CN106878280B - User authentication method and device, and method and device for acquiring user number information - Google Patents

User authentication method and device, and method and device for acquiring user number information

Info

Publication number
CN106878280B
Authority
CN
China
Prior art keywords
user
number information
terminal
server
authentication
Legal status
Active
Application number
CN201710016046.6A
Other languages
Chinese (zh)
Other versions
CN106878280A (en)
Inventor
李小峰
Current Assignee
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Events
Application filed by Alibaba Group Holding Ltd
Priority to CN201710016046.6A
Publication of CN106878280A
Application granted
Publication of CN106878280B

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876  Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04W  WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00  Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06  Authentication

Abstract

The application provides a user authentication method applied to a terminal. The terminal acquires the user number information of the device; sends an authentication request containing that user number information to an authentication server; and receives an authentication response that the authentication server generates from the result of matching the server-side number information reserved by the user against the uploaded user number information. With this scheme the authentication server can authenticate the user's number without sending a verification code by SMS, so authentication failures caused by SMS delivery faults are avoided, the user does not have to read and type a verification code, and authentication is faster while the user's operations are simplified.

Description

User authentication method and device, and method and device for acquiring user number information
Technical Field
The present application relates to network communication technology, and in particular to a method and apparatus for user authentication and a method and apparatus for acquiring user number information.
Background
Mobile phone apps widely use SMS verification codes in scenarios such as user registration, identity verification and second-factor verification. The user reserves a mobile phone number with the app's server side; at verification time the server sends an SMS to the reserved number whose content includes a string of digits or characters, the verification code. The user types the received code into the designated input box of the app, the app uploads it to the server, and the server authenticates the user by comparing the uploaded code with the code it issued.
This SMS verification code method has several problems. First, according to industry surveys cited by the application, communication delays, gateway filtering, interception by security software and similar causes mean that the average delivery rate of SMS verification codes is currently 93%, that is, in 7% of cases the user fails verification through no fault of their own. Second, during verification the user has to switch screens to read the SMS, remember the code and type it into the designated input box, which is cumbersome, slow and inconvenient for the user.
Disclosure of Invention
In view of this, the application provides a user authentication method applied to a terminal, comprising:
acquiring the user number information of the device;
sending an authentication request containing the user number information to an authentication server;
and receiving an authentication response returned by the authentication server, generated by the authentication server from the result of matching the server-side number information reserved by the user against the user number information.
The application also provides a user authentication method applied to an authentication server, comprising:
receiving an authentication request sent by a terminal, the request containing user number information;
obtaining the server-side number information reserved by the user and matching it against the user number information;
and sending to the terminal an authentication response generated from the matching result.
The application further provides a method for acquiring user number information, applied to a terminal, comprising:
sending a connection request containing a requester identifier to a number server and establishing a connection;
initiating number-based communication to a preset interface of the number server, with the requester identifier in the communication content;
and receiving over the connection the user number information returned by the number server, which is generated from the user number that communicated with the preset interface and whose communication content carried the same requester identifier as the connection request that established the connection; the terminal supplies this user number information to the authentication server during user authentication, where it is matched against the server-side number information reserved by the user.
The application provides a method for acquiring user number information, applied to a number server, comprising:
receiving a connection request containing a requester identifier from a terminal and establishing a connection;
receiving number-based communication initiated by the terminal to a preset interface of the server, obtaining the user number and the requester identifier carried in the communication content, and recording the correspondence between them;
and generating user number information from the user number and returning it to the terminal over the connection whose requester identifier corresponds to that user number; the terminal supplies this user number information to the authentication server during user authentication, where it is matched against the server-side number information reserved by the user.
The application also provides a user authentication apparatus applied to a terminal, comprising:
a number information acquisition unit for acquiring the user number information of the device;
an authentication request sending unit for sending an authentication request containing the user number information to an authentication server;
and an authentication response receiving unit for receiving an authentication response returned by the authentication server, generated by the authentication server from the result of matching the server-side number information reserved by the user against the user number information.
The application provides a user authentication apparatus applied to an authentication server, comprising:
an authentication request receiving unit for receiving an authentication request sent by a terminal, the request containing user number information;
a number information matching unit for obtaining the server-side number information reserved by the user and matching it against the user number information;
and an authentication response sending unit for sending to the terminal an authentication response generated from the matching result.
The application also provides an apparatus for acquiring user number information, applied to a terminal, comprising:
a connection request sending unit for sending a connection request containing a requester identifier to a number server and establishing a connection;
a number-based communication initiating unit for initiating number-based communication to a preset interface of the number server, with the requester identifier in the communication content;
and a number information receiving unit for receiving over the connection the user number information returned by the number server, which is generated from the user number that communicated with the preset interface and whose communication content carried the same requester identifier as the connection request that established the connection; the terminal supplies this user number information to the authentication server during user authentication, where it is matched against the server-side number information reserved by the user.
The application provides an apparatus for acquiring user number information, applied to a number server, comprising:
a connection request receiving unit for receiving a connection request containing a requester identifier from a terminal and establishing a connection;
a number-based communication receiving unit for receiving number-based communication initiated by the terminal to a preset interface of the server, obtaining the user number and the requester identifier carried in the communication content, and recording the correspondence between them;
and a number information issuing unit for generating user number information from the user number and returning it to the terminal over the connection whose requester identifier corresponds to that user number; the terminal supplies this user number information to the authentication server during user authentication, where it is matched against the server-side number information reserved by the user.
In the embodiments of the user authentication method and apparatus, the terminal uploads the acquired user number information of its device to the authentication server in the authentication request, and the authentication server authenticates the user according to whether the server-side number information reserved by the user matches the uploaded user number information. The authentication server can therefore authenticate the user's number without sending a verification code by SMS: authentication failures caused by SMS communication faults are avoided, the user does not have to read and type a verification code, and authentication is faster while the user's operations are simplified.
In the embodiments of the method and apparatus for acquiring user number information, the terminal interacts with the number server over a connection and, separately, over number-based communication. The number server learns the terminal's user number and requester identifier from the number-based communication the terminal initiated and returns the user number information to the connection initiator carrying the same requester identifier, so the terminal obtains the user number information of its own device. Once that information is used in the user authentication flow, the authentication server no longer needs to authenticate the user number by sending an SMS verification code, the user does not have to read and type a code, the user's operations are simplified and authentication is faster.
Drawings
Fig. 1 is a flowchart of the method for acquiring user number information applied to a terminal in the first embodiment of the present application;
Fig. 2 is a flowchart of the method for acquiring user number information applied to a number server in the first embodiment of the present application;
Fig. 3 is a flowchart of the user authentication method applied to a terminal in the second embodiment of the present application;
Fig. 4 is a flowchart of the user authentication method applied to an authentication server in the second embodiment of the present application;
Fig. 5 is a schematic diagram of the network structure of the scenario in which an application example of the present application is located;
Fig. 6 is a hardware block diagram of a terminal, of a device hosting a number server, or of a device hosting an authentication server;
Fig. 7 is a logical block diagram of an apparatus for acquiring user number information applied to a terminal in an embodiment of the present application;
Fig. 8 is a logical block diagram of an apparatus for acquiring user number information applied to a number server in an embodiment of the present application;
Fig. 9 is a logical block diagram of a user authentication apparatus applied to a terminal in an embodiment of the present application;
Fig. 10 is a logical block diagram of a user authentication apparatus applied to an authentication server in an embodiment of the present application.
Detailed Description
In the prior-art SMS verification code scheme, the authentication server sends a verification code in plain text by SMS to the user's reserved number; the user types the received code into the application, which sends it to the authentication server; and the authentication server compares the two codes to decide whether the user (the terminal) passes authentication. What the SMS code actually establishes is only that the terminal using the reserved user number is under the user's control. In most scenarios a user controls a single terminal, so what is really being verified is whether the user number used by the terminal running the application is the reserved user number. In the embodiments of this application the terminal therefore uploads its user number information itself when it requests authentication, and the authentication server decides whether the user passes authentication by comparing the uploaded user number information with the server-side number information reserved by the user.
In a mobile communication system the International Mobile Subscriber Identity (IMSI) uniquely identifies a subscriber; the IMSI is stored on, and bound to, a subscriber identity card. A subscriber identity card identifies the subscriber in the mobile network, for example a Subscriber Identity Module (SIM) card or a Universal Subscriber Identity Module (USIM) card.
When the subscriber's identity card is installed in a terminal, the terminal can communicate using the IMSI bound to that card. Because an identity card can be damaged, and so that a user need not change their contact details when the card is replaced, mobile systems use a second unique identifier for a user: the MSISDN (Mobile Station International Subscriber Directory Number), also called the user number. The mapping between IMSI and user number is held in the network operator's equipment. When user A's terminal uses its IMSI to initiate communication with user B's terminal through the operator (for example a call or an SMS), the operator looks up the user number corresponding to A's IMSI and delivers it to B's terminal, so that B can tell from the peer's number that the party initiating the communication is A.
In the information exchange between an application running on the terminal and its server, the terminal is usually represented by a terminal identifier such as the International Mobile Equipment Identity (IMEI) rather than by the user's IMSI (that is, the communication is not based on the user number), so neither the terminal nor the application server can learn the terminal's user number from that exchange.
Some mobile network operators write the user number into the subscriber identity card before handing it to the subscriber; in that case the terminal can read its own user number from the card through an API (Application Programming Interface). Where the user number is not stored on the subscriber identity card, the terminal can obtain its user number with the scheme of the first embodiment of this application.
The embodiments provide a method for acquiring user number information: the terminal uploads a requester identifier representing itself to a number server over both a connection and a number-based communication; the number server obtains the user number from the number-based communication, generates user number information and issues it over the connection that carries the same requester identifier. The terminal can then upload this user number information directly to the authentication server during user verification, so the user number is authenticated without issuing, entering and uploading an SMS verification code; authentication failures due to SMS reception faults are avoided, the user's operations are reduced and authentication is faster.
In the first embodiment the terminal exchanges information with the number server in two different ways. One is communication based on the user number, i.e. communication that uses the terminal's IMSI, such as placing a call or sending an SMS. The other is communication not based on the user number, i.e. a connection established using some other identifier for the terminal or user instead of the IMSI, such as the connection an application running on the terminal establishes with its server.
In this embodiment the terminal may be any device able to communicate in both of these ways, such as a mobile phone, a tablet or a notebook computer fitted with a SIM or USIM card; the number server may be any physical or logical device, or combination of such devices, able to use both modes of communication, without limitation.
In the first embodiment, the flow on the terminal is shown in Fig. 1 and the flow on the number server in Fig. 2.
On the terminal, step 110: send a connection request containing a requester identifier to the number server and establish a connection.
On the number server, step 210: receive the terminal's connection request and establish the connection.
The terminal sends the connection request to the number server in a way that is not based on the user number, and the request carries a requester identifier. The requester identifier may be any identifier that uniquely represents, at the number server, the terminal or the user using it: for example a terminal identifier such as the terminal's IMEI or a UUID (Universally Unique Identifier) of the terminal; the terminal's Media Access Control (MAC) address; or the identifier of the user's account at the number server, such as the account name or account code.
After receiving the connection request, the number server establishes the connection with the terminal.
On the terminal, step 120: initiate number-based communication to a preset interface of the number server, with the terminal's requester identifier in the communication content.
On the number server, step 220: receive the number-based communication the terminal initiated to the preset interface, obtain the user number and the requester identifier carried in the content, and record the correspondence between the two.
The number server exposes a preset interface to terminals for number-based communication. The terminal initiates number-based communication to that interface and passes its requester identifier in the content. In number-based communication the network operator tells the receiving end the sender's user number, so when the number server receives number-based communication from the terminal at the preset interface it learns the terminal's user number, and it reads the terminal's requester identifier (the requester identifier corresponding to that user number) from the content; the user number and the requester identifier are thereby associated.
For example, the number server uses a preset SMS gateway as the preset interface; the terminal puts its requester identifier into the text of an SMS and sends it to the gateway. When the gateway receives the SMS, the number server extracts the requester identifier from the text and records the sender number of the SMS as the user number corresponding to that requester identifier.
As another example, the number server uses a preset telephone access interface; the terminal renders its requester identifier as speech and sends it to the interface over a phone call. The number server recognizes the speech received at the interface to obtain the requester identifier and records the calling number as the user number corresponding to it.
Note that there is no required ordering between steps 110 and 120 on the terminal, or between steps 210 and 220 on the number server.
On the number server, step 230: generate user number information from the user number and return it to the terminal over the connection whose requester identifier corresponds to that user number. The terminal later supplies this user number information to the authentication server during user authentication, where it is matched against the server-side number information reserved by the user.
On the terminal, step 130: receive over the established connection the user number information returned by the number server; it was generated from the user number that communicated with the number server's preset interface, and the requester identifier in that communication is the same as the requester identifier in the connection request that established the connection. The terminal supplies this user number information to the authentication server during user authentication, where it is matched against the server-side number information reserved by the user.
In the embodiments, user number information may be any data associated with the user number that can be matched against the reserved number the user uses for authentication. It may be the user number itself; a mapped value obtained by transforming the user number with a predetermined algorithm (for example a hash of the user number computed with a predetermined hash algorithm); or data in one-to-one correspondence with the user number or its mapped value (for example the index of the user number in the database table the number server uses to store user numbers). Correspondingly, to generate the user number information the number server may use the user number directly; feed the user number into the predetermined algorithm and take its output; or look up (for example in the table storing user numbers) or compute (for example generate randomly, with uniqueness) data in one-to-one correspondence with the user number or its mapped value.
After generating the user number information, the number server uses the recorded correspondence to obtain the requester identifier for the user number it used, finds the connection that was established by the connection request carrying that same requester identifier, and sends the user number information over that connection to the terminal at the other end.
Having received the user number information, the terminal can include it when it requests user authentication from the authentication server, and the authentication server matches it against the server-side number information reserved by the user to decide whether authentication passes.
Because users rarely change the user number a terminal uses, the terminal can store the received user number information so that the acquisition process need not be run before every authentication. To raise the security of authentication using stored user number information, the terminal may keep it in a secure area such as a TEE (Trusted Execution Environment) or an SE (Secure Element).
A user normally changes the user number of a terminal only by changing the subscriber identity card installed in it. The terminal can therefore monitor the state of the card: when it detects that a card has been inserted, it again sends a connection request carrying its requester identifier to the number server and establishes a connection, initiates number-based communication to the number server's preset interface with the requester identifier in the content, and so re-runs the acquisition of the user number for the newly inserted card. When it detects that the card has been removed, the terminal can delete the user number information held in its secure area.
On the terminal, the method of the first embodiment can run at the operating system level, i.e. be implemented in the terminal's operating system, for example in the Application Framework layer of Android, which makes insertion and removal of the subscriber identity card easier to detect.
In addition, to make the acquisition of user number information more secure, the number server can sign the generated user number information with its private key and return both the user number information and the signature to the terminal over the connection established between them. When the terminal receives the user number information and signature on its connection with the number server, it verifies the signature with the number server's public key, stores the user number information only if verification succeeds, and discards it if verification fails.
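The two-channel correlation of steps 110 to 230, the number server's signature described in the paragraph above, and the authentication server's matching of the uploaded number information, modelled end to end as one program. This is an added example, not code from the patent or from the applicant, and it is a protocol model rather than Android code. Its assumptions are the example's own choices: the SMS body has the form "REQ:<requester identifier>"; the user number information is a SHA-256 hex digest of the MSISDN (one of the forms the description allows); the number server signs with Ed25519; and the authentication server compares in constant time. The phone numbers and requester identifiers in it are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// numberInfo derives "user number information" from an MSISDN. The description
// allows the raw number, a hash or an index; this example uses a SHA-256 hex digest.
func numberInfo(msisdn string) string {
	sum := sha256.Sum256([]byte(msisdn))
	return hex.EncodeToString(sum[:])
}

// SignedNumberInfo is what the number server returns over the connection:
// the user number information plus the server's signature over it.
type SignedNumberInfo struct {
	Info string
	Sig  []byte
}

// NumberServer correlates the two channels by requester identifier, treated here
// as an opaque string (the description lists IMEI, UUID, MAC address or account id).
type NumberServer struct {
	priv  ed25519.PrivateKey
	conns map[string]bool   // requester id -> connection open (step 210)
	nums  map[string]string // requester id -> MSISDN seen at the SMS gateway (step 220)
}

func NewNumberServer() (*NumberServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &NumberServer{priv: priv, conns: map[string]bool{}, nums: map[string]string{}}, pub, nil
}

// issue is step 230: only when both channels have presented the same requester
// identifier is the number information generated, signed and returned over the connection.
func (s *NumberServer) issue(reqID string) (*SignedNumberInfo, bool) {
	msisdn, haveNum := s.nums[reqID]
	if !haveNum || !s.conns[reqID] {
		return nil, false
	}
	info := numberInfo(msisdn)
	return &SignedNumberInfo{Info: info, Sig: ed25519.Sign(s.priv, []byte(info))}, true
}

// OpenConnection is step 210: the terminal connects and presents its requester identifier.
func (s *NumberServer) OpenConnection(reqID string) (*SignedNumberInfo, bool) {
	s.conns[reqID] = true
	return s.issue(reqID)
}

// ReceiveSMS is step 220: the preset SMS gateway receives a message. The sender
// number is supplied by the carrier; the requester identifier is in the body,
// assumed here to have the form "REQ:<requester identifier>".
func (s *NumberServer) ReceiveSMS(senderNumber, body string) (*SignedNumberInfo, bool) {
	body = strings.TrimSpace(body)
	reqID := strings.TrimPrefix(body, "REQ:")
	if reqID == body || reqID == "" {
		return nil, false // malformed: nothing to correlate on
	}
	s.nums[reqID] = senderNumber
	return s.issue(reqID)
}

// VerifyNumberInfo is the terminal-side check before storing: anything not signed
// by the number server is discarded, as the description requires.
func VerifyNumberInfo(pub ed25519.PublicKey, r *SignedNumberInfo) bool {
	return r != nil && ed25519.Verify(pub, []byte(r.Info), r.Sig)
}

// AuthServer holds the numbers users reserved and matches uploaded number
// information against them; an unknown user never matches.
type AuthServer struct {
	reserved map[string]string // user id -> reserved MSISDN
}

func (a *AuthServer) Authenticate(userID, uploaded string) bool {
	msisdn, ok := a.reserved[userID]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(numberInfo(msisdn)), []byte(uploaded)) == 1
}

func main() {
	srv, pub, err := NewNumberServer()
	if err != nil {
		panic(err)
	}
	// Constructed data; here the SMS reaches the gateway before the connection is opened.
	if _, ok := srv.ReceiveSMS("+8613800000000", "REQ:dev-7f3a"); ok {
		panic("issued before the connection existed")
	}
	r, ok := srv.OpenConnection("dev-7f3a") // both channels now match: issuance happens here
	fmt.Println("issued:", ok, "signature valid:", VerifyNumberInfo(pub, r))
	auth := &AuthServer{reserved: map[string]string{"alice": "+8613800000000"}}
	fmt.Println("alice authenticates:", auth.Authenticate("alice", r.Info))
}
```

OpenConnection and ReceiveSMS may be called in either order, which is the point of the note that steps 110 and 120 have no fixed timing: whichever channel presents the requester identifier second triggers issuance. The requester identifier is the only link between the two channels, so the server treats it as opaque and leaves its choice to the deployment. The terminal stores the number information only after VerifyNumberInfo succeeds, matching the discard-on-failure rule above.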
It can be seen that, in the first embodiment of the present application, the terminal interacts with the number server through the connection mode and the number-based communication mode, the number server obtains the user number from the number-based communication mode, generates the user number information, and issues the user number information to the connected terminal with the same requester identifier, so that the terminal uses the user number information for user authentication, thereby avoiding the authentication server authenticating the user number by sending a short message check code, simplifying the user operation in the authentication process, and accelerating the authentication speed.
The second embodiment of the application provides a new user authentication method: the terminal sends the user number information of the device to the authentication server in the authentication request, and the authentication server compares it with the service-side number information the user reserved to decide whether the user passes authentication. Whether the number used by the terminal is the one the user reserved can thus be verified without issuing and uploading a check code. This avoids authentication failures caused by short message delivery problems and the user's work of reading and entering a check code, completes authentication with fewer operations and faster, and so solves the problems of the prior art.
In the second embodiment of the present application, the terminal and the authentication server can reach each other through the mobile communication network. Generally, during authentication an application running on the terminal establishes a connection with the authentication server and exchanges information with it in request/response mode. The terminal can be any device that can carry out mobile communication with the user number, such as a mobile phone, tablet computer or notebook computer; the authentication server may be one physical or logical server, or two or more physical or logical servers with different responsibilities that cooperate to implement the functions of the authentication server in this embodiment.
In this embodiment, a flow of the method for user authentication applied to the terminal is shown in fig. 3, and a flow of the method applied to the authentication server is shown in fig. 4.
On the terminal, step 310, the user number information of the device is obtained.
As described above, if the user number is written on the terminal's subscriber identity card, the terminal may call an interface that provides the user number to obtain the number used by the device and generate user number information from it. The user number information may be the user number itself or a mapping value obtained by converting the user number with a predetermined algorithm (e.g., a hash of the user number).
If the user number information cannot be obtained on the terminal itself, it can be obtained from the number server with the scheme of the first embodiment. Where the user number information obtained from the number server is stored in a secure area of the device (e.g., a TEE or SE), the terminal reads it from that secure area. The user number information from the number server may be the user number, a mapping value obtained by converting the user number with a preset algorithm, or data in one-to-one correspondence with the user number or with its mapping value.
On the terminal, step 320, an authentication request is sent to the authentication server, where the authentication request includes the user number information.
At the authentication server, step 410, an authentication request sent by the terminal is received.
The terminal sends an authentication request to the authentication server with the device's user number information packaged in it. The authentication request may be any request that asks the service side to authenticate the user's identity in the course of a business process, such as a login request or a payment request, without limitation. The authentication server receives the request and extracts the terminal's user number information from it.
At the authentication server, step 420, obtaining the number information of the service side reserved by the user, and matching the number information of the service side with the received number information of the user.
In the prior art, a terminal generally uploads account information of a user using the terminal to an authentication server in a process of establishing connection with the authentication server; or the terminal uploads the account information of the user to the authentication server in the authentication request. That is, the authentication server can know which user sent the authentication request.
In an application scenario where identity is authenticated with the user number, each user reserves the user number they use on the service side. The service side generates service-side number information for each user from the reserved number and stores it at a preset storage location. The service-side number information may be the user number itself, a mapping value obtained by converting the user number with a predetermined algorithm (e.g., a hash of the user number), or data in one-to-one correspondence with the user number or its mapping value (e.g., a value produced by a one-to-one mapping with a predetermined algorithm, the index of the row of a database table that stores the user number, a randomly generated value uniquely assigned to one user number, etc.).
After receiving the authentication request of the terminal, the authentication server searches the service end number information reserved by the user in a preset storage position according to the user sending the authentication request, and matches the service end number information with the received user number information. The specific matching method is determined according to the user number information and the server number information adopted in the actual application scene, and is not described again.
It should be noted that the user number information and the server number information in one application scenario may be the same or different, as long as the authentication server can match the two. In one example, the user number information is a hash value obtained by inputting the user number into a certain predetermined hash algorithm, and the service side number information is the user number; when the two are matched, the authentication server inputs the number information of the service end into the same preset hash algorithm, compares the output hash value with the number information of the user, and if the two are the same, the two are matched. In another example, the user number information is an index value of a database table in which the service side stores the user number, and the service side number information is the user number; when matching, the authentication server uses the user number information as an index to inquire a database table for storing the user number, and if the found user number is the same as the service end number information, the two are matched.
To raise the security of the authentication process, the terminal may digitally sign the authentication request with the requester private key and send the request, with the requester identifier and the signature, to the authentication server. The authentication server verifies the signature with the terminal's requester public key; if verification fails, the matching result is set to unmatched. If it passes, the authentication server obtains the service-side number information reserved by the user and sets the matching result according to whether it matches the user number information.
The requester private key and requester public key may be any device key of the terminal or any key of the user; the embodiments are not limited in this respect. Some terminal manufacturers embed a root key (a device private key) in a secure area of the terminal (such as a TEE or SE) before it leaves the factory. Because the root key is safer and harder to repudiate than other keys, signing the authentication request that carries the user number information with the terminal's root key, and having the authentication server verify with the public key corresponding to that root key, gives higher security.
At the authentication server, step 430, an authentication response generated according to the matching result is sent to the terminal.
On the terminal, step 330, an authentication response returned by the authentication server is received, and the authentication response is generated by the authentication server after matching the server number information reserved by the user and the uploaded user number information.
The authentication server generates the authentication response from the result of matching the service-side number information against the user number information; the response carries the authentication result, success or failure. If identity is authenticated on the basis of the user number alone, authentication succeeds when the two match and fails when they do not. If identity is authenticated on the basis of the user number together with other authentication methods, authentication succeeds only when the matching result is a match and the other methods also pass; otherwise it fails.
The authentication server sends the authentication response to the terminal, and the terminal obtains the authentication result from the authentication response.
In the second embodiment, then, the terminal sends the device's user number information to the authentication server in the authentication request, and the authentication server authenticates the user by whether the service-side number information the user reserved matches the uploaded user number information. Whether the user number used by the terminal is the one the user reserved is thus verified without sending a short message and uploading a check code between terminal and authentication server: failures caused by short message delivery problems are avoided, the user does not have to read and enter a check code, and authentication is both simpler for the user and faster.
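As an added example (not the patent's or its assignee's code), the Go program below models steps 310 to 330 and 410 to 430 of the second embodiment with both matching forms described above: the App signs the authentication request with a key standing in for the device root key, and the authentication server verifies the signature first, then matches the service-side number information either by hashing the reserved number with the same preset algorithm or by using the uploaded value as an index into its table of user numbers. Ed25519, SHA-256, the type and field names and all sample values are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Constructed model of the second embodiment. AuthRequest, AuthServer and the
// field names are this example's own assumptions, not the patent's.

// AuthRequest is what the App sends. Kind says which form of user number
// information NumberInfo carries: "hash" (hash of the user number) or "index"
// (row index in the server's table of user numbers).
type AuthRequest struct {
	User        string // account the App acts for, so the server can find the reserved number
	Kind        string
	NumberInfo  string
	RequesterID string // terminal identifier, used to look up the root public key
	Signature   []byte
}

// signedBytes is the canonical byte string the root-key signature covers, so
// that no field can be altered after signing without failing verification.
func (r AuthRequest) signedBytes() []byte {
	return []byte(strings.Join([]string{r.User, r.Kind, r.NumberInfo, r.RequesterID}, "\x1f"))
}

// hashNumber is the preset algorithm shared by both sides (SHA-256 hex, an assumption).
func hashNumber(number string) string {
	sum := sha256.Sum256([]byte(number))
	return hex.EncodeToString(sum[:])
}

// SignRequest plays the App: rootKey stands in for the device root key read from the TEE/SE.
func SignRequest(rootKey ed25519.PrivateKey, req AuthRequest) AuthRequest {
	req.Signature = ed25519.Sign(rootKey, req.signedBytes())
	return req
}

// AuthServer holds the service-side number information and the public keys
// corresponding to each terminal's root key.
type AuthServer struct {
	reserved    map[string]string            // user account -> reserved user number
	rootPub     map[string]ed25519.PublicKey // requester identifier -> root public key
	numberTable []string                     // index -> user number, for the "index" form
}

// Authenticate checks the signature first; if it fails the result is recorded
// without looking up the reserved number. Otherwise the service-side number
// information is matched against the uploaded form.
func (s *AuthServer) Authenticate(req AuthRequest) (ok bool, result string) {
	pub, known := s.rootPub[req.RequesterID]
	if !known || !ed25519.Verify(pub, req.signedBytes(), req.Signature) {
		return false, "signature check failed"
	}
	reservedNumber, found := s.reserved[req.User]
	if !found {
		return false, "no reserved number for user"
	}
	switch req.Kind {
	case "hash":
		// Hash the server's own copy with the same preset algorithm and compare
		// in constant time, so timing does not reveal how many bytes agreed.
		want := hashNumber(reservedNumber)
		if subtle.ConstantTimeCompare([]byte(want), []byte(req.NumberInfo)) == 1 {
			return true, "matched"
		}
	case "index":
		// The uploaded value indexes the server's table; that row must hold the reserved number.
		idx, err := strconv.Atoi(req.NumberInfo)
		if err == nil && idx >= 0 && idx < len(s.numberTable) && s.numberTable[idx] == reservedNumber {
			return true, "matched"
		}
	}
	return false, "unmatched"
}

func main() {
	pub, root, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed account, numbers and IMEI; they identify nothing real.
	srv := &AuthServer{
		reserved:    map[string]string{"alice": "+8613800000000"},
		rootPub:     map[string]ed25519.PublicKey{"490154203237518": pub},
		numberTable: []string{"+8613700000000", "+8613800000000"},
	}
	req := SignRequest(root, AuthRequest{User: "alice", Kind: "hash",
		NumberInfo: hashNumber("+8613800000000"), RequesterID: "490154203237518"})
	fmt.Println(srv.Authenticate(req))
	req.NumberInfo = hashNumber("+8613900000000") // altered after signing
	fmt.Println(srv.Authenticate(req))
}
```

The signature covers every field of the request, so a value altered after signing (the second call in `main`) fails the signature check rather than merely the number match, which is the ordering the text prescribes. Binding a server-issued challenge into the signed bytes, so that one signed request cannot be resubmitted later, is a natural extension that the example leaves out because the patent text does not describe it.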
In an application example of the present application, the terminal obtains a hash value (a kind of user number information) of the user number of the device by using the scheme in the first embodiment, and performs identity authentication using the user number by using the scheme in the second embodiment.
Referring to fig. 5, in this application example the terminal manufacturer embeds in the terminal a software module for acquiring user number information, which runs in the terminal's operating system layer as the terminal number service. On the service side, the number server runs a number hash service and a short message gateway; these, acting as the number server, cooperate with the terminal number service on the terminal to implement the scheme of the first embodiment. The authentication server on the service side cooperates with the App on the terminal to implement the scheme of the second embodiment.
Specifically, the terminal number service on the terminal monitors insertion and removal of the SIM card. When it detects that a SIM card has been inserted, it sends a connection request carrying the terminal's IMEI (the requester identifier) to the number hash service running on the number server and establishes a connection with it. It also sends a short message whose content is the terminal's IMEI to the short message gateway of the number server.
The short message gateway of the number server receives the terminal's short message, extracts the sender's user number and the IMEI in the message content, and associates the two. The number hash service of the number server obtains the associated user number and terminal IMEI from the gateway and computes a user number hash value by feeding the user number into a preset hash algorithm. It then looks up the connection established by the connection request carrying the IMEI associated with that user number and sends the user number hash value, together with a digital signature made with the number server's private key, over that connection to the terminal number service at the other end.
The terminal number service on the terminal passes the received digital signature and user number hash value to the device's TEE or SE. The TEE or SE verifies the signature with the number server's public key; if verification fails the received hash value is discarded, and if it passes the hash value is saved in the secure area.
When the terminal number service detects that the terminal's SIM card has been pulled out, it deletes the user number hash value stored in the TEE or SE secure area.
When the App on the terminal needs to authenticate identity on the basis of the user number, it reads the stored user number hash value and the terminal's built-in root key from the device's TEE or SE secure area. The App encapsulates the user number hash value in the authentication request, signs the request with the root key, and sends the signed request to the authentication server.
And the authentication server receives the authentication request, searches a public key corresponding to the root key of the terminal sending the authentication request, and verifies the digital signature in the authentication request by using the public key. And if the verification is not passed, marking the matching result as unmatched, generating an authentication response carrying the authentication result as failure, and replying to the App.
If the signature passes, the authentication server looks up the user number reserved by the user of the App (a form of service-side number information). Using the same preset hash algorithm as the number hash service of the number server, it computes a reserved number hash value from the reserved user number. It then compares the user number hash value in the authentication request with the reserved number hash value: if they are the same, the two match and the authentication result is success; if they differ, the authentication result is failure.
And the authentication server packages the authentication result in an authentication response and sends the authentication response to the App.
Corresponding to the flows above, the embodiments also provide a device for obtaining user number information applied to a terminal, a device for obtaining user number information applied to a number server, a device for user authentication applied to a terminal, and a device for user authentication applied to an authentication server. These devices may be implemented in software, in hardware, or in a combination of the two. Taking software as an example, the device in the logical sense is formed when the CPU of the equipment hosting the terminal, number server or authentication server reads the corresponding computer program instructions into memory and runs them. In hardware terms, besides the CPU, memory and non-volatile memory shown in fig. 6, a terminal generally also includes hardware such as a chip for transmitting and receiving wireless signals, and the equipment hosting the number server or the authentication server generally also includes hardware such as a board for network communication.
Fig. 7 shows a user authentication apparatus applied to a terminal according to an embodiment of the present application, which includes a number information obtaining unit, an authentication request sending unit, and an authentication response receiving unit, where: the number information acquisition unit is used for acquiring the user number information of the equipment; the authentication request sending unit is used for sending an authentication request to an authentication server, wherein the authentication request comprises user number information; the authentication response receiving unit is used for receiving an authentication response returned by the authentication server, and the authentication response is generated by the authentication server according to the matching result of the number information of the service end reserved by the user and the number information of the user.
Optionally, the number information obtaining unit is specifically configured to: the user number information stored in the security area of the device is read.
In one example, the authentication request further includes: digital signature by using a private key of a requester; and the authentication response is generated by the authentication server according to the signature verification result of the digital signature by the public key of the requester and the matching result of the number information of the service end reserved by the user and the number information of the user.
In the above example, the requester private key includes the device root key built into the secure area of the device.
Optionally, the secure area includes: the trusted execution environment TEE or the secure element SE.
Optionally, the user number information includes one of: the user number adopts a preset algorithm to convert the mapping value of the user number into more than one, and the mapping value of the user number and the user number or the data of the mapping value of the user number have one-to-one correspondence at the authentication server; the service side number information includes one of: the user number is a mapping value obtained by converting the user number into one by adopting a preset algorithm, and the mapping value has one-to-one correspondence with the user number or the mapping value of the user number.
Fig. 8 shows a user authentication device applied to an authentication server, which includes an authentication request receiving unit, a number information matching unit, and an authentication response sending unit, where: the authentication request receiving unit is used for receiving an authentication request sent by a terminal, wherein the authentication request comprises user number information; the number information matching unit is used for acquiring the number information of the service end reserved by the user and matching the number information of the service end with the number information of the user; and the authentication response sending unit is used for sending the authentication response generated according to the matching result to the terminal.
In one example, the authentication request further includes: a digital signature by the terminal using the requester private key; the number information matching unit is specifically configured to: and after the digital signature passes the verification of the digital signature by adopting the public key of the requester, acquiring the number information of the service end reserved by the user, and matching the number information of the service end with the number information of the user.
In the above example, the requester public key includes the public key corresponding to the root key of the terminal.
Optionally, the user number information includes one of: the user number adopts a preset algorithm to convert the mapping value of the user number into more than one, and the mapping value of the user number and the user number or the data of the mapping value of the user number have one-to-one correspondence at the authentication server; the service side number information includes one of: the user number is a mapping value obtained by converting the user number into one by adopting a preset algorithm, and the mapping value has one-to-one correspondence with the user number or the mapping value of the user number.
Fig. 9 shows a device for acquiring user number information, which is applied to a terminal and includes a connection request sending unit, a number-based communication initiating unit, and a number information receiving unit, where: the connection request sending unit is used for sending a connection request, which includes a requester identifier, to the number server and establishing a connection; the number-based communication initiating unit is used for initiating communication to a preset interface of the number server in a number-based communication mode, with the requester identifier in the communication content; the number information receiving unit is used for receiving the user number information returned by the number server over the connection, that information being generated from the user number that communicated with the preset interface of the number server and whose communication content carries the same requester identifier as the connection request that established the connection; the user number information is to be provided by the terminal to the authentication server during user authentication and matched there against the service-side number information reserved by the user.
In one example, the apparatus further comprises: and a number information saving unit for saving the received user number information in a secure area of the present apparatus.
In the above example, the number information receiving unit is specifically configured to: receiving user number information returned by the number server through the connection and a digital signature carried out by a private key of the number server; the number information storage unit is specifically configured to: and after the digital signature passes the verification of the digital signature by adopting the public key of the number server, storing the received user number information in a safety area of the equipment.
Optionally, the secure area includes: the trusted execution environment TEE or the secure element SE.
In one implementation, the connection request sending unit is specifically configured to: when a user identification card of the terminal is inserted, sending a connection request to a number server and establishing connection;
the number-based communication initiating unit is specifically configured to: when the user identification card of the terminal is inserted, a communication mode based on the number is adopted to initiate communication to a preset interface of a number server.
In the foregoing implementation manner, the apparatus further includes: and the number information deleting unit is used for deleting the stored user number information when the user identification card of the terminal is pulled out.
Optionally, the number-based communication initiating unit is specifically configured to: and sending a short message with the content including the identifier of the requester to a preset short message gateway of the number service end.
Optionally, the requester identifier includes: an identification of the user account or an identification code of the terminal.
Optionally, the user number information includes one of: the user number is converted into a mapping value after the conversion from one to more by adopting a preset algorithm, and the mapping value of the user number or the mapping value of the user number has data in one-to-one correspondence relationship.
Optionally, the apparatus runs in an operating system layer of the terminal.
Fig. 10 shows a device for acquiring user number information, which is applied to a number server and includes a connection request receiving unit, a number-based communication receiving unit, and a number information issuing unit, where: the connection request receiving unit is used for receiving a connection request sent by a terminal and establishing connection, wherein the connection request comprises a requester identifier; the number-based communication receiving unit is used for receiving communication initiated by the terminal to a preset interface of the server side in a user number-based communication mode, acquiring a user number and a requester identifier in communication content and establishing a corresponding relation between the user number and the requester identifier; the number information issuing unit is used for generating user number information according to the user number and returning the user number information to the terminal through the connection with the requester identifier corresponding to the user number; the user number information is used for being provided to the authentication server by the terminal during user authentication and is matched with the service end number information reserved by the user at the authentication server.
Optionally, the number information issuing unit is specifically configured to: generate the user number information from the user number, digitally sign it with the number server's private key, and return it to the terminal over the connection whose requester identifier corresponds to the user number.
Optionally, the preset interface of the server includes a preset short message gateway, and the communication initiated by the terminal to the preset interface of the server in the user-number-based communication mode includes a short message, sent by the terminal to the preset short message gateway, whose content includes the requester identifier.
Optionally, the requester identifier includes: an identification of the user account or an identification code of the terminal.
Optionally, the user number information includes one of: and the user number adopts a preset algorithm to convert the mapping value of the user number into more than one, and the mapping value of the user number or the mapping value of the user number has one-to-one corresponding relation.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (16)

1. A method for obtaining user number information is applied to a terminal, and is characterized by comprising the following steps:
when a user identification card of a terminal is inserted, sending a connection request to a number server and establishing connection, wherein the connection request comprises a requester identifier;
when a user identification card of the terminal is inserted, initiating communication to a preset interface of a number server by adopting a number-based communication mode, wherein the communication content comprises the identifier of the requester;
receiving user number information returned by the number server through the connection, wherein the user number information is generated according to the user number that communicated with the preset interface of the number server and whose communication content carries the same requester identifier as the connection request for establishing the connection; the user number information is to be provided by the terminal to an authentication server during user authentication and matched there against the service-side number information reserved by the user;
and storing the received user number information in a safety area of the equipment.
2. The method of claim 1, wherein receiving the user number information returned by the number server through the connection comprises: receiving, through the connection, the user number information returned by the number server together with a digital signature made with the private key of the number server;
and storing the received user number information in a secure area of the device comprises: after the digital signature is verified using the public key of the number server, storing the received user number information in a secure area of the device.
3. The method of claim 1 or 2, wherein the secure area comprises: a trusted execution environment (TEE) or a secure element (SE).
4. The method of claim 1, further comprising: and when the user identification card of the terminal is pulled out, deleting the stored user number information.
5. The method of claim 1, wherein initiating communication to a preset interface of a number server in a number-based communication manner comprises: sending a short message whose content includes the requester identifier to a preset short message gateway of the number server.
6. The method of claim 1 or 5, wherein the requestor identification comprises: an identification of the user account or an identification code of the terminal.
7. The method of claim 1, wherein the user number information comprises one of: the user number; a mapping value obtained by converting the user number with a preset algorithm; or data in one-to-one correspondence with the user number or with the mapping value.
8. The method of claim 1, wherein the method runs at an operating system layer of the terminal.
9. A device for obtaining user number information is applied to a terminal, and is characterized by comprising:
a connection request sending unit, configured to send a connection request to a number server and establish a connection when a subscriber identity card of a terminal is inserted, where the connection request includes a requester identifier;
the number-based communication initiating unit is used for initiating communication to a preset interface of a number server by adopting a number-based communication mode when a user identification card of the terminal is inserted, and the communication content comprises the identifier of the requester;
a number information receiving unit, configured to receive user number information returned by the number server through the connection, where the user number information is generated from the user number that communicated with the preset interface of the number server, and the requester identifier in the communication content from that user number is the same as the requester identifier in the connection request that established the connection; the user number information is provided by the terminal to an authentication server during user authentication and is matched against the service-side number information the user has registered at the authentication server;
and a number information storage unit, configured to store the received user number information in a secure area of the device.
10. The apparatus according to claim 9, wherein the number information receiving unit is specifically configured to: receive, through the connection, the user number information returned by the number server together with a digital signature made with the private key of the number server;
and the number information storage unit is specifically configured to: after the digital signature is verified using the public key of the number server, store the received user number information in a secure area of the device.
11. The apparatus of claim 9 or 10, wherein the secure area comprises: a trusted execution environment (TEE) or a secure element (SE).
12. The apparatus of claim 9, further comprising: and the number information deleting unit is used for deleting the stored user number information when the user identification card of the terminal is pulled out.
13. The apparatus of claim 9, wherein the number-based communication initiating unit is specifically configured to: send a short message whose content includes the requester identifier to a preset short message gateway of the number server.
14. The apparatus of claim 9 or 13, wherein the requestor identification comprises: an identification of the user account or an identification code of the terminal.
15. The apparatus of claim 9, wherein the user number information comprises one of: the user number; a mapping value obtained by converting the user number with a preset algorithm; or data in one-to-one correspondence with the user number or with the mapping value.
16. The apparatus of claim 9, wherein the apparatus runs at an operating system layer of the terminal.
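The two-channel lookup that claims 1 to 7 describe (an IP connection carrying the requester identifier, plus a short message carrying the same identifier whose sender number the mobile network asserts, bound together at the number server, signed, verified on the terminal and kept in a secure area until the card is removed) is modelled below as an added example in Python. It is not the patent's or the applicant's code. The names NumberServer, Terminal, run_flow and the sample number and requester identifier are constructed; SHA-256 is assumed as the unspecified "preset algorithm" for the mapping value, and HMAC-SHA256 with a constructed key stands in for the private-key signature and public-key verification of claim 2 so that the block runs on the standard library alone.

```python
"""Model of the two-channel user number lookup in the claims (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed key. The claims use a private-key signature checked with the
# number server's public key; HMAC-SHA256 stands in so this runs on the stdlib,
# which means the terminal holds the same secret here (it would hold only the
# public key with a real signature scheme).
NUMBER_SERVER_KEY = b"constructed-demo-key-not-for-production"


def number_info_for(msisdn: str) -> str:
    """Mapping value of the user number; SHA-256 is an assumed 'preset algorithm'."""
    return hashlib.sha256(msisdn.encode()).hexdigest()


def sign(key: bytes, requester_id: str, number_info: str) -> str:
    """Signature over (requester id, number info) so a response cannot be re-bound."""
    msg = f"{requester_id}|{number_info}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class SignedNumberInfo:
    requester_id: str
    number_info: str
    signature: str


class NumberServer:
    """Binds the network-asserted SMS sender number to the matching connection."""

    def __init__(self, key: bytes):
        self._key = key
        self._connections: dict[str, list[str]] = {}  # requester_id -> open connection ids
        self._sms_sender: dict[str, str] = {}         # requester_id (SMS body) -> sender number

    def open_connection(self, requester_id: str) -> str:
        conn_id = secrets.token_hex(8)
        self._connections.setdefault(requester_id, []).append(conn_id)
        return conn_id

    def sms_gateway(self, sender_msisdn: str, body: str) -> None:
        # The preset short message gateway hands over the sender number as asserted by
        # the mobile network (not chosen by the app) plus the body with the requester id.
        self._sms_sender[body.strip()] = sender_msisdn

    def respond(self, conn_id: str, requester_id: str) -> Optional[SignedNumberInfo]:
        conns = self._connections.get(requester_id, [])
        if conn_id not in conns:
            raise LookupError("no such connection for this requester identifier")
        if len(conns) != 1:
            return None  # two connections claim the same requester id: refuse to bind
        msisdn = self._sms_sender.get(requester_id)
        if msisdn is None:
            return None  # the short message has not arrived yet: nothing to bind
        info = number_info_for(msisdn)
        return SignedNumberInfo(requester_id, info, sign(self._key, requester_id, info))


class Terminal:
    """OS-layer component; secure_area stands in for the TEE/SE of claim 3."""

    def __init__(self, requester_id: str, verify_key: bytes, send_sms: Callable[[str], None]):
        self.requester_id = requester_id
        self._verify_key = verify_key
        self._send_sms = send_sms  # hands the message to the carrier network
        self.secure_area: dict[str, str] = {}

    def sim_inserted(self, server: NumberServer) -> Optional[SignedNumberInfo]:
        conn_id = server.open_connection(self.requester_id)  # channel 1: connection request
        self._send_sms(self.requester_id)                     # channel 2: number-based SMS
        return server.respond(conn_id, self.requester_id)

    def store(self, resp: SignedNumberInfo) -> bool:
        """Claim 2: verify the signature before anything reaches the secure area."""
        expected = sign(self._verify_key, resp.requester_id, resp.number_info)
        if resp.requester_id != self.requester_id:
            return False
        if not hmac.compare_digest(expected, resp.signature):
            return False
        self.secure_area["number_info"] = resp.number_info
        return True

    def sim_removed(self) -> None:
        """Claim 4: the stored number information goes away with the card."""
        self.secure_area.clear()


def run_flow(msisdn: str = "+86 138 0000 0000", requester_id: str = "acct-42"):
    """Constructed end-to-end run; returns (stored successfully, stored value)."""
    server = NumberServer(NUMBER_SERVER_KEY)
    # Carrier delivery: the network stamps the true sender number on the message.
    carrier = lambda body: server.sms_gateway(msisdn, body)
    term = Terminal(requester_id, NUMBER_SERVER_KEY, carrier)
    resp = term.sim_inserted(server)
    ok = resp is not None and term.store(resp)
    return ok, term.secure_area.get("number_info")
```

Two checks in the model are the ones a reviewer of such a design looks for: the server declines to answer when more than one live connection presents the same requester identifier, instead of guessing which one the short message belongs to, and the terminal compares the requester identifier inside the signed response with its own before storing, so a response bound to another identifier is not accepted even if its signature is valid.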
CN201710016046.6A 2017-01-10 2017-01-10 User authentication method and device, and method and device for acquiring user number information Active CN106878280B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710016046.6A CN106878280B (en) 2017-01-10 2017-01-10 User authentication method and device, and method and device for acquiring user number information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710016046.6A CN106878280B (en) 2017-01-10 2017-01-10 User authentication method and device, and method and device for acquiring user number information

Publications (2)

Publication Number Publication Date
CN106878280A CN106878280A (en) 2017-06-20
CN106878280B true CN106878280B (en) 2020-07-24

Family

ID=59165498

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710016046.6A Active CN106878280B (en) 2017-01-10 2017-01-10 User authentication method and device, and method and device for acquiring user number information

Country Status (1)

Country Link
CN (1) CN106878280B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108055132B (en) 2017-11-16 2020-04-28 阿里巴巴集团控股有限公司 Method, device and equipment for service authorization
CN108712439B (en) * 2018-05-31 2021-06-29 中国联合网络通信集团有限公司 User information management method, device, server and storage medium
CN111010363B (en) * 2019-09-20 2022-04-05 中国银联股份有限公司 Information authentication method and system, authentication module and user terminal
CN111245870B (en) * 2020-04-26 2020-08-14 国网电子商务有限公司 Identity authentication method based on mobile terminal and related device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1200532C (en) * 2001-12-05 2005-05-04 上海卓扬科技有限公司 Broad access network user identifying method
CN101795263B (en) * 2009-12-28 2012-12-12 中国联合网络通信集团有限公司 Secure broadband access method, authentication method, device and system
US9338287B1 (en) * 2012-10-09 2016-05-10 Whatsapp Inc. Automated verification of a telephone number
CN103856940A (en) * 2012-11-29 2014-06-11 中国电信股份有限公司 Security authentication method and system
CN103152331B (en) * 2013-02-07 2016-01-20 百度在线网络技术(北京)有限公司 The method, system and the cloud server that log in/register is carried out by mobile terminal

Also Published As

Publication number Publication date
CN106878280A (en) 2017-06-20

Similar Documents

Publication Publication Date Title
US10285050B2 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
US11281762B2 (en) Method and apparatus for facilitating the login of an account
CN106878280B (en) User authentication method and device, and method and device for acquiring user number information
US10516666B2 (en) Authentication method, apparatus, and system
CN105188055A (en) Wireless network access method, wireless access point and server
JP6880055B2 (en) Message anti-counterfeiting implementation method and device
CN110266656B (en) Secret-free authentication identity identification method and device and computer equipment
TW201545526A (en) Method, apparatus, and system for providing a security check
US11838752B2 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
JP2016538623A (en) Authentication for applications
WO2019149006A1 (en) Method and device for obtaining and providing access information of wireless access point, and medium
CN105450614A (en) Server account login method, apparatus and system
CN113472716B (en) System access method, gateway device, server, electronic device and storage medium
US20180212954A1 (en) Information registration and authentication method and device
US11032272B2 (en) Mobile number verification for mobile network-based authentication
US9680814B2 (en) Method, device, and system for registering terminal application
CN108696538B (en) Secure communication method of IMS (IP multimedia subsystem) system based on key file
CN108809969B (en) Authentication method, system and device
EP3079329B1 (en) Terminal application registration method, device and system
CN114826719A (en) Trusted terminal authentication method, system, device and storage medium based on block chain
CN109040013B (en) Authentication method and device of intelligent earphone
US20240106820A1 (en) Generation and verification of a temporary authentication value for use in a secure transmission
CN115190483B (en) Method and device for accessing network
CN111711628B (en) Network communication identity authentication method, device, system, equipment and storage medium
CN117376439A (en) Access method and device of information website system and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200923

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200923

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.

TR01 Transfer of patent right