问密码进行比较 核对, 如果一致, 则所述请求端通过密码验证, 数据管理服务器通知该 请求端接受其访问请求; 否则, 所述请求端未通过密码验证, 数据管理 服务器通知该请求端拒绝其访问请求。 B2. The data management server searches for the access password of the requesting end corresponding to the information providing end in the information stored by the data management server, and compares it with the access password provided by the current requesting end. If they are the same, the requesting end uses the password. For verification, the data management server notifies the requesting end to accept its access request; otherwise, the requesting end fails the password verification, and the data management server notifies the requesting end to reject its access request. 4、根据权利要求 1所述的方法, 其特征在于该方法进一步包括: 信 息提供端注销请求端的访问密码时, 信息提供端向数据管理服务器提供 需要注销的请求端标识名单, 数据管理服务器根据该注销请求端标识名 单注销相应请求端原来的访问密码, 并通知相应请求端。 4. The method according to claim 1, further comprising: when the information provider logs off the access password of the requester, the information provider provides the data management server with a list of identifications of the requesters that need to log out, and the data management server The cancellation requester identification list cancels the original access password of the corresponding requester, and notifies the corresponding requester. 5、根据权利要求 1所述的方法, 其特征在于该方法进一步包括: 信 息提供端修改请求端的访问密码时, 信息提供端向数据管理服务器提供 需要修改的请求端标识名单 , 数据管理服务器根据该修改请求端标识名 单为相应请求端重新分配访问密码, 同时注销相应请求端原来的访问密 码, 并将修改后的访问密码通知相应请求端。  5. The method according to claim 1, further comprising: when the information providing end changes the access password of the requesting end, the information providing end provides the data management server with a list of identifications of the requesting end to be modified, and the data management server according to the Modify the identification list of the requesting end to re-assign the access password to the corresponding requesting end, at the same time cancel the original access password of the corresponding requesting end, and notify the corresponding requesting end of the modified access password. 6、 根据权利要求 1所述的方法, 其特征在于, 所述步雞 A是: 在 请求端和信息提供端之间预先设置至少包括密码随机产生器、 数据存储 数据库和密码验证器的数据管理服务器。  6. The method according to claim 1, wherein the step chicken A is: presetting data management including at least a random password generator, a data storage database, and a password validator between the requesting end and the information providing end. server.
PCT/CN2003/000871 2002-10-31 2003-10-17 A method of data protection for information provider Ceased WO2004054172A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003272873A AU2003272873A1 (en) 2002-10-31 2003-10-17 A method of data protection for information provider

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN02145981.9 2002-10-31
CN 02145981 CN1277366C (en) 2002-10-31 2002-10-31 Method of information providing end data protection

Publications (1)

Publication Number Publication Date
WO2004054172A1 true WO2004054172A1 (en) 2004-06-24

Family

ID=32477212

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2003/000871 Ceased WO2004054172A1 (en) 2002-10-31 2003-10-17 A method of data protection for information provider

Country Status (3)

Country Link
CN (1) CN1277366C (en)
AU (1) AU2003272873A1 (en)
WO (1) WO2004054172A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007051430A1 (en) * 2005-11-07 2007-05-10 Huawei Technologies Co., Ltd. Authentication password modification method, user agent server and user agent client based on sip
CN101047964B (en) * 2006-03-29 2010-10-27 华为技术有限公司 Method of ICR Data Configuration Consistency Check
CN100483988C (en) * 2006-07-17 2009-04-29 华为技术有限公司 Information propagating network and method for transmission information verification in network
CN108011858A (en) * 2016-11-02 2018-05-08 深圳中电长城信息安全系统有限公司 A kind of client-side management method and system, client, server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1298589A (en) * 1998-04-29 2001-06-06 艾利森电话股份有限公司 Method, arrangement and apparatus for authentication
JP2002007344A (en) * 2000-04-21 2002-01-11 Fujitsu Ltd Authentication system and method for multiple services
CN1341310A (en) * 1999-02-26 2002-03-20 英特尔公司 Protecting information in system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1298589A (en) * 1998-04-29 2001-06-06 艾利森电话股份有限公司 Method, arrangement and apparatus for authentication
CN1341310A (en) * 1999-02-26 2002-03-20 英特尔公司 Protecting information in system
JP2002007344A (en) * 2000-04-21 2002-01-11 Fujitsu Ltd Authentication system and method for multiple services

Also Published As

Publication number Publication date
CN1277366C (en) 2006-09-27
AU2003272873A1 (en) 2004-06-30
CN1494253A (en) 2004-05-05

Similar Documents

Publication Publication Date Title
CN110784433B (en) User access processing method, device and equipment
TWI706263B (en) Trust registration method, server and system
EP3005648B1 (en) Terminal identification method, and method, system and apparatus of registering machine identification code
US8474017B2 (en) Identity management and single sign-on in a heterogeneous composite service scenario
CN103795690B (en) A kind of method, proxy server and the system of cloud access control
CN105554004B (en) An authentication system and method for container services in a hybrid cloud computing environment
CN112738100B (en) Authentication method, device, authentication equipment and authentication system for data access
CN101540755B (en) Method, system and device for recovering data
JP2004185623A (en) Method and system for authenticating user associated with sub-location in network location
US20130144633A1 (en) Enforcement and assignment of usage rights
CN104216907A (en) Method, device and system for providing database access control
CN106330813A (en) Method, device and system for processing authorization
CN114417287B (en) Data processing method, system, device and storage medium
CN102752319A (en) Cloud computing secure access method, device and system
CN109756446A (en) A kind of access method and system of mobile unit
US7325143B2 (en) Digital identity creation and coalescence for service authorization
CN107404488A (en) A kind of same application multi-terminal equipment mutual exclusion method and device
CN101291220B (en) System, device and method for identity security authentication
CN114385995B (en) Method for accessing micro-service to industrial Internet through identification analysis based on Handle and identification service system
TW202242634A (en) Data storage system and method for controlling access to data stored in a data storage
CN114579951B (en) Service access method, electronic device and storage medium
CN101291221A (en) A method, communication system, and device for user identity privacy protection
WO2004054172A1 (en) A method of data protection for information provider
CN118890518A (en) A security authentication method for smart set-top box
KR101209812B1 (en) Method for access controll of client in home network system and apparatus thereof

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP