CN110460588B - Method, device, computer system and storage medium for realizing information verification - Google Patents


Info

Publication number: CN110460588B
Authority: CN (China)
Application number: CN201910672000.9A
Other versions: CN110460588A
Legal status: Active
Inventors: 郭锐, 李茂材, 王宗友, 屠海涛, 孔利, 周开班, 杨常青, 王楠, 丁勇, 时一防
Current and original assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/321 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
    • H04L9/3239 Cryptographic mechanisms for message authentication using cryptographic hash functions, involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms for message authentication involving digital signatures
    • H04L9/3297 Cryptographic mechanisms for message authentication involving time stamps, e.g. generation of time stamps

Abstract

The disclosure relates to the technical field of blockchains, and discloses a method, a device, a computer system and a storage medium for realizing information verification. The method comprises the following steps: a terminal acquires a public key corresponding to a private key held by the terminal; the terminal sends the public key, the encrypted digest of the verified information and the digital signature of the encrypted digest to the receiving end of the network access behavior, so as to request the receiving end to verify the digital signature against the encrypted digest using the public key, where the verified information is part of the key information that the terminal needs to verify. According to the embodiments of the application, information verification is performed by a third party based on blockchain technology, and no data related to the information to be verified needs to be obtained other than the encrypted digest, so the security and reliability of information verification are ensured, and only ciphertext is exchanged throughout the information verification process.

Description

Method, device, computer system and storage medium for realizing information verification
The present application is a divisional application of Chinese patent application CN201810553455.4, filed on 31.5.2018 and entitled "Method, system, device and computer system for realizing information verification".
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a computer system, and a computer-readable storage medium for implementing information verification.
Background
With the rapid development of the internet, before a network access behavior is performed for a terminal in various service scenarios, some form of information verification is often required, and the network access behavior is performed for the terminal only once the verified information has been confirmed to be correct.
Information verification is the process of determining whether the terminal that triggered the network access behavior has the corresponding authority. The receiving end of the network access behavior executes the triggered behavior only for terminals that have the authority and rejects those that do not.
In existing implementations of information verification, the target is always the real information collected from the user: when the information provided by a terminal is verified to be the real information corresponding to the user, the terminal is determined to have authority.
For example, the real information is a series of items such as the bank card number and telephone number belonging to a user who has already completed real-name registration.
However, such a design is oriented toward tracing the source of, and dealing directly with, the real information itself. For the receiving end, it is only necessary to confirm whether the terminal initiating the network access behavior has the authority; the receiving end is not concerned with the content of the information.
Existing implementations of information verification inevitably involve the input and transmission of real information, which in turn inevitably exposes the information that the terminal provides for verification to theft.
Therefore, existing information verification carries the risk that the verified information, which is all of the user's real information, is leaked. The implementation of information verification urgently needs to be improved in order to raise information security.
Disclosure of Invention
In order to solve the technical problems of the related art, in which the implementation of information verification has low security and leaks information easily, the invention provides a method, a device, a computer system and a computer readable storage medium for implementing information verification.
A method of implementing information verification, the method comprising:
the terminal acquires a public key corresponding to a private key held by the terminal;
the terminal sends the public key, the encrypted digest of the verified information and the digital signature of the encrypted digest to a receiving end of the network access behavior to request the receiving end to verify the digital signature according to the encrypted digest by using the public key,
the verified information is part of key information which needs to be verified by the terminal.
A computer system, the computer system comprising:
a processor; and
a memory having computer readable instructions stored thereon which, when executed by the processor, implement the method as previously described.
A computer readable storage medium having computer readable instructions stored thereon which, when executed by a processor, implement a method as previously described.
An apparatus for implementing information verification for performing information verification on network access behavior of a terminal, the apparatus comprising:
an acquisition unit configured to acquire a public key corresponding to a private key held by a terminal;
a request unit configured to: sending the public key, an encrypted digest of the verified information, and a digital signature of the encrypted digest to a receiving end of the network access behavior to request the receiving end to verify the digital signature from the encrypted digest using the public key,
the verified information is part of key information which needs to be verified by the terminal.
The technical scheme provided by the embodiments of the invention can have the following beneficial effects:
For the verification of given information, when information verification is initiated on the network access behavior of the terminal, the verified information content is obtained in the form of an encrypted digest of the content corresponding to the given information, where the given information is part of the key information that the terminal needs to verify. The terminal then sends the digital signature, the encrypted digest and the public key to the receiving end of the network access behavior. On one hand, information verification is therefore carried out solely in ciphertext form, without obtaining any data related to the information to be verified other than the encrypted digest, which ensures the security and reliability of the information verification; only ciphertext is exchanged throughout the whole process. On the other hand, the involvement of other information related to the verification is avoided, so the information verification that the terminal needs does not depend on other key information, and the purpose of information verification is achieved with only part of the key information.
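The exchange just described, carried end to end as an added example in Go (not the patent's own code): it assumes SHA-256 over a single field as the encrypted digest, Ed25519 as the terminal's key pair, and a Merkle tree as the third party's tree structure over all key information mentioned in the detailed description; the user record is constructed.

```go
// Added example, not the patent's code. Assumes SHA-256 as the encrypted digest,
// Ed25519 as the terminal's key pair, a Merkle tree as the third party's tree structure.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Submission is everything the terminal hands to the receiving end.
type Submission struct{ PublicKey ed25519.PublicKey; Digest, Signature []byte }

// fieldDigest hashes one field; binding the field name stops the digest of one
// field being passed off as another (encoding chosen for this example).
func fieldDigest(field, value string) []byte {
	sum := sha256.Sum256([]byte(field + "\x00" + value))
	return sum[:]
}

// Terminal side (step 310): hash the verified field and sign the digest.
func terminalSubmit(priv ed25519.PrivateKey, field, value string) Submission {
	d := fieldDigest(field, value)
	return Submission{priv.Public().(ed25519.PublicKey), d, ed25519.Sign(priv, d)}
}

// Receiving end: check the signature over the digest. It never sees plaintext.
func receiverCheckSignature(s Submission) bool {
	return len(s.PublicKey) == ed25519.PublicKeySize && ed25519.Verify(s.PublicKey, s.Digest, s.Signature)
}

// ThirdParty stores all key information as a Merkle tree of field digests.
type ThirdParty struct{ levels [][][]byte } // levels[0]: leaves; last level: root

func hashPair(a, b []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, a...), b...))
	return sum[:]
}

// NewThirdParty builds the tree over (field, value) pairs, duplicating the
// last node of any odd-sized level.
func NewThirdParty(record [][2]string) *ThirdParty {
	var cur [][]byte
	for _, kv := range record {
		cur = append(cur, fieldDigest(kv[0], kv[1]))
	}
	tp := &ThirdParty{}
	for len(cur) > 1 {
		if len(cur)%2 == 1 {
			cur = append(cur, cur[len(cur)-1])
		}
		tp.levels = append(tp.levels, cur)
		var next [][]byte
		for i := 0; i < len(cur); i += 2 {
			next = append(next, hashPair(cur[i], cur[i+1]))
		}
		cur = next
	}
	tp.levels = append(tp.levels, cur) // root level (empty for an empty record)
	return tp
}

// VerifyDigest answers the receiving end's only question: does this digest exist in
// the stored key information? It finds the leaf and recomputes its path to the root.
func (tp *ThirdParty) VerifyDigest(digest []byte) bool {
	idx := -1
	for i, leaf := range tp.levels[0] {
		if bytes.Equal(leaf, digest) {
			idx = i
		}
	}
	if idx < 0 {
		return false
	}
	cur := digest
	for _, lvl := range tp.levels[:len(tp.levels)-1] {
		if sib := idx ^ 1; sib < idx {
			cur = hashPair(lvl[sib], cur)
		} else {
			cur = hashPair(cur, lvl[sib])
		}
		idx /= 2
	}
	return bytes.Equal(cur, tp.levels[len(tp.levels)-1][0])
}

// receiverHandle: signature first, then the third party sees only the digest.
func receiverHandle(tp *ThirdParty, s Submission) bool {
	return receiverCheckSignature(s) && tp.VerifyDigest(s.Digest)
}

func main() {
	tp := NewThirdParty([][2]string{{"name", "Alice Example"}, {"phone", "13800000000"}, {"address", "1 Sample Rd"}}) // constructed record
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(receiverHandle(tp, terminalSubmit(priv, "name", "Alice Example"))) // true
	fmt.Println(receiverHandle(tp, terminalSubmit(priv, "name", "Bob Example")))   // false
}
```

The receiving end and the third party together decide with nothing but the digest, the signature and the public key; the plaintext field never leaves the terminal.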
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a schematic, diagrammatic illustration of an environment in which the present invention is practiced, according to an exemplary embodiment;
FIG. 2 is a block diagram illustrating an apparatus in accordance with an exemplary embodiment;
FIG. 3 is a flow diagram illustrating a method of implementing information verification in accordance with an exemplary embodiment;
FIG. 4 is a flow diagram illustrating step 310 according to a corresponding embodiment of FIG. 3;
FIG. 5 is a flow chart depicting step 330, according to a corresponding embodiment of FIG. 3;
FIG. 6 is a flowchart illustrating a description of step 335 according to a corresponding embodiment of FIG. 5;
FIG. 7 is a flow diagram illustrating a method of implementing information verification in accordance with the corresponding embodiment of FIG. 6;
FIG. 8 is a flowchart illustrating a description of step 333 according to a corresponding embodiment of FIG. 6;
FIG. 9 is a flowchart illustrating a description of step 330 according to a corresponding embodiment of FIG. 3;
FIG. 10 is a flowchart illustrating a description of step 370, according to a corresponding embodiment of FIG. 3;
FIG. 11 is a flow diagram illustrating a method of implementing information verification in accordance with an exemplary embodiment;
FIG. 12 is a flow chart illustrating a method of implementing information verification in accordance with another exemplary embodiment;
FIG. 13 is a flowchart illustrating a description of step 850 shown in accordance with a corresponding embodiment in FIG. 11;
FIG. 14 is a simplified schematic diagram of an information validation implementation architecture, shown in accordance with an exemplary embodiment;
FIG. 15 is a schematic diagram illustrating an information validation implementation architecture in accordance with another illustrative embodiment;
FIG. 16 is a schematic diagram illustrating data structures respectively corresponding to a third party, a receiving end, and a terminal for implementing information interaction therebetween according to an exemplary embodiment;
FIG. 17 is a block diagram of a system implementing information verification in accordance with an illustrative embodiment;
FIG. 18 is a block diagram illustrating a description of a verification initiation module in accordance with the corresponding embodiment of FIG. 17;
FIG. 19 is a block diagram illustrating a description of a request validation module according to the corresponding embodiment of FIG. 18;
FIG. 20 is a block diagram illustrating a third-party configured path search module according to the corresponding embodiment of FIG. 17;
FIG. 21 is a block diagram illustrating a cryptographic digest verification module according to the corresponding embodiment of FIG. 17;
FIG. 22 is a block diagram illustrating an apparatus for implementing information verification in accordance with an exemplary embodiment;
FIG. 23 is a block diagram illustrating a correctness verification module according to another exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
FIG. 1 is a simplified schematic diagram illustrating an implementation environment to which the present invention relates, according to an exemplary embodiment. In an exemplary embodiment, the information verification performed in the network of the present invention provides a security guarantee for all the key information held by each terminal, so that no key information is leaked during information verification, and the privacy of the user corresponding to the terminal is thereby protected.
Therefore, as shown in FIG. 1, when information verification is required, the receiving end 130 corresponding to the network access behavior requests the deployed third party 150 to verify the encrypted digest provided by the terminal 110. When the third party determines that the part of the key information corresponding to the encrypted digest, i.e. the part to be verified, correctly exists in all the key information matched by the corresponding tree structure, the terminal 110 that triggered the network access behavior obtains a result that verification has passed.
That is, for any terminal, for example the terminal 110, network access initiated toward any receiving end 130, for example any of the receiving ends 1 to n, is handed to the third party 150 for information verification, so that information security is ensured through this architecture.
The third party 150 stores all the key information, and in form the third party 150 may be a single organization or may be composed of multiple parties.
That is, the third party 150 and the storage of all key information in the third party 150 may be implemented through a blockchain under a distributed architecture, to ensure that the key information is not tampered with.
The third party 150 that implements the storage of key information through a blockchain is composed of several node servers. These node servers store the key information and are all intended to be used to carry out information verification. Together they form a service network based on the blockchain, namely a service network for information verification. Therefore, both the collection of key information and the provision of the information verification service to the receiving end 130 of the network access behavior or to the terminal 110 are performed on the basis of the blockchain.
FIG. 2 is a block diagram illustrating an apparatus in accordance with an exemplary embodiment. The third party shown in FIG. 1 may be the apparatus 200, and the apparatus 200 may be a server, for example.
Referring to FIG. 2, the apparatus 200 may vary greatly depending on configuration or performance, and may include one or more Central Processing Units (CPUs) 222 (e.g., one or more processors), memory 232, and one or more storage media 230 (e.g., one or more mass storage devices) storing applications 242 or data 244. The memory 232 and the storage medium 230 may be transient or persistent storage. The program stored in the storage medium 230 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Further, the central processor 222 may be configured to communicate with the storage medium 230 to execute the series of instruction operations in the storage medium 230 on the apparatus 200. The apparatus 200 may also include one or more power supplies 226, one or more wired or wireless network interfaces 250, one or more input-output interfaces 258, and/or one or more operating systems 241, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, and so forth. The steps performed by the third party described below in the embodiments illustrated in FIGS. 3, 4, 5, 6, 7, and 8 may be based on the apparatus structure illustrated in FIG. 2.
FIG. 3 is a flow chart illustrating a method of implementing information verification in accordance with an exemplary embodiment. The method for implementing information verification, as shown in fig. 3, in an exemplary embodiment, includes at least the following steps.
In step 310, information verification is initiated on the network access behavior of the terminal, and an encrypted digest of the verified information content is obtained, where the information is part of key information that the terminal needs to verify.
It should be noted that, first of all, the terminal refers to any terminal that performs network access, for example, the terminal may be a portable mobile terminal such as a smart phone and a tablet computer that accesses a certain website, and may also be an electronic device such as a computer.
With network access of the terminal, the corresponding access object, that is, the receiving end of the network access behavior triggered by the terminal, often needs to perform information verification on the terminal according to the configuration of the receiving end, and the triggered network access behavior is executed for the terminal after the terminal passes the information verification.
For example, when the terminal initiates to browse information published by a certain website, the website jumps to an information verification page, and at this time, the terminal needs to perform information verification for this purpose, and then the terminal can browse the information.
Therefore, the network access behavior of the terminal, that is, the behavior initiated by the terminal in accessing any object via the network, varies with the object being accessed.
At the terminal, information verification is initiated for the triggered network access behavior; for example, the terminal jumps into an information verification page.
At this time, the terminal obtains the encrypted digest of the verified information content; that is, the verified information content exists in the form of ciphertext, and verification is then performed on it. Verifying the ciphertext of the encrypted digest corresponds to verifying the information for which verification was requested.
It should be understood that information verification initiated by the network access behavior of the terminal is in fact also information verification initiated by the user corresponding to the terminal, so the information requested to be verified is often related to the user and is often unique to a user or a class of users.
Therefore, the information requested to be verified is necessarily key information that the terminal needs to verify. As mentioned above, the purpose of the access object in verifying the terminal is to determine whether the terminal has the authority to perform the network access behavior; the information to be verified is key information held by the terminal, and in a specific implementation of an exemplary embodiment it is also the real information of the user corresponding to the terminal.
When information verification is initiated on the network access behavior of the terminal, the encrypted digest is obtained only on part of the key information to be verified, not on all the key information.
It should be further noted that information verification is performed to verify, against all the key information of the terminal, whether the submitted information exists and whether it is correct, so as to authenticate the terminal, that is, to confirm that the user corresponding to the terminal is already on record, for example registered and authorized.
In the execution of step 310, verification of all the key information is represented by a part of the key information, so to ensure the accuracy and reliability of the verification, the subsequent steps must work together with a third party and the tree structure held by the third party.
All the key information referred to here belongs to a terminal, or rather to the user corresponding to the terminal, and is all the information describing the terminal and that user, for example all the real information corresponding to the user. Part of the key information is the information corresponding to a certain field within all the key information, that is, one or more items of key information among all the key information, for example the key information corresponding to one field.
In some scenarios, the information verification performed for the user corresponding to the terminal is directed to the real information of the user, for example, a series of real information such as the name, sex, mobile phone number, address, etc. of the user, and the real information constitutes all the key information that the user corresponding to the terminal needs to verify after triggering the network access behavior, and the information corresponding to the field of the name is a part of all the key information, and therefore, exists as part of the key information.
Further, the encrypted digest of the verified information content may be a hash value obtained by hashing the part of the key information. The encrypted digest of the verified information content may also be obtained by some other encryption function, which is not limited herein.
Obtaining the hash value of the verified information content, i.e. the encrypted digest, by hashing converts the verified information content, whatever its length, into a ciphertext of fixed length, which facilitates the execution of the subsequent process.
In an exemplary embodiment, the terminal device performs information verification for the network access jump, and in the information verification performed by the jump, obtains the submitted information, that is, an encrypted digest corresponding to a part of the key information. The encrypted digest uniquely describes the content of the key information of the submitted portion.
Step 310 is performed by the terminal. The terminal initiates information verification for the network access behavior it triggered and acquires the encrypted digest of the verified information content for that verification; the encrypted digest is what the third party uses to perform information verification of the network access behavior triggered by the terminal.
It is clear that, for the terminal, the verified information content is always held by the terminal and never leaves it, so security is consistently guaranteed.
Fig. 4 is a flow chart describing step 310 according to a corresponding embodiment of fig. 3. This step 310, as shown in FIG. 4, in one exemplary embodiment includes the following steps.
In step 311, an information verification instruction of the network access behavior triggered by the terminal is received.
In step 313, an encrypted digest corresponding to the information content is generated based on the information indicated to be verified by the information verification instruction.
The terminal receives the information verification instruction along with the network access behavior it triggered. The reception of the information verification instruction takes place within the terminal; essentially, a process of the terminal receives the corresponding information verification instruction in response to the triggered network access behavior.
The information verification instruction is an instruction to jump to and execute information verification under the control of the receiving end corresponding to the network access behavior of the terminal. The information verification process may be a user registration and login process, or a process in which a certain type of user verifies the information it holds, which is not limited herein.
The information verification instruction is received as the terminal jumps into information verification and submits information, regardless of which information verification process this corresponds to. For example, in the information verification the terminal jumped into, the information verification instruction is received after account information and the like are input and submitted.
Therefore, the information verification instruction carries the information for which verification is requested, and this information is part of the key information that the terminal needs to verify. An encrypted digest of this information content is generated so that the third party can verify it.
In step 330, a third party is requested, through the encrypted digest, to perform information verification on the terminal for the network access behavior.
As mentioned above, the information verification is performed under the control of the receiving end of the network access behavior, that is, the information verification is performed for the network access of the terminal at the receiving end. However, the subject of the information authentication is the third party, so the terminal will request the third party to perform authentication for the network access behavior triggered by itself through the obtained encrypted digest.
The third party is a party distinct from the terminal and the receiving end, and is independent of both. The third party is the one that implements information verification, and therefore the third party stores all the information. That is, all the key information of each terminal, or of the user corresponding to each terminal, is stored at the third party, while the receiving end of the network access behavior stores no key information and cannot obtain any through the information verification, so that information security is ensured. Even if the receiving end is an illegitimate website, no key information can be stolen from it.
The deployed third party performs information verification for every terminal and every receiving end of network access behaviors. That is, the information verification that the terminal requests from the third party through the encrypted digest for its network access behavior may be requested by the terminal directly from the third party, or by the receiving end that the terminal requests access to.
For example, the terminal may request information verification from the third party for the execution of its own network access behavior, so as to provide the third party's information verification result for the network access behavior triggered subsequently.
In addition, after the terminal triggers the network access behavior, once information verification is required, an encrypted digest of the information content to be verified is obtained for the information verification. The terminal responds, through the encrypted digest, to the information verification initiated by the receiving end corresponding to the network access behavior, and at that point the receiving end requests the third party to perform information verification on the terminal based on the obtained encrypted digest.
Therefore, as can be understood, the third party is deployed independently for information verification and exists independently: no terminal or receiving end can obtain the data stored by the third party, and the information verification performed by the third party cannot be influenced or interfered with, so that the independence and reliability of the third party's information verification are ensured, and neither any terminal nor the receiving end can tamper with it.
In step 350, the third party obtains an authentication path corresponding to the verification information by tracing from the leaf node to the root node in the corresponding tree structure according to the information verification requested by the terminal, and the value corresponding to the leaf node in the corresponding tree structure matches with all the key information required to be verified by the terminal.
The third party performs the information verification that the terminal requested, through the encrypted digest, for the network access behavior it triggered. The verification is carried out by means of a tree structure deployed in the third party.
It should be understood that the third party, as an independent authentication mechanism, stores all the key information for the terminal and the user corresponding to the terminal through the constructed tree structures. Each constructed tree structure uniquely corresponds to a user or a class of users, which can be flexibly deployed according to how the information verification is implemented. For example, if the information verification performed is user-oriented, such as verifying whether the user currently requesting network access is a real user and not a machine, each tree structure in this scenario uniquely corresponds to a user.
For another example, if the information verification is performed for each type of user, i.e., whether the user currently requesting network access is a certain type or a certain group of users, each tree structure in this scenario uniquely corresponds to a type of user, and the tree structure will be used for storing data common to such users.
According to the obtained encrypted digest, the third party searches the corresponding tree structure for the leaf node corresponding to the encrypted digest and traces it up to the root node; the leaf node, the intermediate nodes between it and the root node, and the root node form an authentication path. Cryptographically, if a partial tree consistent with the corresponding portion of the tree structure can be reconstructed from the encrypted digest and the nodes on the authentication path, it is verified that the encrypted digest exists in the corresponding tree structure.
For a user, the content of each field corresponding to all the key information is stored in the form of encrypted digest at the leaf node of the corresponding tree structure. That is, the value corresponding to the leaf node in the tree structure is matched to one field of all key information of the user.
In an exemplary embodiment, the tree structure may be constructed by performing a hierarchical operation on all the key information. For example, a corresponding encrypted digest is generated for the information content of each field of all the key information; then, among the obtained encrypted digests, every two encrypted digests are combined to obtain a further encrypted digest, and so on, advancing level by level until a single value is finally obtained, which is the value corresponding to the root node of the tree structure.
The values obtained by the intermediate operations correspond to the nodes of each level, and the leaf nodes are the encrypted digests generated for the information content of each field of all the key information.
For example, the constructed tree structure may be a Merkle tree: the hash value of the information content of each field is the value of a leaf node of the Merkle tree, and each node above the leaves is obtained by concatenating the hash values of its two child nodes at the next lower level into a string and then hashing that string.
The third party constructs a corresponding tree structure for each set of key information, such as all the key information referred to above corresponding to the user, or key information held by a terminal, and associates the tree structure with a public key. The constructed tree structure corresponds to the terminal and the user through the associated public key.
In an exemplary embodiment, the associated storage of the tree structure and the public key in the third party is storage of the tree structure using the public key as an index. Correspondingly, in the requested information verification, the third party looks up the received public key as an index entry, and the matched index maps to the tree structure.
In another exemplary embodiment, the public key used as the index may be the public key itself, or of course, the public key may also be subjected to hash value operation through a hash function, and the obtained hash value is used as the index to perform associated storage of the public key and the tree structure, thereby further improving security.
In an exemplary embodiment the index value derived from the public key is such a hash value, but it may also take some other form.
Under the action of the tree structure, the group of key information can be retrieved quickly and efficiently for subsequent information verification, and only the encrypted digest corresponding to each field needs to be stored on the leaf nodes of the tree structure, so that the key information itself is never stored directly and the security of the deployed third party is further ensured.
In an exemplary embodiment, the third party exists in the form of a separate organization; for example, the third party is a deployed server or server cluster implemented under a central architecture, the constructed tree structure is stored in association with the public key, and a corresponding copy stored elsewhere serves as a backup.
In another exemplary embodiment, a distributed architecture is adopted, and the third party is composed of multiple parties, i.e. multiple nodes participate, so as to form an information verification service network. The same data is stored between the nodes of the third party, i.e. all tree structures are stored in each node of the third party.
Further, at each node, a tree structure is stored on a block, and the blocks are linked to each other to form a chain of blocks stored at the node. The constructed tree structure will be stored as block data on the nodes.
Therefore, when a terminal or a receiving end of a network access behavior requires the third party to perform information verification, it only needs to connect to one node, and the tree structure needed for the information verification can be found in the blocks located on that node.
The block chain in the node is formed by building a tree structure for each group of key information obtained by collection, then creating a block and connecting the block to the previous block. The earlier the resulting tree structure is built, the earlier the position on the blockchain is, and the last tree structure built is placed at the end of the blockchain.
The third party consists of a plurality of parties, and the constructed tree structures are stored, linked as a block chain, in each party, that is, in each node.
However, no matter the third-party deployment of the central architecture or the third-party deployment of the distributed architecture, a third party different from a terminal and a network access behavior receiving end is provided for information verification, and an independent, stable and reliable authentication mechanism is realized.
In step 370, through the authentication path, it is verified that the terminal's information corresponding to the encrypted digest is correctly present in all the key information matched by the tree structure.
As described above, after the authentication path corresponding to the encrypted digest is obtained from the tree structure, the tree structure may be reconstructed from the node values of each level indicated by the encrypted digest and the authentication path, and if the constructed tree structure is a part of the tree structure corresponding to the user, it may be determined that the requested verification information correctly exists in all the key information matched with the tree structure corresponding to the user.
It should be understood that whether a part of the tree structure or the whole tree structure is considered, the same root node corresponds to the whole tree structure without exception. Therefore, when the third party verifies through the authentication path whether the terminal's information for the encrypted digest correctly exists in all the key information matched by the tree structure, it only needs to compare the value obtained for the reconstructed root node with the value of the stored root node.
If the values are consistent, the verification passes, and the encrypted digest is the value of a leaf node on the tree structure corresponding to the user; otherwise, if the values are not consistent, the verification fails, and the encrypted digest is not the value of any leaf node on the tree structure corresponding to the user.
The authentication path is used for indicating the corresponding node for information verification performed by a third party, so that the existence and the correctness of the encrypted digest are confirmed, and all nodes on the tree structure are not required to be traversed, so that the method is very quick and efficient.
Fig. 5 is a flow chart illustrating the description of step 330 according to a corresponding embodiment of fig. 3. In an exemplary embodiment, as shown in FIG. 5, step 330 includes at least the following steps.
In step 331, the terminal performs a signature algorithm on the cryptographic digest to obtain a corresponding digital signature.
As described above, the terminal needs to obtain the right for the performed network access as the network access proceeds, and then can continue the current network access, where the right is obtained by performing information verification.
In the information verification, on the one hand, an encrypted digest is generated for the content of the information requested to be verified, that is, part of the key information. On the other hand, in the exemplary embodiment, the encrypted digest is also signed to obtain a digital signature, which ensures the security of the encrypted digest and prevents it from being tampered with. In addition, the receiving end is enabled to perform identity verification by means of the digital signature, ensuring the validity of the terminal that initiates verification to the receiving end.
After the terminal generates the encrypted digest, the terminal executes a signature algorithm on the encrypted digest by using the held private key to obtain a corresponding digital signature.
It should be understood that each terminal, or equivalently each user corresponding to a terminal, has a unique private key and a public key corresponding to that private key. The terminal stores the private key for encrypting its data. The corresponding public key may be transmitted to the receiving end along with the information the terminal sends, or stored at the receiving end, or stored in a digital signature management server from which the receiving end obtains it; how the public key is provisioned is determined by actual operating requirements and is not limited herein.
In step 333, the receiving end of the network access behavior is requested, through the digital signature and the encrypted digest, to verify the digital signature.
After the terminal generates a digital signature for the encrypted digest, it requests information verification from the receiving end of the network access behavior through the digital signature and the encrypted digest. As mentioned above, however, the receiving end of the network access behavior does not perform the information verification itself, but performs it by means of a third party.
Nevertheless, after receiving the information verification request initiated by the terminal through the digital signature and the encrypted digest, the receiving end verifies the validity of the terminal corresponding to the request, and this is implemented through the obtained digital signature and encrypted digest.
In a specific implementation of an exemplary embodiment, the receiving end obtains the public key corresponding to the private key held by the terminal, decrypts the digital signature using the public key to obtain a character string, and compares that character string with the encrypted digest. If the obtained character string is consistent with the encrypted digest, the encrypted digest has not been tampered with, the requested information verification is legitimate, and the digital signature verification passes.
If the character string and the encrypted digest are not consistent, the encrypted digest is tampered, the requested information verification is illegal, and the digital signature verification fails.
In step 335, if the digital signature is verified, the receiving end of the network access behavior requests a third party, through the encrypted digest, to verify the terminal's information.
And the receiving end of the network access behavior requests the third party to execute the information verification requested by the terminal only when the digital signature verification passes.
At this time, the receiving end of the network access behavior requests the third party to perform information verification on the terminal through the encrypted digest and the public key. The encrypted digest corresponds to the information content requested to be verified, and the public key is used to index the data that the third party stores for the terminal, namely the tree structure corresponding to that terminal.
Through this exemplary embodiment, the information verification required by the terminal is implemented by a third party in cooperation with the receiving end of the network access behavior; in most scenarios the information verification process is initiated by the receiving end of the network access behavior, which needs to perform information verification on the terminal.
Fig. 6 is a flowchart illustrating a description of step 335 according to a corresponding embodiment of fig. 5. In one exemplary embodiment, step 335, as shown in FIG. 6, includes at least the following steps.
In step 401, the receiving end of the network access behavior obtains an encrypted digest corresponding to the information to be verified of the terminal and a public key corresponding to a private key held by the terminal.
It should be noted, first, that the information to be verified of the terminal is part of the key information that the terminal needs to have verified. The encrypted digest uniquely describes the content of the terminal's information to be verified. For example, if the information verification is performed on the real information of the user, the information to be verified of the terminal is the real information, for a certain attribute, of the user logged in at the terminal, such as the real information for the name attribute, which is only part of the user's complete real information. Correspondingly, as data, the information to be verified of the terminal is the information corresponding to a certain field of all the corresponding real information.
In an exemplary embodiment, the private key held by the terminal is the private key uniquely held by the user logged in at the terminal. In other words, the private key held by the terminal may also be understood as a private key stored by the terminal. To ensure security, only a single private key is deployed at the terminal to serve the information interaction performed by the terminal, i.e. to encrypt the information exchanged. This private key has a corresponding public key.
The receiving end of the network access behavior obtains the encrypted digest corresponding to the terminal's information to be verified through the information verification requested by the terminal. At this point, on the one hand, the receiving end may obtain, together with the encrypted digest, the public key transmitted along with it from the terminal; on the other hand, the receiving end may obtain the public key corresponding to the private key held by the terminal either from its own storage or from an external source, for example the aforementioned digital signature management server.
At this time, for the public key storage performed by itself or the public key stored externally, the receiving end of the network access behavior can find the required public key according to the account information of the user logged in by the terminal, for example, the user identifier or the terminal identifier.
Therefore, the encrypted digest and the public key which correspond to the terminal and are obtained by the receiving end of the network access behavior correspond to each other.
In step 403, an information verification request is initiated to a third party according to the information verification performed by the terminal for the encrypted digest and the public key, and the information verification request carries the encrypted digest and the public key.
When the receiving end of the network access behavior requests a third party to perform information verification for the terminal according to the encrypted digest and the public key, it generates the information verification request from the encrypted digest and the public key and initiates that request to the third party.
Through the initiated information verification request, the receiving end of the network access behavior on the one hand requests the third party to perform the information verification corresponding to the terminal, and on the other hand provides the encrypted digest to be verified for the information verification the third party will execute, together with the public key, which prevents identity misuse and locates the data corresponding to the terminal.
Through this exemplary embodiment, information interaction between the receiving end of the network access behavior and a third party is realized. The receiving end of any network access behavior can obtain the required information verification by accessing the third party whenever information verification of a terminal is needed, so the receiving end no longer needs to concern itself with implementing information verification and can focus on the network access content it provides to the terminal. On the one hand this reduces the difficulty of setting up the receiving end of the network access behavior, and on the other hand it also improves the security and reliability of the receiving end.
Fig. 7 is a flow chart illustrating a method of implementing information verification in accordance with the corresponding embodiment of fig. 6. In an exemplary embodiment, the information verification request carries a timestamp attached by the terminal to the encrypted digest, and before performing step 350, the method for implementing information verification is shown in fig. 6, and further includes the following steps.
In step 510, the third party determines whether the information verification requested by the terminal is overtime according to the timestamp carried in the information verification request.
As described above, the information verification request carries the encrypted digest and the public key corresponding to the private key held by the terminal, and in addition, in the present exemplary embodiment, the information verification request also carries the timestamp attached to the encrypted digest by the terminal.
The timestamp carried by the information verification request indicates the generation time of the encrypted digest, and is then used to judge whether the information verification currently requested by the terminal has timed out. Only when the information verification requested by the terminal has not timed out is the encrypted digest carried by the information verification request used, according to the public key, to verify whether the corresponding key information exists at the third party.
In step 530, if the information authentication requested by the terminal is over time, the information authentication requested by the terminal is rejected.
If the information verification requested by the terminal is determined, according to the timestamp carried in the information verification request, to have timed out, that is, the information verification request was initiated too late relative to the time point indicated by the timestamp and now falls outside the set time range, the third party refuses to perform the corresponding information verification.
Replay of the information is thus prevented by the timestamp, and the security and reliability of the information verification are further ensured.
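As an added example, not code from the patent, the following Python puts the pieces described above together: the level-by-level tree construction over the fields of the key information, the third party's storage of each tree under the hash of the user's public key, the timeout check of steps 510 and 530, and the authentication-path retrieval and root reconstruction of steps 350 and 370 (detailed again in steps 335 and 371 to 373 below). SHA-256 as the encrypted digest, the replay window, pairing a lone node on an odd level with itself, and all names are this example's own assumptions.

```python
import hashlib
import time
from typing import Optional

# All names below are this example's own choices, not identifiers from the patent.


def digest(data: bytes) -> bytes:
    """The text's 'encrypted digest', taken here to be SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()


def build_levels(leaves: list[bytes]) -> list[list[bytes]]:
    """Hierarchical operation: merge every two digests of a level into a||b and
    hash it, advancing level by level until a single root value remains.
    A lone last node on an odd level is paired with itself (assumption; the
    text does not say how odd levels are handled)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([digest(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def build_tree(fields: dict[str, str]) -> list[list[bytes]]:
    """One leaf per field of the user's key information; only digests are kept."""
    return build_levels([digest(f"{k}={v}".encode()) for k, v in fields.items()])


def auth_path(levels: list[list[bytes]], leaf: bytes) -> Optional[list[tuple[bytes, str]]]:
    """Retrieve the leaf matching the digest and trace it up to the root.
    Returns, per level, the sibling value and the side ('L'/'R') it sits on."""
    if leaf not in levels[0]:
        return None
    idx = levels[0].index(leaf)
    path = []
    for level in levels[:-1]:
        padded = level + [level[-1]] if len(level) % 2 else level
        sib = idx ^ 1
        path.append((padded[sib], "L" if sib < idx else "R"))
        idx //= 2
    return path


def reconstruct_root(leaf: bytes, path: list[tuple[bytes, str]]) -> bytes:
    """Rebuild the partial tree from the digest and its authentication path."""
    node = leaf
    for sib, side in path:
        node = digest(sib + node) if side == "L" else digest(node + sib)
    return node


class ThirdParty:
    """The independent verifier: stores each user's tree under the hash of the
    user's public key, never the key information itself."""

    def __init__(self, max_age_s: float = 60.0):
        self.trees: dict[bytes, list[list[bytes]]] = {}
        self.max_age_s = max_age_s  # replay window for step 510 (assumption)

    def register(self, public_key: bytes, fields: dict[str, str]) -> bytes:
        levels = build_tree(fields)
        self.trees[digest(public_key)] = levels  # hash of the public key as index
        return levels[-1][0]  # root value

    def verify(self, public_key: bytes, leaf: bytes, timestamp: float,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if not 0 <= now - timestamp <= self.max_age_s:
            return "rejected: timeout"          # step 530: stale or future request
        levels = self.trees.get(digest(public_key))
        if levels is None:
            return "failed: unknown public key"
        path = auth_path(levels, leaf)
        if path is None:
            return "failed: digest not found"   # no leaf matches the digest
        if reconstruct_root(leaf, path) == levels[-1][0]:
            return "passed"                     # reconstructed root equals stored root
        return "failed: root mismatch"


def terminal_digest(field: str, value: str) -> bytes:
    """Terminal side: digest of the single field it has been asked to verify."""
    return digest(f"{field}={value}".encode())


# Constructed sample data, not taken from the patent.
SAMPLE_KEY = b"constructed-public-key-of-user-A"
SAMPLE_FIELDS = {"name": "Alice", "id_no": "000000", "phone": "5550100"}

if __name__ == "__main__":
    tp = ThirdParty()
    tp.register(SAMPLE_KEY, SAMPLE_FIELDS)
    t = time.time()
    print(tp.verify(SAMPLE_KEY, terminal_digest("name", "Alice"), t))
    print(tp.verify(SAMPLE_KEY, terminal_digest("name", "Mallory"), t))
    print(tp.verify(SAMPLE_KEY, terminal_digest("name", "Alice"), t - 3600))
```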
Fig. 8 is a flow chart illustrating the description of step 333 according to the corresponding embodiment of fig. 6. In an exemplary embodiment, as shown in FIG. 8, this step 333 includes at least the following steps.
In step 601, the terminal obtains a public key corresponding to the held private key.
In step 603, the public key, the digital signature, and the encrypted digest are sent to the receiving end of the network access behavior to request the receiving end to verify the digital signature from the encrypted digest using the public key.
As described above, the terminal deploys a private key for the information interaction it performs, and the private key has a corresponding public key. When the information interaction between the terminal and the receiving end of the network access needs to be secured, the terminal encrypts the information with its deployed private key, for example in the signing process, to obtain a digital signature, and then sends the encrypted digest, the digital signature and the public key together to the receiving end of the network access behavior in response to the information verification indicated by the receiving end.
The terminal sends the public key while sending the digital signature and the encrypted digest to the receiving end of the network access behavior. On the one hand, the information verification is thereby realized purely in ciphertext form, without any data related to the information to be verified being obtained other than the encrypted digest, which ensures the security and reliability of the information verification; only ciphertext is exchanged throughout the whole information verification process.
On the other hand, the involvement of other verification-related information is avoided, so that the information verification required by the terminal does not need any other key information, and the goal of information verification is achieved with only part of the key information.
Fig. 9 is a flow chart illustrating the description of step 330 according to the corresponding embodiment of fig. 3. In one exemplary embodiment, as shown in FIG. 3, this step 330 includes at least the following steps.
In step 331, the third party obtains the public key corresponding to the private key held by the terminal through the information verification requested by the terminal.
As mentioned above, along with the information verification initiated by the terminal, the third party will also obtain the public key of the private key held by the corresponding terminal after obtaining the encrypted digest corresponding to the information content requested to be verified by the terminal, for example, the third party obtains the public key from the receiving end of the network access behavior.
With the information verification requested by the terminal, the third party will be the execution subject of the information verification requested by the terminal, and the information verification is performed for the terminal according to the obtained information, such as the encrypted abstract and the public key.
Therefore, no matter how the terminal requests the third party for information verification, for example, the terminal requests the third party for information verification through the receiving end of the network access behavior, or the terminal directly requests the third party for information verification, etc., the third party obtains the public key corresponding to the private key held by the terminal through the information verification requested by the terminal.
In information interaction the public key serves as the tool for decrypting encrypted information such as a digital signature, but in the information verification that the third party performs for the terminal, the obtained public key serves as an index into the data: it uniquely identifies the information stored for the terminal or for the user corresponding to the terminal.
In step 333, the corresponding tree structure is located according to the obtained public key, and the third party stores the public key and the tree structure in association.
It should be understood that, in order to implement information verification by a third party, for example, to implement information verification for many users, all the key information corresponding to each user is stored by using the public key of the user as an index.
For the information verification requested by the terminal, the essence is the information verification requested by the user corresponding to the terminal, so that the public key of the user corresponds to the private key held by the terminal, and all the key information corresponding to the user is all the key information corresponding to the terminal. For the third party, the main body requesting the information verification is in the terminal, so the third party performs the information verification for the terminal. However, in essence, the third party also performs information verification for the user corresponding to the terminal.
All the key information is stored in association with the terminal or the user on the terminal by using the public key of the private key held by the terminal as an index.
In order to realize quick and efficient search, all key information is stored in a tree structure mode, and the public key and the tree structure are mutually associated.
Therefore, after the third party obtains the public key through the information verification requested by the terminal, the corresponding tree structure can be found through the public key; that is, the tree structure associated with the public key is the tree structure in which the encrypted digest is located.
In step 335, according to the information requested to be verified, a leaf node corresponding to the information is retrieved from the tree structure, and an authentication path formed by a plurality of nodes is obtained from the retrieved leaf node to the root node.
The information requested to be verified is verified at the third party in the form of its corresponding encrypted digest, the encrypted digest being a content-consistent description of that information. On the tree structure, the leaf node corresponding to the encrypted digest is obtained according to the encrypted digest, the corresponding node at the next level up is located from that leaf node, and so on until the root node is reached.
It should be noted that the leaf node corresponding to the encrypted digest is the leaf node whose value is combined pairwise with the encrypted digest to obtain the node at the next level up; that leaf node locates the corresponding node at the next level up, namely the node whose value is obtained by merging the encrypted digest with the value of that leaf node, and this node is in turn combined pairwise with the value of its sibling node.
For the nodes obtained by searching level by level for the encrypted digest on the tree structure, the path that reaches the root node of the tree structure is constructed in the same way by matching against the encrypted digest, namely the path on the tree structure from the encrypted digest up to the root node. Therefore, the authentication path of the encrypted digest is obtained by tracing the leaf node found by the search up to the root node.
The authentication path is used to determine whether the information content corresponding to the encrypted digest really exists, in other words, whether the encrypted digest really exists on the leaf node of the tree structure is determined through the authentication path.
By retrieving in the tree structure and obtaining the authentication path, the efficiency of information verification by a third party is effectively improved, and a large amount of information verification processes can be completed.
Fig. 10 is a flowchart illustrating a description of step 370, according to a corresponding embodiment of fig. 3. In an exemplary embodiment, as shown in FIG. 10, this step 370, includes at least the following steps.
In step 371, a sequence of node values tracing up to the root node along the leaf nodes of the tree structure is obtained from the authentication path.
It should be understood that the tree structure has several sub-nodes distributed in different levels through several levels, and each sub-node has a unique corresponding parent node in the upper level and at least one sub-node in the lower level.
That is, nodes on the tree structure, including leaf nodes and root nodes, are all connected layer by layer. A plurality of nodes connected layer by layer, namely all nodes distributed on a path tracing from a leaf node to a root node, can be obtained from the obtained authentication path, and node values respectively corresponding to the nodes form a node value sequence.
The node value sequence comprises a plurality of node values which exist in sequence, and the node value sequence is used for judging whether the encrypted digest exists in the located tree structure or not for the encrypted digest.
In step 373, a tree structure corresponding to the encrypted digest is constructed according to the node value sequence, and a numerical value corresponding to a root node of the encrypted digest on the constructed tree structure is obtained.
That is, the encrypted digest and the node values contained in the node value sequence are combined level by level with the same hierarchical operation used to build the tree structure, which constructs a tree structure corresponding to the encrypted digest and the node value sequence.
In step 375, it is verified whether the value corresponding to the root node of the encrypted digest on the constructed tree structure is consistent with the node value corresponding to the root node in the node value sequence.
In the tree structure, no matter which leaf node is used as the starting point, the hierarchical operation is finally integrated to a unique root node. If the encrypted digest is a numerical value corresponding to a leaf node on the positioned tree structure, the numerical value corresponding to the root node on the tree structure constructed by the encrypted digest and the node value sequence is bound to be a numerical value corresponding to the root node on the tree structure positioned by the public key and also be a node value corresponding to the root node in the node value sequence.
In step 377, if the value corresponding to the encrypted digest is consistent with the node value corresponding to the root node, it is verified that the information of the obtained terminal is correct.
In each tree structure constructed by the third party, the numerical values corresponding to the leaf nodes of the tree structure are matched with part of the key information, and so on, the numerical values corresponding to all the leaf nodes on the tree structure are matched with all the key information.
For a tree structure constructed by performing hierarchical operation on the encrypted abstract and the node value sequence, if the value corresponding to the root node on the tree structure is consistent with the node value corresponding to the root node in the node value sequence, the encrypted abstract can be proved to be the value corresponding to a leaf node on the tree structure constructed by a third party, and further the information content corresponding to the encrypted abstract can be determined, namely the information content required to be verified is part of key information matched with a leaf node on the tree structure constructed by the third party.
The tree structure constructed by the third party for comparison is obtained by positioning the public key through the steps, the numerical values on the leaf nodes of the tree structure are matched with all key information required to be verified by the terminal, and the information required to be verified currently is one part of the key information. Therefore, whether the tree structure constructed by the encrypted abstract and the node value sequence is a part of the tree structure positioned by the public key or not is verified, and if the numerical values corresponding to the root nodes of the encrypted abstract and the node value sequence are the same, the verification is passed, and the information of the terminal is verified to be correct.
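Step 335 (retrieving the authentication path) and steps 371 to 377 (rebuilding the root from the encrypted digest and the node value sequence) as one added example; this is not code from the patent. It assumes SHA-256 as the digest, a fixed field order for the leaves, that an unpaired last node is hashed with itself, and that each entry of the node value sequence records on which side the sibling sits; the user fields are constructed sample data.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: the fields of one user's "real information" (as in Fig. 16).
# The values are made up for this example.
REAL_INFO: Dict[str, str] = {
    "name": "Zhang San",
    "sex": "M",
    "mobile": "13800000000",
    "address": "1 Example Road",
}


def hash_bytes(data: bytes) -> bytes:
    """HASH(): SHA-256 is assumed here; the patent does not fix a digest."""
    return hashlib.sha256(data).digest()


def leaf_index(info: Dict[str, str], field: str) -> int:
    """Leaves are laid out in sorted field order so positions are stable."""
    return sorted(info).index(field)


def leaf_digests(info: Dict[str, str]) -> List[bytes]:
    """One encrypted digest per field, in the same sorted order as leaf_index."""
    return [hash_bytes(info[field].encode("utf-8")) for field in sorted(info)]


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Hash every two sibling nodes upward until a single root remains.
    An unpaired last node is paired with itself (an assumption)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        current = levels[-1]
        if len(current) % 2 == 1:
            current = current + [current[-1]]
        levels.append([hash_bytes(current[i] + current[i + 1])
                       for i in range(0, len(current), 2)])
    return levels


def root_of(levels: List[List[bytes]]) -> bytes:
    """The root hash that the third party stores in association with the public key."""
    return levels[-1][0]


def authentication_path(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Step 335: from the leaf, collect the sibling node value at each level up to
    the root. Each entry is (sibling_value, sibling_is_on_the_left)."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify(digest: bytes, path: List[Tuple[bytes, bool]], expected_root: bytes) -> bool:
    """Steps 371-377: rebuild the root from the encrypted digest and the node value
    sequence with the same pairwise operation, then compare it with the stored root."""
    value = digest
    for sibling, sibling_left in path:
        value = hash_bytes(sibling + value) if sibling_left else hash_bytes(value + sibling)
    return value == expected_root


if __name__ == "__main__":
    tree = build_tree(leaf_digests(REAL_INFO))
    path = authentication_path(tree, leaf_index(REAL_INFO, "name"))
    # The terminal only sends HASH(name); the third party never needs the name itself.
    print("name verified:", verify(hash_bytes(b"Zhang San"), path, root_of(tree)))
    print("wrong name verified:", verify(hash_bytes(b"Li Si"), path, root_of(tree)))
```

The third party reveals only sibling hashes in the path, so a receiving end that relays the request learns nothing about the other fields.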
According to the exemplary embodiment, an information interaction system in which the terminal and the third party participate is built for the information verification that exists on the internet, so that information verification is performed at the third party for the various network access behaviors initiated by the terminal. The receiving end of the network access behavior therefore does not store key information such as the user's private and sensitive information, the user need not worry that information will leak from unsafe websites when accessing the network, and the security of network access is ensured.
For the network access of the terminal, the information verification required by the network access is completed by a third party, smooth network access is obtained, and various kinds of registration are not required to be repeatedly performed, so that the information of the terminal does not need to be disclosed to various accessed sites, and the network access of the terminal and the safety of the information are ensured.
For the various sites that the terminal can access, namely the receiving ends of network access behavior, no support for implementing information verification is required, since the required information verification can be completed by the third party alone. This achieves the aim of verifying information, confirms that the terminal currently requesting access corresponds to a normal user, keeps the site implementation lightweight, and makes setting up a site in the network simpler.
The following is an implementation of a third party of the present invention, and the implementation of the following method embodiments provides a third party capable of implementing information verification for a terminal, thereby implementing information verification for various terminals and receiving terminals of various network access behaviors.
FIG. 11 is a flow chart illustrating a method of implementing information verification in accordance with an exemplary embodiment. In an exemplary embodiment, as shown in fig. 11, the method for implementing information verification includes at least the following steps.
In step 810, an encrypted digest sent by the terminal for information authentication is received, and the terminal initiates information authentication for performing network access behavior, where the encrypted digest corresponds to a part of key information that the terminal needs to authenticate.
In step 830, the authentication path corresponding to the verification information is obtained by tracing from the leaf node to the root node in the corresponding tree structure, and the value corresponding to the leaf node in the corresponding tree structure is matched with all the key information that the terminal needs to verify.
In step 850, the terminal information is verified for the encrypted digest through the authentication path, and the network access behavior is executed by the corresponding receiving end when the terminal information verification passes.
The terminal requests to perform the encrypted abstract sent by the information verification, the third party searches the encrypted abstract on the corresponding tree structure after receiving the encrypted abstract, and if the encrypted abstract received by the third party also exists in the tree structure, the information verification requested by the terminal is passed.
Fast retrieval in the tree structure relies on the way the nodes of the tree are arranged: the path between the leaf node and the root node is searched, and the resulting authentication path is used to verify the terminal's information against the encrypted digest.
The third party is independent of the terminal and the receiving end of the network access behavior, and a group of key information held by the user or the terminal is stored in the third party in a tree structure mode, namely, each group of key information corresponds to one tree structure, so that the third party can realize the required information verification for the terminal.
In an exemplary embodiment, the third party, as an independent authentication mechanism, collects each set of key information in a reliable offline manner, constructs a tree structure for each set of collected key information, and stores the tree structure in association with the corresponding public key in a central architecture or a distributed architecture.
For example, identity information is collected from all users in an off-line manner, and all the identity information collected from one user constitutes one set of key information. Tree structures are then constructed and stored for all users on this basis.
Therefore, the realized third party can realize the information verification required by each user, and a safer and faster information verification mode is provided for the network access of the users.
In one exemplary embodiment, step 810 includes: and receiving an information verification request sent by a receiving end corresponding to the network access behavior according to the information verification requested by the terminal triggering the network access behavior, wherein the information verification request carries an encrypted abstract of verified information content and a public key corresponding to a private key held by the terminal.
The receiving end of the network access behavior, such as various sites, has an information verification requirement for the terminal, for example, to verify whether the user initiating the access is a real user or is only a machine, so as to shield false access initiated by the machine.
At this time, the information verification of the terminal is realized by a third party. And the third party receives an information verification request sent by the network access behavior receiving end, wherein the information verification request is used for initiating information verification of a corresponding terminal, and the verified information content corresponds to the encrypted abstract carried by the information verification request.
The encrypted digest corresponding to the verified information content is transmitted to the third party together with the public key corresponding to the private key held by the terminal, so that the third party can retrieve the corresponding data.
In another exemplary embodiment, the method for implementing information verification further comprises at least the following steps before step 830.
And positioning the tree structure according to the public key carried in the information verification request to obtain the tree structure corresponding to the verified information.
The tree structures are used for storing the encrypted abstracts corresponding to the information, and each tree structure is stored in association with a unique corresponding public key.
It should be understood that a tree structure is unique to a set of key information, and that information requested to be verified, as part of this set of key information, will also correspond to a tree structure.
The tree structure is at least used for storing the encrypted abstract corresponding to each piece of key information in a group of key information. That is to say, the numerical value corresponding to the leaf node on the tree structure is the encrypted digest corresponding to the key information, which enables the implemented third party to perform information verification without storing real information and without the risk of information leakage.
Of course, each key information may be stored on the leaf node, and at this time, the corresponding encrypted digest is stored in the child node of the previous level.
FIG. 12 is a flow chart illustrating a method of implementing information verification in accordance with another exemplary embodiment. In another exemplary embodiment, the information verification request carries a timestamp attached by the terminal for the encrypted digest, as shown in fig. 12, before step 830 is executed, the method for implementing information verification further includes the following steps.
In step 910, it is determined whether the information verification requested by the terminal is overtime according to the timestamp carried in the information verification request.
In step 930, if the information authentication requested by the terminal is over time, the information authentication requested by the terminal is rejected and the information authentication of the terminal fails.
The information verification request carries a timestamp, and the third party is used for verifying the validity of the received information verification request so as to prevent the encrypted digest carried by the information verification request from being reused, namely, shielding the replay attack.
And the third party verifies whether the information verification request is overtime according to the timestamp, and if the information verification request is overtime, the third party does not verify, so that the stolen encrypted digest cannot be reused.
It should be noted that the timestamp carried by the information verification request is appended to the digital signature when the terminal signs the requested information verification.
Specifically, for the requested information verification the terminal generates an encrypted digest corresponding to part of the key information, for example one piece of key information, and obtains a digital signature by signing the encrypted digest together with the current timestamp.
Correspondingly, the time stamp is received by the third party along with the encrypted digest, so that the third party can firstly use the received time stamp to verify whether the information verification requested by the terminal is overtime.
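Steps 910 and 930 as an added example, not code from the patent: the third party checks the carried timestamp against its own clock with an assumed 60-second validity window and a 5-second tolerance for future-dated clocks. The cache of already-seen requests goes beyond the patent text (a timestamp window alone still allows a byte-identical request to be resubmitted inside the window) and is an assumption of this example.

```python
from typing import Dict, Tuple

MAX_AGE_SECONDS = 60.0       # assumed validity window; the patent fixes no value
MAX_FUTURE_SKEW_SECONDS = 5.0  # assumed tolerance for clock differences


def check_timestamp(timestamp: float, now: float) -> Tuple[bool, str]:
    """Step 910: decide whether the requested verification has timed out.
    A timestamp well in the future is rejected too, since the terminal's
    clock cannot legitimately run that far ahead of the third party's."""
    if timestamp > now + MAX_FUTURE_SKEW_SECONDS:
        return False, "timestamp in the future"
    if now - timestamp > MAX_AGE_SECONDS:
        return False, "request timed out"
    return True, "ok"


class ReplayGuard:
    """Step 930 plus a seen-request cache (assumption, not in the patent):
    remember (public key, digest, timestamp) until the timestamp would fail
    check_timestamp anyway, so a stolen digest cannot be resubmitted
    even inside the validity window."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[bytes, bytes, float], float] = {}

    def accept(self, public_key: bytes, digest: bytes,
               timestamp: float, now: float) -> Tuple[bool, str]:
        fresh, reason = check_timestamp(timestamp, now)
        if not fresh:
            return False, reason
        # Forget entries that have aged out; they can no longer pass the check above.
        self._seen = {k: ts for k, ts in self._seen.items()
                      if now - ts <= MAX_AGE_SECONDS}
        key = (public_key, digest, timestamp)
        if key in self._seen:
            return False, "replayed request"
        self._seen[key] = timestamp
        return True, "ok"


if __name__ == "__main__":
    # Constructed values: a public key and HASH(name) stand-in, and a fixed clock.
    guard = ReplayGuard()
    print(guard.accept(b"pk-example", b"digest-of-name", 1000.0, now=1010.0))
    print(guard.accept(b"pk-example", b"digest-of-name", 1000.0, now=1011.0))
    print(guard.accept(b"pk-example", b"digest-of-name", 900.0, now=1010.0))
```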
Fig. 13 is a flowchart illustrating a description of step 850 according to a corresponding embodiment of fig. 11. This step 850, in one exemplary embodiment, as shown in FIG. 13, includes at least the following steps.
In step 851, a sequence of node values tracing up to the root node along the leaf nodes of the tree structure is obtained from the authentication path.
In step 853, a tree structure corresponding to the encrypted digest is constructed according to the node value sequence, and the value corresponding to the root node of the encrypted digest on the constructed tree structure is obtained.
In step 855, it is verified whether the value corresponding to the root node of the encrypted digest on the constructed tree structure is identical to the node value corresponding to the root node in the node value sequence.
In step 857, if the value corresponding to the encrypted digest is consistent with the node value corresponding to the root node, it is verified that the information of the terminal is correctly present in all the key information matched with the tree structure, and the information of the terminal is verified to be passed.
According to the exemplary embodiment, the third party is constructed in the network, and the third party can support the information verification required by the respective terminal and various network access behaviors, so that a new way is added for the information verification performed by the terminal, and the flexibility and the safety of the information verification are enhanced.
Taking information verification required by a website as an example, the method for realizing the information verification is described in combination with a specific scene. The information verification required by the website is to verify whether a user currently accessing the website is a real user, and only allow the real user to access the website.
At this time, for the terminal, the user referred to is the user currently logged in, and in short, the user referred to is the user corresponding to the terminal. The access initiated by the user to the website is executed by the terminal, so the information verification performed on the user is performed on the user corresponding to the terminal.
FIG. 14 is a simplified schematic diagram of an information validation implementation architecture, shown in accordance with an exemplary embodiment. The information verification implementation architecture comprises a third party 1010, a network access behavior receiving terminal 1030 for performing information verification by means of the third party 1010, and a terminal 1050 for triggering network access behavior.
The website that needs to perform information verification in this scenario is one of the network access behavior receiving terminals 1030, i.e., the Web server 1031 indicated in fig. 14.
After the user corresponding to the terminal 1050 triggers a network access behavior to the Web server 1031 through the terminal 1050, the Web server 1031 requests the third party 1010 to perform information verification on the user.
The third party 1010 stores the real information corresponding to each user, that is, at the third party 1010, the real information corresponding to each user uniquely corresponds to a tree structure, so as to search whether the information requested to be verified exists correctly or not in the tree structure.
For the user, the accessed Web server 1031 may be a small site that is not used every day, so the third party 1010 is used to complete the information verification, allowing the triggered network access behavior to proceed without leaving the user's real information on the Web server 1031.
FIG. 15 is a simplified schematic diagram illustrating an information validation implementation architecture in accordance with another illustrative embodiment. In the information verification implementation architecture, as shown in fig. 15, a third party will be composed of multiple parties to form an information verification service network 1110, a receiving end 1030 of a network access behavior will be connected to one node 1111 of the information verification service network through access to the information verification service network, and then information verification required by a terminal is completed through a tree structure stored on a block chain where the node 1111 is located.
Each node 1111 stores the real information of all users through the block chain, and the real information of each user is still stored as a tree structure, each tree structure existing on a block. The tree structures stored in the block chain are the same at every node 1111.
It should be understood that any node 1111 can collect the real information of the user in an offline manner, and for the real information collected by a user, an encryption digest is generated for the real information corresponding to each field, and so on, to obtain the encryption digest corresponding to all the real information collected by the user.
Each encrypted digest is used as a value corresponding to a leaf child node, so as to perform a hierarchical operation to construct a tree structure, such as a Merkle tree. A tree structure uniquely corresponding to each user having performed the real information collection is obtained at this node 1111.
At this time, this node 1111 will perform point-to-point transmission to other nodes in the information verification service network to achieve synchronization of the constructed tree structure.
At this time, the Web server 1031 connects any node 1111 to enable authentication of information currently requested.
Thus, it can be seen that the verification of information is performed by providing only the encrypted digest, not the plaintext, and only corresponding to a part of the key information, so that the privacy can be effectively protected.
As will be described in further detail, whether the third party is the architecture shown in fig. 14 or the distributed architecture shown in fig. 15, the storage of the actual information therein is substantially the same.
Fig. 16 is a schematic diagram of data structures respectively corresponding to the third party, the receiving end, and the terminal for implementing information interaction therebetween according to an exemplary embodiment. The description is made herein in connection with a process in which a terminal requests information verification.
The information verification performed at the terminal generates a private key and a corresponding public key, where the private key is to be held by the terminal, and the public key is provided to a receiving end of the network access behavior, such as an organization 1330 shown in fig. 16 and a third party, i.e., a third party organization 1350 shown in fig. 16.
Before the terminal accesses the content distributed by the organization 1330, the user authentication, i.e., the information authentication process mentioned above, needs to be performed to allow access after the user is authenticated as a real user; on the contrary, if the authentication fails, the user who initiates the access is considered as a false user, i.e. a machine, and the access of the user is rejected.
Based on this, in the user authentication performed on the terminal, as shown in the data structure in the terminal shown in fig. 16, the information for performing the user authentication is a name, that is, the content corresponding to the name field in the real information corresponding to the user.
The terminal generates an encryption summary for the information content corresponding to the name field in the real information of the terminal, and executes a signature algorithm to the encryption summary HASH (name) and a time stamp by using a Private Key, namely a Private Key to generate a digital signature, wherein the time stamp is correspondingly obtained when the encryption summary HASH (name) is generated.
The terminal sends the generated encrypted digest HASH (name), digital signature Sign, and Public Key to the organization 1330 to request authentication of the user. Since the cryptographic digest, HASH (name), corresponds to the user's name, the verification currently requested is to verify that the user's real name is present and correct.
After receiving the encrypted digest HASH (name), the digital signature Sign, and the Public Key sent by the terminal, the organization 1330 first decrypts the digital signature Sign using the Public Key to obtain a string of characters and a timestamp, then compares whether the string of characters is consistent with the encrypted digest HASH (name), if so, checks the string of characters, and if not, indicates that the encrypted digest HASH (name) is tampered.
After the verification passes, the organization 1330 sends the encrypted digest HASH (name), the timestamp, and the Public Key to the third-party authority 1350, requesting the third-party authority 1350 to authenticate the user.
The third party organization 1350 first verifies the timestamp if it is time out, and if so, rejects the authentication for the user, which results in the authentication failure of the user, and returns the result of the authentication failure to the organization 1330.
If it has not timed out, then, as shown in FIG. 16 for the data structures in the third party authority 1350, the third party authority 1350 looks up the tree structures according to the Public Key sent by the organization 1330: it compares that Public Key with the Public Key associated with each tree structure and obtains the tree structure associated with it, i.e., the Merkle tree 1351 shown in the third party authority 1350.
Merkle tree 1351 is stored in association with Public Key. Specifically, the Public Key is stored in association with a node value, i.e., a Root hash, on the Root node 1400 in the Merkle tree 1351.
As shown in the Merkle tree 1351, the information content corresponding to each field in all the real information of the user is stored in each leaf node. For example, the leaf node 1401 stores the information content corresponding to the name field; the leaf node 1402 stores the information content corresponding to the sex field; the leaf node 1403 stores the information content corresponding to the mobile field; the leaf node 1405 stores the information content corresponding to the address field.
Therefore, the information content stored on each leaf node is hashed, and the resulting hash value is stored in the node one level above that leaf node. For example, the child node 1501 stores HASH (name), that is, the hash value of the information content corresponding to the name field; the child node 1502 stores HASH (sex), the hash value of the information content corresponding to the sex field; the child node 1503 stores HASH (mobile), the hash value of the information content corresponding to the mobile field; and the child node 1505 stores HASH (address), the hash value of the information content corresponding to the address field.
By analogy, every two of the child nodes are hashed upwards until the root node.
Third party organization 1350 constructs Merkle tree 1351 for each user's real information store and stores it in association with that user's public key.
Of course, it should be noted that the Merkle tree 1351 constructed for the real information of each user may also directly store the hash value of the information content corresponding to each field in the leaf node without storing the corresponding information content, so that the verification of the real information content can be realized without storing the real information content, the security is high, and there is no risk that the information is leaked and tampered.
The third party organization 1350 verifies the encrypted digest by searching the obtained Merkle tree 1351, and if the encrypted digest exists and is correct on the Merkle tree 1351, returns a result of passing the verification to the organization 1330, and at this time, the user can realize the triggered network access on the terminal.
In this information interaction, it can be seen that the organization 1330 cannot learn the true information of the user: the information the user provides on the terminal for authentication is only part of the true information, and the encrypted digest is generated on the terminal itself, so there is no risk or possibility of information leakage for the terminal, and identity misuse is avoided.
Therefore, only part of real information is provided in the information verification process, so that all real information is verified, the verification accuracy is improved, the privacy is protected, and the information exposure is avoided.
The following is an embodiment of the apparatus of the present invention, which can be used to execute the above-mentioned embodiment of the method for implementing information verification of the present invention. For details that are not disclosed in the embodiments of the apparatus of the present invention, please refer to the embodiments of the method for implementing information verification of the present invention.
FIG. 17 is a block diagram of a system implementing information verification in accordance with an illustrative embodiment. In an exemplary embodiment, the system for implementing information verification is deployed in a terminal and a third party performing information verification on the terminal, as shown in fig. 17, the system includes but is not limited to: a verification initiation module 1710, a request verification module 1730, a path search module 1750, and a cryptographic digest verification module 1770.
A verification initiating module 1710, configured to initiate information verification on a network access behavior of a terminal, to obtain an encrypted digest of verified information content, where the information is part of key information that needs to be verified by the terminal;
a request verification module 1730, configured to request, for the network access behavior, a third party to perform information verification on the terminal through the encrypted digest;
a path search module 1750, configured to perform information verification according to the terminal request by a third party, trace a leaf node to a root node in a corresponding tree structure to obtain an authentication path corresponding to the information verification, where values corresponding to the leaf nodes in the corresponding tree structure are matched with all key information to be verified by the terminal;
and a cryptographic digest verification module 1770, configured to verify, at the third party, that the information of the terminal is correctly present in all the key information matched with the tree structure for the cryptographic digest through the authentication path.
Fig. 18 is a block diagram illustrating a description of a verification initiation module according to the corresponding embodiment of fig. 17. In an exemplary embodiment, the verification initiation module 1710, as shown in fig. 18, includes, but is not limited to: an instruction receiving unit 1711, and an encryption digest generating unit 1713.
The instruction receiving unit 1711 is configured to receive an information verification instruction of a network access behavior triggered by the terminal;
an encrypted digest generating unit 1713, configured to generate an encrypted digest of the corresponding information content according to the information that the information verification instruction indicates to verify.
FIG. 19 is a block diagram illustrating a description of a request validation module according to the embodiment shown in FIG. 18. In an exemplary embodiment, the request verification module 1730, as shown in fig. 19, includes but is not limited to: a signature unit 1731, a request initiation unit 1733, and a third party request unit 1735.
A signature unit 1731, configured at the terminal, for performing a signature algorithm on the encrypted digest to obtain a corresponding digital signature;
a request initiating unit 1733, configured at the terminal, for requesting a receiving end of the network access behavior to verify the digital signature through the digital signature and the encrypted digest;
a third party requesting unit 1735, configured at the receiving end of the network access behavior, for requesting, if the digital signature verification passes, the third party to perform information verification on the terminal through the encrypted digest.
In one exemplary embodiment, the third party requesting unit is configured to perform:
acquiring the encrypted digest corresponding to the information of the terminal to be verified, and the public key corresponding to the private key held by the terminal;
and initiating, to the third party, an information verification request for the information verification performed by the terminal according to the encrypted digest and the public key, where the information verification request carries the encrypted digest and the public key.
In an exemplary embodiment, the information verification request carries a timestamp attached by the terminal for the encrypted digest, and the system for implementing information verification further comprises a timeout verification module.
The timeout verification module is configured at the third party and is used to judge, according to the timestamp carried in the information verification request, whether the information verification requested by the terminal has timed out;
and if the information verification requested by the terminal has timed out, the timeout verification module rejects the information verification requested by the terminal.
In an exemplary embodiment, the request initiation unit 1733 is configured to perform:
acquiring a public key corresponding to the held private key;
and sending the public key, the digital signature and the encrypted digest to the receiving end of the network access behavior, so as to request the receiving end to verify the digital signature against the encrypted digest using the public key.
Fig. 20 is a block diagram illustrating a path search module configured by a third party according to the corresponding embodiment of fig. 17. In an exemplary embodiment, as shown in FIG. 20, the path search module 1750 includes, but is not limited to: a public key acquisition unit 1751, a tree lookup unit 1753, and a path search unit 1755.
A public key obtaining unit 1751, configured to obtain, from the information verification requested by the terminal, the public key corresponding to the private key held by the terminal;
a tree searching unit 1753, configured to locate the corresponding tree structure according to the obtained public key, where the third party stores each public key in association with its tree structure;
a path search unit 1755, configured to retrieve, in the tree structure, the leaf node corresponding to the information requested to be verified, and to trace back from that leaf node to the root node to obtain an authentication path formed by a plurality of nodes.
Fig. 21 is a block diagram illustrating an encrypted digest verification module according to the embodiment corresponding to fig. 17. In an exemplary embodiment, as shown in fig. 21, the encrypted digest verification module 1770 includes, but is not limited to: a sequence acquisition unit 1771, a reconstruction unit 1773 and a comparison verification unit 1775.
A sequence obtaining unit 1771, configured to obtain, from the authentication path, the sequence of node values traced from the leaf node of the tree structure up to the root node;
a reconstructing unit 1773, configured to construct, from the encrypted digest and the node value sequence, the tree structure corresponding to the encrypted digest, and so obtain the value at the root node of the constructed tree structure;
a comparison verification unit 1775, configured to verify whether the value at the root node of the tree structure constructed for the encrypted digest is consistent with the node value corresponding to the root node in the node value sequence;
if the value obtained for the encrypted digest is identical to the node value corresponding to the root node, the comparison verification unit 1775 verifies that the information of the terminal is correct.
FIG. 22 is a block diagram illustrating an apparatus for implementing information verification according to an exemplary embodiment. In an exemplary embodiment, the apparatus for implementing information verification, as shown in fig. 22, includes, but is not limited to: an encrypted digest receiving module 1810, an authentication path acquisition module 1830, and a correctness verification module 1850.
An encrypted digest receiving module 1810, configured to receive the encrypted digest sent by a terminal requesting information verification, where the terminal initiates the information verification in order to execute a network access behavior, and the encrypted digest corresponds to part of the key information that the terminal needs to verify;
an authentication path obtaining module 1830, configured to trace from a leaf node to the root node in the corresponding tree structure and obtain the authentication path corresponding to the information to be verified, where the values corresponding to the leaf nodes of the corresponding tree structure match all the key information that the terminal needs to verify;
a correctness verification module 1850, configured to verify, through the authentication path, that the information of the terminal corresponding to the encrypted digest is correctly present in all the key information matched by the tree structure, where the network access behavior is performed by the corresponding receiving end when the information verification of the terminal passes.
In an exemplary embodiment, the encrypted digest receiving module 1810 is further configured to receive an information verification request sent by the receiving end corresponding to the network access behavior, according to the information verification requested by the terminal in order to trigger the network access behavior, where the information verification request carries the encrypted digest of the verified information content and the public key corresponding to the private key held by the terminal.
In another exemplary embodiment, the apparatus for implementing information verification further comprises a public key locating module. The public key locating module is used to locate a tree structure according to the public key carried in the information verification request, obtaining the tree structure corresponding to the information requested to be verified;
the tree structures store the encrypted digests corresponding to the information, and each tree structure is stored in association with a unique corresponding public key.
In another exemplary embodiment, the apparatus for implementing information verification further comprises a timestamp determination module. The timestamp determination module is used to judge, according to the timestamp carried in the information verification request, whether the information verification requested by the terminal has timed out;
if the information verification requested by the terminal has timed out, the timestamp determination module rejects the information verification requested by the terminal, and the information verification of the terminal fails.
FIG. 23 is a block diagram illustrating a correctness verification module according to another exemplary embodiment. In an exemplary embodiment, the correctness verification module 1850, as shown in FIG. 23, includes, but is not limited to: a node tracing unit 1851, a tree reconstructing unit 1853, and a root node comparing unit 1855.
A node tracing unit 1851, configured to obtain, from the authentication path, the sequence of node values traced from the leaf node of the tree structure up to the root node;
a tree reconstructing unit 1853, configured to construct, from the encrypted digest and the node value sequence, the tree structure corresponding to the encrypted digest, and so obtain the value at the root node of the constructed tree structure;
a root node comparing unit 1855, configured to verify whether the value at the root node of the tree structure constructed for the encrypted digest is identical to the node value corresponding to the root node in the node value sequence;
if the value obtained for the encrypted digest is consistent with the node value corresponding to the root node, the root node comparing unit 1855 verifies that the information of the terminal is correctly present in all the key information matched by the tree structure, and the information verification of the terminal passes.
Optionally, the present invention further provides a computer system, which can be used in the foregoing implementation environment to execute all or part of the steps of any one of the methods described above. The computer system includes:
a processor;
a memory for storing processor-executable instructions;
where the computer-readable instructions, when executed by the processor, implement the foregoing method.
The specific manner in which the processor of the apparatus in this embodiment performs the operations has been described in detail in the foregoing method embodiments, and will not be elaborated upon here.
In an exemplary embodiment, a storage medium is also provided, which is a computer-readable storage medium that includes instructions and may be a transitory or a non-transitory computer-readable storage medium. The storage medium includes, for example, a memory holding instructions executable by the processor of the apparatus to perform the method described above.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (11)

1. A method for implementing information verification, used to perform information verification on the network access behavior of a terminal, the method comprising:
a terminal acquires a public key corresponding to a private key held by the terminal;
the terminal sends the public key, the encrypted digest of the verified information and the digital signature of the encrypted digest to the receiving end of the network access behavior, so as to request the receiving end to verify the digital signature against the encrypted digest using the public key, wherein the verified information is part of the key information required to be verified by the terminal;
if the verification of the digital signature passes, the receiving end of the network access behavior initiates an information verification request to a third party;
the third party obtains, according to the information verification request, an authentication path corresponding to the information from the leaf node to the root node in the corresponding tree structure, wherein the values corresponding to the leaf nodes of the corresponding tree structure match all the key information required to be verified by the terminal;
and verifying, through the authentication path, that the information of the terminal corresponding to the encrypted digest is correctly present in all the key information matched by the tree structure.
2. The method of claim 1, wherein before the terminal sends the public key, the encrypted digest of the verified information, and the digital signature of the encrypted digest to the receiving end of the network access behavior, the method further comprises:
the terminal obtains the encrypted digest of the verified information;
and the terminal executes a signature algorithm on the encrypted digest to obtain the corresponding digital signature.
3. The method of claim 2, wherein the terminal obtaining the encrypted digest of the verified information comprises:
the terminal receives an information verification instruction for a network access behavior triggered by the terminal;
and generates the encrypted digest of the information according to the information that the information verification instruction indicates is to be verified.
4. The method of claim 1, wherein the receiving end of the network access behavior initiating an information verification request to a third party comprises:
the receiving end of the network access behavior initiating, to the third party, an information verification request for the information verification performed by the terminal according to the encrypted digest and the public key, wherein the information verification request carries the encrypted digest and the public key.
5. The method according to claim 1, wherein the information verification request carries a timestamp attached by a terminal to the encrypted digest, and wherein before the third party obtains an authentication path for verifying the information from a leaf node to a root node in a corresponding tree structure according to the information verification request, the method further comprises:
the third party judges, according to the timestamp carried in the information verification request, whether the information verification requested by the terminal has timed out;
and if the information verification requested by the terminal has timed out, rejecting the information verification requested by the terminal.
6. The method according to claim 1, wherein verifying, through the authentication path, that the information of the terminal corresponding to the encrypted digest is correctly present in all the key information matched by the tree structure comprises:
obtaining, from the authentication path, the sequence of node values traced from the leaf node of the tree structure up to the root node;
constructing, from the encrypted digest and the node value sequence, the tree structure corresponding to the encrypted digest, and obtaining the value at the root node of the constructed tree structure;
verifying whether the value at the root node of the tree structure constructed for the encrypted digest is consistent with the node value corresponding to the root node in the node value sequence;
and if the value obtained for the encrypted digest is consistent with the node value corresponding to the root node, verifying that the information of the terminal is correct.
7. A computer system, the computer system comprising:
a processor; and
a memory having computer readable instructions stored thereon which, when executed by the processor, implement the method of any of claims 1 to 6.
8. A computer readable storage medium having computer readable instructions stored thereon which, when executed by a processor, implement the method of any one of claims 1 to 6.
9. An apparatus for implementing information verification, configured to perform information verification on the network access behavior of a terminal, the apparatus comprising:
an acquisition unit configured to acquire a public key corresponding to a private key held by the terminal;
a request unit configured to: send the public key, the encrypted digest of the verified information and the digital signature of the encrypted digest to the receiving end of the network access behavior, so as to request the receiving end to verify the digital signature against the encrypted digest using the public key, wherein the verified information is part of the key information required to be verified by the terminal; if the verification of the digital signature passes, the receiving end of the network access behavior initiates an information verification request to a third party; the third party obtains, according to the information verification request, an authentication path corresponding to the information from the leaf node to the root node in the corresponding tree structure, wherein the values corresponding to the leaf nodes of the corresponding tree structure match all the key information required to be verified by the terminal; and it is verified, through the authentication path, that the information of the terminal corresponding to the encrypted digest is correctly present in all the key information matched by the tree structure.
10. The apparatus of claim 9, wherein the acquisition unit is further configured to:
obtain the encrypted digest of the verified information;
and execute a signature algorithm on the encrypted digest to obtain the corresponding digital signature.
11. The apparatus of claim 10, wherein the acquisition unit is configured to obtain the encrypted digest of the verified information by:
receiving an information verification instruction for the network access behavior triggered by the terminal;
and generating the encrypted digest of the information according to the information that the information verification instruction indicates is to be verified.
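The verification flow of figs. 17 to 23 and of claims 1, 2, 5 and 6, carried through in Python as an added example (this is not code from the patent or from Tencent): the third party keeps a hash tree over all of the terminal's key information, the terminal sends the signed digest of one item, the receiving end checks the signature with the terminal's public key and forwards the request, and the third party locates the tree by public key, applies the timestamp check, extracts the authentication path and compares the reconstructed root with the stored one. The hash-based Lamport signature (the patent names no signature algorithm), the SHA-256 tree with 0x00/0x01 leaf and node prefixes, the MAX_AGE value and all sample data are assumptions of this example.

```python
import hashlib
import os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Signature algorithm: a hash-based Lamport one-time signature stands in for the
# scheme the patent leaves unspecified; each key pair may sign only once.
def lamport_keygen() -> tuple:
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(sha256(a), sha256(b)) for a, b in sk]  # (private key, public key)

def lamport_sign(sk: list, digest: bytes) -> list:
    bits = int.from_bytes(sha256(digest), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk: list, digest: bytes, sig: list) -> bool:
    bits = int.from_bytes(sha256(digest), "big")
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

# Tree structure kept by the third party over all of the terminal's key information.
def leaf_hash(info: bytes) -> bytes:  # the "encrypted digest" of one item
    return sha256(b"\x00" + info)

def build_levels(leaves: list) -> list:
    # Returns [leaf level, ..., root level]; an odd level repeats its last node.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([sha256(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def authentication_path(levels: list, index: int) -> list:
    # Sibling values from the leaf up to the root: the patent's node value sequence.
    path = []
    for level in levels[:-1]:
        level = level + ([level[-1]] if len(level) % 2 else [])
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))  # (value, sibling is on the left)
        index //= 2
    return path

def root_from_path(digest: bytes, path: list) -> bytes:
    # Rebuilds the root from the terminal's digest plus the path (reconstruction unit).
    node = digest
    for sibling, sibling_is_left in path:
        node = sha256(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node

class ThirdParty:
    MAX_AGE = 300  # seconds a terminal-attached timestamp stays valid (assumed value)

    def __init__(self):
        self.trees = {}  # public key -> (levels, {leaf digest: leaf index})

    def register(self, pk: list, all_key_info: list) -> None:
        leaves = [leaf_hash(x) for x in all_key_info]
        self.trees[tuple(pk)] = (build_levels(leaves), {d: i for i, d in enumerate(leaves)})

    def verify(self, request: dict, now: float) -> tuple:
        if now - request["timestamp"] > self.MAX_AGE:  # claim 5: reject before searching
            return False, "timeout"
        tree = self.trees.get(tuple(request["public_key"]))  # locate the tree by public key
        if tree is None:
            return False, "unknown public key"
        levels, index_of = tree
        i = index_of.get(request["digest"])
        if i is None:
            return False, "digest not in tree"
        path = authentication_path(levels, i)  # leaf -> root (path search unit)
        return root_from_path(request["digest"], path) == levels[-1][0], "ok"

def terminal_message(sk: list, pk: list, info: bytes, now: float) -> dict:
    # What the terminal sends (claims 1 to 3); the signature covers only the digest, as in claim 2.
    digest = leaf_hash(info)
    return {"public_key": pk, "digest": digest, "timestamp": now,
            "signature": lamport_sign(sk, digest)}

def receiving_end(message: dict, third_party: ThirdParty, now: float) -> tuple:
    # Verifies the signature with the terminal's public key, then asks the third party.
    if not lamport_verify(message["public_key"], message["digest"], message["signature"]):
        return False, "bad signature"
    request = {k: message[k] for k in ("public_key", "digest", "timestamp")}
    return third_party.verify(request, now)
```

Because the timestamp sits outside the signature, the third party's timeout check only bounds replay of the forwarded request; it does not detect a timestamp altered in transit.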
CN201910672000.9A 2018-05-31 2018-05-31 Method, device, computer system and storage medium for realizing information verification Active CN110460588B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910672000.9A CN110460588B (en) 2018-05-31 2018-05-31 Method, device, computer system and storage medium for realizing information verification

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810553455.4A CN108848079B (en) 2018-05-31 2018-05-31 Method, system, device and computer system for realizing information verification
CN201910672000.9A CN110460588B (en) 2018-05-31 2018-05-31 Method, device, computer system and storage medium for realizing information verification

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201810553455.4A Division CN108848079B (en) 2018-05-31 2018-05-31 Method, system, device and computer system for realizing information verification

Publications (2)

Publication Number Publication Date
CN110460588A CN110460588A (en) 2019-11-15
CN110460588B true CN110460588B (en) 2022-11-22

Family

ID=64211061

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910672000.9A Active CN110460588B (en) 2018-05-31 2018-05-31 Method, device, computer system and storage medium for realizing information verification
CN201810553455.4A Active CN108848079B (en) 2018-05-31 2018-05-31 Method, system, device and computer system for realizing information verification

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201810553455.4A Active CN108848079B (en) 2018-05-31 2018-05-31 Method, system, device and computer system for realizing information verification


Also Published As

Publication number Publication date
CN108848079B (en) 2021-05-11
CN110460588A (en) 2019-11-15
CN108848079A (en) 2018-11-20

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40016757
Country of ref document: HK
SE01 Entry into force of request for substantive examination
GR01 Patent grant