CN111770081A - Role authentication-based big data confidential file access method - Google Patents


Info

Publication number
CN111770081A
Authority
CN (China)
Prior art keywords
authentication, data, terminal, cloud platform, role
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010595109.XA
Other languages
Chinese (zh)
Other versions
CN111770081B (en)
Inventor
Not disclosed (不公告发明人)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Guangzhou Zhihong Technology Co ltd
Application filed by Guangzhou Zhihong Technology Co ltd
Priority to CN202010595109.XA
Publication of CN111770081A
Application granted
Publication of CN111770081B
Expired - Fee Related (current legal status)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
              • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
              • G06F21/604 Tools and structures for managing or administering access control systems
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention provides a role authentication-based big data confidential file access method comprising the following steps: after the target credential and identity identification data of a user are obtained, a terminal loads a role authentication key stored in advance; the terminal generates role authentication data corresponding to the target credential and a timestamp with the role authentication key; the terminal generates a corresponding confidential file from at least the target credential, the timestamp, the role authentication data and the identity identification data; the terminal displays the confidential file so that an authentication front end can identify its data; the authentication front end parses the confidential file to obtain the target credential, the timestamp, the identity identification data and the role authentication data; the authentication front end transmits the target credential, the timestamp, the identity identification data and the role authentication data to an authentication cloud platform; the authentication cloud platform loads a cloud authentication key according to the identity identification data; the authentication cloud platform verifies the role authentication data with the cloud authentication key and generates a verification result; and the authentication cloud platform transmits the verification result to the authentication front end, which displays it. The invention addresses the problems of credential file copying and forgery.

Description

Role authentication-based big data confidential file access method
Technical Field
The invention relates to the security access of a big data platform, in particular to a big data confidential file access method based on role authentication.
Background
It is known that electronic credentials, in place of paper ones, can be transmitted directly over a network to improve the efficiency of information exchange. Credential documents such as transaction authentication information displayed on a terminal held by a particular user are useful in many applications, but the validity and security of the digital credential must be guaranteed along with that convenience. Because digital credentials are easily copied and tampered with while in circulation, and are therefore impersonated and abused, users must be able to verify the validity and security of a digital credential.
Therefore, how to prevent a credential document from being copied, and how to identify the true identity of its holder, is an urgent problem to be solved.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a role authentication-based big data confidential file access method, which comprises the following steps:
after acquiring target credentials and identity identification data of a user, loading a role authentication key stored in advance by a terminal;
the terminal generates role authentication data corresponding to the target credential and the timestamp through the role authentication key;
the terminal generates a corresponding confidential file at least according to the target credential, the timestamp, the role authentication data and the identity identification data;
the terminal displays the confidential document so that the authentication front end can identify the confidential document data;
the authentication front end parses the confidential file to obtain the target credential, the timestamp, the identity identification data and the role authentication data;
the authentication front end transmits the target credential, the timestamp, the identification data and the role authentication data to an authentication cloud platform;
the authentication cloud platform loads a cloud authentication key according to the identity identification data;
the authentication cloud platform verifies the role authentication data by using the cloud authentication key and generates a verification result;
and the authentication cloud platform transmits the verification result to the authentication front end so that the authentication front end displays the verification result.
Preferably, after the authentication cloud platform transmits the verification result to the authentication front end, the method further includes:
and the authentication front end carries out corresponding transaction according to the transaction identification data contained in the confidential document.
Preferably, before the terminal loads the role authentication key stored in advance, the method further includes:
the terminal transmits the identity identification data to the authentication cloud platform, the authentication cloud platform transmits verification data to the terminal, the terminal transmits the verification data back to the authentication cloud platform, the authentication cloud platform generates the cloud authentication key after judging that the verification data is correct, stores the identity identification data and the cloud authentication key, and transmits the cloud authentication key to the terminal to serve as the role authentication key.
Preferably, before the terminal loads the role authentication key stored in advance, the method further includes:
the terminal downloads an electronic certificate containing the role authentication key and the cloud authentication key, the terminal transmits the identity identification data to the authentication cloud platform, the authentication cloud platform transmits verification data to the terminal, the terminal transmits the verification data and the electronic certificate to the authentication cloud platform, and the authentication cloud platform stores the identity identification data and the cloud authentication key after judging that the verification data is correct and verifying that the electronic certificate is legal.
Preferably, the authentication cloud platform verifies the role authentication data, specifically:
and the authentication cloud platform generates cloud authentication data corresponding to the target credential through the cloud authentication key, and compares the role authentication data with the cloud authentication data.
Preferably, before a user session needs to query the KV database in the authentication cloud platform, the user's terminal A registers with the verification center of the authentication cloud platform through the following process:
(1) The verification center generates an identifier ID for terminal A, selects two large primes p and q such that q divides p-1, and selects a base g ∈ Z_p^* (g ≠ 1) of order q;
(2) Terminal A selects PR_A as its own private key and computes its public key PU_A = g^{PR_A} mod p;
(3) Terminal A computes C_1 = E_{PS}(ID, PU_A), where E_{PS} denotes the encryption function, and transmits the result to the verification center of the authentication cloud platform;
(4) After the verification center of the authentication cloud platform receives C_1, it decrypts C_1 with its private key SK_S and stores the value (ID, PU_A) in the KV database of the authentication cloud platform S under that ID.
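The following Python example, added for this page and not taken from the patent, walks registration steps (1) to (4) end to end. The patent describes E_PS only as an encryption function; the example realises it, as an assumption, with an ElGamal-style key agreement in the same order-q group, a hashed keystream and an HMAC tag, so that the platform detects a modified C_1 instead of storing garbage. The toy parameter sizes, the ID format, and the subgroup-membership check on PU_A before it is written to the KV database are also the example's own additions.

```python
import hashlib
import hmac
import json
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test, used only to build the toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(q_bits: int = 64) -> tuple:
    """Step (1): primes p, q with q | p-1 and a base g != 1 of order q in Z_p^*.
    Sizes are toy-sized so the example runs quickly; deployments use standard groups."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for k in range(2, 4000, 2):              # p = k*q + 1 must be odd, so k is even
            p = k * q + 1
            if is_probable_prime(p):
                break
        else:
            continue
        while True:                              # h^((p-1)/q) has order q unless it equals 1
            g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
            if g != 1:
                return p, q, g

def keypair(p: int, q: int, g: int) -> tuple:
    """Step (2) for terminal A (the platform S uses the same construction):
    private exponent in [1, q-1], public value g^private mod p."""
    private = secrets.randbelow(q - 1) + 1
    return private, pow(g, private, p)

def _derive_keys(shared: int) -> tuple:
    """Hash the agreed group element into an encryption key and a MAC key."""
    seed = hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8, "big")).digest()
    return hashlib.sha256(seed + b"enc").digest(), hashlib.sha256(seed + b"mac").digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from SHA-256, XORed over the data."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_to_platform(p: int, q: int, g: int, pk_s: int, plaintext: bytes) -> tuple:
    """Assumed realisation of E_PS: key agreement with the platform's public key,
    a hashed keystream for confidentiality and an HMAC tag for integrity."""
    r = secrets.randbelow(q - 1) + 1
    enc_key, mac_key = _derive_keys(pow(pk_s, r, p))
    ephemeral, body = pow(g, r, p), _xor_stream(enc_key, plaintext)
    tag = hmac.new(mac_key, str(ephemeral).encode() + body, hashlib.sha256).digest()
    return ephemeral, body, tag

def decrypt_at_platform(p: int, sk_s: int, ciphertext: tuple) -> bytes:
    """Step (4), first half: the platform recovers the plaintext with its private key SK_S."""
    ephemeral, body, tag = ciphertext
    enc_key, mac_key = _derive_keys(pow(ephemeral, sk_s, p))
    expected = hmac.new(mac_key, str(ephemeral).encode() + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("C1 failed its integrity check")
    return _xor_stream(enc_key, body)

def register_terminal(p: int, q: int, g: int, sk_s: int, pk_s: int, kv: dict) -> tuple:
    """Steps (1) to (4) end to end; kv stands in for the platform's KV database."""
    ident = "terminal-" + secrets.token_hex(4)                         # step (1): ID for A
    pr_a, pu_a = keypair(p, q, g)                                      # step (2)
    c1 = encrypt_to_platform(p, q, g, pk_s, json.dumps([ident, pu_a]).encode())  # step (3)
    rx_id, rx_pu = json.loads(decrypt_at_platform(p, sk_s, c1))        # step (4)
    # Added check before storing: PU_A must be a non-trivial element of the order-q
    # subgroup, so that an out-of-group value cannot be registered as a public key.
    if not (1 < rx_pu < p and pow(rx_pu, q, p) == 1):
        raise ValueError("PU_A is not a valid order-q group element")
    kv[rx_id] = rx_pu
    return ident, pr_a, pu_a
```

A run is `p, q, g = generate_group(); sk_s, pk_s = keypair(p, q, g); register_terminal(p, q, g, sk_s, pk_s, {})`. The membership check is the part worth carrying into a real verification center: the page stores (ID, PU_A) as received, and a platform that later relies on PU_A should confirm it lies in the intended subgroup before trusting it.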
Compared with the prior art, the invention has the following advantages:
the invention provides a role authentication-based big data confidential file access method, which is characterized in that corresponding confidential files are generated according to various credentials, and a cloud verifies the parsed role authentication data by a cloud authentication key according to the parsed identity identification data, so that the problems of credential file copying and misuse are solved.
Drawings
Fig. 1 is a flowchart of a role authentication-based big data confidential file access method according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a role authentication-based big data confidential file access method. The invention relates to an authentication front end and an authentication cloud platform. The authentication front end is used for identifying the confidential document displayed by the terminal and analyzing the confidential document to acquire target credential, timestamp, identity identification data and role authentication data, wherein the confidential document is generated by the terminal with a role authentication key and corresponds to the target credential and the timestamp; the authentication cloud platform is connected with the authentication front end and used for loading a cloud authentication key according to the identity identification data, verifying the role authentication data by using the cloud authentication key to generate a verification result, and transmitting the verification result to the authentication front end for display.
The method for accessing the big data confidential file based on role authentication at least comprises the following steps: the terminal acquires target credentials and identity recognition data; loading a role authentication key stored in advance; generating role authentication data corresponding to the target credential and the timestamp through the role authentication key; the terminal generates a corresponding confidential file according to the target credential, the timestamp, the role authentication data and the identity identification data; the terminal displays the confidential file; the authentication front end identifies the confidential document displayed by the terminal; the authentication front end analyzes the confidential file to obtain target credentials, a timestamp, identity identification data and role authentication data; the authentication front end transmits target credentials, timestamps, identity identification data and role authentication data to the authentication cloud platform; the authentication cloud platform loads a cloud authentication key according to the identity identification data; the authentication cloud platform verifies the role authentication data by using the cloud authentication key and generates a verification result; the authentication cloud platform transmits the verification result to the authentication front end; the authentication front end displays the verification result.
According to the invention, after the terminal generates role authentication data corresponding to the target credential by using the role authentication key, a corresponding confidential document is generated according to the target credential, the timestamp, the role authentication data and the identity identification data, after the confidential document displayed by the terminal is identified by the authentication front end, the confidential document is analyzed to obtain the target credential, the timestamp, the identity identification data and the role authentication data, and after the cloud authentication key is loaded by the authentication cloud platform according to the identity identification data, the role authentication data is verified by using the cloud authentication key and a verification result is generated, so that the effects of dynamically providing the confidential document and quickly and simply authenticating are achieved.
The terminal can generate and display the confidential document, and the analyzed target credential, the timestamp, the identity identification data and the role authentication data are transmitted to the authentication cloud platform for verification after the confidential document displayed by the terminal is identified by the authentication front end, so that the verification mechanism with anti-counterfeiting, anti-copying and timeliness is provided.
Fig. 1 is a flowchart of a role authentication-based big data confidential file access method according to an embodiment of the present invention.
The target credential of the invention is data in the user terminal that needs to be verified, and may be identity data of the organisation to which the user belongs, ticket data of an electronic ticket, or transaction data of an electronic transaction. A timestamp is data that represents a time. The confidential document is data generated by a specific operation on that data, such as a two-dimensional code, a picture, and the like. The identity identification data is data that corresponds to the user, i.e. an ID established by the user in advance, such as an e-mail address, a terminal IMEI or a telephone number, but the identity identification data of the invention is not limited thereto. The role authentication data of the invention is data generated by a specific encoding operation, and may be any combination of letters, numbers and symbols. The role authentication key may be data generated by the authentication cloud platform, or may be the private key in an electronic certificate applied for by the user. Additionally, in some embodiments, the role authentication key is optionally stored in encrypted form.
The terminal comprises a reading module, an authentication data generating module, a coding module, a display module, a transmission module, an input module and an encryption and decryption module. The transmission module is connected with the authentication cloud platform, receives the verification data and the cloud authentication key transmitted by the authentication cloud platform, transmits the identity identification data and the verification data to the authentication cloud platform, and can store the cloud authentication key transmitted by the authentication cloud platform as a role authentication key in a relational database of the terminal.
The reading module is used to read the target credential, the identity identification data and the role authentication key. In some embodiments, the input module may also read the communication data of the user of the terminal. The communication data is data through which the user can be contacted, including but not limited to an e-mail address, a mobile phone number, a social account and the like. The communication data may be the same as or different from the identity identification data.
The reading module can read the target credential, the identification data, the communication data, the role authentication key and other data from the relational database of the terminal, read the target credential received by the transmission module from an external server or an application program, analyze the credential file to obtain the data, or provide a user interface to enable the user to directly input the data.
The input module may provide a user interface through which the user enters the decryption password when the role authentication key read by the reading module is encrypted. The input module may also provide a user interface when the transmission module receives the role authentication key, allowing the user to enter a password for encrypting the role authentication key.
The encryption and decryption module can decrypt the role authentication key read out by the reading module according to the input password provided by the input module and provide the decrypted role authentication key to the authentication data generation module. The encryption and decryption module can also encrypt the received role authentication key according to the input password provided by the input module, and store the encrypted role authentication key into a relational database of the terminal.
And the authentication data generation module generates role authentication data through the role authentication key. When the role authentication key is data generated by the authentication cloud platform, the authentication data generation module can use the role authentication key to calculate the target credential according to the message authentication code algorithm, and takes a code generated after calculation as the role authentication data; when the role authentication key is a private key applied by the user, the authentication data generation module can use the existing signature algorithm to calculate the target credential and take the signature generated after the calculation as the role authentication data.
In some embodiments, when the authentication data generation module generates the role authentication data by an operation with the role authentication key, the data operated on includes not only the target credential but also a timestamp indicating the current time. That is, the role authentication data may be generated by the authentication data generation module operating with the role authentication key on data that includes the target credential and the timestamp, so that the role authentication data generated by the authentication data generation module can differ each time.
The encoding module is used for generating the confidential document at least according to the target credential and the identity identification data read by the reading module, the role authentication data generated by the authentication data generation module and the time stamp used by the role authentication data generated by the authentication data generation module.
The display module is used for displaying the confidential documents generated by the operation of the encoding module, so that the confidential documents generated by the encoding module are displayed on a terminal for executing the invention.
The authentication cloud platform is used for verifying data and comprises a KV database, a transmission module, an identification module, a verification center, an optional verification data generation server, a key generation server and a certificate verification server.
The KV database is used for storing data records. Each record in the KV database contains identification data and a corresponding cloud authentication key. In some embodiments, the cloud authentication key is data generated by the key generation server, and in some embodiments, the cloud authentication key is a public key in an electronic credential applied by the user.
The transmission module is connected with the authentication front end and used for exchanging data with the authentication front end, so that the verification of the target credential is completed. The transmission module can also be connected with the terminal to exchange data with the terminal, thereby completing the registration procedure of the terminal user.
The identification module is used for loading the cloud authentication key corresponding to the identity identification data received by the transmission module after the transmission module receives the identity identification data transmitted by the authentication front end. For example, the identification module may retrieve the received identification data in the KV database and read the corresponding cloud authentication key, thereby completing the loading of the cloud authentication key.
In some embodiments, if the cloud authentication key is stored after being encrypted, the identification module may decrypt the cloud authentication key before providing it to the verification center.
The verification center verifies the role authentication data with the cloud authentication key loaded by the identification module, and generates a corresponding verification result after verification. The verification center generates cloud authentication data with the cloud authentication key and then compares the generated cloud authentication data with the received role authentication data, producing a verification result according to the comparison. The verification center must use the same algorithm that the authentication data generation module of the terminal used to generate the role authentication data. That is, if the authentication data generation module generated the role authentication data by operating on the target credential with the role authentication key according to a MAC algorithm or a signature algorithm, the verification center must operate on the target credential with the cloud authentication key according to the same algorithm to generate the cloud authentication data.
When the cloud authentication data generated by the verification center is the same as the received role authentication data, the role authentication data passes verification and the verification center generates a verification result indicating that it passed; if the cloud authentication data differs from the role authentication data, the role authentication data fails verification and the verification center generates a verification result indicating that the role authentication data did not pass.
In some embodiments, after the verification center determines that the role authentication data passes verification, it does not generate the verification result directly but further determines whether the difference between the current time and the time indicated by the received timestamp is within a predetermined time range; only if so does the verification center generate the verification result indicating that the role authentication data passes verification.
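The following Python example, added here and not part of the patent, walks the generation-and-verification flow listed in the "Disclosure of Invention" steps and detailed in the terminal and verification center descriptions above. It covers the MAC case of the authentication data generation module only (the signature case is not shown): the terminal computes the role authentication data as an HMAC-SHA256 over the target credential and timestamp, encodes the confidential document as JSON (an assumed encoding standing in for the two-dimensional code or picture), the authentication front end parses it, and the authentication cloud platform loads the cloud authentication key by identity identification data, recomputes, compares in constant time and applies the timestamp window. The identity, key, credential, clock values and the 120-second window are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed "predetermined time range" for the timestamp check (seconds).
FRESHNESS_WINDOW_SECONDS = 120

# Constructed KV database of the authentication cloud platform: identity
# identification data -> cloud authentication key. The terminal holds the same
# value as its role authentication key (the key-generation-server case).
CLOUD_KV = {"alice@example.com": bytes(range(32))}  # constructed demo key

def make_role_authentication_data(key: bytes, target_credential: str, timestamp: int) -> str:
    """Terminal side (and the matching cloud side): MAC over credential and timestamp.
    HMAC-SHA256 is the assumed message authentication code algorithm; the input is a
    JSON array so the credential and timestamp boundaries cannot be confused."""
    message = json.dumps([target_credential, timestamp], separators=(",", ":")).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def build_confidential_document(role_key: bytes, target_credential: str,
                                identity: str, timestamp: int) -> str:
    """Encoding module: the confidential document as a JSON string (assumed encoding)."""
    return json.dumps({
        "credential": target_credential,
        "timestamp": timestamp,
        "identity": identity,
        "role_auth": make_role_authentication_data(role_key, target_credential, timestamp),
    }, separators=(",", ":"))

def parse_confidential_document(document: str) -> dict:
    """Authentication front end: parse the document and reject malformed input
    before forwarding anything to the cloud platform."""
    fields = json.loads(document)
    if not isinstance(fields, dict) or set(fields) != {"credential", "timestamp", "identity", "role_auth"}:
        raise ValueError("unexpected confidential document layout")
    if not isinstance(fields["timestamp"], int):
        raise ValueError("timestamp must be an integer")
    return fields

def verify_role_authentication_data(kv: dict, fields: dict, now: int) -> str:
    """Authentication cloud platform: the identification module loads the cloud key by
    identity; the verification center recomputes the MAC, compares, then checks freshness."""
    cloud_key = kv.get(fields["identity"])
    if cloud_key is None:
        return "rejected: unknown identity"
    expected = make_role_authentication_data(cloud_key, fields["credential"], fields["timestamp"])
    if not hmac.compare_digest(expected.encode(), str(fields["role_auth"]).encode()):
        return "rejected: role authentication data does not verify"
    if abs(now - fields["timestamp"]) > FRESHNESS_WINDOW_SECONDS:
        return "rejected: timestamp outside the predetermined time range"
    return "verified"

def run_demo() -> tuple:
    """Walk the flow once and show which presentations the platform rejects."""
    now = 1_700_000_000                       # constructed clock value
    role_key = CLOUD_KV["alice@example.com"]  # terminal's stored role authentication key
    document = build_confidential_document(role_key, "ticket:A-1024", "alice@example.com", now)
    fields = parse_confidential_document(document)
    fresh = verify_role_authentication_data(CLOUD_KV, fields, now + 5)
    replayed = verify_role_authentication_data(CLOUD_KV, fields, now + 600)   # same document, later
    altered = verify_role_authentication_data(CLOUD_KV, dict(fields, credential="ticket:A-1025"), now + 5)
    unknown = verify_role_authentication_data(CLOUD_KV, dict(fields, identity="nobody@example.com"), now + 5)
    return fresh, replayed, altered, unknown

if __name__ == "__main__":
    for label, result in zip(("fresh", "replayed", "altered", "unknown"), run_demo()):
        print(f"{label:8s} -> {result}")
```

The order of the checks follows the page: the MAC is verified first and the timestamp window is applied only to data that already verified, so a stale document is reported as stale rather than as forged. Binding the timestamp into the MAC input is what makes the window meaningful; a timestamp carried outside the MAC could be rewritten freely.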
And the verification data generation server generates verification data after the transmission module receives the user data transmitted by the terminal, and stores the user data received by the transmission module and the generated verification data into the KV database as a record. The received user data comprises identification data and communication data, and the verification data generated by the verification data generation server is disposable data generated randomly and has a validity period.
The verification data generation server may also transmit the generated verification data to the terminal through the transmission module. The transmission module may choose to deliver the verification data by e-mail or by instant message according to the identity identification data or the communication data in the user data, but the invention is not limited thereto.
After the transmission module receives the identity identification data and the verification data transmitted by the terminal, it reads the stored verification data from the KV database according to the received identity identification data and compares the read verification data with the received verification data, thereby judging whether the verification data transmitted by the terminal is correct. When the read verification data is the same as the received verification data, the verification data transmitted by the terminal is correct; if they differ, the verification data transmitted by the terminal is incorrect.
And the key generation server randomly generates a cloud authentication key when judging that the verification data transmitted by the terminal is correct. The generated cloud authentication key and the received user data may also be stored in the KV database as one record. The generated cloud authentication key may also be transmitted to the terminal through the transmission module, so that the terminal uses the received cloud authentication key as the role authentication key. And the transmission module transmits the cloud authentication key according to the identity identification data stored in the KV database or the communication data stored together with the identity identification data.
The certificate verification server further judges whether the received electronic certificate is correct when the transmission module has received the identity identification data transmitted by the terminal together with the electronic certificate applied for by the user, and the verification data transmitted by the terminal has been judged correct. If the received electronic certificate is judged legal, the certificate verification server takes the public key in the received electronic certificate as the cloud authentication key and stores that public key together with the received identity identification data as one record in the KV database. Similar to the key generation server, the certificate verification server first encrypts the cloud authentication key and then stores the encrypted cloud authentication key and the encrypted identity identification data in the KV database, but the invention is not limited thereto.
The authentication front end analyzes the confidential document obtained by identification, and acquires target credentials, a timestamp, identity identification data and role authentication data after analysis. And transmitting the data such as the target credential, the timestamp, the identity identification data, the role authentication data and the like acquired by analyzing the confidential document to the authentication cloud platform for verification, and displaying a verification result transmitted back by the authentication cloud platform.
In some embodiments, the confidential document is parsed to obtain transaction identification data, and the authentication front-end performs a corresponding transaction according to the transaction identification data obtained after parsing the confidential document when a verification result generated by the authentication cloud platform indicates that the role authentication data passes the verification.
Consider an ERP system that wishes to verify the identity of an employee by the method of the invention. Employees of the ERP system complete registration on the mobile devices they use. The input module of the terminal lets the employee enter identity identification data, or employee data such as identity identification data and communication data; after the employee completes the input, the entered user data are transmitted to the authentication cloud platform through the transmission module of the terminal. In this embodiment the identity identification data is the employee's account in the ERP system, for example an email address. After the transmission module of the authentication cloud platform receives the user data transmitted by the terminal, the verification data generation server of the authentication cloud platform generates one-time verification data, temporarily stores the generated verification data together with the received user data as one record in the KV database of the authentication cloud platform, and transmits the generated verification data to the terminal through the transmission module. In the present embodiment it is assumed that the transmission module sends the verification data to the employee's electronic mailbox by e-mail. After reading the e-mail containing the verification data in the mailbox, the employee enters the verification data through the input module of the terminal, which transmits it to the authentication cloud platform. The authentication cloud platform retrieves the received identity identification data in its KV database, reads the verification data stored together with the retrieved identity identification data when a matching entry is found, and then compares the received verification data with the read verification data.
If the two are the same, the received verification data is correct and the key generation server generates a cloud authentication key; if they differ, the verification data is wrong and the authentication cloud platform performs no further processing. The key generation server stores the generated cloud authentication key together with the identity identification data received by the authentication cloud platform as one record in the KV database of the authentication cloud platform, and transmits the generated cloud authentication key to the terminal. After receiving the cloud authentication key transmitted by the authentication cloud platform, the terminal stores it as the role authentication key in the relational database of the terminal. Before the role authentication key is stored, the encryption and decryption module encrypts it with a password, so that only the encrypted role authentication key is stored in the database; the password is entered by the user of the terminal through the encryption and decryption module.
When the ERP system requires the employee to perform identity verification, the target credential and the identity identification data are read from the relational database of the terminal and the previously stored role authentication key is loaded. The target credential may be the employee's personal data, or an account of the employee that is the same as the identity identification data, and so on. Since the role authentication key is stored encrypted, the encryption and decryption module asks the employee to enter the same password that was used to encrypt it and decrypts the read role authentication key with the password the employee enters. After the terminal has acquired the target credential and the identity identification data and loaded the role authentication key, the authentication data generation module of the terminal uses the role authentication key to generate role authentication data corresponding to the target credential and the current timestamp. Assume that the authentication data generation module applies the role authentication key to the data composed of the target credential and the current timestamp to generate the one-time role authentication data. After the role authentication data has been generated, the encoding module of the terminal generates the confidential file. In this embodiment, since the role authentication data was computed over the target credential and the timestamp, the encoding module encodes the target credential and the identity identification data acquired by the reading module of the terminal, the role authentication data generated by the authentication data generation module, and the timestamp used by the authentication data generation module into the corresponding two-dimensional code image, i.e., the confidential file.
After the encoding module of the terminal generates the confidential file, the generated confidential file data is displayed, so that the confidential file is shown on the terminal.
After the terminal displays the confidential file, the authentication front end can identify the displayed confidential file data. The authentication front end parses the confidential file to obtain the target credential, the timestamp, the identity identification data and the role authentication data that the encoding module of the terminal used to generate the confidential file, and transmits the parsed data to the authentication cloud platform. The identification module of the authentication cloud platform loads the cloud authentication key according to the received identity identification data: it retrieves the received identity identification data in the KV database of the authentication cloud platform and, once found, reads the cloud authentication key stored together with it.
If the key generation server of the authentication cloud platform encrypted the cloud authentication key before storing it, the identification module must decrypt the encrypted cloud authentication key after reading it out in order to load the cloud authentication key. After the identification module has loaded the cloud authentication key, the verification center verifies the role authentication data received by the authentication cloud platform and generates a verification result. Assume that the verification center first applies the cloud authentication key loaded by the identification module to the received target credential and timestamp, using the same algorithm the authentication data generation module of the terminal used to generate the role authentication data, thereby producing cloud authentication data. The verification center then compares the generated cloud authentication data with the received role authentication data.
When the cloud authentication data is the same as the role authentication data, the verification center further judges whether the difference between the current time and the time represented by the timestamp received by the transmission module lies within a preset time range. If so, it generates a verification result indicating that the role authentication data passes verification; otherwise it generates a verification result indicating that the role authentication data does not pass verification.
After the verification center of the authentication cloud platform generates the verification result, the transmission module of the authentication cloud platform transmits it back to the authentication front end, which displays the received verification result. In this way the employee completes identity verification by means of the invention.
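The terminal-side generation of role authentication data and the cloud-side check described in this embodiment, as an added Python example that is not the patent's own code. Assumptions the patent does not fix: the keyed calculation is HMAC-SHA256, the two-dimensional code payload is a JSON string, the preset time range is 120 seconds, and the registration round trip by e-mail is omitted.

```python
import hashlib
import hmac
import json
import secrets
import time

TIME_WINDOW_SECONDS = 120  # assumed "preset time range"; the patent does not fix a value


def generate_role_authentication_data(role_key: bytes, target_credential: str, timestamp: int) -> str:
    """Terminal side: keyed computation over the data composed of target credential and timestamp.
    The patent only says the key is used to 'calculate' the data; HMAC-SHA256 is assumed here."""
    message = f"{target_credential}|{timestamp}".encode("utf-8")
    return hmac.new(role_key, message, hashlib.sha256).hexdigest()


def encode_confidential_file(role_key: bytes, target_credential: str, identity: str, timestamp: int) -> str:
    """Terminal side: the payload the encoding module would place in the two-dimensional code.
    A JSON string stands in for the QR image (assumption)."""
    payload = {
        "credential": target_credential,
        "identity": identity,
        "timestamp": timestamp,
        "role_auth": generate_role_authentication_data(role_key, target_credential, timestamp),
    }
    return json.dumps(payload, sort_keys=True)


class AuthenticationCloudPlatform:
    """Cloud side: KV store of identity -> cloud authentication key, plus the verification center."""

    def __init__(self) -> None:
        # Keys are held in the clear here; the patent allows encrypting them at rest.
        self._kv = {}

    def register(self, identity: str) -> bytes:
        """Key generation server: issue a fresh cloud authentication key once the one-time
        verification data has been checked (that e-mail round trip is omitted here)."""
        cloud_key = secrets.token_bytes(32)
        self._kv[identity] = cloud_key
        return cloud_key  # becomes the terminal's role authentication key

    def verify(self, confidential_file: str, now: int) -> str:
        """Verification center: recompute cloud authentication data, compare it with the
        received role authentication data, then check the timestamp window."""
        try:
            fields = json.loads(confidential_file)
            credential = str(fields["credential"])
            identity = str(fields["identity"])
            timestamp = int(fields["timestamp"])
            role_auth = str(fields["role_auth"])
        except (ValueError, KeyError, TypeError):
            return "FAIL: malformed confidential file"
        cloud_key = self._kv.get(identity)
        if cloud_key is None:
            return "FAIL: unknown identity identification data"
        cloud_auth = generate_role_authentication_data(cloud_key, credential, timestamp)
        # constant-time comparison of the two authentication strings
        if not hmac.compare_digest(cloud_auth.encode(), role_auth.encode()):
            return "FAIL: role authentication data does not match"
        if abs(now - timestamp) > TIME_WINDOW_SECONDS:
            return "FAIL: timestamp outside the preset time range"
        return "PASS"


if __name__ == "__main__":
    platform = AuthenticationCloudPlatform()
    role_key = platform.register("alice@example.com")  # constructed sample identity
    now = int(time.time())
    qr_payload = encode_confidential_file(role_key, "employee-1001", "alice@example.com", now)
    print(platform.verify(qr_payload, now))  # PASS
```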
In summary, the terminal generates role authentication data corresponding to a target credential by using a role authentication key and generates a corresponding confidential file from the target credential, a timestamp, the role authentication data and the identity identification data; the authentication front end reads the confidential file displayed by the terminal and parses it to obtain the target credential, the timestamp, the identity identification data and the role authentication data; and the authentication cloud platform loads a cloud authentication key according to the identity identification data, verifies the role authentication data with the cloud authentication key and generates a verification result. This solves the problem in the prior art that a copied credential file can be used to impersonate an identity, provides the confidential file dynamically, and achieves fast and simple authentication.
To enhance user privacy protection, a mutual authentication mechanism and the exchange of a single-session key are introduced between the terminal and the verification center of the authentication cloud platform in the machine-readable file retrieval stage. Before a user session can query the KV database in the authentication cloud platform, the terminal must be registered with the verification center of the authentication cloud platform.
(1) The verification center generates the identifier $ID$ for terminal A, selects two large primes $p$ and $q$ such that $q$ divides $p-1$ evenly, and selects a base $g \in \mathbb{Z}_p^{*}$ ($g \neq 1$) of order $q$, i.e. $g^{q} \equiv 1 \pmod p$.
(2) Terminal A selects $PR_A$ as its own private key and computes its public key $PU_A = g^{PR_A} \bmod p$.
(3) Terminal A calculates $C_1 = E_{ps}(ID, PU_A)$ and transmits the result to the verification center of the authentication cloud platform, where $E_{ps}$ denotes an encryption function.
(4) On receiving $C_1$, the verification center of the authentication cloud platform decrypts $C_1$ with its private key $SK$ and stores the value $(ID, PU_A)$ in the KV database corresponding to the ID of the authentication cloud platform S.
In the preprocessing stage after registration, the verification center of the authentication cloud platform periodically generates out-of-order KV database copies and corresponding index files encrypted by the public key of the verification center, and stores the KV database copies and the index files in the authentication cloud platform.
When the retrieval phase is entered, terminal A selects a random number $r_A$ and transmits $C_2 = (ID, E_{ps}(r_A))$ to the verification center. The verification center decrypts $C_2$ with its private key $SK$ to obtain $ID$ and $r_A$.
The verification center then selects a random number $r_S$ and calculates the single transaction key $K = r_S \oplus r_A$. It then transmits $C_3 = (r_S, E_K(r_A))$ to terminal A, where $E_K$ is a first symmetric encryption algorithm with $K$ as the key.
Terminal A proceeds to calculate the one-time transaction key $K' = r_A \oplus r_S$ and decrypts $E_K(r_A)$ with the key $K'$. If the result equals $r_A$, terminal A transmits $E_{K'}(Search)$ to the verification center, where $E_{K'}$ is a second symmetric encryption algorithm with $K'$ as the key; otherwise the query is stopped, because a result different from $r_A$ means that the authentication cloud platform has not passed terminal A's authentication. Here $Search$ is the record query item for the KV database.
Terminal A selects a random number $k \in \mathbb{Z}_q$ and calculates the values of $r$, $s$ and $M$ as follows:
$M = E_{K'}(ID, r_S, r_A)$,
$r = (g^{k} \bmod p) \bmod q$,
$s = [k^{-1} \times (h(M) + PR_A \cdot r)] \bmod q$,
where $h(\cdot)$ is a hash function mapping values in $\{0, 1\}^{*}$ to $\{1, 2, \ldots, q-1\}$.
Terminal A then transmits $C_4 = (r, s, M)$ to the verification center.
The verification center calculates $t = (h(M) \times s^{-1}) \bmod q$ and $u = (r \times s^{-1}) \bmod q$, and then checks whether $1 \le r \le q-1$, $1 \le s \le q-1$ and $r = [(g^{t} \times PU_A^{u}) \bmod p] \bmod q$. If any of these checks fails, the query is stopped because terminal A has not passed the authentication of the authentication cloud platform; if all of them hold, the verification center reads the $V_i$ required by terminal A, i.e. the $i$-th record of the KV database, from the out-of-order database copy according to the corresponding index file, and transmits the value $E_K(V_i)$ to terminal A.
Terminal A decrypts $E_K(V_i)$ with the single transaction key, i.e. computes $D_K(E_K(V_i))$, to obtain the $V_i$ desired by the user.
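The retrieval-phase exchange above (single transaction key, terminal A's check of E_K(r_A), the (r, s) signature over M, and the verification center's check), as an added Python example that is not the patent's own code. Assumptions: the public-key delivery of r_A under E_ps is treated as already done, E_K and E_K' are an HMAC-SHA256 keystream cipher standing in for the unspecified symmetric algorithms, h() reduces SHA-256 into {1, ..., q-1}, and p, q, g are toy-sized (p = 23, q = 11, g = 2).

```python
import hashlib
import hmac
import secrets

# Toy DSA-style parameters (assumption; a real deployment uses large primes):
# q divides p-1 and g != 1 has order q in Z_p^*, i.e. g^q = 1 mod p.
P, Q, G = 23, 11, 2
assert (P - 1) % Q == 0 and G != 1 and pow(G, Q, P) == 1


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """E_K / E_K': XOR with an HMAC-SHA256 keystream (assumed stand-in for the symmetric
    algorithms the patent leaves unspecified). Decryption D_K is the same operation."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))
    return xor_bytes(data, stream[: len(data)])


sym_decrypt = sym_encrypt


def h(message: bytes) -> int:
    """h(): hash into {1, ..., q-1} as the patent requires (SHA-256 reduced; assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (Q - 1) + 1


def keygen() -> tuple:
    """Registration step (2): private key PR_A and public key PU_A = g^PR_A mod p."""
    pr_a = secrets.randbelow(Q - 1) + 1
    return pr_a, pow(G, pr_a, P)


def sign(pr_a: int, m: bytes) -> tuple:
    """Terminal A: r = (g^k mod p) mod q, s = k^-1 (h(M) + PR_A r) mod q, with k in Z_q."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h(m) + pr_a * r)) % Q
        if r != 0 and s != 0:  # both must lie in 1..q-1 for the range check below
            return r, s


def verify(pu_a: int, m: bytes, r: int, s: int) -> bool:
    """Verification center: t = h(M) s^-1, u = r s^-1, accept iff r == ((g^t PU_A^u) mod p) mod q."""
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False
    w = pow(s, -1, Q)
    t, u = (h(m) * w) % Q, (r * w) % Q
    return r == ((pow(G, t, P) * pow(pu_a, u, P)) % P) % Q


def retrieval_round(kv: dict, ident: str, pr_a: int, index: int):
    """One query: C_2 .. C_4 and the encrypted record. Returns V_i as recovered by
    terminal A, or None when either side fails the other's authentication."""
    # Terminal A: C_2 = (ID, E_ps(r_A)); public-key delivery of r_A is assumed already done.
    r_a = secrets.token_bytes(16)
    # Verification center: K = r_S xor r_A, C_3 = (r_S, E_K(r_A)).
    r_s = secrets.token_bytes(16)
    key_k = xor_bytes(r_s, r_a)
    c3 = (r_s, sym_encrypt(key_k, r_a))
    # Terminal A: K' = r_A xor r_S; the platform is authenticated only if D_K'(E_K(r_A)) == r_A.
    key_k_prime = xor_bytes(r_a, c3[0])
    if sym_decrypt(key_k_prime, c3[1]) != r_a:
        return None
    m = sym_encrypt(key_k_prime, b"|".join([ident.encode(), r_s, r_a]))  # M = E_K'(ID, r_S, r_A)
    r, s = sign(pr_a, m)  # C_4 = (r, s, M)
    # Verification center: check (r, s) against the PU_A registered under ID, then send E_K(V_i).
    if not verify(kv[ident]["pu_a"], m, r, s):
        return None
    v_i = kv[ident]["records"][index]
    return sym_decrypt(key_k, sym_encrypt(key_k, v_i))  # terminal A computes D_K(E_K(V_i))


if __name__ == "__main__":
    pr_a, pu_a = keygen()
    # Constructed KV database: (ID, PU_A) from registration plus sample records.
    kv_db = {"A": {"pu_a": pu_a, "records": [b"record-0", b"record-1"]}}
    print(retrieval_round(kv_db, "A", pr_a, 1))  # b'record-1'
```

With these toy parameters the arithmetic is exact but collisions in h() and in the reduction mod q are frequent, so only the parameter sizes, not the structure of the exchange, change for a real deployment.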
The above processes of mutual authentication with the verification center and single-transaction key generation must be performed each time the user queries. The above embodiments therefore perform data encryption and decryption under mutual authentication, making the security of the account and the confidentiality of the queried file more reliable. When the user exchanges information with the authentication cloud platform, the account data passed between them is first encrypted and decrypted with the public and private keys. Second, when the user queries information after logging in, the query data between the user side and the authentication cloud platform are encrypted and decrypted with a single transaction key, which is formed by combining elements generated by both the authentication cloud platform and the user side, so that an illegitimate user cannot impersonate the authentication cloud platform or the user side to steal the data.
In addition, to further improve operating efficiency and enhance security, in a preferred embodiment the verification center used for the mutual authentication process may be configured as a secure third-party server that exchanges messages with the authentication cloud platform over a secure channel and encapsulates the transmitted messages using a random variable and hash operations.
Specifically, the registration phase proceeds as follows:
(1) A random variable is randomly selected for the user; the random variable is XORed with the role authentication data corresponding to the user, the result is hashed, and a first hash value is output.
(2) The user transmits the identity identification data and the first hash value to the verification center for registration.
(3) The verification center hashes the first hash value to obtain a second hash value.
(4) The verification center concatenates the private key it selected with the random variable and hashes the result, concatenates again and hashes once more, finally outputting a third hash value.
(5) The third hash value is XORed with the first hash value to obtain a first output value.
(6) The identity identification data and the private key are hashed together to output a fourth hash value.
(7) The identity identification data is concatenated with the first hash value and hashed, and the result is XORed with the fourth hash value to obtain a second output value.
(8) The fourth hash value is hashed to obtain a fifth hash value, and the random variable is hashed to obtain a sixth hash value.
(9) The verification center transmits the second output value, the first output value, the fifth hash value, the preset one-way hash value and the sixth hash value to the user side. Once the user enters the random variable into the terminal, the terminal holds the random variable, the second output value, the first output value, the fifth hash value, the one-way hash value and the sixth hash value.
In the mutual authentication stage, the user side proceeds as follows:
(1) The user enters the identity identification data and the role authentication data selected by the user into the terminal.
(2) The random variable is XORed with the role authentication data and hashed, the result is concatenated and hashed again, and then XORed with the identity identification data to obtain a third output value.
(3) The third output value is hashed to obtain a seventh hash value, which is compared with the fifth hash value: if they differ, the terminal refuses authentication; if they are the same, the user identity is correct.
(4) The terminal generates a user random number.
(5) The first hash value is XORed with the first output value to obtain a fourth output value.
(6) The first hash value is hashed once to obtain an eighth hash value.
(7) The sixth hash value, the user random number and the authentication cloud platform identification data are concatenated and hashed, and the result is XORed with the eighth hash value to obtain a fifth output value.
(8) The third output value, the fourth output value and the user random number are concatenated and hashed, and the result is XORed with the first hash value to obtain the dynamic identification data.
(9) The authentication cloud platform identification data, the user random number and the fourth output value are hashed, and the result is XORed with the third output value to obtain a sixth output value.
(10) The first output value, the fourth output value and the user random number are concatenated and hashed to obtain a ninth hash value.
(11) The user transmits a first message set to the authentication cloud platform, consisting of the dynamic identification data, the fifth output value, the sixth output value, the ninth hash value and the user random number.
After receiving the first message set, the authentication cloud platform proceeds as follows:
(1) The sixth hash value, the user random number and the authentication cloud platform identification data are concatenated and hashed, and the result is XORed to obtain a seventh output value.
(2) The private key selected by the verification center is concatenated with the random variable and hashed; the result is concatenated with the seventh output value and hashed again to obtain a tenth hash value.
(3) The tenth hash value, the user random number and the authentication cloud platform identification data are concatenated and hashed, and the result is XORed to obtain an eighth output value.
(4) The eighth output value, the tenth hash value and the user random number are concatenated and hashed, and the result is XORed with the dynamic identification data to obtain an eleventh hash value.
(5) The eleventh hash value is XORed with the tenth hash value to obtain a ninth output value.
(6) The ninth output value, the tenth hash value and the user random number are concatenated and hashed to obtain a twelfth hash value.
(7) The twelfth hash value is compared with the ninth hash value: if they differ, the authentication cloud platform refuses authentication; if they are the same, it generates a platform random number, concatenates the ninth output value, the user random number, the tenth hash value and the authentication cloud platform identification data, and hashes the result to obtain a thirteenth hash value.
(8) The authentication cloud platform transmits a second message set to the user, consisting of the thirteenth hash value and the platform random number.
After receiving the second message set, the user authenticates the authentication cloud platform as follows: the first output value, the user random number, the fourth output value and the authentication cloud platform identification data are concatenated and hashed to obtain a fourteenth hash value, which is compared with the thirteenth hash value. If they differ, the user refuses the second message set and ends the session with the authentication cloud platform; if they are the same, the identity of the authentication cloud platform is correct, and the user concatenates the first output value, the platform random number, the fourth output value and the authentication cloud platform identification data and hashes the result to obtain a fifteenth hash value. The user returns a third message set to the authentication cloud platform, consisting of the fifteenth hash value.
After receiving the third message set, the authentication cloud platform authenticates the user as follows: the ninth output value, the platform random number, the tenth hash value and the authentication cloud platform identification data are concatenated and hashed to obtain a sixteenth hash value, which is compared with the fifteenth hash value. If they differ, the authentication cloud platform refuses the third message set and ends the session with the user; if they are the same, the identity of the user is correct.
After mutual authentication between the user and the authentication cloud platform is complete, a session key is established between them. The session key on the authentication cloud platform side is obtained by concatenating the ninth output value, the user random number, the platform random number, the tenth hash value and the authentication cloud platform identification data and hashing the result; the session key on the user side is obtained by concatenating the first output value, the user random number, the platform random number, the fourth output value and the authentication cloud platform identification data and hashing the result. The ninth output value and the tenth hash value of the authentication cloud platform are equal to the first output value and the fourth output value of the user respectively, so the two session keys coincide.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments merely illustrate or explain the principles of the invention and are not to be construed as limiting it. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (6)

1. A big data confidential file access method based on role authentication is characterized by comprising the following steps:
after acquiring target credentials and identity identification data of a user, loading a role authentication key stored in advance by a terminal;
the terminal generates role authentication data corresponding to the target credential and the timestamp through the role authentication key;
the terminal generates a corresponding confidential file at least according to the target credential, the timestamp, the role authentication data and the identity identification data;
the terminal displays the confidential document so that the authentication front end can identify the confidential document data;
the authentication front end parses the confidential file to obtain the target credential, the timestamp, the identity identification data and the role authentication data;
the authentication front end transmits the target credential, the timestamp, the identification data and the role authentication data to an authentication cloud platform;
the authentication cloud platform loads a cloud authentication key according to the identity identification data;
the authentication cloud platform verifies the role authentication data by using the cloud authentication key and generates a verification result;
and the authentication cloud platform transmits the verification result to the authentication front end so that the authentication front end displays the verification result.
2. The method of claim 1, wherein after the authentication cloud platform transmits the verification result to the authentication front end, further comprising:
and the authentication front end carries out corresponding transaction according to the transaction identification data contained in the confidential document.
3. The method of claim 1, wherein before the terminal loads the role authentication key stored in advance, the method further comprises:
the terminal transmits the identity identification data to the authentication cloud platform, the authentication cloud platform transmits verification data to the terminal, the terminal transmits the verification data back to the authentication cloud platform, the authentication cloud platform generates the cloud authentication key after judging that the verification data is correct, stores the identity identification data and the cloud authentication key, and transmits the cloud authentication key to the terminal to serve as the role authentication key.
4. The method of claim 1, wherein before the terminal loads the role authentication key stored in advance, the method further comprises:
the terminal downloads an electronic certificate containing the role authentication key and the cloud authentication key, the terminal transmits the identity identification data to the authentication cloud platform, the authentication cloud platform transmits verification data to the terminal, the terminal transmits the verification data and the electronic certificate to the authentication cloud platform, and the authentication cloud platform stores the identity identification data and the cloud authentication key after judging that the verification data is correct and verifying that the electronic certificate is legal.
5. The method according to claim 1, wherein the authentication cloud platform verifies the role authentication data, specifically:
and the authentication cloud platform generates cloud authentication data corresponding to the target credential through the cloud authentication key, and compares the role authentication data with the cloud authentication data.
6. The method according to claim 1, wherein before a user session queries the KV database in the authentication cloud platform, the terminal A of the user performs terminal registration in the verification center of the authentication cloud platform by the following procedure:
(1) the verification center generates the identifier $ID$ for terminal A, selects two large primes $p$ and $q$ such that $q$ divides $p-1$ evenly, and selects a base $g \in \mathbb{Z}_p^{*}$ ($g \neq 1$) of order $q$;
(2) terminal A selects $PR_A$ as its own private key and computes its public key $PU_A = g^{PR_A} \bmod p$;
(3) terminal A calculates $C_1 = E_{ps}(ID, PU_A)$ and transmits the result to the verification center of the authentication cloud platform, $E_{ps}$ representing an encryption function;
(4) on receiving $C_1$, the verification center of the authentication cloud platform decrypts $C_1$ with its private key $SK$ and stores the value $(ID, PU_A)$ in the KV database corresponding to the ID of the authentication cloud platform S.
CN202010595109.XA 2020-06-28 2020-06-28 Role authentication-based big data confidential file access method Expired - Fee Related CN111770081B (en)

Publications (2)

Publication Number Publication Date
CN111770081A true CN111770081A (en) 2020-10-13
CN111770081B CN111770081B (en) 2021-11-05

Family

ID=72722215

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010595109.XA Expired - Fee Related CN111770081B (en) 2020-06-28 2020-06-28 Role authentication-based big data confidential file access method

Country Status (1)

Country Link
CN (1) CN111770081B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113037742A (en) * 2021-03-04 2021-06-25 上海华申智能卡应用系统有限公司 Fingerprint authentication method and system
WO2022093168A1 (en) * 2020-10-26 2022-05-05 Hewlett-Packard Development Company, L.P. Access to confidential data

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282222A (en) * 2008-05-28 2008-10-08 胡祥义 Digital signature method based on CSK
CN105095728A (en) * 2015-06-15 2015-11-25 南京市信息中心 Two-dimensional code identification method based on digital signatures and timestamps
CN106027461A (en) * 2016-01-21 2016-10-12 李明 Secret key use method for cloud authentication platform in identity card authentication system
CN106100850A (en) * 2016-06-17 2016-11-09 公安部第三研究所 Intelligent and safe chip signing messages transmission method based on Quick Response Code and system
CN106452721A (en) * 2016-10-14 2017-02-22 牛毅 Method and system for instruction identification of intelligent device based on identification public key
WO2018198036A1 (en) * 2017-04-24 2018-11-01 Just Log Me S.R.L. Authentication system and identity management without password by single-use qr code and related method
CN108737339A (en) * 2017-04-19 2018-11-02 腾讯科技(深圳)有限公司 Activity check-in method, user terminal, server and system
CN110198296A (en) * 2018-04-27 2019-09-03 腾讯科技(深圳)有限公司 Method for authenticating and device, storage medium and electronic device
CN110428292A (en) * 2018-08-16 2019-11-08 深圳市智税链科技有限公司 Electronic bill generation method, device, storage medium and computer equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
熊展云 (Xiong Zhanyun): "Research and Implementation of a Cross-Mobile-Platform Electronic Credential Service System", 《中国优秀硕士学位论文全文数据库(电子期刊)》 (China Master's Theses Full-text Database, electronic journal) *

Also Published As

Publication number Publication date
CN111770081B (en) 2021-11-05

Similar Documents

Publication Publication Date Title
US20220407720A1 (en) Electronic identification verification methods and systems with storage of certification records to a side chain
AU2017204853B2 (en) Data security service
CN109067524B (en) Public and private key pair generation method and system
US11115197B1 (en) Secret sharing information management and security system
CN109614818B (en) Authorized identity-based keyword search encryption method
JP4866863B2 (en) Security code generation method and user device
WO2020062668A1 (en) Identity authentication method, identity authentication device, and computer readable medium
US6678821B1 (en) Method and system for restricting access to the private key of a user in a public key infrastructure
US20140181520A1 (en) Method using a single authentication device to authenticate a user to a service provider among a plurality of service providers and device for performing such a method
WO2018145127A1 (en) Electronic identification verification methods and systems with storage of certification records to a side chain
CN100512201C (en) Method for dealing inserted-requested message of business in groups
US20030208681A1 (en) Enforcing file authorization access
CN110597836B (en) Information inquiry request response method and device based on block chain network
CN106059760B (en) Cryptographic system in which a user-terminal cryptographic module calls the system private key
CN113282944B (en) Intelligent lock unlocking method and device, electronic equipment and storage medium
US20220014354A1 (en) Systems, methods and devices for provision of a secret
CN111770081B (en) Role authentication-based big data confidential file access method
CN108809936A (en) Intelligent mobile terminal identity authentication method based on a hybrid encryption algorithm, and system implementing it
RU2698424C1 (en) Authorization control method
KR20140033824A (en) Encryption systems and methods using hash value as symmetric key in the smart device
CN115941328A (en) Sharable user data encryption processing method, device and system
KR101933090B1 (en) System and method for providing electronic signature service
CN110830252B (en) Data encryption method, device, equipment and storage medium
JP7211519B2 (en) Owner identity confirmation system, terminal and owner identity confirmation method
US20220271948A1 (en) Owner identity confirmation system, certificate authority server and owner identity confirmation method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor before: inventor not disclosed
Inventor after: Wang Pengfei; Du Yuanhan; Shan Xinwen; other inventors requested that their names not be disclosed
TA01 Transfer of patent application right
Effective date of registration: 2021-10-15
Applicant before: GUANGZHOU ZHIHONG TECHNOLOGY Co.,Ltd., 510000 1011, building H5, Luogang Aoyuan Plaza, 1940 Kaichuang Avenue, Huangpu District, Guangzhou City, Guangdong Province
Applicant after: STATE GRID JIANGSU ELECTRIC POWER Co.,Ltd. INFORMATION & TELECOMMUNICATION BRANCH, No.20, Beijing West Road, Nanjing, Jiangsu Province, 210000
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 2021-11-05