CN109005144B - Identity authentication method, equipment, medium and system - Google Patents

Info

Publication number: CN109005144B
Authority: CN (China)
Prior art keywords: authentication, data, equipment, authentication server, auxiliary
Legal status: Active
Application number: CN201810553631.4A
Other languages: Chinese (zh)
Other versions: CN109005144A
Inventor: 邹骁
Current assignee: Hangzhou Shanyi Technology Co ltd
Original assignee: Hangzhou Shanyi Technology Co ltd
Events: application filed by Hangzhou Shanyi Technology Co ltd; priority to CN201810553631.4A; publication of CN109005144A; application granted; publication of CN109005144B; legal status active

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884: Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L67/568: Network arrangements or protocols for supporting network services or applications; provisioning of proxy services; storing data temporarily at an intermediate stage, e.g. caching
    • H04L9/3297: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps

Abstract

The present invention relates to the field of internet technologies, and in particular to a method, an apparatus, a medium, and a system for identity authentication. In the scheme provided by the embodiments of the invention, an auxiliary authentication device caches feature data in advance, and when identity authentication is carried out it generates authentication data from that feature data according to a rule agreed with the authentication server, without the mobile device needing a network connection. The authentication data can therefore be obtained from the auxiliary authentication device without networking, even in a mobile environment or in an environment with poor mobile signals; when the authentication data is subsequently sent to the authentication server, the server can authenticate it successfully, and the success rate of identity authentication is improved.

Description

Identity authentication method, equipment, medium and system
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method, an apparatus, a medium, and a system for identity authentication.
Background
At present, mobile devices such as mobile phones and Personal Digital Assistants (PDAs) are widely used in the life of people. In various scenes such as payment, riding, express storage and opening of doors, it is very common to realize identity authentication through mobile equipment, and a common method includes: two-dimensional codes, Near Field Communication (NFC), Bluetooth, visible light interaction, and the like.
Specifically, the authentication data may be generated offline by the mobile device and transmitted to the authentication device by means of a two-dimensional code, NFC, Bluetooth, or visible light interaction, and the authentication device performs the authentication. But the security of authentication data generated offline is low, so the reliability of the identity authentication is low.
For example, a two-dimensional code generated offline can be forwarded or exchanged through an Instant Messaging (IM) tool, so that the user's two-dimensional code is stolen and misused; as another example, the application (App) used to generate the offline authentication data may be cracked by a hacker, so that fake authentication data acceptable to the authentication device is generated.
Therefore, in practical applications, the mobile device basically adopts an online mode to complete authentication: the mobile device connects to a remote authentication server through a network and obtains a section of authentication data generated by the authentication server from the user identity information; it then sends the authentication data to the authentication device by means of a two-dimensional code, NFC, Bluetooth, visible light interaction or the like; the authentication device sends the authentication data back to the remote authentication server through the network for checking; and if the authentication data matches the authentication data generated by the authentication server, the authentication process is considered safe and the user's identity authentication is determined to have passed.
However, in the online authentication mode, in a mobile environment such as a bus, or in an environment with poor mobile signals such as a subway or a suburban area, mobile devices such as a mobile phone and a PDA cannot be stably connected to a network, which may result in a failure of online authentication, resulting in a low success rate of online authentication.
Disclosure of Invention
The embodiment of the invention provides an identity authentication method, identity authentication equipment, identity authentication media and an identity authentication system, which are used for solving the problem of low success rate of online identity authentication.
A method of identity authentication, the method comprising:
when an identity authentication request is received, generating authentication data according to characteristic data which is cached in advance and corresponds to user identity information and rules agreed with an authentication server, wherein the characteristic data is generated by the authentication server;
and sending the authentication data to authentication equipment, so that after the authentication equipment sends the authentication data to an authentication server, the authentication server extracts the feature data in the authentication data for authentication according to the agreed rule.
A method of identity authentication, the method comprising:
receiving authentication data, wherein the authentication data is generated by an auxiliary authentication device according to characteristic data which is cached in advance and corresponds to user identity information and a rule agreed with an authentication server, and is sent, and the characteristic data is generated by the authentication server;
and sending the received authentication data to the authentication server.
A method of identity authentication, the method comprising:
receiving an association request which requires association between mobile equipment and auxiliary authentication equipment, wherein the association request carries user identity information corresponding to the mobile equipment and equipment identification corresponding to the auxiliary authentication equipment;
and establishing, according to the stored correspondence between feature data and device identifiers, a correspondence between the stored feature data written into the auxiliary authentication device corresponding to the device identifier and the user identity information, so that the auxiliary authentication device can generate authentication data for authenticating the user identity information according to the feature data and a rule agreed with the authentication server.
A secondary authentication device, the device comprising:
the receiving module is used for receiving the identity authentication request;
the information storage module is used for caching characteristic data corresponding to the user identity information in advance, and the characteristic data is generated by the authentication server;
the authentication data generation module is used for generating authentication data according to the characteristic data which is cached in advance by the information storage module and corresponds to the user identity information and the rule agreed with the authentication server when the receiving module receives the identity authentication request;
and the sending module is used for sending the authentication data generated by the authentication data generation module to authentication equipment, so that after the authentication equipment sends the authentication data to the authentication server, the authentication server extracts the feature data in the authentication data for authentication according to the agreed rule.
An authentication device, the authentication device comprising:
the receiving module is used for receiving authentication data, where the authentication data is generated and sent by the auxiliary authentication device according to feature data which is cached in advance and corresponds to the user identity information and a rule agreed with the authentication server, and the feature data is generated by the authentication server;
and the sending module is used for sending the authentication data received by the receiving module to the authentication server.
An authentication server, the authentication server comprising:
a receiving module, configured to receive an association request that requires association between a mobile device and an auxiliary authentication device, where the association request carries user identity information corresponding to the mobile device and a device identifier corresponding to the auxiliary authentication device;
and the generating module is used for establishing, according to the stored correspondence between feature data and device identifiers, a correspondence between the stored feature data written into the auxiliary authentication device corresponding to the device identifier and the user identity information, so that the auxiliary authentication device can generate authentication data for authenticating the user identity information according to the feature data and the rule agreed with the authentication server.
An identity authentication system comprises at least one auxiliary authentication device, at least one corresponding authentication device and at least one corresponding authentication server.
A non-transitory computer storage medium storing an executable program for execution by a processor to perform the steps of any of the above-described identity authentication methods.
An online authentication device comprising a memory, a processor and a computer program stored on the memory, the processor, when executing the program, implementing the steps of any of the above-described identity authentication methods.
According to the scheme provided by the embodiments of the invention, an auxiliary authentication device caches feature data in advance, and when identity authentication is carried out it generates authentication data from that feature data according to a rule agreed with the authentication server, without the mobile device needing a network connection. The authentication data can therefore be obtained from the auxiliary authentication device without networking, even in a mobile environment or in an environment with poor mobile signals; when the authentication data is subsequently sent to the authentication server, the server can authenticate it successfully, and the success rate of identity authentication is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of an identity authentication method according to a first embodiment of the present invention;
Fig. 2 is a schematic flowchart of an identity authentication method according to a second embodiment of the present invention;
Fig. 3 is a schematic flowchart of an identity authentication method according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an auxiliary authentication device according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an authentication device according to a fifth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an authentication server according to a sixth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an identity authentication system according to a seventh embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an online authentication device according to an eighth embodiment of the present invention.
Detailed Description
In the prior art online identity authentication mode, when a mobile device is in a mobile environment or an environment with poor mobile signals, it cannot be stably connected to the network and cannot reliably obtain authentication data, so the success rate of authentication is low. To address this, the embodiments of the invention introduce into the online identity authentication system an auxiliary authentication device capable of caching feature data generated by the authentication server. When identity authentication is needed, the auxiliary authentication device generates authentication data from the cached feature data according to a rule agreed with the authentication server and sends the authentication data to the authentication device, which completes the identity authentication.
The authentication device may send the received authentication data to the authentication server in the identity authentication process, and the authentication server may extract the feature data in the authentication data for authentication according to an agreed rule corresponding to the authentication data when the authentication data is generated. Compared with the prior art that authentication data are directly authenticated, the security of identity authentication is further improved.
In particular, according to the rule agreed with the authentication server, the authentication data generated by the auxiliary authentication device for the same user identity information each time may be the same or different. If the authentication data generated each time are different, the dynamically changed authentication data can further improve the security of identity authentication.
Preferably, when generating the authentication data, the auxiliary authentication device may encrypt the feature data according to an encryption key specified by the authentication server and corresponding to the device identifier of the auxiliary authentication device, and may send the encrypted feature data and the device identifier corresponding to the auxiliary authentication device to the authentication device, so that after the authentication device sends the received encrypted feature data and the device identifier to the authentication server, the authentication server may decrypt the encrypted feature data according to the device identifier, thereby implementing authentication on the feature data. The safety of identity authentication is further improved by a mode that one auxiliary authentication device corresponds to one encryption key.
Preferably, when the auxiliary authentication device encrypts the feature data, the auxiliary authentication device may encrypt the time data corresponding to the Real Time Clock (RTC) when receiving the identity authentication request, so that the authentication server may authenticate only the feature data received within the set time period according to the time data. Thereby further improving the security of identity authentication.
Preferably, the authentication device may encrypt the authentication data according to an encryption method agreed with the authentication server, and send the encrypted authentication data to the authentication server, and the authentication server may decrypt the encrypted authentication data according to the agreed encryption method, thereby implementing authentication on the authentication data, and improving security of the identity authentication.
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
The first embodiment of the present invention provides an identity authentication method, which explains an identity authentication scheme provided by the present invention from an auxiliary authentication device side. The flow of steps of the method can be shown in fig. 1, and includes:
step 101, receiving an identity authentication request.
In this step, the auxiliary authentication device receives an identity authentication request. The identity authentication request may take various forms, and this embodiment is not limited in this respect. For example, the identity authentication request may be sent by the authentication device via radio frequency, may be generated by the user pressing a key on the auxiliary authentication device, or may be generated by the user tapping a touch screen on the auxiliary authentication device.
Step 102, generating authentication data.
When receiving an identity authentication request, the auxiliary authentication device may generate authentication data according to a rule agreed with the authentication server, based on feature data corresponding to user identity information, which is cached in advance, and the feature data is generated by the authentication server.
Of course, the feature data may be generated by other servers or devices according to the same rule agreed by the authentication server.
Specifically, in this step, the auxiliary authentication device may encrypt the feature data according to a pre-stored encryption key to generate the authentication data, where the encryption key is an encryption key corresponding to the device identifier and specified by the authentication server.
Step 103, sending the authentication data to the authentication device.
After the auxiliary authentication device generates the authentication data, it transmits the generated authentication data to the authentication device. After the authentication device sends the authentication data to the authentication server, the authentication server can extract the feature data from the authentication data according to the agreed rule and perform authentication.
Specifically, the auxiliary authentication device may send the generated authentication data to the authentication device in a form that the authentication device can receive, for example, a form of a two-dimensional code, NFC, bluetooth, a sound wave, a visible light signal, or the like.
In the subsequent identity authentication, the authentication device sends the received authentication data to the authentication server. The authentication server extracts the feature data from the authentication data and compares it with the corresponding feature data it has stored: when the comparison result is consistent, the authentication of the user identity information is determined to have passed; otherwise it is determined to have failed.
If the auxiliary authentication device encrypts the feature data according to a pre-stored encryption key to generate authentication data in step 102, in this step, the auxiliary authentication device may send the device identifier and the authentication data corresponding to the auxiliary authentication device to the authentication device, so that after the authentication device sends the device identifier and the authentication data to the authentication server, the authentication server may decrypt the authentication data according to the device identifier and authenticate the feature data obtained after decryption.
Specifically, the authentication server may obtain the corresponding encryption key according to the received device identifier plaintext and according to the correspondence between the pre-stored device identifier and the encryption key, so as to decrypt the authentication data.
In this embodiment, since different encryption keys are used for each auxiliary authentication device, the anti-cracking capability of the authentication data generated by the auxiliary authentication device can be greatly improved.
Preferably, in the encryption process, the encrypted data generated each time can be made different by various means pre-agreed with the authentication server, such as adding a random number, an incrementing counter or a decrementing counter, so that the security of the authentication data is further improved and the risk of the authentication data being cracked is reduced.
Preferably, in step 102, the method may further include: time data generated by a Real Time Clock (RTC) upon receipt of an authentication request is determined.
Then generating authentication data in step 102 at this point includes: encrypting the characteristic data and the time data according to a pre-stored encryption key to generate authentication data;
Step 103 then comprises: sending the device identifier, the encrypted feature data and the encrypted time data to the authentication device; that is, at this point "sending the device identifier and the generated authentication data to the authentication device" is to be understood as sending these three items.
After the authentication device sends the device identifier, the encrypted feature data and the encrypted time data to the authentication server, the authentication server can decrypt the encrypted feature data and the encrypted time data according to the device identifier, and authenticate the feature data only within a set duration that starts at the time given by the time data.
In this embodiment, the auxiliary authentication device may generate corresponding time data by integrating the RTC. In generating the authentication data, the time data may be encrypted together. After decryption, the authentication server can acquire the characteristic data and time data, compare the time data with the time corresponding to the authentication server at the moment, directly consider that authentication fails if the time interval is greater than a preset threshold, and compare the characteristic data extracted from the authentication data if the time interval is not greater than the preset threshold to realize identity authentication. Therefore, the effective time window of the authentication data is greatly narrowed, and the safety of the authentication data is greatly improved.
Example two
The second embodiment of the present invention provides an identity authentication method, where from an authentication device side, the authentication device may be, but is not limited to be, a code scanning gun, an NFC communication device, or a visible light signal receiving device, and the like. The flow of steps of the method can be shown in fig. 2, and includes:
step 201, receiving authentication data.
In this step, the authentication device receives authentication data transmitted by the auxiliary authentication device.
The authentication data is generated and sent by the auxiliary authentication device, according to a rule agreed with the authentication server, from feature data which corresponds to the user identity information and was generated by the authentication server.
Step 202, sending the received authentication data to an authentication server.
In this step, the authentication device may transmit the received authentication data to the authentication server, and the authentication server performs authentication.
Specifically, in this step, the authentication device may send feature information corresponding to the authentication device, such as a device identifier, and the received authentication data to the authentication server, so that the authentication server may return an authentication result of the authentication data according to the feature information.
Of course, if the identity authentication request is sent by the authentication device, step 101' may also be included before step 101: sending an identity authentication request to the auxiliary authentication device.
Preferably, after step 201 and before step 202, the method may further include step 202':
Step 202', encrypting the received authentication data.
In this step, the authentication device may encrypt the authentication data according to an encryption method agreed with the authentication server.
Step 202 specifically includes:
in this step, the authentication device may send the encrypted authentication data to the authentication server, so that the authentication server may decrypt the encrypted authentication data according to the agreed encryption manner.
Example three
The third embodiment of the invention provides an identity authentication method, and the identity authentication scheme provided by the invention is explained from an authentication server side. The flow of steps of the method can be shown in fig. 3, and includes:
step 301, an association request is received.
In this step, the authentication server may receive an association request that requires association between the mobile device and the auxiliary authentication device, where the association request may carry user identity information corresponding to the mobile device and a device identifier corresponding to the auxiliary authentication device.
Step 302, establishing a corresponding relationship.
In this step, the authentication server may establish a correspondence between the stored feature data written in the auxiliary authentication device corresponding to the device identifier and the user identity information according to the correspondence between the stored feature data and the device identifier, so that the auxiliary authentication device may generate authentication data for authenticating the user identity information according to the feature data and a rule agreed with the authentication server.
That is, the authentication server may further establish a corresponding relationship between the authentication data and the user identity information when receiving the association request, so that the auxiliary authentication device may use the feature data cached by itself, and the generated authentication data may be used for authentication of the user identity information.
Generally, the authentication server may generate a batch of feature data in advance, write the feature data into the auxiliary authentication devices one by one when they are manufactured, record the correspondence between each item of feature data and the device identifier at the time of writing, and associate the device identifier with the user identity information when the association request is received.
Of course, if the authentication server receives the authentication data sent by the authentication device, the authentication server may extract the feature data in the authentication data according to the agreed rule to perform authentication.
After step 302, steps 303 and 304 may be further included:
Step 303, receiving an association closing request.
In this step, the authentication server receives an association closing request requesting that the mobile device and the auxiliary authentication device be disassociated, where the association closing request carries user identity information corresponding to the mobile device.
Step 304, removing the corresponding relationship.
In this step, the authentication server may release the correspondence between the user identity information corresponding to the mobile device and the feature data according to the received association closing request, so that any subsequent authentication of the user identity information using authentication data corresponding to that feature data fails.
The association request and the association closing request may take various forms. For example, they may be, but are not limited to, sent by a user through a web page of the authentication server after logging in to it; alternatively, they may be, but are not limited to, sent by a user after logging in to an application (APP) pre-installed on the mobile device.
Specifically, when the association request is sent through the APP, the device identifier of the auxiliary authentication device carried in the association request may be obtained in any manner, for example entered manually by the user, or obtained by scanning a two-dimensional code on the auxiliary authentication device.
Corresponding to the methods provided in the first to third embodiments, the following auxiliary authentication device, authentication server, authentication system, medium, and online authentication device are provided.
Example four
A fourth embodiment of the present invention provides an auxiliary authentication device, where the device may use a Micro Control Unit (MCU) or a Central Processing Unit (CPU) with an encryption function or a read protection function as a core to implement its functions, and the structure of the device may be as shown in fig. 4, where:
the receiving module 11 is configured to receive an identity authentication request;
the information storage module 12 is used for caching feature data corresponding to the user identity information in advance, wherein the feature data is generated by the authentication server;
the authentication data generation module 13 is configured to, when the receiving module receives the identity authentication request, generate authentication data from the feature data corresponding to the user identity information and pre-cached by the information storage module, according to a rule agreed with the authentication server;
the sending module 14 is configured to send the authentication data generated by the authentication data generating module to an authentication device, so that after the authentication device sends the authentication data to the authentication server, the authentication server may extract the feature data in the authentication data according to the agreed rule to perform authentication.
The information storage module 12 is further configured to store an encryption key and an equipment identifier corresponding to the auxiliary authentication equipment, where the encryption key is an encryption key that is specified by the authentication server and corresponds to the equipment identifier corresponding to the auxiliary authentication equipment;
the authentication data generating module 13 is configured to generate authentication data according to a rule agreed with the authentication server, and includes: encrypting the characteristic data according to an encryption key pre-stored by the information storage module to generate authentication data;
the sending module 14 is specifically configured to send the device identifier and the authentication data generated by the authentication data generation module to an authentication device, so that after the authentication device sends the device identifier and the authentication data to the authentication server, the authentication server may decrypt the authentication data according to the device identifier and authenticate the feature data obtained after decryption.
The device further comprises a time data extraction module 15:
the time data extraction module 15 is configured to determine the time data generated by the real-time clock (RTC) when the identity authentication request is received;
the authentication data generation module 13 is configured to encrypt the feature data according to a pre-stored encryption key, and includes: encrypting the characteristic data and the time data according to a pre-stored encryption key;
the sending module 14 is configured to send the device identifier corresponding to the auxiliary authentication device and the authentication data to an authentication device, and this includes: sending the device identifier, the encrypted feature data and the encrypted time data to an authentication device, so that after the authentication device sends the device identifier, the encrypted feature data and the encrypted time data to an authentication server, the authentication server can decrypt the encrypted feature data and the encrypted time data according to the device identifier and then authenticate the feature data within a set duration taking the time corresponding to the time data as the starting time.
The receiving module 11 is specifically configured to receive an identity authentication request sent by an authentication device through radio frequency, or an identity authentication request generated by a user clicking a key (at this time, it may be understood that the auxiliary authentication device includes the entity key) or a touch screen (at this time, it may be understood that the auxiliary authentication device includes the touch screen).
Example five
An embodiment of the present invention provides an authentication device, where a structure of the authentication device may be as shown in fig. 5, where:
the receiving module 21 is configured to receive authentication data, where the authentication data is generated and sent by an auxiliary authentication device according to feature data that is cached in advance and corresponds to user identity information and according to a rule agreed with an authentication server, and the feature data is generated by the authentication server;
the sending module 22 is configured to send the authentication data received by the receiving module to the authentication server.
The sending module 22 is further configured to send an identity authentication request to the auxiliary authentication device before the receiving module receives the authentication data.
The device further comprises an encryption module 23:
the encryption module 23 is configured to encrypt the authentication data according to a second encryption key that is pre-stored, where the second encryption key is an encryption key that is specified by the authentication server and corresponds to a second device identifier corresponding to the authentication device;
the sending module 22 is specifically configured to send the second device identifier and the encrypted authentication data to the authentication server, so that the authentication server can decrypt the encrypted authentication data according to the second device identifier.
Example six
An embodiment of the present invention provides an authentication server, where a structure of the authentication server may be as shown in fig. 6, where:
the receiving module 31 is configured to receive an association request that requires association between a mobile device and an auxiliary authentication device, where the association request carries user identity information corresponding to the mobile device and a first device identifier corresponding to the auxiliary authentication device;
the generating module 32 is configured to establish, according to the stored correspondence between feature data and device identifiers, a correspondence between the feature data written into the auxiliary authentication device corresponding to the first device identifier and the user identity information, so that the auxiliary authentication device can generate authentication data for authenticating the user identity information according to the feature data and a rule agreed with the authentication server.
The receiving module 31 is further configured to receive the authentication data sent by an authentication device;
the authentication server further comprises an authentication module 33:
the authentication module 33 is configured to extract the feature data in the authentication data for authentication according to the agreed rule. Specifically, the authentication module 33 may compare the extracted feature data with the corresponding feature data generated in the generation module 32, and when the comparison result is consistent, determine that the authentication on the user identity information passes, otherwise, determine that the authentication on the user identity information fails.
When the authentication data is obtained by encrypting the feature data by the auxiliary authentication device according to a pre-stored encryption key, the receiving module 31 may be specifically configured to receive the device identifier and the authentication data of the auxiliary authentication device, which are sent by the authentication device;
the authentication module 33 may be specifically configured to determine the corresponding encryption key by using the device identifier received by the receiving module according to a correspondence between a pre-stored device identifier and the encryption key, so as to decrypt the authentication data received by the receiving module, and authenticate the feature data obtained after decryption.
If the authentication data obtained by encryption further includes time data, the authentication module 33 may be specifically configured to determine the corresponding encryption key by using the device identifier received by the receiving module according to a correspondence between a pre-stored device identifier and the encryption key, so as to decrypt the authentication data received by the receiving module, and then authenticate the feature data within a set time duration in which the time corresponding to the time data is the start time.
Of course, if the authentication device further encrypts the authentication data according to the encryption method agreed with the authentication server when sending the authentication data, the authentication module 33 may be further specifically configured to decrypt the encrypted authentication data according to the agreed encryption method to obtain the decrypted authentication data.
The receiving module 31 is further configured to receive an association closing request requesting that the mobile device and the auxiliary authentication device be disassociated, where the association closing request carries user identity information corresponding to the mobile device;
the generating module 32 is further configured to release the correspondence between the user identity information corresponding to the mobile device and the feature data according to the received association closing request, so that any subsequent authentication of the user identity information using authentication data corresponding to that feature data fails.
Example seven
A seventh embodiment of the present invention provides an authentication system, which may have a structure as shown in fig. 7 and includes at least one auxiliary authentication device according to the fourth embodiment, at least one authentication device according to the fifth embodiment, and at least one authentication server according to the sixth embodiment; fig. 7 illustrates the case of one auxiliary authentication device, one authentication device, and one authentication server.
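The following is an added, runnable walk-through of the flow of steps 301 to 304 and embodiments four to six (association, two-layer encrypted authentication data with an RTC timestamp, server-side time-window and feature-data check, disassociation); it is example code written for this page, not code from the patent or its assignee. The patent names neither a cipher nor a duration, so the "agreed rule" is a constructed HMAC-SHA256 encrypt-then-MAC scheme, the window is 30 seconds, and all identifiers, keys and clock values are constructed.

```python
import hashlib
import hmac
import secrets
import struct

FEATURE_LEN = 16  # bytes of feature data written into each token (constructed size)

def _subkeys(key: bytes):
    # Split one device key into separate encryption and MAC keys.
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for the patent's unnamed "agreed rule": encrypt-then-MAC, output nonce||ct||tag.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes):
    # Verify the tag before decrypting; None on wrong key, tampering or truncation.
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

class AuxiliaryDevice:
    def __init__(self, device_id: str, feature: bytes, key: bytes):
        self.device_id, self.feature, self.key = device_id, feature, key

    def on_auth_request(self, rtc_now: int):
        # Authentication data = E_key(feature || RTC time); the identifier travels in clear for key lookup.
        return self.device_id, seal(self.key, self.feature + struct.pack(">Q", rtc_now))

class AuthenticationDevice:
    def __init__(self, second_id: str, second_key: bytes):
        self.second_id, self.second_key = second_id, second_key

    def relay(self, token: AuxiliaryDevice, rtc_now: int):
        # Claim 7: the reader wraps identifier and authentication data under its own second key.
        device_id, auth_data = token.on_auth_request(rtc_now)
        return self.second_id, seal(self.second_key, device_id.encode() + b"\0" + auth_data)

class AuthenticationServer:
    def __init__(self, window_seconds: int = 30):
        self.window = window_seconds
        self.aux_records = {}  # device_id -> (feature, key), recorded when the token is written
        self.relay_keys = {}   # second device identifier -> second key
        self.bindings = {}     # device_id -> user identity, created by step 302

    def provision_auxiliary(self, device_id: str) -> AuxiliaryDevice:
        feature, key = secrets.token_bytes(FEATURE_LEN), secrets.token_bytes(32)
        self.aux_records[device_id] = (feature, key)
        return AuxiliaryDevice(device_id, feature, key)

    def provision_relay(self, second_id: str) -> AuthenticationDevice:
        self.relay_keys[second_id] = secrets.token_bytes(32)
        return AuthenticationDevice(second_id, self.relay_keys[second_id])

    def associate(self, user_id: str, device_id: str) -> None:
        self.bindings[device_id] = user_id  # step 302: bind the token's feature data to the user

    def disassociate(self, user_id: str) -> None:
        self.bindings = {d: u for d, u in self.bindings.items() if u != user_id}  # step 304

    def authenticate(self, second_id: str, wrapped: bytes, now: int):
        second_key = self.relay_keys.get(second_id)
        inner = (open_(second_key, wrapped) if second_key else None) or b""  # b"" -> rejected below
        raw_id, _, auth_data = inner.partition(b"\0")
        device_id = raw_id.decode(errors="replace")
        record = self.aux_records.get(device_id)
        plain = open_(record[1], auth_data) if record else None
        if plain is None or len(plain) != FEATURE_LEN + 8:
            return False, "outer or inner layer rejected"
        feature, t = plain[:FEATURE_LEN], struct.unpack(">Q", plain[FEATURE_LEN:])[0]
        if not t <= now <= t + self.window:  # set duration starting at the token's RTC time
            return False, "outside time window"
        user = self.bindings.get(device_id)
        if user is None or not hmac.compare_digest(feature, record[0]):
            return False, "not associated or feature mismatch"
        return True, user

def run_demo() -> dict:
    server = AuthenticationServer(window_seconds=30)
    token = server.provision_auxiliary("aux-0001")  # constructed identifiers and clock values
    reader = server.provision_relay("reader-07")
    out = {"before_association": server.authenticate(*reader.relay(token, 1000), now=1000)[0]}
    server.associate("alice", "aux-0001")
    sid, blob = reader.relay(token, 1000)
    out["fresh"] = server.authenticate(sid, blob, now=1010)[0]
    out["replayed_late"] = server.authenticate(sid, blob, now=1031)[0]
    out["tampered"] = server.authenticate(sid, blob[:-1] + bytes([blob[-1] ^ 1]), now=1010)[0]
    server.disassociate("alice")
    out["after_disassociation"] = server.authenticate(*reader.relay(token, 2000), now=2000)[0]
    return out
```

Note that the time window alone only bounds how long captured authentication data stays usable; the page does not state the duration or any per-message replay check, so a deployment would need to decide both.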
Example eight
An eighth embodiment of the present invention provides an online authentication device, which may have a structure as shown in fig. 8, and includes a memory 41, a processor 42, and a computer program stored on the memory, where the processor 42 implements the steps of the method provided in the first embodiment of the present invention, or implements the steps of the method provided in the second embodiment of the present invention, or implements the steps of the method provided in the third embodiment of the present invention when executing the program.
Optionally, the processor 42 may specifically include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), one or more integrated circuits for controlling program execution, a hardware circuit developed by using a Field Programmable Gate Array (FPGA), or a baseband processor.
Optionally, the processor 42 may include at least one processing core.
Alternatively, the memory 41 may include a Read Only Memory (ROM), a Random Access Memory (RAM), and a disk memory. The memory 41 is used for storing data required by the at least one processor 42 during operation. The number of the memory 41 may be one or more.
A ninth embodiment of the present invention provides a non-volatile computer storage medium storing an executable program which, when executed by a processor, implements the steps of the method provided in the first embodiment of the present invention, or the steps of the method provided in the second embodiment of the present invention, or the steps of the method provided in the third embodiment of the present invention.
In particular implementations, computer storage media may include: various storage media capable of storing program codes, such as a Universal Serial Bus flash drive (USB), a mobile hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In the embodiments of the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the described unit or division of units is only one division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical or other form.
The functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be an independent physical module.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, all or part of the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device, such as a personal computer, a server, or a network device, or a processor (processor) to execute all or part of the steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media that can store program codes, such as a universal serial bus flash drive (usb flash drive), a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above embodiments are only used to describe the technical solutions of the present application in detail, but the above embodiments are only used to help understanding the method of the embodiments of the present invention, and should not be construed as limiting the embodiments of the present invention. Variations or substitutions that may be readily apparent to one skilled in the art are intended to be included within the scope of the embodiments of the present invention.

Claims (25)

1. An identity authentication method, which is applied to an auxiliary authentication device, includes:
when an identity authentication request is received, generating authentication data according to characteristic data which is cached in advance and corresponds to user identity information and rules agreed with an authentication server, wherein the characteristic data is generated by the authentication server;
sending the authentication data to authentication equipment, so that after the authentication equipment sends the authentication data to an authentication server, the authentication server extracts the feature data in the authentication data for authentication according to the agreed rule;
wherein, the corresponding relation between the characteristic data and the user identity information is established in the authentication server in the following way:
the authentication server receives an association request which requires association between mobile equipment and auxiliary authentication equipment, wherein the association request carries user identity information corresponding to the mobile equipment and equipment identification corresponding to the auxiliary authentication equipment;
and establishing a corresponding relation between the feature data written into the auxiliary authentication equipment corresponding to the equipment identifier and the user identity information corresponding to the mobile equipment according to the corresponding relation between the stored feature data and the equipment identifier.
2. The method of claim 1, wherein generating authentication data according to rules agreed upon with the authentication server comprises:
encrypting the characteristic data according to a pre-stored encryption key to generate authentication data, wherein the encryption key is an encryption key which is specified by the authentication server and corresponds to the equipment identifier;
sending the authentication data to an authentication device, comprising:
and sending the corresponding equipment identifier and the authentication data to authentication equipment, so that after the authentication equipment sends the equipment identifier and the authentication data to an authentication server, the authentication server can decrypt the authentication data according to the equipment identifier and authenticate the feature data obtained after decryption.
3. The method of claim 2, wherein the method further comprises:
determining time data generated by a real-time clock (RTC) when an identity authentication request is received;
encrypting the feature data according to a pre-stored encryption key, comprising:
encrypting the characteristic data and the time data according to a pre-stored encryption key;
sending the device identifier corresponding to the auxiliary authentication device and the authentication data to an authentication device, including:
and sending the device identifier, the encrypted feature data and the encrypted time data to an authentication device, so that after the authentication device sends the device identifier, the encrypted feature data and the encrypted time data to an authentication server, the authentication server can decrypt the encrypted feature data and the encrypted time data according to the device identifier and then authenticate the feature data within a set duration taking the time corresponding to the time data as the starting time.
4. The method according to any one of claims 1 to 3, wherein the identity authentication request is an identity authentication request sent by an authentication device through radio frequency, or an identity authentication request generated by a user clicking a key or a touch screen.
5. An identity authentication method, applied to an authentication device, includes:
receiving authentication data, wherein the authentication data is generated and sent by an auxiliary authentication device according to characteristic data which is cached in advance and corresponds to user identity information and a rule agreed with an authentication server, and the characteristic data is generated by the authentication server;
sending the received authentication data to the authentication server so that the authentication server can extract the feature data in the authentication data for authentication according to the agreed rule;
wherein, the corresponding relation between the characteristic data and the user identity information is established in the authentication server in the following way:
the authentication server receives an association request which requires association between mobile equipment and auxiliary authentication equipment, wherein the association request carries user identity information corresponding to the mobile equipment and equipment identification corresponding to the auxiliary authentication equipment;
and establishing a corresponding relation between the feature data written into the auxiliary authentication equipment corresponding to the equipment identifier and the user identity information corresponding to the mobile equipment according to the corresponding relation between the stored feature data and the equipment identifier.
6. The method of claim 5, wherein prior to receiving authentication data, the method further comprises:
and sending an identity authentication request to the auxiliary authentication device.
7. The method of claim 5 or 6, wherein after receiving authentication data and before sending the received authentication data to the authentication server, the method further comprises:
encrypting the authentication data according to an encryption mode agreed with the authentication server;
sending the received authentication data to the authentication server, including:
and sending the encrypted authentication data to the authentication server, so that the authentication server can decrypt the encrypted authentication data according to the agreed encryption mode.
8. An identity authentication method, applied to an authentication server, includes:
receiving an association request which requires association between mobile equipment and auxiliary authentication equipment, wherein the association request carries user identity information corresponding to the mobile equipment and equipment identification corresponding to the auxiliary authentication equipment;
according to the corresponding relation between the stored feature data and the equipment identifier, establishing a corresponding relation between the feature data written into the auxiliary authentication equipment corresponding to the equipment identifier and the user identity information, so that the auxiliary authentication equipment can generate authentication data for authenticating the user identity information according to the feature data and a rule agreed with the authentication server and send the authentication data to authentication equipment, and after the authentication equipment sends the authentication data to the authentication server, the authentication server extracts the feature data in the authentication data for authentication according to the agreed rule.
9. The method of claim 8, wherein the method further comprises:
receiving an association closing request requesting that the association between mobile equipment and auxiliary authentication equipment be disconnected, wherein the association closing request carries user identity information corresponding to the mobile equipment;
and according to the received association closing request, removing the corresponding relation between the user identity information corresponding to the mobile equipment and the feature data, so that when authentication of the user identity information is carried out on authentication data corresponding to the feature data, the authentication results are all authentication failures.
10. The method of claim 9, wherein the association request and the association closing request are sent by a user through a web page of the authentication server after logging in; or the association request and the association closing request are sent by a user through an application APP pre-installed on the mobile device after logging in to the application APP.
11. An auxiliary authentication device, the device comprising:
the receiving module is used for receiving the identity authentication request;
the information storage module is used for caching characteristic data corresponding to the user identity information in advance, and the characteristic data is generated by the authentication server;
the authentication data generation module is used for generating authentication data according to the characteristic data which is cached in advance by the information storage module and corresponds to the user identity information and the rule agreed with the authentication server when the receiving module receives the identity authentication request;
a sending module, configured to send the authentication data generated by the authentication data generation module to an authentication device, so that after the authentication device sends the authentication data to the authentication server, the authentication server extracts the feature data in the authentication data according to the agreed rule to perform authentication;
wherein, the corresponding relation between the characteristic data and the user identity information is established in the authentication server in the following way:
the authentication server receives an association request which requires association between mobile equipment and auxiliary authentication equipment, wherein the association request carries user identity information corresponding to the mobile equipment and equipment identification corresponding to the auxiliary authentication equipment;
and establishing a corresponding relation between the feature data written into the auxiliary authentication equipment corresponding to the equipment identifier and the user identity information corresponding to the mobile equipment according to the corresponding relation between the stored feature data and the equipment identifier.
12. The apparatus of claim 11,
the information storage module is further configured to store an encryption key and an equipment identifier corresponding to the auxiliary authentication equipment, where the encryption key is an encryption key that is specified by the authentication server and corresponds to the equipment identifier corresponding to the auxiliary authentication equipment;
the authentication data generation module is configured to generate authentication data according to a rule agreed with the authentication server, and includes: encrypting the characteristic data according to an encryption key pre-stored by the information storage module to generate authentication data;
the sending module is specifically configured to send the device identifier and the authentication data generated by the authentication data generation module to an authentication device, so that after the authentication device sends the device identifier and the authentication data to the authentication server, the authentication server may decrypt the authentication data according to the device identifier and authenticate the feature data obtained after decryption.
13. The apparatus of claim 12, wherein the apparatus further comprises:
the time data extraction module is used for determining the time data generated by the real-time clock RTC when the identity authentication request is received;
the authentication data generation module is configured to encrypt the feature data according to a pre-stored encryption key, and includes: encrypting the characteristic data and the time data according to a pre-stored encryption key;
the sending module is configured to send the device identifier corresponding to the auxiliary authentication device and the authentication data to an authentication device, and this includes: sending the device identifier, the encrypted feature data and the encrypted time data to an authentication device, so that after the authentication device sends the device identifier, the encrypted feature data and the encrypted time data to an authentication server, the authentication server can decrypt the encrypted feature data and the encrypted time data according to the device identifier and then authenticate the feature data within a set duration taking the time corresponding to the time data as the starting time.
14. The apparatus according to any one of claims 11 to 13,
the receiving module is specifically configured to receive an identity authentication request sent by an authentication device through radio frequency, or an identity authentication request generated by a user clicking a key or a touch screen.
15. An authentication device, characterized in that the authentication device comprises:
the receiving module is used for receiving authentication data, wherein the authentication data is generated and sent by the auxiliary authentication equipment according to feature data which is cached in advance and corresponds to the user identity information and a rule agreed with the authentication server, and the feature data is generated by the authentication server;
the sending module is used for sending the authentication data received by the receiving module to the authentication server so that the authentication server can extract the feature data in the authentication data for authentication according to the agreed rule;
wherein, the corresponding relation between the characteristic data and the user identity information is established in the authentication server in the following way:
the authentication server receives an association request which requires association between mobile equipment and auxiliary authentication equipment, wherein the association request carries user identity information corresponding to the mobile equipment and equipment identification corresponding to the auxiliary authentication equipment;
and establishing a corresponding relation between the feature data written into the auxiliary authentication equipment corresponding to the equipment identifier and the user identity information corresponding to the mobile equipment according to the corresponding relation between the stored feature data and the equipment identifier.
16. The device of claim 15, wherein the sending module is further configured to send an identity authentication request to the secondary authentication device before the receiving module receives the authentication data.
17. The apparatus of claim 15 or 16, wherein the apparatus further comprises:
the encryption module is used for encrypting the authentication data according to an encryption mode agreed with the authentication server;
the sending module is specifically configured to send the encrypted authentication data to the authentication server, so that the authentication server can decrypt the encrypted authentication data according to the agreed encryption manner.
18. An authentication server, characterized in that the authentication server comprises:
a receiving module, configured to receive an association request that requires association between a mobile device and an auxiliary authentication device, where the association request carries user identity information corresponding to the mobile device and a device identifier corresponding to the auxiliary authentication device;
a generating module, configured to establish, according to the stored corresponding relation between feature data and device identifiers, a corresponding relation between the feature data written into the auxiliary authentication device corresponding to the device identifier and the user identity information, so that the auxiliary authentication device can generate, from the feature data and according to a rule agreed with the authentication server, authentication data for authenticating the user identity information and send that authentication data to the authentication device, and so that, after the authentication device forwards the authentication data to the authentication server, the authentication server extracts the feature data from the authentication data for authentication according to the agreed rule.
19. The authentication server of claim 18, wherein the receiving module is further configured to receive the authentication data sent by an authentication device;
the authentication server further comprises:
an authentication module configured to extract the feature data from the authentication data for authentication according to the agreed rule.
20. The authentication server according to claim 18 or 19, wherein the receiving module is further configured to receive an association close request that requires the mobile device and the auxiliary authentication device to be disassociated, where the association close request carries the user identity information corresponding to the mobile device;
the generating module is further configured to release, according to the received association close request, the corresponding relation between the user identity information corresponding to the mobile device and the feature data, so that when authentication data corresponding to that feature data is subsequently authenticated against that user identity information, the authentication result is a failure.
21. An identity authentication system, characterized in that it comprises at least one auxiliary authentication device according to claim 11, at least one authentication device according to claim 15 and at least one authentication server according to claim 18.
22. A non-transitory computer storage medium storing an executable program for execution by a processor to perform the steps of the method of any one of claims 1 to 4, or to perform the steps of the method of any one of claims 5 to 7, or to perform the steps of the method of any one of claims 8 to 10.
23. An auxiliary authentication device comprising a memory, a processor and a computer program stored on the memory, the processor implementing the steps of the method of any one of claims 1 to 4 when executing the program.
24. An authentication device comprising a memory, a processor and a computer program stored on the memory, the processor when executing the program implementing the steps of the method of any one of claims 5 to 7.
25. An authentication server comprising a memory, a processor and a computer program stored on the memory, the processor implementing the steps of the method of any one of claims 8 to 10 when executing the program.
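The three roles named in claims 11 to 20 (auxiliary authentication device, authentication device acting as relay, authentication server holding the two mappings) form a small protocol: provisioning stores feature data per device identifier, an association request binds a user identity to that feature data, the auxiliary device emits authentication data by an agreed rule, the server extracts the feature data and looks up the user, and an association close request makes later authentication fail. The model below is an added illustration, not code from the patent or its assignee. The claims do not fix the "agreed rule", so the HMAC-SHA256 framing, the per-request nonce used as a replay check, the `_tag` helper and all class, method and sample values (`aux-0001`, `user-alice`, the feature bytes) are assumptions made here; the separate encryption step of claim 17 is not modelled and would sit on the relay-to-server transport.

```python
import hashlib
import hmac
import json
import secrets


def _tag(feature_data: bytes, device_id: str, nonce: bytes) -> bytes:
    """Assumed 'agreed rule': HMAC-SHA256 over device id and nonce, keyed with
    the feature data written into the auxiliary device at provisioning."""
    return hmac.new(feature_data, device_id.encode() + nonce, hashlib.sha256).digest()


class AuxiliaryAuthenticationDevice:
    """Holds provisioned feature data and answers an identity authentication
    request with authentication data built by the agreed rule."""

    def __init__(self, device_id: str, feature_data: bytes):
        self.device_id = device_id
        self._feature = feature_data

    def generate_authentication_data(self) -> str:
        nonce = secrets.token_bytes(16)  # fresh per request (assumption, not in the claims)
        return json.dumps({
            "device_id": self.device_id,
            "nonce": nonce.hex(),
            "feature": self._feature.hex(),
            "tag": _tag(self._feature, self.device_id, nonce).hex(),
        })


class AuthenticationServer:
    """Keeps the two relations the claims name: device identifier -> feature data
    (stored at provisioning) and feature data -> user identity (set by association)."""

    def __init__(self):
        self._feature_by_device: dict[str, bytes] = {}
        self._user_by_feature: dict[bytes, str] = {}
        self._seen_nonces: set[bytes] = set()  # replay window; unbounded here for brevity

    def register_auxiliary_device(self, device_id: str, feature_data: bytes) -> None:
        self._feature_by_device[device_id] = feature_data

    def associate(self, user_id: str, device_id: str) -> bool:
        # Association request: user identity information plus device identifier.
        feature = self._feature_by_device.get(device_id)
        if feature is None:
            return False
        self._user_by_feature[feature] = user_id
        return True

    def disassociate(self, user_id: str) -> None:
        # Association close request: release the user <-> feature data relation.
        for feature in [f for f, u in self._user_by_feature.items() if u == user_id]:
            del self._user_by_feature[feature]

    def authenticate(self, auth_data: str):
        """Extract the feature data by the agreed rule and authenticate it.
        Returns the user identity on success, None on any failure."""
        try:
            msg = json.loads(auth_data)
            device_id = str(msg["device_id"])
            nonce = bytes.fromhex(msg["nonce"])
            feature = bytes.fromhex(msg["feature"])
            tag = bytes.fromhex(msg["tag"])
        except (ValueError, KeyError, TypeError):
            return None
        stored = self._feature_by_device.get(device_id)
        if stored is None or not hmac.compare_digest(stored, feature):
            return None  # feature data does not match what was written to this device
        if not hmac.compare_digest(_tag(stored, device_id, nonce), tag):
            return None  # authentication data not produced by the agreed rule
        if nonce in self._seen_nonces:
            return None  # replayed authentication data
        self._seen_nonces.add(nonce)
        return self._user_by_feature.get(feature)  # None if no association exists


class AuthenticationDevice:
    """The relay of claims 15 and 16: requests, then forwards unchanged."""

    def __init__(self, server: AuthenticationServer):
        self._server = server

    def authenticate_via(self, aux: AuxiliaryAuthenticationDevice):
        auth_data = aux.generate_authentication_data()  # identity authentication request
        return self._server.authenticate(auth_data)


def demo() -> dict:
    server = AuthenticationServer()
    feature = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    server.register_auxiliary_device("aux-0001", feature)
    aux = AuxiliaryAuthenticationDevice("aux-0001", feature)
    relay = AuthenticationDevice(server)
    out = {}
    out["before_association"] = relay.authenticate_via(aux)
    server.associate("user-alice", "aux-0001")
    out["after_association"] = relay.authenticate_via(aux)
    once = aux.generate_authentication_data()
    out["first_use"] = server.authenticate(once)
    out["replay"] = server.authenticate(once)
    forged = AuxiliaryAuthenticationDevice("aux-0001", bytes(16))  # wrong feature data
    out["forged"] = relay.authenticate_via(forged)
    server.disassociate("user-alice")
    out["after_disassociation"] = relay.authenticate_via(aux)
    return out
```

The server never trusts the feature field on its own: it is checked against the copy stored for the claimed device identifier and against the tag, so a device that was never provisioned, or that was provisioned with different feature data, fails before any user lookup. Because the user binding is a separate relation, the association close request of claim 20 only has to drop that entry for every later authentication to return a failure while the device's provisioning stays intact.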
CN201810553631.4A 2018-05-31 2018-05-31 Identity authentication method, equipment, medium and system Active CN109005144B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810553631.4A CN109005144B (en) 2018-05-31 2018-05-31 Identity authentication method, equipment, medium and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810553631.4A CN109005144B (en) 2018-05-31 2018-05-31 Identity authentication method, equipment, medium and system

Publications (2)

Publication Number Publication Date
CN109005144A CN109005144A (en) 2018-12-14
CN109005144B true CN109005144B (en) 2021-04-20

Family

ID=64573668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810553631.4A Active CN109005144B (en) 2018-05-31 2018-05-31 Identity authentication method, equipment, medium and system

Country Status (1)

Country Link
CN (1) CN109005144B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808966A (en) * 2019-10-23 2020-02-18 天津华来科技有限公司 Identity information generation method and device and storage medium
CN110769415B (en) * 2019-10-30 2023-04-18 维沃移动通信有限公司 Authentication method and electronic equipment
CN113556365B (en) * 2021-09-23 2022-01-11 中国信息通信研究院 Authentication result data transmission system, method and device
CN114338213B (en) * 2021-12-31 2022-09-13 电子科技大学 Temperature-assisted authentication method

Citations (2)

Publication number Priority date Publication date Assignee Title
CN102186169A (en) * 2010-04-30 2011-09-14 北京华大智宝电子系统有限公司 Identity authentication method, device and system
CN105325021A (en) * 2013-03-15 2016-02-10 因特鲁斯特公司 Method and apparatus for remote portable wireless device authentication

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8020192B2 (en) * 2003-02-28 2011-09-13 Michael Wright Administration of protection of data accessible by a mobile device

Also Published As

Publication number Publication date
CN109005144A (en) 2018-12-14

Similar Documents

Publication Publication Date Title
US10963862B2 (en) Login using QR code
EP3257194B1 (en) Systems and methods for securely managing biometric data
KR101727660B1 (en) Method of using one device to unlock another device
US11764966B2 (en) Systems and methods for single-step out-of-band authentication
CN106575326B (en) System and method for implementing one-time passwords using asymmetric encryption
CN104065653B (en) A kind of interactive auth method, device, system and relevant device
CN106330850B (en) Security verification method based on biological characteristics, client and server
CN109005144B (en) Identity authentication method, equipment, medium and system
US20040230807A1 (en) Apparatus and method for authenticating access to a network resource
CN104144419A (en) Identity authentication method, device and system
CN105553926A (en) Authentication method, server, and terminal
CN102916869A (en) Instant messaging method and system
CN105719131A (en) Server, client and paying-for-another method of e-payment
US20160381011A1 (en) Network security method and network security system
EP4037250A1 (en) Message transmitting system with hardware security module
EP3334086A1 (en) Online authentication method based on smart card, smart card and authentication server
CN112491907A (en) Data transmission method, device, system, storage medium and electronic equipment
CN111275855A (en) Door lock control method, device and system, electronic equipment and storage medium
US10708267B2 (en) Method and associated processor for authentication
Kaur et al. A comparative analysis of various multistep login authentication mechanisms
CN108574657B (en) Server access method, device and system, computing equipment and server
KR101879842B1 (en) User authentication method and system using one time password
CN103929399A (en) Identify authentication method and system
CN108667785B (en) System and method for network identity service based on Open ID
KR101206852B1 (en) Image based authentication system and method therefor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant