CN107733644B - Two-dimensional code authentication system based on quantum encryption - Google Patents


Info

Publication number: CN107733644B
Authority: CN (China)
Prior art keywords: authentication, dimension code, quantum, application, communication service
Legal status: Active
Application number: CN201710993052.7A
Other languages: Chinese (zh)
Other versions: CN107733644A
Inventors: 富尧, 钟一民
Current assignee: Zhejiang Shenzhou Liangzi Network Science & Technology Co ltd
Original assignee: Zhejiang Shenzhou Liangzi Network Science & Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Authentication of entities using tickets, e.g. Kerberos
    • H04L 63/083 Authentication of entities using passwords
    • H04L 63/0861 Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention discloses a two-dimensional code authentication system based on quantum encryption, which comprises an application server, an application terminal, a mobile terminal and a quantum communication service station, wherein the application server and the application terminal are respectively provided with a quantum key fob, and a corresponding quantum key is stored between each quantum key fob and the quantum communication service station for encrypted communication or two-dimensional code authentication; when two-dimension code authentication is carried out, the application terminal obtains two-dimension code authentication information from the application server through application, the application terminal obtains an application terminal two-dimension code response value through calculation by utilizing the stored quantum key in the configured quantum key card, and outputs a corresponding two-dimension code; and the mobile terminal acquires the two-dimension code from the application terminal, extracts a two-dimension code response value of the application terminal and sends the response value to the quantum communication service station for authentication through the application server. In the invention, the mobile terminal is used for authenticating the user equipment and the user of the quantum communication network, and the system safety is greatly improved.

Description

Two-dimensional code authentication system based on quantum encryption
Technical Field
The invention relates to the field of network security communication, in particular to a two-dimensional code authentication system based on a quantum communication network.
Background
In identity authentication, static passwords are easily stolen by malicious software or brute-forced because they are fixed and never change. Dynamic token technology emerged to address this weakness of static passwords.
The dynamic token replaces the traditional static password with a one-time password generated from three variables: time, event and key. Each dynamic token card has a unique key that is also stored on the server side; during each authentication, the token card and the server independently compute the dynamic token to be authenticated from the same key, the same random parameters (time and event) and the same algorithm, so the two sides arrive at a consistent password and identity authentication is achieved. Because the random parameters differ for each authentication, the dynamic token generated each time also differs, and the randomness of the parameters makes each password unpredictable, securing the password authentication step that is the most basic and important part of the system. Classified by terminal, dynamic tokens include hardware tokens and mobile phone tokens. A mobile phone token is client software installed on the mobile phone that generates the dynamic token.
Internationally, dynamic tokens use two major algorithms: RSA's SecurID (based on the AES symmetric algorithm) and the HMAC-based algorithm used by the OATH organization. Dynamic token algorithms used domestically in China are based on the national cryptographic algorithms SM1 and SM3.
Two-dimensional codes, also known as Quick Response codes, have become a very popular encoding method in recent years. Compared with the traditional bar code, the two-dimensional code can store more information and represent more data types. Since the scan-to-pay functions of WeChat and Alipay trained users' habits, two-dimensional codes have gained broad recognition. At present, the two-dimensional codes of each major platform's applications are generated by a backend, and an application terminal user scans the two-dimensional code with a mobile terminal APP to perform secure identity authentication. Two-dimensional code technology may be combined with dynamic token technology, for example to carry the challenge information of challenge-response dynamic tokens.
Quantum communication is an emerging interdisciplinary field combining quantum theory and information theory, and its high-security information transmission capability is attracting growing attention.
For example, Chinese patent application 201510513004.4 discloses a mobile token identity authentication system based on a quantum cryptography network, which introduces dynamic token authentication into a quantum communication network. However, it does not consider the security of the mobile terminal, and the dynamic password must be entered manually at the application terminal, so the operation is inconvenient.
Chinese patent application 201610843356.0 discloses a user identity authentication system and method, which introduces a quantum communication service station, a quantum key fob, and a method for implementing mutual authentication between them. However, it only describes the authentication of the quantum communication user equipment equipped with the quantum key fob by the quantum communication service station; it does not describe the internal authentication of the application system within the quantum communication network, that is, the authentication of the application terminal by the application server, and it authenticates only the equipment in the quantum communication network, not the user of that equipment.
Problems in the prior art
1. In the prior art, in the process of identity authentication by using a dynamic token, an application terminal user needs to manually input the dynamic token, so that the operation is too complicated, and potential safety hazards exist.
2. In the prior art, authentication is only performed on the user equipment of the quantum communication network, and authentication is not performed on the user of the user equipment of the quantum communication network.
3. In the prior art, the account authentication centers of each application server are independent, and the application terminals need to maintain a plurality of sets of accounts and corresponding passwords thereof, so that the management is inconvenient.
Disclosure of Invention
The invention provides a two-dimensional code authentication system based on quantum encryption, which is convenient to operate and high in safety.
A two-dimension code authentication system based on quantum encryption comprises an application server, an application terminal, a mobile terminal and a quantum communication service station, wherein the application server and the application terminal are respectively provided with a quantum key fob, and a corresponding quantum key is stored between each quantum key fob and the quantum communication service station for encrypted communication or two-dimension code authentication;
when two-dimension code authentication is carried out, the application terminal obtains two-dimension code authentication information from the application server through application, the application terminal obtains an application terminal two-dimension code response value through calculation by utilizing the stored quantum key in the configured quantum key card, and outputs a corresponding two-dimension code;
and the mobile terminal acquires the two-dimension code from the application terminal, extracts the response value of the two-dimension code of the application terminal and sends the response value to the quantum communication service station through the application server for authentication, and the authentication results are respectively sent to the application server and the application terminal and related services are executed.
In the invention, the two-dimension code authentication information and the corresponding two-dimension code both contain a two-dimension code challenge value, from which a two-dimension code response value can be generated by a pre-negotiated algorithm.
When the application server sends the application terminal's two-dimension code response value to the quantum communication service station, it also sends the two-dimension code challenge value. Because the quantum key card matched with the application terminal and the quantum communication service station store the corresponding quantum key, the quantum communication service station can compute the expected two-dimension code response value itself and compare it with the received application terminal response value; if the two values are consistent, the authentication is regarded as successful.
The invention utilizes the mobile terminal to authenticate the user equipment and the user of the quantum communication network, and the system safety is greatly improved. The mobile terminal is adopted to scan and authenticate the two-dimensional code, the operation of a user is fast and convenient, the experience is superior to that of a dynamic password, and after the mobile terminal uses the quantum key fob, the safety is also higher than that of the dynamic password. The quantum communication service station in the quantum communication network is used as the account authentication center of the plurality of application servers, so that the application terminals do not need to maintain a plurality of sets of accounts and corresponding passwords thereof, and the management is convenient.
The same application server can serve a plurality of application terminals and mobile terminals, and the number of quantum communication service stations participating in the authentication process is not limited to one. When several quantum nodes communicate with each other, the quantum communication service stations can encrypt their communication with an inter-station quantum key obtained by QKD, or a quantum key card can be used to encrypt communication with its affiliated quantum communication service station (that is, the quantum key card is issued by the affiliated quantum communication service station, and corresponding quantum keys are stored in both the quantum key card and that station).
Optionally, after obtaining the two-dimensional code, the mobile terminal further calculates a corresponding mobile terminal two-dimensional code response value and sends the mobile terminal two-dimensional code response value and the application terminal two-dimensional code response value to the application server;
and the authentication of the two-dimension code response value of the mobile terminal is used as a starting condition for the authentication of the two-dimension code response value of the application terminal.
The two-dimension code authentication information generated by the application server comprises a two-dimension code challenge value and the like, the two-dimension code response value of the application terminal is obtained by calculation at the application terminal according to an agreed authentication algorithm, and the two-dimension code response value of the mobile terminal is obtained by calculation at the mobile terminal in the same way and is used for authenticating the mobile terminal.
Optionally, the application server authenticates the two-dimensional code response value of the mobile terminal, and after the authentication is passed, the two-dimensional code response value of the application terminal is sent to the quantum communication service station for authentication.
The precondition for authenticating the application terminal's two-dimension code response value is that the mobile terminal is legitimate equipment, that is, the mobile terminal's two-dimension code response value can itself be authenticated. The application server and the mobile terminal do not need quantum encryption between them; for example, the mobile terminal is provided with a two-dimension code authentication module, which can take a hardware form such as a mobile terminal mainboard chip, a UKEY or an SDKEY, or a software form such as an APP. In this case, the mobile terminal's two-dimension code response value can be authenticated at the application server.
Optionally, the mobile terminal is configured with a quantum key fob, and a corresponding quantum key is stored between the quantum key fob and the quantum communication service station;
after the mobile terminal acquires the two-dimension code, calculating by using the stored quantum key in the configured quantum key card to obtain a two-dimension code response value of the mobile terminal; and the two-dimension code response value of the mobile terminal is sent to the quantum communication service station for authentication through the application server.
Preferably, the mobile terminal is configured with a quantum key fob and the mobile terminal's two-dimensional code response value is generated inside that fob. In this case the quantum communication service station holding the quantum key corresponding to that fob is required to authenticate the mobile terminal's response value, so the mobile terminal's two-dimensional code response value is transmitted to the quantum communication service station via the application server for authentication.
The two-dimensional code authentication system can be applied to various systems needing identity authentication, multiple application servers and multiple application terminals can be configured according to needs and scenes, the application servers run business service programs, and the application terminals run business client programs.
Optionally, the application server is a background server of an access control system, an intelligent building background control center, or an attendance system background server; the application terminal is correspondingly an access control device, a controlled terminal of the intelligent building, or an attendance machine terminal.
Optionally, a user of the application terminal sends application information to the application server through the application terminal to obtain the two-dimensional code, and the application information carries or does not carry an identification number pre-assigned to the user by the application server.
Compared with carrying the identification number, if the identification number is not carried the user of the application terminal does not need to enter any information at the application terminal; the application terminal sends an empty user access request to the application server, which further simplifies the user's operation.
Optionally, the application terminal outputs the two-dimensional code through a display screen; or outputting the two-dimensional code in a printing mode.
Optionally, the application server receives a response from the mobile terminal and having the two-dimensional code response value of the application terminal and the two-dimensional code response value of the mobile terminal, extracts corresponding information from the response and performs validity judgment, and starts an authentication process of the two-dimensional code response value of the mobile terminal after judging that the response is valid.
The mobile terminal sends a response to the application server, which includes the application terminal two-dimensional code response value, the mobile terminal two-dimensional code response value, the two-dimensional code ID and the identity number of each quantum key card. Depending on the validity judgment used, the response can also carry the user's biological information collected by the mobile terminal, such as fingerprint, iris, face, vein or palm print information.
Optionally, the validity judgment includes at least one of the following judgments:
whether the two-dimension code ID matches the information pre-stored in the application server;
whether the mobile terminal is matched with the application terminal or not;
whether the biological characteristics of the user are matched with the reserved information in the application server or not;
whether the two-dimensional code authentication time is overdue or not.
If the mobile terminal is not equipped with a quantum key card, the application server authenticates the mobile terminal's two-dimensional code response value. In this case, optionally, the quantum key card of the application server is issued by a first quantum communication service station and the quantum key card of the application terminal is issued by a second quantum communication service station;
after receiving the application terminal's two-dimensional code response value sent by the application server, the first quantum communication service station forwards the response value to the second quantum communication service station for authentication, and the first quantum communication service station also receives the authentication result from the second quantum communication service station and forwards it to the application server;
and the application server obtains the authentication result from the first quantum communication service station and forwards it to the application terminal.
Preferably, the quantum key fob of the application server and the quantum key fob of the application terminal are issued from the same quantum communication service station.
If the mobile terminal is equipped with a quantum key card, optionally, the quantum key card of the application server is issued by a first quantum communication service station, the quantum key card of the application terminal is issued by a second quantum communication service station, and the quantum key card of the mobile terminal is issued by a third quantum communication service station;
after receiving the mobile terminal two-dimensional code response value and the application terminal two-dimensional code response value sent by the application server, the first quantum communication service station forwards the mobile terminal two-dimensional code response value to a third quantum communication service station for authentication, and receives an authentication result from the third quantum communication service station;
after the two-dimension code response value of the mobile terminal passes the authentication, the first quantum communication service station forwards the two-dimension code response value of the application terminal to the second quantum communication service station for authentication, and the first quantum communication service station also receives and forwards an authentication result from the second quantum communication service station to the application server;
and the application server obtains the authentication result of the first quantum communication service station and forwards the authentication result to the application terminal.
Preferably, the quantum key fobs of the application server, the application terminal and the mobile terminal are all issued by the same quantum communication service station.
The invention has the beneficial effects that:
1. The problem in the prior art that, when a dynamic token is used for authentication, the application terminal user must enter the dynamic token manually, making the operation too cumbersome and introducing potential safety hazards, is solved.
2. The problem that in the prior art, authentication is only performed on the user equipment of the quantum communication network, and authentication is not performed on a user of the user equipment of the quantum communication network is solved.
3. The problem of inconvenient management caused by the fact that account authentication centers of all application servers are independent respectively and application terminals need to maintain a plurality of sets of accounts and corresponding passwords of the accounts in the prior art is solved.
Drawings
FIG. 1 is a networking diagram of a two-dimensional code authentication system according to the present invention;
FIG. 2 is a flowchart of example 1 of the present invention;
FIG. 3 is a flowchart of example 2 of the present invention;
FIG. 4 is a flowchart of example 3 of the present invention;
FIG. 5 is a flowchart of embodiment 4 of the present invention.
Detailed Description
Referring to fig. 1, in the two-dimensional code authentication system of the present invention, in a quantum communication network, a plurality of quantum communication metropolitan area networks are accessed to a quantum communication trunk, and each quantum communication metropolitan area network can be accessed by a plurality of quantum communication service stations.
The quantum communication service station is internally provided with a plurality of servers such as authentication service, quantum key distribution service, and quantum random number service.
The authentication service is used for authenticating the identity of the user equipment of the quantum communication service station.
The quantum key distribution service performs quantum key distribution and generates a pairwise key with another quantum communication service station through the quantum communication metropolitan area network and the quantum communication trunk; the key distribution protocol is preferably BB84.
The quantum random number service issues a paired set of quantum random number keys to a quantum key fob and the quantum communication service station; for the issuing of quantum key fobs, reference is made to Chinese patent application 201610843210.6.
After the quantum random number service has issued the paired quantum random number key sets to a quantum key fob and the quantum communication service station, the quantum communication service station issues the quantum key fob to a piece of its user equipment; in actual use, each quantum key fob corresponds one-to-one with a piece of user equipment of the quantum communication service station. User equipment can access the quantum communication service station as fixed user equipment or as mobile user equipment. Fixed user equipment can be a common PC/MAC computer, an embedded device, or a server of any kind, such as the application server and a fixed application terminal of the invention. Mobile user equipment can be any mobile terminal such as a mobile phone or PAD, such as a mobile application terminal of the invention. Whatever its type, every piece of user equipment of the quantum communication service station provides an interface for connecting the quantum key card and can communicate with it. When user equipment accesses the quantum communication service station, it must be bound one-to-one to a specific quantum key card; otherwise it cannot access the quantum communication service station.
With regard to the implementation of the quantum key fob, reference may be made to Chinese patent application 201610843210.6, which discloses a quantum communication service station, a quantum key management apparatus, and a key configuration network and method, and also describes the issuing of the quantum key fob.
The invention can be applied to various systems needing identity authentication, and comprises an application server and a plurality of application terminals, wherein the application server runs a service program, and the application terminals run a service client program.
The application system of the invention can be but is not limited to: an access control system; an intelligent building control system; an attendance system; and so on. In the case of the aforementioned three application systems, the application servers are respectively: a background server of the access control system; an intelligent building background control center; a background server of the attendance system; the application terminals are respectively as follows: an access control device; an intelligent building controlled terminal; attendance machine terminal.
The application server and the application terminal are user equipment of the quantum communication service station, and each is equipped with a corresponding quantum key fob.
The identity of the user of the application terminal is authenticated by the user's mobile terminal that it carries. The user mobile terminal need not be, but may be, a mobile subscriber device of a quantum communication service station.
When the user mobile terminal is user equipment of the quantum communication service station, the situation is denoted MT_IS_QT, and the user mobile terminal communicates with the application server through the quantum communication network.
When the user mobile terminal is not user equipment of the quantum communication service station, the situation is denoted MT_IS_NOT_QT, and a secure authentication communication network is arranged between the user mobile terminal and the application server. Possible secure authentication communication networks include a communication network secured by a static key, a pre-distributed key, a dynamic token key, a mobile phone dynamic token key, an SMS key or a CA certificate, and the like.
Each application terminal has the capability of displaying the two-dimensional code image.
A mobile terminal that needs to acquire and recognize two-dimensional codes is provided with a camera of sufficient resolution for capturing two-dimensional code images and with a functional module for extracting the information contained in a two-dimensional code from its image. These modules use technologies known to persons skilled in the art, so their implementation is not discussed in the invention.
Example 1
QRA_FLOW two-dimensional code authentication process
The parties directly involved in QRA_FLOW are a mobile terminal MT, an application terminal AT (its current quantum key fob is ATK, with identification number ATKID), an application server AS (its current quantum key fob is ASK, with identification number ASKID), the authentication service module QAT (identification number QATID) of the quantum communication service station corresponding to the current key of ATK, and the authentication service module QAS (identification number QASID) of the quantum communication service station corresponding to the current key of ASK.
The AT user holds the MT. The MT possesses unique identification information MTINFO, which includes but is not limited to the IMEI code, mobile communication number and network card MAC address of the MT. In the case of MT_IS_QT, the MT has a quantum key fob MTK (with identification number MTKID), there is an authentication service module QMT (with identification number QMTID) of the quantum communication service station corresponding to the current key of the MTK, and MTINFO contains MTKID.
The MT has a two-dimensional code authentication module, which in the case of MT_IS_QT can be the quantum key fob; in the case of MT_IS_NOT_QT, the module can take a hardware form such as a mobile terminal mainboard chip, UKEY or SDKEY, or a software form such as an APP.
The AT user registers the MT with the AS. The identification number assigned by the AS to the AT user is UID; the bound identification information is MTINFO. The AS stores the UID and its corresponding MTINFO in an account database. The AS can also store the user's biological characteristics corresponding to the UID in the account database, such as fingerprint, iris, face, vein and palm print characteristics.
Referring to FIG. 2, QRA_FLOW is as follows:
3.1 AT sends user access request to AS
The access request types include: displaying an AT-related service interface; executing an AT-controlled door access switch operation; executing an AT-controlled electrical switch operation of an intelligent building; performing attendance checking for personnel at the location of the AT; and so on.
The AT user inputs the UID to the AT. The UID is carried in the user access request sent by AT to AS.
3.2 AS processes the user access request
The AS checks whether the UID exists; if not, it returns a failure message and an error code to the AT and the process ends; otherwise it continues.
The AS generates the two-dimensional code related information and records it in the two-dimensional code database of the AS.
The two-dimensional code related information includes two-dimensional code authentication information and two-dimensional code additional information, as summarized in the following table:
Two-dimensional code authentication information: two-dimensional code ID; two-dimensional code challenge value.
Two-dimensional code additional information: two-dimensional code generation time; two-dimensional code applicant ID; two-dimensional code applicant contact way.
The two-dimensional code authentication information comprises a two-dimensional code ID and a two-dimensional code challenge value. The two-dimensional code ID is a number or character string, internal to the AS, that uniquely identifies the two-dimensional code. The two-dimensional code challenge value is a true random number.
The two-dimensional code additional information comprises the two-dimensional code generation time, the two-dimensional code applicant ID and the two-dimensional code applicant contact way. The generation time is the time at which the two-dimensional code authentication information was generated. The applicant ID is the UID. The applicant contact way is the IP address of the AT plus its port number.
The two-dimensional code related information recorded by the AS is valid for authentication only within a time range, called the maximum two-dimensional code authentication time difference. Once this range is exceeded, the two-dimensional code related information is regarded as invalid and is deleted from the two-dimensional code database of the AS at irregular intervals. Preferably, the maximum two-dimensional code authentication time difference is 60 seconds; it can also be set to infinity.
3.3 AS sends two-dimensional code authentication information and two-dimensional code generator contact information to AT
The AS sends this information to the AT using the two-dimensional code applicant contact way. The two-dimensional code generator contact way is the IP address of the AS plus its port number.
3.4 AT generates two-dimensional code response value and displays two-dimensional code picture
3.4.1 AT generates the two-dimensional code response value
The AT obtains the two-dimensional code authentication information and the two-dimensional code generator contact way. The two-dimensional code authentication information comprises a two-dimensional code ID and a two-dimensional code challenge value.
The AT passes the two-dimensional code authentication information into the ATK; the ATK takes out the current authentication key and calculates the AT two-dimensional code response value according to the agreed authentication algorithm. Preferably, the authentication algorithm is a challenge-response algorithm and the response is computed with a keyed hash algorithm (e.g., HMAC).
3.4.2 AT generates the two-dimensional code picture
The AT generates the two-dimensional code picture from the two-dimensional code authentication information, the two-dimensional code generator contact way, the ATKID and the AT two-dimensional code response value, according to the two-dimensional code generation rule.
3.4.3 AT displays the two-dimensional code picture on its display device
3.5 MT collects two-dimensional code picture and obtains related information
The MT obtains the two-dimensional code authentication information, the two-dimensional code generator contact way, the ATKID and the AT two-dimensional code response value. The two-dimensional code authentication information comprises a two-dimensional code ID and a two-dimensional code challenge value.
3.6 MT generates two-dimensional code authentication response value
The MT passes the two-dimensional code authentication information to its two-dimensional code authentication module; the module takes out the current authentication key of the MT and, combining it with the two-dimensional code challenge value in the authentication information, calculates the MT two-dimensional code response value according to the agreed authentication algorithm. Preferably, the authentication algorithm is a challenge-response algorithm and the response is computed with a keyed hash algorithm (e.g., HMAC).
3.7 MT sends MT two-dimensional code authentication response information to AS
The MT two-dimensional code authentication response information contains the two-dimensional code ID, the ATKID, the AT two-dimensional code response value, MTINFO and the MT two-dimensional code response value.
Besides the above, the MT two-dimensional code authentication response information may also carry user biometric information collected by the MT, such as fingerprint, iris, face, vein or palm print information.
The MT sends the MT two-dimensional code authentication response information to the AS using the two-dimensional code generator contact way.
In the MT_IS_QT case, the MT two-dimensional code authentication response information is encrypted and message-authenticated using the quantum communication network.
In the MT_IS_NOT_QT case, the MT two-dimensional code authentication response information is encrypted and message-authenticated using a secure authenticated communication network between the MT and the AS.
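As an added illustration of steps 3.4 to 3.7 (example code written for this page, not part of the patent and not code of the applicant), the following Python shows the AT computing its response with the current key of ATK and packing the data that go into the two-dimensional code, then the MT decoding that payload and computing its own response over the same challenge. The keys, identifiers, the JSON payload encoding and the choice of HMAC-SHA256 as the keyed hash are all assumptions; the patent only states that a keyed hash such as HMAC is preferred and fixes no payload format.

```python
import hashlib
import hmac
import json

# Constructed sample values (hypothetical): the "current authentication key"
# held by the AT's quantum key fob ATK and by the MT's authentication module.
ATK_CURRENT_KEY = bytes.fromhex("0f" * 32)
MT_CURRENT_KEY = bytes.fromhex("a5" * 32)
ATKID = "ATK-0001"                                          # constructed fob id
MTINFO = {"imei": "490154203237518", "mtkid": "MTK-0001"}   # constructed MTINFO


def response_value(key: bytes, challenge: bytes) -> str:
    """Challenge-response in keyed-hash mode (HMAC-SHA256 is the assumed hash)."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def at_build_qr_payload(auth_info: dict, generator_contact: str) -> str:
    """Step 3.4: the AT computes the AT two-dimensional code response value and
    assembles the data encoded into the two-dimensional code picture.  Rendering
    the picture itself is out of scope; the payload is a compact JSON string
    (assumed encoding, the patent fixes no format)."""
    challenge = bytes.fromhex(auth_info["challenge"])
    payload = {
        "qr_id": auth_info["qr_id"],
        "challenge": auth_info["challenge"],
        "generator_contact": generator_contact,          # AS IP address + port
        "atkid": ATKID,
        "at_response": response_value(ATK_CURRENT_KEY, challenge),
    }
    return json.dumps(payload, separators=(",", ":"))


def mt_build_auth_response(qr_payload: str) -> dict:
    """Steps 3.5 to 3.7: the MT decodes the payload, computes the MT two-dimensional
    code response value over the same challenge with its own current key, and builds
    the MT two-dimensional code authentication response information for the AS."""
    data = json.loads(qr_payload)
    challenge = bytes.fromhex(data["challenge"])
    return {
        "qr_id": data["qr_id"],
        "atkid": data["atkid"],
        "at_response": data["at_response"],
        "mtinfo": MTINFO,
        "mt_response": response_value(MT_CURRENT_KEY, challenge),
        "send_to": data["generator_contact"],            # where step 3.7 delivers it
    }


if __name__ == "__main__":
    # Constructed authentication information as the AS would send it in step 3.3.
    auth_info = {"qr_id": "QR-0042", "challenge": "7d" * 16}
    payload = at_build_qr_payload(auth_info, "192.0.2.10:8443")
    print(mt_build_auth_response(payload))
```

Both responses are computed over the same challenge but under different keys, so each verifier later in the flow (the AS in 3.8.4, the QMT in 3.11, the QAT in 3.14) can recompute only the response whose key it holds. The generator contact carried inside the picture is not itself authenticated at the moment the MT reads it; what binds the MT's message to the genuine AS is the encrypted and message-authenticated channel of step 3.7 together with the checks of step 3.8.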
3.8 AS judges the validity of the response
3.8.1 Two-dimensional code validity judgment
The AS searches its two-dimensional code database for the two-dimensional code related information by the two-dimensional code ID. If it cannot be found, the response is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
3.8.2 Identity information validity judgment
The AS takes the UID from the two-dimensional code related information and checks, against the account database, whether MTINFO belongs to that UID. If not, MTINFO is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
If the information sent by the MT carries user biometric information, the AS checks, against the account database, whether it matches the user biometric features stored for that user. If not, the biometric information is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
3.8.3 Time validity judgment
The AS records the current time as the two-dimensional code authentication time, and takes the two-dimensional code generation time from the two-dimensional code related information. The two-dimensional code authentication time difference is the difference between the authentication time and the generation time. If it is larger than the maximum two-dimensional code authentication time difference, the response is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
3.8.4 (MT_IS_NOT_QT case only) Authentication of MT two-dimensional code response value
The AS authenticates the MT two-dimensional code response value using the authentication mechanism of the secure authenticated communication network between the AS and the MT.
If a symmetric key is shared between the AS and the MT, the AS takes out that key and runs the authentication algorithm over the two-dimensional code challenge value to obtain the MT two-dimensional code expected response value. The AS compares the MT two-dimensional code response value with the expected response value to obtain the two-dimensional code authentication result. If they are not equal, the MT is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
If authentication between the AS and the MT uses CA certificates, the identity of the MT is judged with the CA certificate authentication mechanism. If the MT is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
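The AS-side logic of steps 3.2 and 3.8, as an added Python example (written for this page, not the patent's or the applicant's code): the record generated for each two-dimensional code, the purge of records older than the maximum authentication time difference, and the checks 3.8.1 to 3.8.4 run against an incoming MT two-dimensional code authentication response. The account database, the shared keys, the error codes and the use of HMAC-SHA256 as the authentication algorithm are constructed assumptions; the 60-second validity window is the patent's preferred value. The biometric comparison of 3.8.2 and the CA-certificate variant of 3.8.4 are not modelled.

```python
import hashlib
import hmac
import secrets
import uuid

# Preferred maximum two-dimensional code authentication time difference, in seconds.
MAX_AUTH_TIME_DIFF = 60.0

# Constructed account database (hypothetical): UID -> bound MTINFO, as registered
# when the AT user registers the MT with the AS.
ACCOUNT_DB = {"user-007": {"imei": "490154203237518", "mtkid": "MTK-0001"}}

# Constructed: symmetric keys shared between the AS and non-quantum MTs (3.8.4),
# indexed by the IMEI found inside MTINFO.
MT_SHARED_KEYS = {"490154203237518": bytes.fromhex("a5" * 32)}

# Two-dimensional code database of the AS, keyed by two-dimensional code ID.
QR_DB: dict = {}


def as_create_qr_record(uid: str, applicant_contact: str, now: float):
    """Step 3.2: check the UID, then generate and record the two-dimensional code
    related information.  Returns None for an unknown UID (failure + error code)."""
    if uid not in ACCOUNT_DB:
        return None
    rec = {
        "qr_id": uuid.uuid4().hex,               # unique inside the AS
        "challenge": secrets.token_hex(16),      # stands in for the true random number
        "gen_time": now,                         # two-dimensional code generation time
        "applicant_uid": uid,
        "applicant_contact": applicant_contact,  # AT IP address + port
    }
    QR_DB[rec["qr_id"]] = rec
    return rec


def as_purge_expired(now: float) -> int:
    """Housekeeping: delete records outside the validity range; returns the count."""
    stale = [k for k, r in QR_DB.items() if now - r["gen_time"] > MAX_AUTH_TIME_DIFF]
    for k in stale:
        del QR_DB[k]
    return len(stale)


def expected_mt_response(imei: str, challenge_hex: str):
    """Recompute the MT two-dimensional code expected response value from the
    shared key (HMAC-SHA256 over the challenge is the assumed algorithm)."""
    key = MT_SHARED_KEYS.get(imei)
    if key is None:
        return None
    return hmac.new(key, bytes.fromhex(challenge_hex), hashlib.sha256).hexdigest()


def as_judge_validity(msg: dict, mt_is_qt: bool, now: float):
    """Step 3.8 on the MT two-dimensional code authentication response information.
    Returns (ok, code); the error codes are constructed placeholders."""
    rec = QR_DB.get(msg["qr_id"])
    if rec is None:                                                # 3.8.1
        return False, "E_QR_UNKNOWN"
    if ACCOUNT_DB.get(rec["applicant_uid"]) != msg["mtinfo"]:      # 3.8.2
        return False, "E_MTINFO_NOT_BOUND"
    if now - rec["gen_time"] > MAX_AUTH_TIME_DIFF:                 # 3.8.3
        return False, "E_QR_EXPIRED"
    if not mt_is_qt:                                               # 3.8.4, shared-key variant
        expected = expected_mt_response(msg["mtinfo"]["imei"], rec["challenge"])
        if expected is None or not hmac.compare_digest(expected, msg["mt_response"]):
            return False, "E_MT_RESPONSE"
    return True, "OK"                    # in the MT_IS_QT case the QMT checks the MT response
```

The comparison in 3.8.4 uses a constant-time digest comparison, and the AT response is deliberately left unverified here: the AS never holds the ATK key, so that check belongs to the QAT in step 3.14.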
3.9 AS sends quantum key authentication request to QAS
3.9.1 (MT_IS_QT case only) AS sends a quantum key authentication request containing the AT and MT responses to QAS
The request comprises the two-dimensional code challenge value, the ATKID, the AT two-dimensional code response value, the MTKID and the MT two-dimensional code response value.
3.9.2 (MT_IS_NOT_QT case only) AS sends a quantum key authentication request containing the AT response to QAS
The request comprises the two-dimensional code challenge value, the ATKID and the AT two-dimensional code response value.
3.10 (MT_IS_QT case only) QAS sends MTKID, two-dimensional code challenge value and MT two-dimensional code response value to QMT
The QAS finds the QMT corresponding to the MTKID and then sends the information.
3.11 (MT_IS_QT case only) QMT verifies MT two-dimensional code response value
The QMT looks up the quantum random number key corresponding to the MTK by the MTKID and runs the authentication algorithm over the two-dimensional code challenge value to obtain the MT two-dimensional code expected response value. The QMT compares the MT two-dimensional code response value with the expected response value to obtain the two-dimensional code authentication result: if they are equal, authentication succeeds; otherwise it fails.
3.12 (MT_IS_QT case only) QMT sends MT two-dimensional code authentication result to QAS
3.13 QAS sends ATKID, two-dimensional code challenge value and AT two-dimensional code response value to QAT
If the MT two-dimensional code authentication result sent by the QMT to the QAS is failure (MT_IS_QT case only), jump to 3.16; otherwise continue.
The QAS finds the QAT corresponding to the ATKID and then sends the information.
3.14 QAT verifies AT two-dimensional code response value
The QAT looks up the quantum random number key corresponding to the ATK by the ATKID and runs the authentication algorithm over the two-dimensional code challenge value to obtain the AT two-dimensional code expected response value. The QAT compares the AT two-dimensional code response value with the expected response value to obtain the two-dimensional code authentication result: if they are equal, authentication succeeds; otherwise it fails.
3.15 QAT sends AT two-dimensional code authentication result to QAS
3.16 QAS sends two-dimensional code authentication result to AS
If the MT two-dimensional code authentication result and the AT two-dimensional code authentication result are both success, the two-dimensional code authentication result is success; otherwise it is failure.
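Steps 3.9 to 3.16 from the point of view of the quantum communication service stations, as an added Python example (written for this page; not the patent's or the applicant's code). The QAS receives either form of the quantum key authentication request, delegates the MT check to the QMT and the AT check to the QAT, each of which verifies with the key it holds for the given fob identifier, and applies the short-circuit of 3.13 and the combination rule of 3.16. The key stores, identifiers and HMAC-SHA256 as the authentication algorithm are constructed assumptions.

```python
import hashlib
import hmac

# Constructed key stores (hypothetical): each quantum communication service station
# holds the quantum random number key corresponding to a fob it serves.
QMT_KEYS = {"MTK-0001": bytes.fromhex("a5" * 32)}   # station serving the MT's fob MTK
QAT_KEYS = {"ATK-0001": bytes.fromhex("0f" * 32)}   # station serving the AT's fob ATK


def compute_response(key: bytes, challenge_hex: str) -> str:
    """The agreed authentication algorithm (HMAC-SHA256 over the challenge is assumed)."""
    return hmac.new(key, bytes.fromhex(challenge_hex), hashlib.sha256).hexdigest()


def _verify(key_store: dict, fob_id: str, challenge_hex: str, response: str) -> bool:
    """Steps 3.11 / 3.14: look up the key by fob id, recompute the expected response
    and compare in constant time.  An unknown fob id simply fails."""
    key = key_store.get(fob_id)
    if key is None:
        return False
    return hmac.compare_digest(compute_response(key, challenge_hex), response)


def qmt_verify_mt(mtkid: str, challenge_hex: str, mt_response: str) -> bool:
    return _verify(QMT_KEYS, mtkid, challenge_hex, mt_response)


def qat_verify_at(atkid: str, challenge_hex: str, at_response: str) -> bool:
    return _verify(QAT_KEYS, atkid, challenge_hex, at_response)


def qas_handle_request(req: dict) -> dict:
    """Steps 3.9 to 3.16 as seen by the QAS.  A request carrying 'mtkid' is the
    MT_IS_QT form (3.9.1); one without it is the MT_IS_NOT_QT form (3.9.2), in which
    the AS has already verified the MT response itself in 3.8.4."""
    mt_ok = True
    if "mtkid" in req:                                            # 3.10 to 3.12
        mt_ok = qmt_verify_mt(req["mtkid"], req["challenge"], req["mt_response"])
        if not mt_ok:                                             # 3.13: jump straight to 3.16
            return {"result": "failure", "mt": False, "at": None}
    at_ok = qat_verify_at(req["atkid"], req["challenge"], req["at_response"])   # 3.13 to 3.15
    return {"result": "success" if (mt_ok and at_ok) else "failure",           # 3.16
            "mt": mt_ok, "at": at_ok}
```

The fob keys never leave the station that holds them: the QAS only forwards challenge and response values and collects verdicts. In the QRA_SFLOW of Example 2 both key stores live in the single QAS, and the same two verification functions apply with the inter-station messages removed.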
3.17 AS executes the relevant service according to the two-dimensional code authentication result
If the two-dimensional code authentication result is success, the relevant services of the AS may include, but are not limited to: displaying that user authentication succeeded and the related service interface; recording the successful authentication in a log module; enabling the services reserved for the successfully authenticated user; and so on.
If the two-dimensional code authentication result is failure, the relevant services of the AS may include, but are not limited to: displaying that user authentication failed and the related service interface; recording the authentication failure in a log module; and so on.
3.18 AS sends two-dimensional code authentication result to AT
Steps 3.1, 3.3, 3.7, 3.9.1, 3.9.2, 3.10, 3.12, 3.13, 3.15, 3.16 and 3.18 involve data transmission between different quantum communication service stations, between application terminals and application servers, between application servers and mobile terminals, and between application servers and quantum communication service stations.
Different quantum communication service stations can carry out encrypted data transmission and mutual authentication with each other using an inter-station quantum key.
The application server and the mobile terminal use their respective quantum key fobs to carry out encrypted data transmission and mutual authentication via the quantum communication service stations to which they respectively belong.
The application terminal and the application server use their respective quantum key fobs to carry out encrypted data transmission and mutual authentication via the quantum communication service stations to which they respectively belong.
The application server uses its quantum key fob to carry out encrypted data transmission and mutual authentication with its quantum communication service station.
For details, reference may be made to Chinese patent applications 201610845826.7 and 201610842873.6; the security and reliability of data transmission are ensured by the encryption/decryption method and the message authentication method of the quantum communication network.
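The referenced applications describe the actual encryption and message authentication methods of the quantum communication network, and those are not reproduced on this page. As an added Python example (written for this page, not the patent's or the applicant's method), the following shows one assumed way in which two stations sharing an inter-station quantum key can protect a message such as the authentication result of 3.16: key material is consumed from a synchronized pool, used once as a one-time pad, and a fresh HMAC key from the same pool authenticates a sequence number together with the ciphertext, so that replayed, reordered or tampered messages are rejected. The pool abstraction, message layout and use of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac


class QuantumKeyPool:
    """Constructed stand-in for a shared quantum key: a pool of key bytes held
    identically by both stations, from which every message consumes fresh material
    so that no key byte is reused.  Both sides must consume it in the same order."""

    def __init__(self, material: bytes):
        self._buf = bytearray(material)

    def take(self, n: int) -> bytes:
        if len(self._buf) < n:
            raise RuntimeError("key pool exhausted; wait for replenishment")
        out = bytes(self._buf[:n])
        del self._buf[:n]
        return out

    def remaining(self) -> int:
        return len(self._buf)


TAG_KEY_LEN = 32   # pool bytes consumed per message for the one-time HMAC key


def protect(pool: QuantumKeyPool, seq: int, plaintext: bytes) -> dict:
    """Sender: one-time-pad the plaintext with pool material, then authenticate the
    sequence number and ciphertext with a fresh MAC key (encrypt-then-MAC)."""
    pad = pool.take(len(plaintext))
    mac_key = pool.take(TAG_KEY_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()
    return {"seq": seq, "ct": ciphertext, "tag": tag}


def unprotect(pool: QuantumKeyPool, expected_seq: int, msg: dict):
    """Receiver: reject an unexpected sequence number (replay or reordering) before
    touching the pool; otherwise consume material, verify the tag before using the
    plaintext, and return None on failure.  Material is consumed even when the tag
    is bad so the two sides stay in step and never reuse a pad."""
    if msg["seq"] != expected_seq:
        return None
    pad = pool.take(len(msg["ct"]))
    mac_key = pool.take(TAG_KEY_LEN)
    tag = hmac.new(mac_key, msg["seq"].to_bytes(8, "big") + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(msg["ct"], pad))
```

The sequence number is covered by the tag, so an attacker who captures a valid message cannot replay it later or present it out of order; a message whose tag fails is discarded without decrypting, and the pool material it consumed is not reused.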
3.19 AT executes relevant service according to two-dimensional code authentication result
If the two-dimensional code authentication result is success, the relevant services of the AT may include, but are not limited to: displaying that user authentication succeeded and the related service interface; executing the door access switch operation; executing the electrical switch operation of the intelligent building; executing the successful attendance check operation; recording the successful authentication in a log module; and so on.
If the two-dimensional code authentication result is failure, the relevant services of the AT may include, but are not limited to: displaying that user authentication failed and the related service interface; recording the authentication failure in a log module; and so on.
This completes QRA_FLOW.
The MT can also receive the authentication result, in which case 3.18 and 3.19 are changed to:
3.18' AS sends two-dimensional code authentication result to MT
3.19' MT executes relevant service according to the two-dimensional code authentication result, for example displaying the authentication result
It is also possible for the AT and the MT to obtain the authentication result simultaneously.
Example 2
Simplified two-dimensional code authentication process QRA_SFLOW
A special case of QRA_FLOW arises when the quantum communication service stations corresponding to the quantum key fobs used by the application server and the application terminal are the same, that is, only the QAS exists and the QAT and QMT do not exist; the flow is then simplified accordingly. The specific process is similar to QRA_FLOW of Example 1, except that the communication steps between the QAS and the QMT and QAT are omitted.
See fig. 3; QRA_SFLOW is as follows:
4.1 AT sends user access request to AS
4.2 AS processes the user access request
4.3 AS sends two-dimensional code authentication information and two-dimensional code generator contact information to AT
4.4 AT generates two-dimensional code response value and displays two-dimensional code picture
4.4.1 AT generates the two-dimensional code response value
4.4.2 AT generates the two-dimensional code picture
4.4.3 AT displays the two-dimensional code picture on its display device
4.5 MT collects two-dimensional code picture and obtains related information
4.6 MT generates two-dimensional code authentication response value
4.7 MT sends MT two-dimensional code authentication response information to AS
4.8 AS judges the validity of the response
4.8.1 Two-dimensional code validity judgment
4.8.2 Identity information validity judgment
4.8.3 Time validity judgment
4.8.4 (MT_IS_NOT_QT case only) Authentication of MT two-dimensional code response value
4.9 AS sends quantum key authentication request to QAS
4.9.1 (MT_IS_QT case only) AS sends a quantum key authentication request containing the AT and MT responses to QAS
4.9.2 (MT_IS_NOT_QT case only) AS sends a quantum key authentication request containing the AT response to QAS
4.10 QAS verifies two-dimensional code response value
4.10.1 (MT_IS_QT case only) QAS verifies MT two-dimensional code response value
4.10.2 QAS verifies AT two-dimensional code response value
4.11 QAS sends two-dimensional code authentication result to AS
4.12 AS executes the relevant service according to the two-dimensional code authentication result
4.13 AS sends two-dimensional code authentication result to AT
4.14 AT executes relevant service according to two-dimensional code authentication result
This completes QRA_SFLOW.
The MT may also be allowed to obtain the authentication result, and it is also possible for the AT and the MT to obtain the authentication result simultaneously.
Example 3
Two-dimensional code authentication flow SQRA_FLOW with simplified operation
Both QRA_FLOW and QRA_SFLOW described above require the UID to be entered into the AT in the first step, which is inconvenient if the UID is complicated to enter. To further simplify user operation, the following flow SQRA_FLOW can be used, in which the AT user does not enter the UID.
The parties directly involved in SQRA_FLOW are the same as in QRA_FLOW.
The AT user registers the MT with the AS. The AS records MTINFO in its account database. The AS can also store the user's biometric features corresponding to MTINFO in the account database, such as fingerprint, iris, face, vein and palm print features.
See fig. 4; SQRA_FLOW is as follows:
5.1 AT sends user access request to AS
The access request types include: displaying an AT-related service interface; executing an AT-controlled door access switch operation; executing an AT-controlled electrical switch operation of an intelligent building; performing attendance checking for personnel at the location of the AT; and so on.
The AT user does not need to enter any information into the AT. The AT sends an empty user access request to the AS.
5.2 AS processes the user access request
The AS generates the two-dimensional code related information and records it in the two-dimensional code database of the AS.
The two-dimensional code related information includes two-dimensional code authentication information and two-dimensional code additional information, as summarized in the following table:
Two-dimensional code authentication information: two-dimensional code ID; two-dimensional code challenge value.
Two-dimensional code additional information: two-dimensional code generation time; two-dimensional code applicant ID; two-dimensional code applicant contact way.
The two-dimensional code authentication information comprises a two-dimensional code ID and a two-dimensional code challenge value. The two-dimensional code ID is a number or character string, internal to the AS, that uniquely identifies the two-dimensional code. The two-dimensional code challenge value is a true random number.
The two-dimensional code additional information comprises the two-dimensional code generation time, the two-dimensional code applicant ID and the two-dimensional code applicant contact way. The generation time is the time at which the two-dimensional code authentication information was generated. The applicant ID is the UID. The applicant contact way is the IP address of the AT plus its port number.
The two-dimensional code related information recorded by the AS is valid for authentication only within a time range, called the maximum two-dimensional code authentication time difference. Once this range is exceeded, the two-dimensional code related information is regarded as invalid and is deleted from the two-dimensional code database of the AS at irregular intervals. Preferably, the maximum two-dimensional code authentication time difference is 60 seconds; it can also be set to infinity.
5.3 AS sends two-dimensional code authentication information and two-dimensional code generator contact information to AT
The AS sends this information to the AT using the two-dimensional code applicant contact way. The two-dimensional code generator contact way is the IP address of the AS plus its port number.
5.4 AT generates two-dimensional code response value and displays two-dimensional code picture
5.4.1 AT generates the two-dimensional code response value
The AT obtains the two-dimensional code authentication information and the two-dimensional code generator contact way. The two-dimensional code authentication information comprises a two-dimensional code ID and a two-dimensional code challenge value.
The AT passes the two-dimensional code authentication information into the ATK; the ATK takes out the current authentication key and calculates the AT two-dimensional code response value according to the agreed authentication algorithm. Preferably, the authentication algorithm is a challenge-response algorithm and the response is computed with a keyed hash algorithm (e.g., HMAC).
5.4.2 AT generates the two-dimensional code picture
The AT generates the two-dimensional code picture from the two-dimensional code authentication information, the two-dimensional code generator contact way, the ATKID and the AT two-dimensional code response value, according to the two-dimensional code generation rule.
5.4.3 AT displays the two-dimensional code picture on its display device
5.5 MT collects two-dimensional code picture and obtains related information
The MT obtains the two-dimensional code authentication information, the two-dimensional code generator contact way, the ATKID and the AT two-dimensional code response value. The two-dimensional code authentication information comprises a two-dimensional code ID and a two-dimensional code challenge value.
5.6 MT generates two-dimensional code authentication response value
The MT passes the two-dimensional code authentication information to its two-dimensional code authentication module; the module takes out the current authentication key of the MT and, combining it with the two-dimensional code challenge value in the authentication information, calculates the MT two-dimensional code response value according to the agreed authentication algorithm. Preferably, the authentication algorithm is a challenge-response algorithm and the response is computed with a keyed hash algorithm (e.g., HMAC).
5.7 MT sends MT two-dimensional code authentication response information to AS
The MT two-dimensional code authentication response information contains the two-dimensional code ID, the ATKID, the AT two-dimensional code response value, MTINFO and the MT two-dimensional code response value.
Besides the above, the MT two-dimensional code authentication response information may also carry user biometric information collected by the MT, such as fingerprint, iris, face, vein or palm print information.
The MT sends the MT two-dimensional code authentication response information to the AS using the two-dimensional code generator contact way.
In the MT_IS_QT case, the MT two-dimensional code authentication response information is encrypted and message-authenticated using the quantum communication network.
In the MT_IS_NOT_QT case, the MT two-dimensional code authentication response information is encrypted and message-authenticated using a secure authenticated communication network between the MT and the AS.
5.8 AS judges the validity of the response
5.8.1 Two-dimensional code validity judgment
The AS searches its two-dimensional code database for the two-dimensional code related information by the two-dimensional code ID. If it cannot be found, the response is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
5.8.2 Identity information validity judgment
The AS searches the account database and judges from it whether MTINFO is registered with the AS. If not, MTINFO is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
If the information sent by the MT carries user biometric information, the AS checks, against the account database, whether it matches the user biometric features stored for that user. If not, the biometric information is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
5.8.3 Time validity judgment
The AS records the current time as the two-dimensional code authentication time, and takes the two-dimensional code generation time from the two-dimensional code related information. The two-dimensional code authentication time difference is the difference between the authentication time and the generation time. If it is larger than the maximum two-dimensional code authentication time difference, the response is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
5.8.4 (MT_IS_NOT_QT case only) Authentication of MT two-dimensional code response value
The AS authenticates the MT two-dimensional code response value using the authentication mechanism of the secure authenticated communication network between the AS and the MT.
If a symmetric key is shared between the AS and the MT, the AS takes out that key and runs the authentication algorithm over the two-dimensional code challenge value to obtain the MT two-dimensional code expected response value. The AS compares the MT two-dimensional code response value with the expected response value to obtain the two-dimensional code authentication result. If they are not equal, the MT is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
If authentication between the AS and the MT uses CA certificates, the identity of the MT is judged with the CA certificate authentication mechanism. If the MT is judged illegal, a failure message and an error code are returned to the MT, and the process ends; otherwise it continues.
5.9 AS sends quantum key authentication request to QAS
5.9.1 (MT_IS_QT case only) AS sends a quantum key authentication request containing the AT and MT responses to QAS
The request comprises the two-dimensional code challenge value, the ATKID, the AT two-dimensional code response value, the MTKID and the MT two-dimensional code response value.
5.9.2 (MT_IS_NOT_QT case only) AS sends a quantum key authentication request containing the AT response to QAS
The request comprises the two-dimensional code challenge value, the ATKID and the AT two-dimensional code response value.
5.10 (MT_IS_QT case only) QAS sends MTKID, two-dimensional code challenge value and MT two-dimensional code response value to QMT
The QAS finds the QMT corresponding to the MTKID and then sends the information.
5.11 (MT_IS_QT case only) QMT verifies MT two-dimensional code response value
The QMT looks up the quantum random number key corresponding to the MTK by the MTKID and runs the authentication algorithm over the two-dimensional code challenge value to obtain the MT two-dimensional code expected response value. The QMT compares the MT two-dimensional code response value with the expected response value to obtain the two-dimensional code authentication result: if they are equal, authentication succeeds; otherwise it fails.
5.12 (MT_IS_QT case only) QMT sends MT two-dimensional code authentication result to QAS
5.13 QAS sends ATKID, two-dimensional code challenge value and AT two-dimensional code response value to QAT
If the MT two-dimensional code authentication result sent by the QMT to the QAS is failure (MT_IS_QT case only), jump to 5.16; otherwise continue.
The QAS finds the QAT corresponding to the ATKID and then sends the information.
5.14 QAT verifies AT two-dimensional code response value
The QAT looks up the quantum random number key corresponding to the ATK by the ATKID and runs the authentication algorithm over the two-dimensional code challenge value to obtain the AT two-dimensional code expected response value. The QAT compares the AT two-dimensional code response value with the expected response value to obtain the two-dimensional code authentication result: if they are equal, authentication succeeds; otherwise it fails.
5.15 QAT sends AT two-dimensional code authentication result to QAS
5.16 QAS sends two-dimensional code authentication result to AS
If the MT two-dimensional code authentication result and the AT two-dimensional code authentication result are both success, the two-dimensional code authentication result is success; otherwise it is failure.
5.17 AS executes the relevant service according to the two-dimensional code authentication result
If the two-dimensional code authentication result is success, the relevant services of the AS may include, but are not limited to: displaying that user authentication succeeded and the related service interface; recording the successful authentication in a log module; enabling the services reserved for the successfully authenticated user; and so on.
If the two-dimensional code authentication result is failure, the relevant services of the AS may include, but are not limited to: displaying that user authentication failed and the related service interface; recording the authentication failure in a log module; and so on.
5.18 AS sends two-dimensional code authentication result to AT
Data transmission between different quantum communication service stations, between an application terminal and an application server, between an application server and a mobile terminal, and between an application server and a quantum communication service station is involved in steps 5.9.1, 5.9.2, 5.10, 5.12, 5.13, 5.15, 5.16, and 5.18.
Different quantum communication service stations can perform encrypted data transmission and mutual authentication with each other using the inter-station quantum key.
The application server and the mobile terminal communicate via the quantum communication service stations to which they respectively belong, each using its own quantum key fob for encrypted data transmission and mutual authentication with its station.
The application terminal and the application server likewise communicate via the quantum communication service stations to which they respectively belong, each using its own quantum key fob for encrypted data transmission and mutual authentication with its station.
The application server uses its quantum key fob for encrypted data transmission and mutual authentication with its quantum communication service station.
Specifically, reference may be made to the relevant contents of Chinese patent applications 201610845826.7 and 201610842873.6; the security and reliability of data transmission are ensured by the encryption and decryption method and the message authentication method of the quantum communication network.
5.19 AT executes relevant service according to two-dimension code authentication result
If the two-dimension code authentication result is successful, the related services of the AT may include, but are not limited to: displaying the successful authentication of the user and a related service interface; executing the door access switch operation; executing the electrical switch operation of the intelligent building; executing the successful attendance check operation; recording the successful authentication information to a log module; and so on.
If the two-dimension code authentication result is failure, the related services of the AT may include, but are not limited to: displaying user authentication failure and a related service interface; recording authentication failure information to a log module; and so on.
This completes SQRA_FLOW.
The MT can also get the authentication result, i.e. 5.18 and 5.19 are changed to:
5.18' AS sends two-dimension code authentication result to MT
5.19' MT executes the relevant service according to the two-dimension code authentication result, for example displaying the authentication result
It is also possible to let the AT and the MT simultaneously obtain the authentication result.
Example 4
Simplified two-dimension code authentication flow SQRA_SFLOW
SQRA_SFLOW is the special case of SQRA_FLOW in which the quantum communication service stations corresponding to the quantum key fobs used by the application server and the application terminal are the same, i.e., only QAS exists and QAT and QMT do not exist, so the flow can be simplified accordingly. The specific process is similar to SQRA_FLOW of example 3, but omits the steps in which QAS communicates with QMT and QAT.
Referring to fig. 5, SQRA_SFLOW is as follows:
6.1 AT sends user access request to AS
6.2 AS processes the user access request
6.3 AS sends two-dimension code authentication information and two-dimension code generator contact information to AT
6.4 AT generates two-dimension code response value and displays two-dimension code picture
6.4.1 AT generates two-dimension code response value
6.4.2 AT generates two-dimension code picture
6.4.3 AT displays two-dimension code picture on its display device
6.5 MT collects two-dimension code picture and obtains related information
6.6 MT generates two-dimension code authentication response value
6.7 MT sends MT two-dimension code authentication response information to AS
6.8 AS judges the validity of the response
6.8.1 two-dimension code validity judgment
6.8.2 identity information validity judgment
6.8.3 time validity judgment
6.8.4 authentication of MT two-dimension code response value (MT_IS_NOT_QT case only)
6.9 AS sends quantum key authentication request to QAS
6.9.1 (MT_IS_QT case only) AS sends quantum key authentication request containing AT and MT responses to QAS
6.9.2 (MT_IS_NOT_QT case only) AS sends quantum key authentication request containing AT response to QAS
6.10 QAS verifies two-dimension code response value
6.10.1 (MT_IS_QT case only) QAS verifies MT two-dimension code response value
6.10.2 QAS verifies AT two-dimension code response value
6.11 QAS sends two-dimension code authentication result to AS
6.12 AS executes the related service according to the two-dimension code authentication result
6.13 AS sends two-dimension code authentication result to AT
6.14 AT executes the related service according to the two-dimension code authentication result
This completes SQRA_SFLOW.
The MT may also be allowed to obtain the authentication result. It is also possible to let the AT and the MT simultaneously obtain the authentication result.
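The key lookup and comparison of steps 5.11 and 5.14, and the simplified SQRA_SFLOW of this example, simulated end to end as an added example that is not the patent's code: AS issues the challenge, AT computes its response and the two-dimension code payload, MT parses the payload and computes its own response, AS performs the validity judgments of 6.8, and QAS verifies the responses as in 6.10 (both the MT_IS_QT path and, via `verify_request` without an MT, the MT_IS_NOT_QT path). The patent does not specify the authentication algorithm; HMAC-SHA256 keyed with the fob's quantum random number key, the JSON payload, and all keys, IDs and pairings are assumptions of this example.

```python
import hashlib, hmac, json, secrets, time

# Added example, not the patent's code. The patent does not fix the "authentication
# algorithm"; HMAC-SHA256 of the challenge under the fob's quantum random number key
# stands in for it. All keys, IDs, pairings and the JSON QR payload are constructed.
def auth_response(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

class ServiceStation:                      # QAS: quantum keys indexed by fob ID (ATKID/MTKID)
    def __init__(self, fob_keys):
        self.fob_keys = fob_keys
    def verify(self, fob_id, challenge, response):
        key = self.fob_keys.get(fob_id)
        if key is None:
            return False
        # constant-time comparison of the received value with the expected response
        return hmac.compare_digest(auth_response(key, challenge), response)
    def verify_request(self, challenge, at_id, at_resp, mt_id=None, mt_resp=None):
        # 6.10.1 (MT_IS_QT only): MT response first; a failure skips the AT check (6.10.2)
        if mt_id is not None and not self.verify(mt_id, challenge, mt_resp):
            return False
        return self.verify(at_id, challenge, at_resp)

class ApplicationServer:                   # AS: issues challenges, judges validity, asks QAS
    QR_TTL_SECONDS = 60
    def __init__(self, station, pairings):
        self.station, self.pairings = station, pairings   # pairings: {mt_id: {allowed at_ids}}
        self.pending = {}                                  # qr_id -> (challenge, at_id, issued_at)

    def issue_challenge(self, at_id):                      # 6.2 / 6.3
        qr_id, challenge = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[qr_id] = (challenge, at_id, time.time())
        return qr_id, challenge
    def handle_mt_response(self, msg, now=None):           # 6.8 - 6.11
        now = time.time() if now is None else now
        rec = self.pending.pop(msg["qr_id"], None)         # 6.8.1: known QR ID, single use
        if rec is None:
            return False
        challenge, at_id, issued = rec
        if msg["at_id"] != at_id or at_id not in self.pairings.get(msg["mt_id"], ()):
            return False                                   # 6.8.2: MT must be paired with this AT
        if now - issued > self.QR_TTL_SECONDS:
            return False                                   # 6.8.3: challenge expired
        return self.station.verify_request(challenge, at_id, bytes.fromhex(msg["at_resp"]),
                                           msg["mt_id"], bytes.fromhex(msg["mt_resp"]))

def at_make_qr(at_id, at_key, qr_id, challenge):           # 6.4: AT response + QR payload
    return json.dumps({"qr_id": qr_id, "at_id": at_id, "challenge": challenge.hex(),
                       "at_resp": auth_response(at_key, challenge).hex()})

def mt_scan_and_respond(mt_id, mt_key, qr_payload):        # 6.5 - 6.7: MT parses QR, responds
    qr = json.loads(qr_payload)
    mt_resp = auth_response(mt_key, bytes.fromhex(qr["challenge"]))
    return {**qr, "mt_id": mt_id, "mt_resp": mt_resp.hex()}

def run_flow(at_key=b"at-fob-key-demo", mt_key=b"mt-fob-key-demo", tamper=False, delay=0):
    # End-to-end SQRA_SFLOW on constructed keys; returns the two-dimension code authentication result
    qas = ServiceStation({"ATK-1": b"at-fob-key-demo", "MTK-1": b"mt-fob-key-demo"})
    app = ApplicationServer(qas, {"MTK-1": {"ATK-1"}})
    qr_id, challenge = app.issue_challenge("ATK-1")
    msg = mt_scan_and_respond("MTK-1", mt_key, at_make_qr("ATK-1", at_key, qr_id, challenge))
    if tamper:
        msg["at_resp"] = "00" * 32                         # forged AT response value
    return app.handle_mt_response(msg, now=time.time() + delay)
```

The single-use QR ID and the constant-time comparison are this example's own hardening choices, not steps the patent spells out.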
The above disclosure describes only specific embodiments of the present invention, but the present invention is not limited thereto, and those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. For example, the step of scanning the two-dimension code and transmitting data through it may be replaced by any other short-distance communication technology, such as Bluetooth, Wi-Fi, infrared, NFC, ZigBee, UWB, and the like. It is to be understood that such changes and modifications are intended to be included within the scope of the appended claims. Furthermore, although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (8)

1. A two-dimension code authentication system based on quantum encryption, comprising an application server, an application terminal and a mobile terminal, characterized by further comprising a quantum communication service station, wherein quantum key fobs are respectively configured on the application server, the application terminal and the mobile terminal, and corresponding quantum keys are stored between each quantum key fob and the quantum communication service station for encrypted communication or two-dimension code authentication;
when two-dimension code authentication is carried out, the application terminal obtains two-dimension code authentication information from the application server by submitting an application, the two-dimension code authentication information comprising a two-dimension code challenge value; the application terminal calculates an application terminal two-dimension code response value using the two-dimension code challenge value and the quantum key stored in its configured quantum key fob, and outputs a corresponding two-dimension code, the two-dimension code comprising the two-dimension code challenge value;
the mobile terminal acquires the two-dimension code from the application terminal, extracts the application terminal two-dimension code response value and the two-dimension code challenge value, and calculates a mobile terminal two-dimension code response value using the two-dimension code challenge value and the quantum key stored in its configured quantum key fob;
the application server receives a response from the mobile terminal carrying the application terminal two-dimension code response value, biological information of the user acquired by the mobile terminal and the mobile terminal two-dimension code response value, extracts the corresponding information from the response and carries out validity judgment, which includes judging whether the biological characteristics of the user match the information reserved in the application server; after the validity judgment, the mobile terminal two-dimension code response value is sent through the application server to the quantum communication service station for authentication, and the authentication results are respectively sent to the application server and the application terminal, which execute the related services.
2. The two-dimension code authentication system based on quantum cryptography according to claim 1, wherein the mobile terminal further calculates a corresponding mobile terminal two-dimension code response value after acquiring the two-dimension code and sends the corresponding mobile terminal two-dimension code response value and the corresponding application terminal two-dimension code response value to the application server;
and the authentication of the two-dimension code response value of the mobile terminal is used as a starting condition for the authentication of the two-dimension code response value of the application terminal.
3. The two-dimension code authentication system based on quantum encryption according to claim 2, wherein the application server authenticates the mobile terminal two-dimension code response value, and after that authentication passes, the application terminal two-dimension code response value is sent to the quantum communication service station for authentication.
4. The two-dimension code authentication system based on quantum encryption according to claim 1, wherein the application server is an access control system background server, an intelligent building background control center or an attendance system background server, and the application terminal is correspondingly an access control device, a controlled terminal of the intelligent building or an attendance machine terminal.
5. The two-dimension code authentication system based on quantum cryptography according to claim 1, wherein a user of the application terminal sends application information to the application server through the application terminal to acquire the two-dimension code, and the application information carries or does not carry an identification number pre-assigned to the user by the application server.
6. The two-dimensional code authentication system based on quantum cryptography according to claim 1, wherein said validity judgment comprises at least one of the following judgments:
judging whether the two-dimension code ID matches information pre-stored in the application server;
judging whether the mobile terminal matches the application terminal;
judging whether the two-dimension code authentication time has expired.
7. The two-dimension code authentication system based on quantum encryption according to claim 3, wherein the quantum key fob of the application server is issued by a first quantum communication service station, and the quantum key fob of the application terminal is issued by a second quantum communication service station;
after receiving the application terminal two-dimension code response value sent by the application server, the first quantum communication service station forwards the response value to the second quantum communication service station for authentication, and the first quantum communication service station also receives the authentication result from the second quantum communication service station and forwards it to the application server;
and the application server obtains the authentication result from the first quantum communication service station and forwards it to the application terminal.
8. The two-dimension code authentication system based on quantum encryption according to claim 1, wherein the quantum key fob of the application server is issued by a first quantum communication service station, the quantum key fob of the application terminal is issued by a second quantum communication service station, and the quantum key fob of the mobile terminal is issued by a third quantum communication service station;
after receiving the mobile terminal two-dimension code response value and the application terminal two-dimension code response value sent by the application server, the first quantum communication service station forwards the mobile terminal two-dimension code response value to the third quantum communication service station for authentication, and receives the authentication result from the third quantum communication service station;
after the mobile terminal two-dimension code response value passes the authentication, the first quantum communication service station forwards the application terminal two-dimension code response value to the second quantum communication service station for authentication, and the first quantum communication service station also receives the authentication result from the second quantum communication service station and forwards it to the application server;
and the application server obtains the authentication result from the first quantum communication service station and forwards it to the application terminal.
CN201710993052.7A 2017-10-23 2017-10-23 Two-dimensional code authentication system based on quantum encryption Active CN107733644B (en)

Publications (2)

Publication Number Publication Date
CN107733644A CN107733644A (en) 2018-02-23
CN107733644B true CN107733644B (en) 2020-11-17

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant