Design of identity authentication system for Broadband portal website

Source: Internet
Author: User

   Summary: This paper studies the functional requirements of the identity authentication system of the Hunan Tietong broadband portal and proposes a comprehensive solution covering unified authentication, authentication security and universality. The scheme uses centralized user management to realize unified authentication, a "one-time secret" together with a second authentication step to achieve good security, and a Web Services architecture to make the system universal.

   Key words: unified identity authentication; time stamp; Web Services

   Background

In the past, speed was the main attraction of broadband. Now that the number of broadband users has multiplied at an unprecedented rate, price and speed are no longer the main factors affecting Internet users; without rich content, users cannot really enjoy the "broadband journey". Hunan Railcom obtains a variety of content services from different content providers, services that are hard to enjoy over a narrowband connection, such as online downloads, VOD and online games, integrates them through the broadband portal and then provides them to users. Users can enjoy a wide range of content services by visiting the broadband portal site. To charge users for the content they use, the broadband portal must have a good authentication and billing system; this article mainly describes the design of the identity authentication system.

Target functions of the identity authentication system

From an analysis of the requirements of the whole broadband portal website, the identity authentication system must provide the following functions:

a) Provide a unified authentication approach. The content service systems of the broadband portal come from different content providers, and each has its own user system and authentication mode. Requiring the user to log in separately for every content service system is obviously an authentication method users find hard to accept. Therefore the identity authentication system must provide unified identity authentication, so that users log in once and gain access to the resources of the whole network.

b) Good scalability and integration. The broadband portal will keep adding new content services as it develops. The identity authentication system must therefore be scalable and easy to integrate: it must support the existing content business systems and their existing user systems, and when a new content business system is deployed or developed, the unified identity authentication service can serve as its identity authentication module. That is, a new content business system need not bring its own user system; it can integrate the service to obtain the equivalent function.

c) Cross-platform authentication. Each content business system has its own characteristics and runs on a different platform, yet must be able to interact with the identity authentication system. This requires the authentication system to provide a cross-platform authentication function.

d) Good security. Because users pay to use the content business systems, the identity authentication system must protect the users' security.

   Solution

1. Two ways of unified authentication

The core idea of the unified identity authentication system is to unify user storage, unify authorization to the application systems and standardize the user authentication mode of the content business systems, thereby improving the integrity, manageability and security of the whole system. A content business system must interact with the identity authentication system to determine whether a user may access it; the identity authentication system is responsible for the centralized authentication of users.

There are two ways for a user to reach a content service system: through the broadband portal, or by accessing the content service system directly. Corresponding to these two access paths, the authentication system provides two authentication methods.

The first authentication method: the user logs in directly to the content business system, which forwards the user name and password the user provides to the unified identity authentication service to verify whether they pass authorization. The process is shown in Figure 1.


Figure 1 The first authentication method

The second authentication method: the user first logs in to the unified identity authentication system, which verifies whether the user is a legitimately registered user; if so, the user obtains a privilege value. Since a legitimate user does not necessarily have the right to all content services, the content business system interacts with the unified identity authentication service, using this privilege value, to verify that access to the content business system is legitimate. The process is shown in Figure 2.


Figure 2 The second authentication method

2. Security plan

If the authentication credentials are passed from the client to the server in clear text, an attacker with basic network monitoring software on a host on the same network can capture the transmitted information and obtain the user's name and password. Against this threat, the identity authentication system encrypts the user name and password so that they are not transmitted over the network in clear text.

But threats remain: with an ordinary cryptographic algorithm, an attacker has the means to decrypt and obtain the user's password. Even with a stronger encryption algorithm that the attacker cannot decrypt for the time being, the attacker could still mount a session replay attack. One solution is to authenticate again when performing critical operations. For example, once the user passes authentication, he can enter the VOD on-demand page; when the user selects a VOD movie to play, the system asks the user to re-enter the user name and password and authenticates again. But this makes users enter user names and passwords frequently, which is undesirable.

A better approach is to combine the DES algorithm with a timestamp-based MD5 digest to encrypt the password of the accessing user, and to transmit the user name, password and time stamp encrypted together. Even if the attacker replays the captured message, the time stamp has changed, so it cannot pass authentication. And when a critical operation is performed, the content business system is validated again by the identity authentication system without the user re-entering the user name and password. Taking a user logging in to the VOD system in the first way as an example, the specific process is shown in Figure 3:


Figure 3 Encrypted authentication process

The process is described as follows:

1) The user submits the user name and password to the VOD system, and the VOD system forwards the user name to the identity authentication system.

2) The VOD system encrypts the user name, password and time stamp together to form a string pwd.

3) At the same time, the identity authentication system looks up the user's registered password by the user name, and forms a string pass from the user name, registered password and time stamp in the same way.

4) The VOD system sends pwd to the identity authentication system, which compares the two for consistency.

5) If they are consistent, the user is allowed to enter the VOD system page, where the user chooses a movie to watch.

6) The VOD system generates pwd again, the identity authentication system generates pass again, and the two are compared once more. If they are consistent, the movie is played.
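As an added example (not code from the paper or from the Hunan Railcom system), the following Python sketch implements the six-step flow above on both sides: the VOD system forms pwd, the identity authentication service forms pass and compares, and the critical operation is re-validated with a fresh time stamp without prompting the user. It assumes the digest is MD5 over the user name, password and time stamp joined with "|", that the time stamp is an integer number of seconds and travels with the message, that the service rejects time stamps more than 60 seconds off its own clock and remembers accepted messages so that an exact replay inside that window also fails, and that the DES layer the paper mentions is left out; none of these details are fixed by the paper.

```python
import hashlib
import hmac

# Constructed sample user store standing in for the centralized user management
# of the identity authentication system (assumption: the paper does not show one).
REGISTERED_USERS = {"alice": "s3cret-pw", "bob": "hunter2"}

# How far a message's time stamp may differ from the service clock (assumption).
MAX_SKEW_SECONDS = 60

# Messages the service has already accepted, so a byte-for-byte replay inside the
# window is rejected as well (assumption: a defensive addition to the paper's flow).
_accepted = set()


def make_pwd(userid: str, password: str, timestamp: int) -> str:
    """Content business system side (step 2): form the string pwd.

    MD5 over user name, password and time stamp as in the paper; the '|' separator
    is an assumption (a separator keeps "ab"+"c" and "a"+"bc" from colliding).
    """
    return hashlib.md5(f"{userid}|{password}|{timestamp}".encode()).hexdigest()


def check_login(userid: str, pwd: str, timestamp: int, now: int) -> str:
    """Identity authentication service side (steps 3 and 4): form pass and compare.

    Returns "allow" or "deny" (the paper only says the result is a string).
    """
    # A replayed message carries the old time stamp, so it fails the freshness check.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return "deny"
    # An exact replay inside the window is caught by the accepted-message set.
    if (userid, pwd) in _accepted:
        return "deny"
    registered = REGISTERED_USERS.get(userid)
    if registered is None:
        return "deny"
    expected = make_pwd(userid, registered, timestamp)  # the string pass
    # Constant-time comparison so the comparison itself leaks nothing about pass.
    if not hmac.compare_digest(expected, pwd):
        return "deny"
    _accepted.add((userid, pwd))
    return "allow"


def vod_login(userid: str, password: str, now: int):
    """Steps 1, 2, 4 and 5 from the VOD system's point of view.

    On success the VOD system keeps the credentials in its session so it can
    re-validate later without prompting the user; on failure it returns None.
    """
    pwd = make_pwd(userid, password, now)
    if check_login(userid, pwd, now, now) != "allow":
        return None
    return {"userid": userid, "password": password}


def vod_play_movie(session: dict, now: int) -> bool:
    """Step 6: re-validate with a fresh time stamp before the critical operation."""
    pwd = make_pwd(session["userid"], session["password"], now)
    return check_login(session["userid"], pwd, now, now) == "allow"


if __name__ == "__main__":
    import time

    t = int(time.time())
    session = vod_login("alice", "s3cret-pw", t)
    print("login:", "allow" if session else "deny")
    print("play movie:", vod_play_movie(session, t + 5))
    # Replaying the original login message two minutes later is denied.
    print("replay:", check_login("alice", make_pwd("alice", "s3cret-pw", t), t, t + 120))
```

The structure of the check is what the paper describes: the service recomputes the digest from the registered password, a stale or already-seen message is refused, and the second validation at the critical operation needs no password re-entry because the VOD system holds the credentials in its session. Two caveats are worth knowing when reading the scheme today: an unkeyed MD5 of a concatenation is a digest, not a message authentication code, and MD5 is no longer collision resistant, so a current design would use an HMAC over the same fields; and keying the accepted-message set by (user, pwd) means two legitimate requests in the same second collide, which a per-request nonce would avoid.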

3. Common interface

In order to let content business systems running on different platforms access the identity authentication system, and to let the identity authentication system keep integrating new content business systems, once the unified authentication function and the security functions of the identity authentication system are implemented we adopt the Web Services technology architecture and turn the identity authentication system into an identity authentication service.

The service describes the functions provided by the identity authentication system as a generic service interface in the WSDL language. In it, the identity authentication service is described as a function offered to the content business system, whose input parameters are the user name, the user password and the ID of the content business system, and whose output parameter is a string indicating whether the user can access the content business system.
The following is the WSDL description of the identity authentication interface:

<?xml version="1.0" encoding="UTF-8"?>
<definitions name="RailwayHelperRemoteInterface"
    targetNamespace="http://www.railwayhelper.com/definitions/RailwayHelperRemoteInterface"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://www.railwayhelper.com/definitions/RailwayHelperRemoteInterface"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <message name="LoginRequest">
    <part name="userid" type="xsd:string"/>
    <part name="password" type="xsd:string"/>
    <part name="serviceid" type="xsd:string"/>
  </message>
  <message name="LoginResponse">
    <part name="result" type="xsd:string"/>
  </message>
  <portType name="RailwayHelperJavaPortType">
    <operation name="Login">
      <input name="LoginRequest" message="tns:LoginRequest"/>
      <output name="LoginResponse" message="tns:LoginResponse"/>
    </operation>
  </portType>
  <binding name="RailwayHelperBinding" type="tns:RailwayHelperJavaPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="Login">
      <soap:operation soapAction="" style="rpc"/>
      <input name="LoginRequest">
        <soap:body use="encoded"
            encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
            namespace="http://tempuri.org/Creator.javabean.railwayhelper"/>
      </input>
      <output name="LoginResponse">
        <soap:body use="encoded"
            encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
            namespace="http://tempuri.org/Creator.javabean.railwayhelper"/>
      </output>
    </operation>
  </binding>
</definitions>
This interface describes the Login function provided by the authentication service. Its input parameters are userid (the user name), password (the string pwd obtained by encrypting the user name, password and time stamp together) and serviceid (the content business system number). The return value is a string indicating whether the user is allowed to log in to the content business system.

Regardless of the platform on which the content business system runs, as long as it sends the user name and pwd to the identity authentication service in a SOAP message, following the WSDL interface description and the SOAP protocol specification, the authentication service returns the authentication result to the content business system in a SOAP message. The content business system does not need to know how the authentication service is implemented, which realizes universal cross-platform authentication.
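The SOAP exchange described in this section and in the WSDL interface above, as an added Python example (not code from the paper or from the Hunan Railcom service): the content business system builds the Login request, the identity authentication service parses it and answers, and the content business system reads the result or a SOAP Fault. It assumes SOAP 1.1 RPC/encoded messages as the binding declares, the operation namespace given by the WSDL's soap:body element, lowercase part names userid, password, serviceid and result, and that the result string is "allow" or "deny" (the paper only says it is a string); the pwd value is treated as an opaque string already computed by the content business system.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
XSD = "http://www.w3.org/2001/XMLSchema"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Operation namespace: the soap:body namespace attribute in the WSDL.
OP_NS = "http://tempuri.org/Creator.javabean.railwayhelper"

ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("xsi", XSI)
ET.register_namespace("auth", OP_NS)  # prefix chosen here; any prefix is valid


def _envelope():
    """Empty SOAP 1.1 envelope carrying the encoding style the WSDL binding declares."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope",
                     {f"{{{SOAP_ENV}}}encodingStyle": SOAP_ENC, "xmlns:xsd": XSD})
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    return env, body


def build_login_request(userid: str, pwd: str, serviceid: str) -> bytes:
    """Content business system side: RPC style puts the parts under an element
    named after the operation, each part typed with xsi:type as the WSDL says."""
    env, body = _envelope()
    op = ET.SubElement(body, f"{{{OP_NS}}}Login")
    for name, value in (("userid", userid), ("password", pwd), ("serviceid", serviceid)):
        part = ET.SubElement(op, name, {f"{{{XSI}}}type": "xsd:string"})
        part.text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_login_request(xml_bytes: bytes) -> dict:
    """Identity authentication service side: recover the three parts, refusing
    envelopes that do not carry a complete Login call."""
    root = ET.fromstring(xml_bytes)
    op = root.find(f"{{{SOAP_ENV}}}Body/{{{OP_NS}}}Login")
    if op is None:
        raise ValueError("Body does not contain a Login call")
    parts = {}
    for name in ("userid", "password", "serviceid"):
        value = op.findtext(name)
        if value is None:
            raise ValueError(f"missing part {name}")
        parts[name] = value
    return parts


def build_login_response(result: str) -> bytes:
    """Identity authentication service side: one result part under LoginResponse."""
    env, body = _envelope()
    resp = ET.SubElement(body, f"{{{OP_NS}}}LoginResponse")
    part = ET.SubElement(resp, "result", {f"{{{XSI}}}type": "xsd:string"})
    part.text = result
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_login_response(xml_bytes: bytes) -> str:
    """Content business system side: return the result string, or raise on a SOAP Fault."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        raise RuntimeError(f"SOAP Fault: {fault.findtext('faultstring')}")
    result = body.findtext(f"{{{OP_NS}}}LoginResponse/result")
    if result is None:
        raise ValueError("no result part in LoginResponse")
    return result


# Constructed sample messages in the shape the service would return (not captured traffic).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soapenv:Body>
    <auth:LoginResponse xmlns:auth="http://tempuri.org/Creator.javabean.railwayhelper">
      <result xsi:type="xsd:string">deny</result>
    </auth:LoginResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Client</faultcode>
      <faultstring>missing part serviceid</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    request = build_login_request("alice", "0123abcd", "VOD01")
    print(request.decode())
    print(parse_login_request(request))
    print(parse_login_response(build_login_response("allow")))
    print(parse_login_response(SAMPLE_RESPONSE))
```

The service-side parser deliberately refuses a request with a missing part instead of defaulting it, and the client-side parser distinguishes a SOAP Fault from a "deny" result, so a transport or encoding failure is never read as an authentication decision; only the envelope format is platform-specific, which is the universality the section argues for.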

   Concluding remarks

The broadband portal identity authentication scheme described above has been applied to the Hunan Railcom broadband portal site and has achieved good results.
