CN104270338A - A method and system of electronic identity registration and authentication login - Google Patents

Publication number
CN104270338A
Authority
CN
China
Prior art keywords
identity
registration
information
password
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410440273.8A
Other languages
Chinese (zh)
Other versions
CN104270338B (en)
Inventor
刘文印
邱彼特
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Login Beijing Technology Co ltd
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201410440273.8A (patent CN104270338B)
Priority to CN201710574725.5A (patent CN107302539B)
Publication of CN104270338A
Application granted
Publication of CN104270338B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Abstract

The invention discloses a method of electronic identity registration and authentication login. The method of electronic identity registration and authentication login comprises: an identity information acquisition step, wherein a user agent on a mobile terminal acquires encrypted identity information on a system and encrypted session information between a system agent and the system through the system agent; a registration information generation step, wherein the user agent executes decryption according to reception of the encrypted identity information and the encrypted session information to generate automatically a uniform identity code, encrypts registration login information containing the uniform identity code, and sends the encrypted registration login information to the system for identity registration; and an identity registration step, wherein the system executes decryption after reception of the encrypted registration login information containing the uniform identity code, and automatically executes identity registration operation. The invention also discloses a system of electronic identity registration and authentication login.

Description

A method and system for electronic identity registration and authentication login
Technical field
The present invention relates to computer technology in the field of information security, and in particular to a method and system for electronic identity registration and authentication login based on a Unified Identity code.
Background technology
Traditional system login authentication interfaces require each user to register in advance on each system by setting a user name (UserID, also called digital identity, login name or account) and password; the user must remember them and supply the corresponding user name and password at every login so that the system can authenticate the user. Later, to stop robots (programs that automatically and continuously guess and generate user names and passwords in order to log in, also called automatic login bots), many websites adopted verification codes (CAPTCHAs), a method disclosed in the following documents:
(1) "CAPTCHA: Using hard AI problems for security", in Advances in Cryptology, E. Biham, Ed., vol. 2656 of Lecture Notes in Computer Science (Springer, Berlin, 2003), pp. 294-311, by L. von Ahn, M. Blum, N. Hopper, J. Langford;
(2) "Telling humans and computers apart automatically: How lazy cryptographers do AI", Communications of the ACM 47 (2), pp. 56-60, 2004, by L. von Ahn, M. Blum, J. Langford.
In recent years the method of double verification codes (reCAPTCHAs) has also come into use. It is disclosed in the following document: "reCAPTCHA: Human-Based Character Recognition via Web Security Measures", Science, vol. 321, pp. 1465-1468, September 12, 2008, by Luis von Ahn, Benjamin Maurer, Colin McMillen, David Abraham, Manuel Blum.
Because each system's login interface requires the user to enter the user name and password set at registration, remembering the user name and password for every system is burdensome for human users, and these user names and passwords are also easily captured by phishing websites or network fraud. All of this makes system login inconvenient for human users.
Network fraud is a criminal act of obtaining people's sensitive information, such as user names, passwords and credit card information, by impersonating a genuine website. In recent years cases of network fraud have increased sharply, and they are increasingly difficult to see through. Network fraud causes huge economic losses worldwide.
To prevent fraudsters from logging in with stolen passwords, many online banking systems have in recent years used double authentication (two-factor authentication), which additionally requires the user to use a one-time password (or verification code) generator (device) to generate a one-time password as a supplement to the conventional password. But carrying a password generator for each bank is also very inconvenient for the user.
The invention titled "Sensitive operation verification method, terminal equipment, server and verification system", application number CN103825734A, discloses: (1) a method that verifies sensitive operations, including login and transfers, by scanning a code with a mobile terminal (the first terminal) without requiring the user to enter a user name and password, but it does not include automatic user registration (registration can only be done manually); (2) that invention requires downloading an application (App), used to send verification requests, to the first terminal (the mobile terminal) from the server of each party involved in the sensitive operation; when there are multiple such servers, downloading multiple corresponding applications is also inconvenient for the user.
The invention titled "Page login method and server", application number CN102769628A, discloses: (1) an application module on the scanning terminal (such as QQ or WeChat, i.e. the user agent in the present invention) must first send a login instruction to the server (i.e. the system in the present invention), and only after the server authorizes the account corresponding to that instruction to log in to the application module can the user log in on the display terminal by scanning a code; (2) the server judges whether the identification code on the display terminal has been scanned (by judging whether the scan information received by the server contains the verification information in the identification code), which increases the traffic to the server and its burden.
The invention titled "Login method and device, terminal, and network server", application number CN103297408A, discloses: only one terminal is involved, which is mainly the System Agent, so there is no need to scan to obtain system identity information; this terminal stores the user name and its actual login password (the so-called second password) in advance, and the user also defines a local password (the so-called first password); after the terminal obtains this local password and it matches, the second password is sent to the system server for verification and login on this terminal.
Existing single sign-on (SSO) methods (1) are generally intended for the different information systems within one organization, where logging in once to one system gives access to the others (the user name and password are generally the same on all systems, but may differ); (2) require only one login on one system to obtain access authorization for the other related systems. In the present invention, by contrast, the user has a different user name and password on each system and must log in to each system to access it; these user names and passwords simply do not need to be set, remembered or entered by the user, but are generated automatically by the user agent at registration on the system and sent automatically by the user agent to the system server at login.
The invention titled "A convenient multi-screen multi-factor web identity authentication method", application number CN201410065291, discloses: (1) the user's authentication agent (i.e. user agent) must connect directly over a wireless network to the system's authentication agent (i.e. System Agent), so the System Agent must be equipped with Wi-Fi. (2) The information contained in the QR code in that invention is mainly information on how to connect to its System Agent, such as Wi-Fi name and address. (3) That invention discloses WS, a centralized authentication server set up separately on the network, which is the core of that reference; every system login must be verified once on WS, and the three-layer mapping binding of device DID, user UID and service SPID is also implemented on WS. (4) The authentication information flows from the user agent to the System Agent, then to the system (server), then to WS. (5) The idea of that invention is still the idea of SSO, namely that successful verification on WS authorizes automatic login to all bound SP systems. First, this WS is a newly established, independent, centralized authentication server; with a large number of SPs its workload is very large (it may be workable within one organization), and for all users and all SPs worldwide its feasibility is low; second, the SPs' trust in this WS is the biggest problem. The main idea of the present invention is not SSO: each system is still logged in to separately (only automatically, by scanning a code), and the relationships and authentication flows of existing systems are not changed; only the way system login names and passwords are generated is changed, and the Unified Identity website has only auxiliary management functions, for the convenience of operations such as backup and download.
The invention titled "Implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor web authentication", application number CN103856332A, discloses a one-to-many account binding method: the (many-to-many) binding of device DID to service SPID is realized through the user UID on WS (i.e. two tables bind DID and SPID respectively to UID), and the binding process requires manually entering the registered login SPID and its password.
Summary of the invention
The object of the present invention is to provide an electronic identity registration and authentication login method, to solve the problem that the identity registration and authentication login methods of the prior art cannot register automatically and authenticate login automatically.
To achieve the above object, the present invention proposes an electronic identity registration and authentication login method, characterized in that it comprises:
Identity information obtaining step: the user agent on a mobile terminal obtains, through a System Agent, the encrypted identity information of a system and the encrypted dialog information between that System Agent and the system;
Log-on message generation step: after receiving the encrypted identity information and dialog information, the user agent decrypts them and automatically generates a Unified Identity code, encrypts the registration log-on message containing the Unified Identity code, and sends it to the system for identity registration;
Identity registration step: after receiving the registration log-on message containing the Unified Identity code, the system decrypts it and automatically performs the identity registration operation.
The above electronic identity registration and authentication login method is characterized in that, before the identity information obtaining step, it further comprises:
User agent setting step: after registering and logging in on a Unified Identity website, an application program serving as the user agent and containing a Unified Identity bag is downloaded to the mobile terminal;
User agent login step: logging in by collecting the user's biometric information through a biometric collection module arranged on the mobile terminal, or logging in by entering the pre-registered user name and password of the user agent on the mobile terminal, or signing in to the user agent by any existing authentication login method.
The above electronic identity registration and authentication login method is characterized in that, after the identity information obtaining step, it further comprises:
Identity registration information query step: the user agent queries the Unified Identity bag according to the received system identity information; if the system identity information exists, it finds the user name and password corresponding to that system identity information in the Unified Identity bag, encrypts the user name and password together with the dialog information and sends them to the system, and after decryption the system performs automatic login and the corresponding authorization; otherwise, the log-on message generation step is performed.
The above electronic identity registration and authentication login method is characterized in that it further comprises:
Account merging step: merging multiple accounts that the same user holds on the same system.
The above electronic identity registration and authentication login method is characterized in that it further comprises:
Unified Identity bag update step: synchronizing the Unified Identity bag on the mobile terminal with the one on the Unified Identity website.
The above electronic identity registration and authentication login method is characterized in that, after the identity registration step, it further comprises:
Direct login step: the user agent and the Unified Identity bag can be used together on the same mobile terminal or the same fixed terminal; a system is selected from all the registered system identity information stored in the Unified Identity bag, and the user name and password corresponding to that system are retrieved and sent to the system, together with the dialog information between the System Agent and the system, to log in directly; after successful login the system returns an authorization interface to the System Agent, the authorization interface being an application program interface connected to the system or a general browser interface connected to the system.
The above electronic identity registration and authentication login method is characterized in that the registration log-on message comprises: the Unified Identity code, and/or the system identity information and the dialog information between the System Agent and the system.
The above electronic identity registration and authentication login method is characterized in that the Unified Identity code comprises a user name and password with which the user logs in to the system; the user name and/or password are generated randomly or according to an algorithm, and the Unified Identity code can be replaced automatically at regular intervals.
The above electronic identity registration and authentication login method is characterized in that the log-on message generation step further comprises:
User name generation step: the identity information of the user agent is converted to an N-bit value, the system identity information to an M-bit value, the system time to a P-bit value, and a generated random number to a Q-bit value; the N-bit, M-bit, P-bit and Q-bit values are filled into the Unified Identity code according to a predetermined rule to generate the user name;
Password generation step: a generated random number is converted to a W-bit value, which is filled into the Unified Identity code according to a predetermined rule to generate the password;
Visible character generation step: if the system requires visible characters, or characters from a specific character set, in the user name and password, the ASCII integer corresponding to each character of the user name generated in the user name generation step and of the password generated in the password generation step is divided to take the remainder (modulo), and the corresponding characters in the user name and password are replaced according to the modulo result and a predetermined rule.
The above electronic identity registration and authentication login method is characterized in that the identity registration step further comprises:
Log-on message system query step: after receiving the registration log-on message, the system looks up the user name in the Unified Identity code in its registration database; if the lookup fails, it automatically performs the identity registration operation and returns a successful registration result to the user agent and the System Agent; after successful registration or login with the user name and password, the system grants the corresponding dialog authorization to the System Agent, and the user agent stores the user name, the password and the system's identity information in the Unified Identity bag; otherwise, it returns a result that the user name already exists or that registration failed to the user agent, and the user agent performs the log-on message generation step again.
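The identity registration information query step, the user name, password and visible character generation steps, and the system-side query step above can be put together as follows. This is an added Python example, not part of the patent text; the field widths, the truncated SHA-256 conversion, the field order, the 64-character alphabet, the PBKDF2 storage and all sample identifiers are assumptions, and the encryption of messages between user agent and system is omitted.

```python
import hashlib
import hmac
import secrets
import time

# Assumed field widths in bits; the text names N, M, P, Q and W but gives no values.
N_BITS, M_BITS, P_BITS, Q_BITS, W_BITS = 32, 32, 32, 32, 128
# 64 visible characters: 256 % 64 == 0, so reducing a byte modulo 64 is unbiased.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def to_bits(value, width):
    """Identity string -> fixed-width integer (assumed conversion: truncated SHA-256)."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - width)


def to_visible(raw):
    """Visible character step: each byte value modulo the alphabet size picks a character."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def generate_username(agent_id, system_id, now, nonce):
    """Fill the N, M, P and Q bit fields in that order (assumed rule), then make them visible."""
    fields = [
        (to_bits(agent_id, N_BITS), N_BITS),
        (to_bits(system_id, M_BITS), M_BITS),
        (now % (1 << P_BITS), P_BITS),
        (nonce % (1 << Q_BITS), Q_BITS),
    ]
    packed, total = 0, 0
    for value, width in fields:
        packed = (packed << width) | value
        total += width
    return to_visible(packed.to_bytes(total // 8, "big"))


def generate_password():
    """W random bits from the OS CSPRNG; at 6 bits per character, 16 characters carry 96 bits."""
    return to_visible(secrets.token_bytes(W_BITS // 8))


class System:
    """Server side: registers unknown user names and rejects ones that already exist."""

    def __init__(self, system_id):
        self.system_id = system_id
        self._accounts = {}  # user name -> (salt, password hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, username, password):
        if username in self._accounts:
            return False  # "user name already exists": the agent must generate again
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._hash(password, salt))
        return True

    def login(self, username, password):
        salt, stored = self._accounts.get(username, (b"\x00" * 16, b""))
        return hmac.compare_digest(stored, self._hash(password, salt))


class UserAgent:
    """Client side: holds the Unified Identity bag (system id -> user name, password)."""

    def __init__(self, agent_id, clock=None, nonce_source=None):
        self.agent_id = agent_id
        self.bag = {}
        self._clock = clock or (lambda: int(time.time()))
        self._nonce = nonce_source or (lambda: secrets.randbits(Q_BITS))

    def authenticate(self, system, max_attempts=5):
        """Log in if the system is in the bag; otherwise register, retrying on collision."""
        if system.system_id in self.bag:
            username, password = self.bag[system.system_id]
            return ("login", system.login(username, password))
        for attempt in range(1, max_attempts + 1):
            username = generate_username(
                self.agent_id, system.system_id, self._clock(), self._nonce())
            password = generate_password()
            if system.register(username, password):
                self.bag[system.system_id] = (username, password)
                return ("registered", attempt)
        raise RuntimeError("registration failed: repeated user name collisions")


if __name__ == "__main__":
    # Constructed sample identifiers, for illustration only.
    shop = System("shop.example")
    agent = UserAgent("agent-001")
    print(agent.authenticate(shop))  # first scan: automatic registration
    print(agent.authenticate(shop))  # later scans: automatic login from the bag
```

With a character set whose size does not divide 256, the modulo step would favour some characters, so such a set needs rejection sampling instead of a plain remainder.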
The above electronic identity registration and authentication login method is characterized in that, in the identity information obtaining step, the identity information and the dialog information are encrypted and then hidden in an audio signal, one-dimensional code or QR code, and the user agent obtains the encrypted identity information and dialog information through an audio receiver, camera or scanner arranged on the mobile terminal.
The present invention also provides an electronic identity registration and authentication login system that uses the electronic identity registration and authentication login method described above, characterized in that the system comprises:
Identity information acquisition module: the user agent on a mobile terminal obtains, through a System Agent, the encrypted identity information of a system and the encrypted dialog information between that System Agent and the system;
Log-on message generation module: after receiving the encrypted identity information and dialog information, the user agent decrypts them and automatically generates a Unified Identity code, encrypts the registration log-on message containing the Unified Identity code, and sends it to the system for identity registration;
Identity registration module: after receiving the registration log-on message containing the Unified Identity code, the system decrypts it and automatically performs the identity registration operation.
The above electronic identity registration and authentication login system is characterized in that it further comprises:
User agent setting module: after registering and logging in on a Unified Identity website, an application program serving as the user agent and containing a Unified Identity bag is downloaded to the mobile terminal;
User agent login module: logging in by collecting the user's biometric information through a biometric collection module arranged on the mobile terminal, or logging in by entering the pre-registered user name and password of the user agent on the mobile terminal, or signing in to the user agent by any existing authentication login method.
The above electronic identity registration and authentication login system is characterized in that it further comprises:
Identity registration information query module: the user agent queries the Unified Identity bag according to the received system identity information; if the system identity information exists, it finds the user name and password corresponding to that system identity information in the Unified Identity bag, encrypts the user name and password together with the dialog information and sends them to the system, and after decryption the system performs automatic login and the corresponding authorization; otherwise, the log-on message generation operation is performed.
The above electronic identity registration and authentication login system is characterized in that it further comprises:
Account merging module: merging multiple accounts that the same user holds on the same system.
The above electronic identity registration and authentication login system is characterized in that it further comprises:
Unified Identity bag update module: synchronizing the Unified Identity bag on the mobile terminal with the one on the Unified Identity website.
The above electronic identity registration and authentication login method is characterized in that it further comprises:
Direct login module: the user agent and the Unified Identity bag can be used together on the same mobile terminal or the same fixed terminal; a system is selected from all the registered system identity information stored in the Unified Identity bag, and the user name and password corresponding to that system are retrieved and sent to the system, together with the dialog information between the System Agent and the system, to log in directly; after successful login the system returns an authorization interface to the System Agent, the authorization interface being an application program interface connected to the system or a general browser interface connected to the system.
Compared with the methods of the prior art, the main beneficial effects of the present invention are as follows. The invention can automatically register a user name and password for the user on each system to be logged in to and store them together on the mobile terminal in a local database called the Unified Identity bag; the user does not need to remember these user names and passwords, and when logging in to a system, a simple operation automatically retrieves the corresponding user name and password and sends them to the system for automatic login. There is no need to download a separate application from each system; a single application called the user agent can issue the verification requests required by every system to be logged in to. The user agent, as a local client application module, does not need authorization from a server before it can be logged in to; this local client application module performs local verification independently, and local verification is not even mandatory: the local side may require no verification, or remain in the verified state at all times, only with a weaker security level. The invention only needs the user agent to judge whether the QR code (or one-dimensional code or audio signal) containing the system identity information was scanned successfully; successful parsing means a successful scan.
At the same time, in the method of the present invention the user agent on the mobile device automatically generates the user's user name and password on the system and then binds them automatically; by uploading the Unified Identity bag to the Unified Identity website and then downloading it to other mobile devices, a similar many-to-many binding of devices and services is achieved. This many-to-many binding is not explicit, and the binding is not mandatory; each device has one table, namely the Unified Identity bag, and at login the log-on message is sent from the device directly to the system.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the electronic identity registration and login method of the present invention;
Fig. 2 is a schematic flow chart of the log-on message generation step of the electronic identity registration and login method of the present invention;
Fig. 3 is a schematic diagram of an embodiment of the electronic identity registration and login method of the present invention;
Fig. 4 is a schematic diagram of an embodiment of the Unified Identity code structure of the present invention;
Fig. 5 is a schematic structural diagram of the electronic identity registration and login system of the present invention.
Reference numerals:
1 user agent setting module
2 user agent login module
3 identity information acquisition module
4 identity registration information query module
5 log-on message generation module
6 identity registration module
7 account merging module
8 Unified Identity bag update module
9 direct login module
S1 ~ S9, S51 ~ S53, S61: implementation steps of the embodiments of the present invention
Embodiments
The present invention is described below with reference to the drawings and specific embodiments, which do not limit the invention. For example, the identity information of the system can be hidden in a graphic such as a QR code or one-dimensional code, or in an audio signal, and the user agent obtains such information through the corresponding scanning device and program; the present invention is described mainly with scanning a QR code as the embodiment of obtaining the system's identity information, which does not limit the way system identity information is obtained in the present invention.
The present invention is further described below with reference to the drawings and specific embodiments.
The technical problem solved by the present invention is to make it convenient for users to register on and log in to each system, such as a website or stand-alone system and/or hardware system, and for systems to authenticate user login. It develops a unified login protocol that centrally manages all of a user's user names (login names, also called digital identities) and passwords on different systems, while avoiding the problem of fake websites.
The present invention not only thoroughly solves the problem of fake and phishing websites, but also lets the user manage login names and passwords for all systems in one place without remembering numerous passwords; the user only needs to remember the password of one application (the user agent) on a mobile terminal, or use biometric information for authentication, which greatly improves convenience, efficiency and security. With cloud management, for example, even if the hardware carrying the user agent and Unified Identity bag, such as a dedicated mobile device or general-purpose device (e.g. a mobile phone), is lost, they can be downloaded again from the cloud or a designated channel after strict verification.
Fake and phishing websites cannot obtain the user's personal information on the genuine website, such as login name and password, so the deception cannot succeed. A phishing website might try to use the victim's user agent and Unified Identity bag to log in to the target system, but the user agent and Unified Identity bag are not easily stolen, authentication can be required again before use (such as pressing a fingerprint reader), and the carrying device must scan the QR code of the genuine website, so the possibility that a phishing website successfully logs in to a system with the victim's user agent and Unified Identity bag is very small. If a genuine user scans the QR code of a fake website and that code presents the fake website's identity, the user has in effect merely registered on the fake website, and as long as no sensitive information is subsequently provided there is no large loss; and if the fake website presents the QR code of the genuine website, through whatever channel it was obtained, the user's scan simply logs in to the genuine website, so there is no loss either.
The invention provides a Unified Identity website beyond the clouds, the system of each employing registration of the present invention and login method needs to register in this Unified Identity website, obtain a set of PKI and private key and a parsing deciphering software kit that distribute public key encryption system, each user agent also obtains when downloading Unified Identity bag in this Unified Identity website and distributes a set of PKI and private key and resolve deciphering software kit, based on can resolve when communicating between this user agent and system deciphering the other side the information sent out.
If the people of malice is by registering in Unified Identity website, obtain a set of corresponding software program and information, can not draw corresponding cryptographic algorithm or private key or password by reverse engineering, because existing public key encryption algorithm is safe, this is general knowledge well known in the art.
In order to avoid robot bots rogue program constantly the Quick Response Code of scanning system send request and will automatically register or log in, the username and password that the present invention generates adopts special form, can identify whether this request is the username and password generated from the user agent that the present invention is legal, if illegal, then ignore this request, if and certain terminal of judgement or user agent propose this generic request continuously thick and fast, such request a period of time also can be refused.User agent from the present invention on common apparatus and the user agent on special hardware only need register once on the target system, and next time, barcode scanning directly logged in again, and easy user logs in.
As shown in Figure 1, the electronic identity registration and authentication login method provided by the invention comprises:
User agent setup step S1: after registering on a Unified Identity website, download to a mobile terminal an application that serves as the user agent and contains a Unified Identity package;
After registering on the Unified Identity (UUUID) website (setting username UID1 and password pwd1), the user downloads an application called the user agent (UUUID App), which contains a Unified Identity package (UUUID Package), to one or more dedicated or general-purpose mobile devices (mobile phone, iPad, etc.). This username and password (UID1 and pwd1) are valid for both the Unified Identity website and the user agent downloaded to the mobile device. Each user agent has a serial number or ID to facilitate later management. The user agent can also be given a username UID2 and password pwd2 different from UID1 and pwd1. After a successful download, the Unified Identity website also records the serial number or ID of the user agent for later management.
When a dedicated mobile device is issued to a user, it already contains a registered and downloaded user agent and Unified Identity package; its username and password are preset and can be changed after the first login. Such a dedicated mobile device can also be set up to log in with a fingerprint or other biometric information.
Immediately after the user agent and Unified Identity package are first obtained, or at any time before or after formal use, the user can set a username, a password and/or real identity information, including but not limited to an identity card number or passport number, and/or biometric identity information such as fingerprint, iris or voice. Until these are set, authentication by real identity and/or biometric identity information is not possible, and so the contents of the Unified Identity package cannot be recovered through such authentication after loss or damage.
The user agent and Unified Identity package and/or the Unified Identity website include a function for manual identity verification using real identity and/or biometric identity information. When automatic authentication by username and password is not possible, for example when the username and/or password has been forgotten, manual verification can be carried out with real identity information and/or biometric identity information.
The user can upload the Unified Identity package to the Unified Identity website server for storage. When the mobile device or apparatus storing the user's Unified Identity package and/or the user agent application is lost or damaged, the user can obtain a new device or download and generate a new user agent application; after authenticating the user's identity, the Unified Identity website lets the Unified Identity package be downloaded to the new device and new user agent.
The method of the invention also provides a step in which the Unified Identity website and an authorized body carry out mutual verification of whether each system requesting registration is a genuine applicant. For important systems in particular, this mutual verification includes obtaining contact details from the business registration and contacting the applicant, or signing an agreement. This greatly increases the cost of impersonation and thereby reduces or deters network attackers.
User agent login step S2: log in to the user agent by collecting the user's biometric information with a biometric acquisition module on the mobile terminal, by entering the pre-registered username and password of the user agent on the mobile terminal, or by any existing authentication and login method.
Before use, the user agent on each device requires a login on that device with username UID1 and password pwd1. After login it first synchronizes with the Unified Identity website, checking whether its Unified Identity package has been updated and downloading the update if so. On a dedicated mobile device, or a general-purpose device equipped with biometric authentication, login can use a fingerprint or other biometric information.
Identity information acquisition step S3: the user agent on a mobile terminal obtains, through a system agent, the encrypted identity information of a system and the session information between that system agent and the system.
The user obtains a system agent of the system on a terminal by launching a client program of the system, or by visiting the system's registration and/or login web page in a general-purpose browser or a dedicated program. The system agent is an application, or part of an application, that displays the system's information and communicates with the system server. The system agent includes a registration/login interface of the system; registration and login may share one interface or use separate ones. The system agent also includes the system's identity information, including but not limited to the system name and URI, and information about the communication session in progress between the system agent and the system, including but not limited to the SessionID and/or SessionKey. The identity information and session information of the system can be encrypted. The concrete cryptographic algorithms can be existing mature methods such as SHA and RSA, or the perfect forward secrecy (PFS) methods that have appeared in recent years, such as ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). After being signed, the information is hidden in, for example, an audio signal or a graphic image such as a one-dimensional barcode or QR code. The corresponding way of obtaining the information is to receive the audio signal with an audio receiver, or to scan the graphic image with, for example, a camera or barcode scanner, and then parse and decrypt it.
The client registration and/or login interface of a system on which the user needs to register or log in can, besides the system agent, also include a traditional username and password interface. After a login in the traditional username and password way, a system agent can be added to the user center or a similar user-profile maintenance interface. That system agent can present the system's identity information and the username and password currently in use as a QR code or in another form, for the user agent to obtain and store in the Unified Identity package.
Identity registration information query step S4: the user agent looks up the received system identity information in the Unified Identity package. If the system identity information exists, the user agent finds the corresponding username and password in the Unified Identity package, encrypts them together with the session information and sends them to the system, which decrypts them and performs automatic login and the corresponding authorization; otherwise, the registration information generation step is performed.
The system identity information is looked up in the Unified Identity package. If the system identity exists, the user has registered on this system before. The corresponding username and password are found in the Unified Identity package, encrypted together with the session information from the system identity information, and sent to the system. On receiving the encrypted information, the system decrypts it, logs the user in with the username and password, and authorizes the corresponding session of the system agent's client. If any one of the username, password and session information does not match what the system holds, the login fails, no authorization is granted, and a corresponding error code is returned to the user agent.
Registration information generation step S5: after receiving and decrypting the encrypted identity information and session information, the user agent automatically generates a Unified Identity code, encrypts the registration/login information containing the Unified Identity code, and sends it to the system for identity registration.
The registration/login information comprises the Unified Identity code and/or the system identity information and the session information between the system agent and the system. The Unified Identity code comprises a username and password used to log the user in to the system automatically.
The user agent automatically generates a username/password pair and sends the registration/login information to the system; this information may be encrypted. The registration/login information contains the username and password as well as the system identity information and session information. The username and/or password can be generated randomly, or generated by some algorithm from part or all of the system identity information and/or part or all of the user agent's identity information. Each generated username and/or password can be of fixed or variable length, but their combined length plus check bits does not exceed a threshold; this embodiment uses 256 binary digits (bits), but is not limited to this, and a longer or shorter total length can be used. The username and password can be concatenated into a single string, and in some systems no distinction is made as to which part is the username and which the password. Some systems require the username and/or password to consist of displayable characters, or even of a particular set of displayable characters or certain specific characters, while other systems place no restriction on the ASCII value of each character (byte) in the username and/or password, which may then be any value from 0 to 255.
The password can be changed automatically at regular or irregular intervals. For example, after some randomly chosen login to the system, the user agent automatically asks the system to change the password (not the username); once authorized, it generates a new password, sends it to the system to perform the password update, and updates the Unified Identity package.
Identity registration step S6: after receiving and decrypting the registration/login information containing the Unified Identity code, the system automatically performs the identity registration operation.
The registration/login information may or may not be encrypted, but security without encryption is very poor. If it is encrypted, the system first decrypts the received registration/login information to obtain the username and password. The system then queries its registration database or username list to see whether the username already exists. If it does, there is a name collision: the system returns a "this username already exists" error code to the user agent, and step S5 is performed again. Otherwise, the system returns a success code and registers the username and password: it adds a record to the registration database or username list, writes the username and password, creates the corresponding space for the username and assigns the corresponding permissions and attributes. At the same time a record is created in the Unified Identity package, storing the system's identity information and the username and password.
Account merging step S7: merges multiple accounts that the same user holds on the same system.
After a user has used the Unified Identity package to register on a target system, the user may already have registered on that system earlier with a username and password, used the account, and accumulated useful user data and history. In that case the user has two accounts, or two sets of username and password, on the target system and wishes to keep using the original user data, so the data of the two accounts must be merged. In general, because the later-registered account holds less information, the information of the original account can serve as the basis. The user first logs in to the target system with the original username and password, enters the username and password again for authentication in an account merging interface of the user center or a similar user-profile maintenance interface, and then logs in by scanning the code, using the user information provided in the Unified Identity package. Once the system has obtained the username and password of the new account, it copies the information under the existing (previous, old) account to the new account wherever there is no conflict. Where there is a conflict, that is, where a data field under the new account is not empty, the field is not copied and the data under the new account is kept. The new account can keep a page or function for viewing the content of the old account, in particular the information that was not copied because of a conflict.
In another embodiment, after logging in by scanning the code with a username and password from a Unified Identity package, the user authenticates by manually entering another username and password in an account merging (or "merge other accounts") interface of the system's user center or a similar user-profile maintenance interface; all information in the account under the other username is merged in, and data fields with conflicting information are left unchanged. If the other username and password cannot be entered, for example because they were generated by another user agent, the information of the account under the other username is merged after authentication by a special procedure with the help of the system administrator.
Unified Identity package update step S8: the Unified Identity package on the mobile terminal and the Unified Identity website are synchronized.
When the Unified Identity package on any device changes, it can be updated or synchronized to the Unified Identity website automatically or at the user's request. The same user can then download or update to the latest Unified Identity package from the Unified Identity website when downloading a new user agent on another mobile terminal or logging in to another user agent.
The user agent or its carrier device can provide a button for generating a one-time password (OTP). This one-time password serves the same purpose as the one-time password generated by an online banking U-shield (USB key), and is used as extra verification for sensitive operations, such as transfers, in online banking or other systems.
Direct login step S9: the user agent and Unified Identity package can be used together on the same mobile terminal or the same fixed terminal. A system is selected from all the registered system identity information stored in the Unified Identity package; the username and password for that system are retrieved and sent to the system, together with the session information between the system agent and the system, to log in directly. After a successful login the system returns an authorized interface to the system agent; the authorized interface is an application interface connected to the system, or a general-purpose browser interface connected to the system.
The user agent and Unified Identity package can be used together on the same mobile terminal or the same fixed terminal. The user agent displays all registered systems in the Unified Identity package, and the user selects one of them and requests login. The system agent connects to this system and creates a session; the user agent retrieves the username and password for this system and sends them to the system, together with the session information between the system agent and the system, to log in directly. After a successful login the system returns an authorized interface to the system agent, which can be an application interface connected to the system or a general-purpose browser interface connected to the system. This approach logs in to the system without the step of obtaining the system identity information.
As shown in Figure 2, the registration information generation step S5 further comprises:
Username generation step S51: convert the identity information of the user agent into an N-bit binary number, the system identity information into an M-bit binary number, the system time into a P-bit binary number and a generated random number into a Q-bit binary number, and fill the N-bit, M-bit, P-bit and Q-bit numbers into the Unified Identity code according to a predefined rule to generate the username;
Password generation step S52: convert a generated random number into a W-bit binary number and fill it into the Unified Identity code according to a predefined rule to generate the password;
Visible character generation step S53: if the system requires the characters of the username and password to be visible characters or characters from a specific character set, take the ASCII integer value of each character in the username generated by the username generation step and in the password generated by the password generation step, apply the integer modulo operation, and replace each character in the username and password according to the modulo result and a predefined rule.
The identity registration step S6 further comprises:
Registration information system query step S61: after the system receives the registration/login information, it looks up the username from the Unified Identity code in the registration database. If the username is not found, the system automatically performs the identity registration operation and returns a registration success result to the user agent and the system agent; after successful registration the system may also log in with the username and password and grant the corresponding session authorization to the system agent, and the user agent stores the username, password and system identity information in the Unified Identity package. Otherwise, the system returns to the user agent a result indicating that the username already exists or that registration failed, and the user agent performs the registration information generation step again.
Some systems log a new user in and grant authorization immediately after registration, while other systems require the user to enter the username and password again before logging in. Accordingly, in one embodiment of the invention, the system logs in with the username and password and authorizes the system agent and the corresponding session immediately after successfully registering the user. In another embodiment, after successful registration on the system, the user agent must scan the QR code again or, more generally, obtain the system identity information again before login can be performed. Reasons for this include that the session information used for registration and that used for login can differ, and that the QR code for registration and the QR code for login can differ. If they differ, the user agent must scan the new QR code, or obtain the system identity information again, before it can log in.
In one embodiment of the invention, a unified system registration database is added, deployed on a dedicated server or on the server of the Unified Identity website. A system or service that wants to use the method of the invention must register its identity information and related information in the unified system registration database, including but not limited to URI, IP address, server hardware information, and software information such as operating system type and bandwidth. It can also download a software package from the unified system registration database and install it on the system's server; the package generates and encrypts the special QR code, or other media form, that stores the system's identity information for user agents to obtain. After scanning the QR code or other form of system identity information, the user agent parses it and learns whether the QR code the system provided was legitimately generated, and can therefore decide whether to continue.
As shown in Figure 3, a specific embodiment of the method is described in detail below. The user requests access to the system by entering the system URI in the terminal where the system agent runs. The system agent sends an access request to the system, and the system returns a registration/login interface to the system agent; this interface contains the system's identity information.
After the user logs in to the user agent (step S2), the scanner or scanning program on the carrier device obtains the system's identity information (step S3). The identity information is looked up in the Unified Identity package. If it exists, the corresponding username and password are taken from the Unified Identity package and sent to the system, which performs the login. Whether the login succeeds or fails, the result is returned to both the user agent and the system agent.
Otherwise, if the system's identity information is not found in the Unified Identity package, step S5 is performed to generate a username and password and send them to the system. On receipt, the system first checks in its registration data whether the username exists. If it does not, the system performs the actual registration and returns the result to the system agent and the user agent, and the user agent adds a record containing the system identity information, username and password to the Unified Identity package.
Otherwise, if the username exists, step S5 and the subsequent steps are performed again.
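The decision flow of steps S4 to S6 and the Figure 3 walkthrough can be modelled as below. This is an added example, not code from the patent: the class names, the `directory` lookup standing in for the network, the result strings and the salted PBKDF2 storage are assumptions, and the transport encryption the method calls for is left out.

```python
import hashlib
import hmac
import secrets


def kdf(password, salt):
    # Assumption: the system keeps a salted PBKDF2 hash, not the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TargetSystem:
    """Server side of steps S4 and S6."""

    def __init__(self, identity):
        self.identity = identity
        self.users = {}      # username -> (salt, password hash)
        self.sessions = {}   # SessionID -> authorized username, or None

    def new_session(self):
        """What the system agent presents, for example as a QR code."""
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = None
        return {"system": self.identity, "session": session_id}

    def register(self, username, password, session_id):
        if session_id not in self.sessions:
            return "bad_session"
        if username in self.users:
            return "username_exists"      # the user agent must repeat S5
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, kdf(password, salt))
        return "ok"

    def login(self, username, password, session_id):
        # Username, password and session must all match what the system holds.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        matches = hmac.compare_digest(stored, kdf(password, salt))
        if not matches or session_id not in self.sessions:
            return "denied"
        self.sessions[session_id] = username   # authorize the agent's session
        return "ok"


class UserAgent:
    def __init__(self, directory, new_username=lambda: secrets.token_hex(16)):
        self.directory = directory   # identity -> system (hypothetical network stand-in)
        self.package = {}            # Unified Identity package: identity -> (user, pwd)
        self.new_username = new_username

    def scan(self, code):
        identity, session_id = code["system"], code["session"]
        system = self.directory[identity]
        if identity in self.package:                      # S4: registered before
            username, password = self.package[identity]
            return "login", system.login(username, password, session_id)
        for _ in range(5):                                # S5/S6, retry on collision
            username, password = self.new_username(), secrets.token_hex(16)
            result = system.register(username, password, session_id)
            if result == "ok":
                self.package[identity] = (username, password)
            if result != "username_exists":
                return "register", result
        return "register", "username_exists"
```

Because the package is keyed by system identity, a site that presents a different identity only ever triggers a fresh registration with new credentials; here a second scan is needed to log in after registering, as in the embodiment where registration and login use different codes.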
A specific embodiment of the method in an ATM terminal scenario is described in detail below:
The login interface of the ATM terminal displays a QR code containing the encrypted connection information of the bank's system server and the session information between this terminal and the system server. The login interface can change the SessionID of the session at short regular intervals (for example every minute) and includes a QR code containing the current SessionID.
After first registering on the bank's system, the user binds the desired bank cards to the registered account. After the user logs in at the ATM by scanning the code, the ATM can display the information of several cards; the user selects one of them and then carries out subsequent operations such as withdrawal, transfer, payment or inquiry. In online banking, the user can also choose to forbid logging in at the ATM with the traditional ATM interface by way of code scanning.
To prevent the same user agent from repeatedly and frequently scanning to log in to a registered system: if the username and password for the system that are stored in the Unified Identity package have been sent but the system refuses the login, they do not match. The system returns the corresponding error code and requires the user to contact customer service for manual verification before logging in again and maintaining the account information, for example by registering a new account and then merging accounts.
As shown in Figure 4, the username and password generation process in the registration information generation step of a specific embodiment is described in detail below:
Many algorithms can automatically generate a username/password pair, and the lengths can be subject to different limits. Taking the generation of a 128-bit (binary digit) username and a 128-bit password as an example, the invention proposes the following preferred algorithm:
Input parameters: the user agent identity information did (such as the device ID and the device username set by the user, the phone, the serial numbers of the device and of the user agent application, etc.); the system identity information sid (such as the URI); the lengths lu and lp of the username and password to be generated (for example 256 binary digits; below, unless otherwise stated, integers are binary integers, and positions and digit counts are binary); the output format requirements (such as the start bit dsb and end bit deb of the user agent part, and the start bit ssb and end bit seb of the system identity part); and the requirements on the character set of the output (for example, that it must consist of visible characters or characters from a given character set charset). Output: username and password.
The steps are as follows:
a. Initialize uid with bit length lu and pwd with bit length lp;
b. Convert each data item contained in did into a value occupying 4 bytes (32 bits) and treat it as a 32-bit integer; add the values of all items to obtain a 32-bit integer didi; fill the bits of didi in order (left to right or right to left) into positions dsb to deb of uid. If didi is too long, truncate it; if it is too short, reuse the bits of didi cyclically, pass after pass, until position deb has been filled;
c. Convert sid into a 32-bit integer by the method of step b and fill it into positions ssb to seb of uid;
d. Call the system time function to obtain the system time (or clock) t, and fill the bits of t into half of the remaining free positions in uid by the method of step b;
e. Call the system random number generator function (the number can also be generated by a hardware chip, such as the Intel 810 chip, in which case it is obtained by reading the value of a register on that chip) to generate a random number r, and fill the bits of r into the remaining free positions in uid by the method of step b;
f. Optionally, use the last few bits of uid (for example 1 to 3 bits) as check bits: compute the check value from the other bits and fill it into the check bits;
g. Call the system random number generator function (the number can also be generated by a hardware chip, such as the Intel 810 chip, in which case it is obtained by reading the value of a register on that chip) to generate a random number r2, and fill the bits of r2 into pwd by the method of step b;
h. If there are requirements on the output, for example that it must consist of characters from a given character set charset, treat every 8 bits (that is, each character or byte) of uid and pwd as an 8-bit integer i8 and compute imode = i8 % lset, where lset is the size of the given character set charset, that is, the number of characters in it, and % is the integer modulo operation. The new character after conversion is the imode-th character of charset after it has been sorted by some rule; replace the character originally represented by i8 with this converted character;
i. Output uid and pwd.
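Steps a to i can be followed in code as below; this is an added example, not code from the patent. The patent leaves the "predefined rules" open, so the SHA-256 folding of each item to 32 bits, the popcount-based check value, the default bit positions and the function names are all assumptions. The last function quantifies what step h costs: mapping bytes with `i8 % lset` shrinks and biases the password space.

```python
import hashlib
import math
import secrets
import string
import time
from typing import NamedTuple

CHECK_BITS = 3   # step f suggests 1 to 3 check bits at the end of uid
ALPHANUM = string.ascii_letters + string.digits   # sample charset, lset = 62


class Credentials(NamedTuple):
    uid_raw: bytes
    pwd_raw: bytes
    username: str
    password: str


def to_u32(item):
    """Assumption: reduce an item to 32 bits with the first 4 bytes of SHA-256."""
    return int.from_bytes(hashlib.sha256(item.encode()).digest()[:4], "big")


def bits_of(value, width):
    """Bits of value, most significant first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def fill(target, positions, src_bits):
    """Copy src_bits into positions: truncate if too long, cycle if too short."""
    for k, pos in enumerate(positions):
        target[pos] = src_bits[k % len(src_bits)]


def pack(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def check_value(payload_bits):
    """Assumption: check field = number of set payload bits mod 2**CHECK_BITS."""
    return sum(payload_bits) % (1 << CHECK_BITS)


def map_charset(data, charset):
    """Step h: replace each byte i8 with charset[i8 % lset]."""
    return "".join(charset[b % len(charset)] for b in data)


def generate(did_items, sid, lu=128, lp=128, dsb=0, deb=31, ssb=32, seb=63,
             charset=None, now=None):
    uid, pwd = [0] * lu, [0] * lp                                  # step a
    didi = sum(to_u32(x) for x in did_items) & 0xFFFFFFFF          # step b
    fill(uid, range(dsb, deb + 1), bits_of(didi, 32))
    fill(uid, range(ssb, seb + 1), bits_of(to_u32(sid), 32))       # step c
    end = lu - CHECK_BITS
    taken = set(range(dsb, deb + 1)) | set(range(ssb, seb + 1))
    free = [p for p in range(end) if p not in taken]
    half = len(free) // 2
    t = int(time.time() if now is None else now) & 0xFFFFFFFF
    fill(uid, free[:half], bits_of(t, 32))                         # step d
    n = max(1, len(free) - half)
    fill(uid, free[half:], bits_of(secrets.randbits(n), n))        # step e
    fill(uid, range(end, lu),
         bits_of(check_value(uid[:end]), CHECK_BITS))              # step f
    fill(pwd, range(lp), bits_of(secrets.randbits(lp), lp))        # step g
    uid_raw, pwd_raw = pack(uid), pack(pwd)
    if charset:                                                    # step h
        return Credentials(uid_raw, pwd_raw,
                           map_charset(uid_raw, charset),
                           map_charset(pwd_raw, charset))
    return Credentials(uid_raw, pwd_raw, uid_raw.hex(), pwd_raw.hex())  # step i


def has_valid_check(uid_raw):
    """System-side format check: recompute the check bits of a raw uid."""
    bits = [b for byte in uid_raw for b in bits_of(byte, 8)]
    stored = int("".join(map(str, bits[-CHECK_BITS:])), 2)
    return stored == check_value(bits[:-CHECK_BITS])


def password_min_entropy_bits(lp, charset=None):
    """Min-entropy of pwd: lp bits raw, less once step h maps bytes mod lset."""
    if not charset:
        return float(lp)
    likeliest = math.ceil(256 / len(charset))   # bytes landing on the likeliest char
    return (lp // 8) * math.log2(256 / likeliest)


if __name__ == "__main__":
    # Constructed sample inputs.
    c = generate(["device-1234", "agent-0001"], "https://bank.example/login",
                 charset=ALPHANUM)
    print(c.username, c.password, has_valid_check(c.uid_raw))
```

With the 62-character set, a 128-bit pwd becomes 16 characters worth about 91 bits of min-entropy, and the check bits can only be verified on the raw uid, because the modulo mapping of step h is not reversible.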
The capacity estimates for the Unified Identity package, the Unified Identity website database and the system registration database in a specific embodiment are described in detail below:
The following estimates show that a server can bear the service and data of the registration database:
Each login name and password in the Unified Identity package (each 256 bits long or longer): 256x2 = 512 bits (64 bytes, 64 characters). They can also be a single string; when a username is needed, one half serves as the ID and the other half as the password.
URI of the system: 1K bits = 128 chars (the limit on URI length in World Wide Web standards can also be used).
Each record of the Unified Identity website database is thus 1.5KB (2KB can be reserved).
If the Unified Identity package of each user holds the usernames and passwords of 100 systems on average,
the size of each Unified Identity package is 200KB, which can be stored on a mobile phone.
10,000,000,000 users (10 billion) need 10G x 200K = 2000TB = 2PB of space in total to store their Unified Identity packages. Worldwide, Internet users are estimated at no more than 50,000,000,000, needing 10PB of space in total, which can be handled by one server and a very large database. Users do not need to access this center frequently; they only need to update or download when setting up the user agent again after a loss or when registering on a new system.
In the system registration database, each system stores one record of 2KB (including URL/URI, system parameters, database parameters, OS, etc.). With an estimated maximum of 1,000,000,000 (1 billion) systems worldwide, this takes 1G x 2K = 2TB of space. In addition, each system may need to download the necessary software package and page code when it registers in the registration database. The registration database can therefore be served by a single server.
The invention also provides an electronic identity registration and authentication login system that uses the electronic identity registration and authentication login method described above. As shown in Figure 5, the system comprises:
User agent setup module 1: after registration on a Unified Identity website, downloads to the mobile terminal an application that serves as the user agent and contains a Unified Identity package;
User agent login module 2: logs in to the user agent by collecting the user's biometric information with a biometric acquisition module on the mobile terminal, by entering the pre-registered username and password of the user agent on the mobile terminal, or by any existing authentication and login method;
Identity information acquisition module 3: the user agent on a mobile terminal obtains, through a system agent, the encrypted identity information of a system and the session information between that system agent and the system;
Registration information generation module 4: after receiving and decrypting the encrypted identity information and session information, the user agent automatically generates a Unified Identity code, encrypts the registration/login information containing the Unified Identity code, and sends it to the system for identity registration;
Identity registration module 5: after receiving and decrypting the registration/login information containing the Unified Identity code, the system automatically performs the identity registration operation;
Identity registration information query module 6: the user agent looks up the received system identity information in the Unified Identity package; if the system identity information exists, the corresponding username and password are found in the Unified Identity package and the automatic login is performed; otherwise, the registration information generation operation is performed;
Account merging module 7: merges multiple accounts that the same user holds on the same system;
Unified Identity package update module 8: synchronizes the Unified Identity package on the mobile terminal with the Unified Identity website;
Direct login module 9: the user agent and Unified Identity package can be used together on the same mobile terminal or the same fixed terminal; a system is selected from all the registered system identity information stored in the Unified Identity package; the username and password for that system are retrieved and sent to the system, together with the session information between the system agent and the system, to log in directly; after a successful login the system returns an authorized interface to the system agent, the authorized interface being an application interface connected to the system or a general-purpose browser interface connected to the system.
Certainly; the present invention also can have other various embodiments; when not deviating from the present invention's spirit and essence thereof; those of ordinary skill in the art are when making various corresponding change and distortion according to the present invention, but these change accordingly and are out of shape the protection range that all should belong to the claim appended by the present invention.

Claims (17)

1. An electronic identity registration and authentication login method, characterized by comprising:
Identity information obtaining step: a user agent on a mobile terminal obtains, through a System Agent and in encrypted form, the identity information of a system and the dialog information between the System Agent and the system;
Log-on message generation step: after receiving the encrypted identity information and dialog information, the user agent decrypts them and automatically generates a Unified Identity code, then encrypts the registration log-on message containing the Unified Identity code and sends it to the system for identity registration;
Identity registration step: after receiving the registration log-on message containing the Unified Identity code, the system decrypts it and automatically performs the identity registration operation.
2. The electronic identity registration and authentication login method according to claim 1, characterized in that, before the identity information obtaining step, it further comprises:
User agent setup step: after registering and logging in through a Unified Identity website, downloading to the mobile terminal an application program that serves as the user agent and contains a Unified Identity bag;
User agent login step: logging in to the user agent with the user's biometric information collected by a biometric feature acquisition module arranged on the mobile terminal, or by entering the pre-registered username and password of the user agent on the mobile terminal, or by any existing authentication login method.
3. The electronic identity registration and authentication login method according to claim 2, characterized in that, after the identity information obtaining step, it further comprises:
Identity registration information inquiry step: the user agent looks up the received system identity information in the Unified Identity bag; if this system identity information exists, the username and password corresponding to it are found in the Unified Identity bag, the username, the password and the dialog information are encrypted and sent to the system, and the system, after decrypting them, performs automatic login and the corresponding authorization; otherwise, the log-on message generation step is performed.
4. The electronic identity registration and authentication login method according to claim 1, characterized by further comprising:
Account merging step: merging multiple accounts that the same user holds on the same system.
5. The electronic identity registration and authentication login method according to claim 2, characterized by further comprising:
Unified Identity bag update step: synchronously updating the Unified Identity bag on the mobile terminal and on the Unified Identity website.
6. The electronic identity registration and authentication login method according to claim 2 or 3, characterized by further comprising:
Direct login step: the user agent and the Unified Identity bag can be used at the same time on the same mobile terminal or the same fixed terminal; a system is selected from all the registered system identity information stored in the Unified Identity bag, and the username and password corresponding to that system are retrieved and sent to the system, together with the dialog information between the System Agent and the system, for direct login; after the login succeeds, the system returns an authorization interface to the System Agent, the authorization interface being an application program interface connected to the system or a general browser interface connected to the system.
7. The electronic identity registration and authentication login method according to claim 1, characterized in that the registration log-on message comprises: the Unified Identity code, and/or the system identity information and the dialog information between the System Agent and the system.
8. The electronic identity registration and authentication login method according to claim 1, characterized in that the Unified Identity code comprises a username and a password with which the user logs in to the system; the username and/or the password are generated randomly or according to an algorithm, and the Unified Identity code can be replaced automatically at regular intervals.
9. The electronic identity registration and authentication login method according to claim 1, characterized in that the log-on message generation step further comprises:
Username generation step: converting the identity information of the user agent into an N-bit number, converting the system identity information into an M-bit number, converting the system time into a P-bit number and converting a generated random number into a Q-bit number, and filling the N-bit, M-bit, P-bit and Q-bit numbers into the Unified Identity code according to a predetermined rule to generate the username;
Password generation step: converting a generated random number into a W-bit number and filling the W-bit number into the Unified Identity code according to a predetermined rule to generate the password;
Visible character generation step: if the system requires visible characters, or characters from a specific character set, as the characters of the username and password, then a modulo operation is applied to the ASCII code integer of each character in the username generated by the username generation step and in the password generated by the password generation step, and the corresponding characters in the username and the password are replaced according to the result of the modulo operation and a predetermined rule.
10. The electronic identity registration and authentication login method according to claim 1, characterized in that the identity registration step further comprises:
Log-on message system query step: after receiving the registration log-on message, the system queries the registration database for the username in the Unified Identity code; if the search fails (the username is not found), the system automatically performs the identity registration operation and returns a registration-success result to the user agent and the System Agent; after the successful registration, or after logging in with the username and password, the system grants the System Agent the corresponding dialog authorization, and the user agent stores the username, the password and the identity information of the system in the Unified Identity bag; otherwise, the system returns a username-already-exists or registration-failure result to the user agent, and the user agent performs the log-on message generation step again.
11. The electronic identity registration and authentication login method according to claim 1, characterized in that, in the identity information obtaining step, the identity information and the dialog information are, after encryption, hidden in an audio signal, a one-dimensional code or a QR code, and the user agent obtains the encrypted identity information and dialog information through an audio receiver, camera or scanner arranged on the mobile terminal.
12. An electronic identity registration and authentication login system, using the electronic identity registration and authentication login method according to any one of claims 1-11, characterized in that the system comprises:
Identity information acquisition module: used for a user agent on a mobile terminal to obtain, through a System Agent and in encrypted form, the identity information of a system and the dialog information between this System Agent and the system;
Log-on message generation module: after receiving the encrypted identity information and dialog information, the user agent decrypts them and automatically generates a Unified Identity code, then encrypts the registration log-on message containing the Unified Identity code and sends it to the system for identity registration;
Identity registration module: after receiving the registration log-on message containing the Unified Identity code, the system decrypts it and automatically performs the identity registration operation.
13. The electronic identity registration and authentication login system according to claim 12, characterized by further comprising:
User agent setup module: after registering and logging in through a Unified Identity website, downloading to the mobile terminal an application program that serves as the user agent and contains a Unified Identity bag;
User agent login module: logging in to the user agent with the user's biometric information collected by a biometric feature acquisition module arranged on the mobile terminal, or by entering the pre-registered username and password of the user agent on the mobile terminal, or by any existing authentication login method.
14. The electronic identity registration and authentication login system according to claim 13, characterized by further comprising:
Identity registration information inquiry module: the user agent looks up the received system identity information in the Unified Identity bag; if this system identity information exists, the username and password corresponding to it are found in the Unified Identity bag, the username, the password and the dialog information are encrypted and sent to the system, and the system, after decrypting them, performs automatic login and the corresponding authorization; otherwise, the log-on message generation operation is performed.
15. The electronic identity registration and authentication login system according to claim 12, characterized by further comprising:
Account merging module: used to merge multiple accounts that the same user holds on the same system.
16. The electronic identity registration and authentication login system according to claim 13, characterized by further comprising:
Unified Identity bag update module: synchronously updates the Unified Identity bag on the mobile terminal and on the Unified Identity website.
17. The electronic identity registration and authentication login system according to claim 13 or 14, characterized by further comprising:
Direct login module: the user agent and the Unified Identity bag can be used at the same time on the same mobile terminal or the same fixed terminal; a system is selected from all the registered system identity information stored in the Unified Identity bag, and the username and password corresponding to that system are retrieved and sent to the system, together with the dialog information between the System Agent and the system, for direct login; after the login succeeds, the system returns an authorization interface to the System Agent, the authorization interface being an application program interface connected to the system or a general browser interface connected to the system.
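
The username, password and visible-character steps of claim 9, together with the lookup-and-retry registration of claim 10, as an added Python example that is not part of the patent. The claims leave the field widths, the conversions and the "predetermined rules" open, so the 32/32/32/32/128-bit widths, the truncated SHA-256 conversion, the concatenation order, the 64-symbol character set and the PBKDF2 storage on the system side are all assumptions.

```python
import hashlib
import math
import secrets
import time

# Assumed field widths in bits; claim 9 only names them N, M, P, Q and W.
N_BITS, M_BITS, P_BITS, Q_BITS, W_BITS = 32, 32, 32, 32, 128
# Assumed visible character set: 64 symbols, so "byte value mod 64" is uniform.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def to_bits(value: bytes, width: int) -> int:
    """Assumed conversion of an identity to a width-bit number: truncated SHA-256."""
    return int.from_bytes(hashlib.sha256(value).digest(), "big") >> (256 - width)


def pack_fields(fields) -> bytes:
    """Assumed 'predetermined rule': concatenate (value, width) fields, first field highest."""
    packed, total = 0, 0
    for value, width in fields:
        if value < 0 or value >> width:
            raise ValueError("field value does not fit its declared width")
        packed, total = (packed << width) | value, total + width
    return packed.to_bytes((total + 7) // 8, "big")


def to_visible(raw: bytes, charset: str = CHARSET) -> str:
    """Visible-character step: each byte value modulo len(charset) selects a character."""
    return "".join(charset[b % len(charset)] for b in raw)


def visible_min_entropy_bits(n_bytes: int, charset_len: int) -> float:
    """Min-entropy left after the modulo mapping of n_bytes uniformly random bytes."""
    most_likely = math.ceil(256 / charset_len) / 256  # probability of the likeliest symbol
    return n_bytes * -math.log2(most_likely)


def generate_username(agent_id, system_id, now=None, rand_source=secrets.randbits) -> str:
    now = int(time.time()) if now is None else now
    raw = pack_fields([
        (to_bits(agent_id.encode(), N_BITS), N_BITS),    # user agent identity
        (to_bits(system_id.encode(), M_BITS), M_BITS),   # system identity
        (now & ((1 << P_BITS) - 1), P_BITS),             # system time
        (rand_source(Q_BITS), Q_BITS),                   # random number
    ])
    return to_visible(raw)


def generate_password(rand_source=secrets.randbits) -> str:
    return to_visible(pack_fields([(rand_source(W_BITS), W_BITS)]))


def register(agent_id, system_id, registry, identity_bag, now=None,
             rand_source=secrets.randbits, max_attempts=5) -> str:
    """Claim 10 flow: look the username up, register if free, otherwise regenerate."""
    for _ in range(max_attempts):
        # User agent side: a fresh Unified Identity code (username and password).
        username = generate_username(agent_id, system_id, now, rand_source)
        password = generate_password(rand_source)
        if username in registry:   # system answers "user name exists": generate again
            continue
        salt = secrets.token_bytes(16)
        # Assumption: the system keeps a salted PBKDF2 hash, not the password itself.
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        registry[username] = (salt, digest)
        identity_bag[system_id] = (username, password)   # agent-side Unified Identity bag
        return username
    raise RuntimeError("no free username after %d attempts" % max_attempts)
```

With these assumed parameters the 128-bit password value keeps 96 bits after the mapping, because each byte is folded onto a 6-bit symbol; a character set whose size does not divide 256 (62 symbols, for instance) makes the modulo mapping non-uniform and lowers the figure further.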
CN201410440273.8A 2014-09-01 2014-09-01 A method and system of electronic identity registration and authentication login Active CN104270338B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410440273.8A CN104270338B (en) 2014-09-01 2014-09-01 A method and system of electronic identity registration and authentication login
CN201710574725.5A CN107302539B (en) 2014-09-01 2014-09-01 Electronic identity registration and authentication login method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410440273.8A CN104270338B (en) 2014-09-01 2014-09-01 A method and system of electronic identity registration and authentication login

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201710574725.5A Division CN107302539B (en) 2014-09-01 2014-09-01 Electronic identity registration and authentication login method and system

Publications (2)

Publication Number Publication Date
CN104270338A true CN104270338A (en) 2015-01-07
CN104270338B CN104270338B (en) 2017-08-25

Family

ID=52161828

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201410440273.8A Active CN104270338B (en) 2014-09-01 2014-09-01 A method and system of electronic identity registration and authentication login
CN201710574725.5A Active CN107302539B (en) 2014-09-01 2014-09-01 Electronic identity registration and authentication login method and system

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201710574725.5A Active CN107302539B (en) 2014-09-01 2014-09-01 Electronic identity registration and authentication login method and system

Country Status (1)

Country Link
CN (2) CN104270338B (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104700142A (en) * 2015-03-24 2015-06-10 刘霁中 Iris two-dimensional code
CN104767730A (en) * 2015-03-10 2015-07-08 四川省宁潮科技有限公司 Method for changing intelligent device into credible intelligent device
CN104821934A (en) * 2015-03-20 2015-08-05 百度在线网络技术(北京)有限公司 Artificial intelligence based voice print login method and device
CN104901967A (en) * 2015-06-09 2015-09-09 四川省宁潮科技有限公司 Registration method for trusted device
CN104917755A (en) * 2015-05-05 2015-09-16 武汉理工大学 Login method based on mobile communication terminal and short message
CN105357230A (en) * 2015-12-24 2016-02-24 徐承柬 ID (identity) information registration method and system
CN105704111A (en) * 2015-04-10 2016-06-22 浙江公共安全技术研究院有限公司 Method for mobile terminal to access to private network
CN106060020A (en) * 2016-05-20 2016-10-26 鲁东 Method and device for registering or logging in to electronic device or application
CN106304022A (en) * 2015-05-29 2017-01-04 展讯通信(上海)有限公司 Mobile terminal and the processing method to log-on message thereof
CN106295299A (en) * 2016-08-15 2017-01-04 歌尔股份有限公司 The user registering method of a kind of intelligent robot and device
CN106897307A (en) * 2015-12-21 2017-06-27 李凡 A kind of method for obtaining electronic identity documents on mobile terminals
CN107733933A (en) * 2017-11-30 2018-02-23 中国电力科学研究院有限公司 A kind of double factor identity authentication method and system based on biological identification technology
CN107886330A (en) * 2017-11-28 2018-04-06 北京旷视科技有限公司 Settlement method, apparatus and system
CN108495082A (en) * 2018-03-01 2018-09-04 国云科技股份有限公司 A kind of video monitoring system based on cloud platform
CN109559812A (en) * 2018-12-05 2019-04-02 易必祥 Doctor's consultation method and system based on mobile Internet
WO2019095856A1 (en) * 2017-11-16 2019-05-23 广东工业大学 Network identity authentication method and system, and user agent device used thereby
CN110020514A (en) * 2018-12-12 2019-07-16 阿里巴巴集团控股有限公司 Account agency of trademark registration method and apparatus
CN110929238A (en) * 2019-10-29 2020-03-27 维沃移动通信有限公司 Information processing method and device
CN112383914A (en) * 2020-11-13 2021-02-19 广东工业大学 Password management method based on secure hardware
CN112734476A (en) * 2021-01-13 2021-04-30 上海群之脉信息科技有限公司 Intelligent customer data detection system
CN112929388A (en) * 2021-03-10 2021-06-08 广东工业大学 Network identity cross-device application rapid authentication method and system, and user agent device
CN113312535A (en) * 2021-05-28 2021-08-27 中铁十一局集团第五工程有限公司 Engineering measurement intelligent management control cloud platform
CN113312536A (en) * 2021-05-28 2021-08-27 中铁十一局集团第五工程有限公司 Engineering survey intelligent management control platform

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109325342B (en) * 2018-09-10 2024-03-05 平安科技(深圳)有限公司 Identity information management method, device, computer equipment and storage medium
CN109302481A (en) * 2018-10-12 2019-02-01 中国联合网络通信有限公司河南省分公司 A kind of authorization method and its authorization device accepting communication service
CN109583165A (en) * 2018-10-12 2019-04-05 阿里巴巴集团控股有限公司 A kind of biological information processing method, device, equipment and system
CN109547462A (en) * 2018-12-14 2019-03-29 深圳壹账通智能科技有限公司 A kind of intelligent logging-on authentication method and relevant device based on block chain
CN109815684B (en) * 2019-01-30 2021-08-13 广东工业大学 Identity authentication method, system, server and storage medium
CN111079111A (en) * 2019-12-04 2020-04-28 重庆工程职业技术学院 Computer network identity verification system
CN115102760A (en) * 2022-06-21 2022-09-23 上海万向区块链股份公司 System, method and medium for password-free secure login based on blockchain and DID
CN114861154B (en) * 2022-07-04 2023-04-11 荣耀终端有限公司 Collaborative login method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101860864A (en) * 2009-04-08 2010-10-13 北京闻言科技有限公司 Method for registering for account for mobile phone client user automatically
CN102769628A (en) * 2012-07-27 2012-11-07 腾讯科技(深圳)有限公司 Page login method and server
US20130133062A1 (en) * 2004-09-16 2013-05-23 International Business Machines Corp. System and Method to Capture and Manage Input Values for Automatic Form Fill

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170408A (en) * 2006-10-25 2008-04-30 许先才 Method and system for realizing agent certification based on identity authentication mode including random information
CN101441689A (en) * 2007-11-23 2009-05-27 杨筑平 Login protection method
CN105635321A (en) * 2012-11-22 2016-06-01 青岛海信宽带多媒体技术有限公司 Registration method for dynamic networking equipment
CN103236935B (en) * 2013-05-21 2016-04-13 北京梅泰诺电子商务有限公司 A kind of two-dimension code user registration certification system and method thereof
CN103457954A (en) * 2013-09-11 2013-12-18 陈迪 Method and device for user password management

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767730A (en) * 2015-03-10 2015-07-08 四川省宁潮科技有限公司 Method for changing intelligent device into credible intelligent device
CN104821934A (en) * 2015-03-20 2015-08-05 百度在线网络技术(北京)有限公司 Artificial intelligence based voice print login method and device
US10380332B2 (en) 2015-03-20 2019-08-13 Baidu Online Network Technology (Beijing) Co., Ltd. Voiceprint login method and apparatus based on artificial intelligence
CN104821934B (en) * 2015-03-20 2018-11-20 百度在线网络技术(北京)有限公司 Vocal print login method and device based on artificial intelligence
KR101908711B1 (en) * 2015-03-20 2018-10-16 바이두 온라인 네트웍 테크놀러지 (베이징) 캄파니 리미티드 Artificial intelligence based voiceprint login method and device
KR20160147280A (en) * 2015-03-20 2016-12-22 바이두 온라인 네트웍 테크놀러지 (베이징) 캄파니 리미티드 Artificial intelligence based voiceprint login method and device
CN104700142A (en) * 2015-03-24 2015-06-10 刘霁中 Iris two-dimensional code
CN105704111A (en) * 2015-04-10 2016-06-22 浙江公共安全技术研究院有限公司 Method for mobile terminal to access to private network
CN104917755B (en) * 2015-05-05 2018-05-18 武汉理工大学 A kind of login method based on mobile communication terminal and short message
CN104917755A (en) * 2015-05-05 2015-09-16 武汉理工大学 Login method based on mobile communication terminal and short message
CN106304022A (en) * 2015-05-29 2017-01-04 展讯通信(上海)有限公司 Mobile terminal and the processing method to log-on message thereof
CN104901967A (en) * 2015-06-09 2015-09-09 四川省宁潮科技有限公司 Registration method for trusted device
CN106897307A (en) * 2015-12-21 2017-06-27 李凡 A kind of method for obtaining electronic identity documents on mobile terminals
CN105357230A (en) * 2015-12-24 2016-02-24 徐承柬 ID (identity) information registration method and system
CN106060020A (en) * 2016-05-20 2016-10-26 鲁东 Method and device for registering or logging in to electronic device or application
CN106295299A (en) * 2016-08-15 2017-01-04 歌尔股份有限公司 The user registering method of a kind of intelligent robot and device
WO2018033038A1 (en) * 2016-08-15 2018-02-22 歌尔股份有限公司 Method and device for registering user of smart robot
US10929514B2 (en) 2016-08-15 2021-02-23 Goertek Inc. User registration method and device for smart robots
WO2019095856A1 (en) * 2017-11-16 2019-05-23 广东工业大学 Network identity authentication method and system, and user agent device used thereby
US11310232B2 (en) 2017-11-16 2022-04-19 Guangdong University Of Technology Network identity authentication method and system, and user agent device used thereby
CN107886330A (en) * 2017-11-28 2018-04-06 北京旷视科技有限公司 Settlement method, apparatus and system
CN107733933B (en) * 2017-11-30 2021-08-17 中国电力科学研究院有限公司 Method and system for double-factor identity authentication based on biological recognition technology
CN107733933A (en) * 2017-11-30 2018-02-23 中国电力科学研究院有限公司 A kind of double factor identity authentication method and system based on biological identification technology
CN108495082A (en) * 2018-03-01 2018-09-04 国云科技股份有限公司 A kind of video monitoring system based on cloud platform
CN109559812A (en) * 2018-12-05 2019-04-02 易必祥 Doctor's consultation method and system based on mobile Internet
CN109559812B (en) * 2018-12-05 2021-09-03 易必祥 Doctor consultation method and system based on mobile internet
CN110020514A (en) * 2018-12-12 2019-07-16 阿里巴巴集团控股有限公司 Account agency of trademark registration method and apparatus
CN110929238A (en) * 2019-10-29 2020-03-27 维沃移动通信有限公司 Information processing method and device
CN110929238B (en) * 2019-10-29 2022-02-01 维沃移动通信有限公司 Information processing method and device
CN112383914B (en) * 2020-11-13 2022-02-01 广东工业大学 Password management method based on secure hardware
CN112383914A (en) * 2020-11-13 2021-02-19 广东工业大学 Password management method based on secure hardware
CN112734476A (en) * 2021-01-13 2021-04-30 上海群之脉信息科技有限公司 Intelligent customer data detection system
CN112929388A (en) * 2021-03-10 2021-06-08 广东工业大学 Network identity cross-device application rapid authentication method and system, and user agent device
CN112929388B (en) * 2021-03-10 2022-11-01 广东工业大学 Network identity cross-device application rapid authentication method and system, and user agent device
CN113312535A (en) * 2021-05-28 2021-08-27 中铁十一局集团第五工程有限公司 Engineering measurement intelligent management control cloud platform
CN113312536A (en) * 2021-05-28 2021-08-27 中铁十一局集团第五工程有限公司 Engineering survey intelligent management control platform
CN113312536B (en) * 2021-05-28 2022-11-08 中铁十一局集团第五工程有限公司 Engineering survey intelligent management control platform
CN113312535B (en) * 2021-05-28 2023-02-24 中铁十一局集团第五工程有限公司 Engineering survey intelligent management control cloud platform

Also Published As

Publication number Publication date
CN107302539A (en) 2017-10-27
CN104270338B (en) 2017-08-25
CN107302539B (en) 2021-04-13

Similar Documents

Publication Publication Date Title
CN104270338A (en) A method and system of electronic identity registration and authentication login
US10333721B2 (en) Secure information transmitting system and method for personal identity authentication
CN104253784B (en) Method, system, third party's terminal and the interconnected server for logging in and authorizing
CN111447214B (en) Method for centralized service of public key and cipher based on fingerprint identification
CN101427510B (en) Digipass for the web-functional description
CN102804200B (en) Two-factor user authentication system, and method therefor
CN102217277B (en) Method and system for token-based authentication
KR102177848B1 (en) Method and system for verifying an access request
CN111615105B (en) Information providing and acquiring method, device and terminal
CN100365974C (en) Device and method for controlling computer access
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
CN101278538A (en) Method and devices for user authentication
MX2012011105A (en) Certificate authority.
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
CN104125230A (en) Short message authentication service system and authentication method
TWI540874B (en) Identity authentication method, device and system
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
US20090319778A1 (en) User authentication system and method without password
CN114499876A (en) Internet of things data evidence storing method based on block chain and NB-IoT chip
DE102017121648B3 (en) METHOD FOR REGISTERING A USER AT A TERMINAL DEVICE
CN105141624A (en) Login method, account management server and client system
EP2916509B1 (en) Network authentication method for secure user identity verification
KR102481213B1 (en) System and method for login authentication processing
JP2004295761A (en) Terminal device and information processor
CN105141577B (en) A kind of asynchronous login method of oriented of Information System

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170623

Address after: 100021 Beijing City, Chaoyang District Road, No. 6 hospital of wusheng harmonious Graceland No. 3 -5-102 room

Applicant after: Liu Wenyin

Address before: 100021 Beijing City, Chaoyang District Road, No. 6 hospital of wusheng harmonious Graceland No. 3 -5-102 room

Applicant before: Liu Wenyin

Applicant before: Qiu Bite

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230224

Address after: No. cg05-188, 1f, building 8, yard 1, Zhongguancun East Road, Haidian District, Beijing 100086

Patentee after: Login (Beijing) Technology Co.,Ltd.

Address before: 100021 Chaoyang District, Beijing No. 6, North St. Wu Road, harmony garden 3, room -5-102.

Patentee before: Liu Wenyin

TR01 Transfer of patent right