CN111917536A - Identity authentication key generation method, identity authentication method, device and system - Google Patents


Info

Publication number
CN111917536A
Authority
CN
China
Prior art keywords
identity
key
identity authentication
client
authentication key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910384523.3A
Other languages
Chinese (zh)
Inventor
马东辉
张永新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing CHJ Automotive Information Technology Co Ltd
Original Assignee
Beijing CHJ Automotive Information Technology Co Ltd
Application filed by Beijing CHJ Automotive Information Technology Co Ltd
Priority to CN201910384523.3A
Publication of CN111917536A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution using a key encryption key
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms for verifying identity or authority involving digital signatures
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for supporting key management in a packet data network, for key distribution, e.g. centrally by trusted party
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The embodiments of the disclosure provide a method for generating an identity authentication key and a method, a device and a system for identity authentication. They relate to the technical field of identity authentication and mainly aim to improve the security of identity authentication of a terminal device when no preset key is built into the terminal device. The method includes: receiving a key acquisition request sent by a client, where the key acquisition request carries a device identity; generating an identity authentication key for authenticating the identity of the client; and establishing a binding relationship between the identity authentication key and the device identity, and sending the identity authentication key to the client for storage. Compared with the prior art, the software manufacturer does not need to cooperate with the terminal device manufacturer: when a user uses the software (client), the client already holds an identity authentication key bound to its device identity, so the server can authenticate the client by looking up the identity authentication key that has a binding relationship with the client's device identity.

Description

Identity authentication key generation method, identity authentication method, device and system
Technical Field
The embodiment of the disclosure relates to the technical field of identity authentication, in particular to a method for generating an identity authentication key, a method, a device and a system for identity authentication.
Background
With the development of the internet, before a user exchanges information with external devices over the internet through a terminal device (such as a mobile phone, notebook computer, tablet computer or desktop computer), the user's identity needs to be authenticated; after authentication, online transactions such as online shopping and asset financing can be carried out, which is convenient and fast.
In current identity authentication technology, one commonly adopted scheme is that the user holds a private account and password and enters them in a login interface on the terminal device to authenticate to a remote server. In this scheme, if the user's account and password are stolen by illegal means such as a trojan horse, the stolen credentials can be used to pass identity authentication on any terminal device, so the security is poor.
In the other scheme, a software manufacturer cooperates with a terminal device manufacturer, and a key preset by the software manufacturer is built into the terminal device for identity identification. If the software manufacturer does not cooperate with the terminal device manufacturer, the software manufacturer's preset key cannot be built into the terminal device.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a method for generating an identity authentication key, a method, an apparatus, and a system for identity authentication, and mainly aim to improve security of identity authentication of a terminal device without building a preset key in the terminal device.
In order to achieve the above purpose, embodiments of the present disclosure mainly provide the following technical solutions:
in a first aspect, an embodiment of the present disclosure provides a method for generating an authentication key, where the method includes:
receiving a key acquisition request sent by a client, wherein the key acquisition request carries an equipment identity;
generating an identity authentication key for authenticating the identity of the client;
and establishing a binding relationship between the identity authentication key and the equipment identity identifier, and sending the identity authentication key to the client for storage.
In some embodiments, before receiving the key obtaining request sent by the client, the method further includes:
after receiving an equipment identity acquisition request sent by the client, establishing an equipment identity for the client;
and sending the equipment identity to the client.
In some embodiments, when the device identity carried in the key obtaining request is the device identity encrypted by using the encryption key preset by the client, before generating an identity authentication key for authenticating the identity of the client, the method further includes:
decrypting the encrypted equipment identity by using a decryption key corresponding to an encryption key preset by the client;
generating an identity authentication key for authenticating the client identity comprises:
and if the decryption is successful, generating the identity authentication key.
In some embodiments, when the key acquisition request further carries signature information signed by using a signature key preset by the client, if the decryption is successful, before generating the identity authentication key, the method further includes:
verifying the signature information by using a signature verification key preset by the client;
and if the signature verification passes, generating the identity authentication key.
In some embodiments, the establishing a binding relationship between the identity authentication key and the device identity includes:
directly establishing a binding relationship between the identity authentication key and the equipment identity;
alternatively,
establishing a pre-binding relationship between the identity authentication key and the device identity and sending the pre-bound identity authentication key to the client; receiving a key verification request sent by the client, where the key verification request carries the device identity and verification information encrypted with the identity authentication key; searching for the identity authentication key that has a pre-binding relationship with the device identity; decrypting the verification information with the found identity authentication key to perform key verification on the client; and, if the key verification passes, changing the pre-binding relationship between the identity authentication key and the device identity into a binding relationship.
In some embodiments, the sending the identity authentication key to the client for storage specifically includes:
and encrypting the identity authentication key by using the preset encryption key in the client and then sending the encrypted identity authentication key to the client, so that the client decrypts the received identity authentication key by using the preset decryption key and stores the decrypted identity authentication key.
In a second aspect, an embodiment of the present disclosure provides a method for generating an identity authentication key, where the method includes:
sending a key acquisition request to a server so that the server generates an identity authentication key for authenticating the identity of a client, and establishing a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
and receiving and storing the identity authentication key sent by the server.
In some embodiments, before sending the key obtaining request to the server, the method further includes:
sending an equipment identity acquisition request to a server so that the server can create an equipment identity;
and receiving the equipment identity sent by the server.
In some embodiments, sending a key acquisition request to a server so that the server generates an identity authentication key for authenticating the identity of the client includes:
encrypting the equipment identity by using an encryption key preset by the client;
and sending a key acquisition request carrying the encrypted equipment identity to a server so that the server decrypts the encrypted equipment identity by using a decryption key corresponding to an encryption key preset by the client, and if decryption is successful, generating the identity authentication key.
In some embodiments, before the server generates the identity authentication key in the case that decryption succeeds, the method further includes:
generating signature information by signing with a signature key preset in the client;
and sending a key acquisition request carrying the signature information to the server, so that the server verifies the signature information with a signature verification key corresponding to the signature key preset in the client and, if the signature verification passes, generates the identity authentication key.
In some embodiments, the receiving and storing the identity authentication key sent by the server includes:
receiving and directly storing the identity authentication key sent by the server;
alternatively,
after receiving the identity authentication key sent by the server, sending a key verification request to the server, where the key verification request carries the device identity and verification information encrypted with the identity authentication key, so that the server searches for the identity authentication key that has a pre-binding relationship with the device identity, decrypts the verification information with the found identity authentication key to perform key verification on the client and, if the key verification passes, changes the pre-binding relationship between the identity authentication key and the device identity into a binding relationship; and, after receiving the key-verification-passed message sent by the server, storing the identity authentication key sent by the server.
In some embodiments, the receiving and storing the identity authentication key sent by the server specifically includes:
and after the received identity authentication key is decrypted by using a preset decryption key, the decrypted identity authentication key is stored.
In a third aspect, an embodiment of the present disclosure provides an identity authentication method, where the method includes:
receiving, from a client, a client identity authentication request encrypted with an identity authentication key together with the client's device identity, where the identity authentication key is generated by the method of the first aspect;
searching an identity authentication key corresponding to the equipment identity;
and decrypting the encrypted client authentication request by using the searched authentication key to authenticate the client.
In a fourth aspect, an embodiment of the present disclosure provides a method of identity authentication, where the method includes:
obtaining an identity authentication key, the identity authentication key being generated by the method of the second aspect;
encrypting the client identity authentication request by using the identity authentication key;
and sending the encrypted client identity authentication request, together with the device identity, to a server, so that the server searches for the identity authentication key corresponding to the device identity and decrypts the encrypted client identity authentication request with the found identity authentication key to authenticate the identity of the client.
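The provisioning and authentication exchange of the first to fourth aspects, worked through end to end as an added example; this is not code from the patent or from the assignee. The page names no algorithms, so this stand-alone Python models the client's preset encryption key and preset signature key as symmetric keys shared with the server (a deployment would use the asymmetric pairs the text implies), uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of a real AEAD, and treats a failed tag check as the "decryption fails" branch. It goes one step beyond the text: the authentication request carries a random nonce that the server refuses to accept twice, because "the request decrypts under the key bound to this device identity" only authenticates the holder of that key when the ciphertext is integrity-protected and fresh. The names Server, Client, seal, open_, sign and the KEY-VERIFY prefix are this example's own.

```python
"""Device-bound auth-key provisioning and use (added example, stdlib only).
Assumed stand-ins, since the page names no algorithms: the preset encryption and
signing keys are symmetric keys shared with the server; the cipher is an HMAC-SHA256
counter-mode keystream with an encrypt-then-MAC tag; the signature is an HMAC."""
import hashlib, hmac, json, os, secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _subkeys(key: bytes):
    return (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))


def seal(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ek, mk = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes):
    """Inverse of seal(); None on a bad tag, which is what 'decryption fails' means here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ek, mk = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, preset_enc_key: bytes, preset_sig_key: bytes):
        self.dec_key, self.verify_key = preset_enc_key, preset_sig_key  # counterparts of the client's preset keys
        self.bindings = {}        # device_id -> [auth_key, "pre-bound" | "bound"]
        self.seen_nonces = set()  # replay protection for authentication requests

    def issue_device_id(self) -> str:
        return secrets.token_hex(8)

    def handle_key_request(self, enc_device_id: bytes, signature: bytes):
        # Decrypt the device id, check the signature, then mint and pre-bind a key.
        device_id = open_(self.dec_key, enc_device_id)
        if device_id is None or not hmac.compare_digest(signature, sign(self.verify_key, enc_device_id)):
            return None
        auth_key = secrets.token_bytes(32)
        self.bindings[device_id.decode()] = [auth_key, "pre-bound"]
        return seal(self.dec_key, auth_key)  # key wrapped under the client's preset key

    def handle_key_verification(self, device_id: str, proof: bytes) -> bool:
        # Promote pre-binding to binding once the client proves it holds the key.
        entry = self.bindings.get(device_id)
        if entry is None or entry[1] != "pre-bound" or open_(entry[0], proof) != b"KEY-VERIFY:" + device_id.encode():
            return False
        entry[1] = "bound"
        return True

    def authenticate(self, device_id: str, enc_request: bytes) -> bool:
        # Look up the key bound to device_id; the request must decrypt and be fresh.
        entry = self.bindings.get(device_id)
        pt = open_(entry[0], enc_request) if entry and entry[1] == "bound" else None
        req = json.loads(pt) if pt else {}
        nonce = req.get("nonce")
        if req.get("device_id") != device_id or not nonce or nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        return True


class Client:
    def __init__(self, preset_enc_key: bytes, preset_sig_key: bytes):
        self.enc_key, self.sig_key = preset_enc_key, preset_sig_key  # shipped inside the software
        self.device_id = self.auth_key = None

    def enroll(self, server: Server) -> bool:
        self.device_id = server.issue_device_id()
        enc_id = seal(self.enc_key, self.device_id.encode())
        wrapped = server.handle_key_request(enc_id, sign(self.sig_key, enc_id))
        auth_key = open_(self.enc_key, wrapped) if wrapped else None
        if auth_key is None:
            return False
        proof = seal(auth_key, b"KEY-VERIFY:" + self.device_id.encode())
        if not server.handle_key_verification(self.device_id, proof):
            return False
        self.auth_key = auth_key  # stored only after the server confirms the binding
        return True

    def auth_request(self):
        body = {"device_id": self.device_id, "nonce": secrets.token_hex(8), "op": "login"}
        return self.device_id, seal(self.auth_key, json.dumps(body).encode())


def demo():
    # Returns (enrolled, first request accepted, replay rejected, cross-device use rejected).
    preset_enc, preset_sig = os.urandom(32), os.urandom(32)
    server = Server(preset_enc, preset_sig)
    a, b = Client(preset_enc, preset_sig), Client(preset_enc, preset_sig)
    enrolled = a.enroll(server) and b.enroll(server)
    dev, req = a.auth_request()
    first, replay = server.authenticate(dev, req), server.authenticate(dev, req)
    cross = server.authenticate(b.device_id, req)  # a's ciphertext fails the tag check under b's key
    return enrolled, first, not replay, not cross
```

On the trust model this makes visible: the preset encryption and signature keys live inside the client software, so they authenticate the software build, not a particular device; the per-device binding comes only from the server-minted identity authentication key, and the client stores that key only after the server has promoted the pre-binding to a binding. That key is the credential, so on a real device it belongs in hardware-backed storage where the platform offers it.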
In a fifth aspect, an embodiment of the present disclosure provides an apparatus for generating an identity authentication key, where the apparatus includes:
a receiving unit, configured to receive a key acquisition request sent by a client, where the key acquisition request carries a device identity;
the generating unit is used for generating an identity authentication key for authenticating the identity of the client;
an establishing unit, configured to establish a binding relationship between the identity authentication key and the device identity,
and the sending unit is used for sending the identity authentication key to the client for storage.
In some embodiments, there is further included:
a creating unit, configured to create a device identity for the client after receiving a device identity acquisition request sent by the client and before the key acquisition request sent by the client is received;
and the sending unit is used for sending the equipment identity to the client.
In some embodiments, there is further included:
a decryption unit, configured to decrypt the encrypted device identity with a decryption key corresponding to an encryption key preset by the client before generating an identity authentication key for authenticating the identity of the client when the device identity carried in the key acquisition request is the device identity encrypted with the encryption key preset by the client;
the generating unit is specifically configured to generate the identity authentication key if the decryption is successful.
In some embodiments, there is further included:
the signature verification unit is used for verifying the signature information by using a signature verification key preset by the client before generating the identity authentication key if the decryption is successful when the key acquisition request also carries the signature information signed by using the signature key preset by the client;
the generating unit is specifically configured to generate the identity authentication key if the verification passes.
In some embodiments,
the establishing unit is specifically configured to directly establish a binding relationship between the identity authentication key and the device identity;
alternatively,
the establishing unit is specifically configured to establish a pre-binding relationship between the identity authentication key and the device identity, send the pre-bound identity authentication key to the client, receive a key verification request sent by the client, where the key verification request carries the device identity and verification information encrypted with the identity authentication key, search for the identity authentication key that has a pre-binding relationship with the device identity, decrypt the verification information with the found identity authentication key to perform key verification on the client, and, if the key verification passes, change the pre-binding relationship between the identity authentication key and the device identity into a binding relationship.
In some embodiments,
the sending unit is specifically configured to encrypt the identity authentication key with the encryption key preset in the client and send the encrypted identity authentication key to the client, so that the client decrypts the received identity authentication key with its preset decryption key and stores the decrypted identity authentication key.
In a sixth aspect, an embodiment of the present disclosure provides an apparatus for generating an identity authentication key, where the apparatus includes: a sending unit, configured to send a key acquisition request to a server, so that the server generates an identity authentication key for authenticating a client identity, and establishes a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
and the storage unit is used for receiving and storing the identity authentication key sent by the server.
In some embodiments, there is further included:
a sending unit, configured to send an equipment identity obtaining request to a server before sending the key obtaining request to the server, so that the server creates an equipment identity;
and the receiving unit is used for receiving the equipment identity identifier sent by the server.
In some embodiments, the sending unit includes:
an encryption module, configured to encrypt the device identity with an encryption key preset in the client;
and a sending module, configured to send the key acquisition request carrying the encrypted device identity to the server, so that the server decrypts the encrypted device identity with the decryption key corresponding to the encryption key preset in the client and, if decryption succeeds, generates the identity authentication key.
In some embodiments, the sending unit further includes:
a signature module, configured to generate signature information by signing with a signature key preset in the client;
the sending module is further configured to send a key acquisition request carrying the signature information to the server, so that the server checks the signature of the signature information by using a signature checking key preset by the client before generating the identity authentication key if decryption is successful, and generates the identity authentication key if the signature checking passes.
In some embodiments,
the storage unit is specifically configured to receive and directly store the identity authentication key sent by the server;
alternatively,
the storage unit is specifically configured to send a key verification request to the server after receiving the identity authentication key sent by the server, where the key verification request carries the device identity and verification information encrypted with the identity authentication key, so that the server searches for the identity authentication key that has a pre-binding relationship with the device identity, decrypts the verification information with the found identity authentication key to perform key verification on the client and, if the key verification passes, changes the pre-binding relationship between the identity authentication key and the device identity into a binding relationship; and to store the identity authentication key sent by the server after receiving the key-verification-passed message from the server.
In some embodiments,
the storage unit is specifically configured to decrypt the received identity authentication key with a preset decryption key and then store the decrypted identity authentication key.
In a seventh aspect, an embodiment of the present disclosure provides an apparatus for identity authentication, where the apparatus includes:
a receiving unit, configured to receive, from a client, a client identity authentication request encrypted with an identity authentication key together with the client's device identity, where the identity authentication key is generated by the method of the first aspect;
the searching unit is used for searching the identity authentication key corresponding to the equipment identity identification;
and the identity verification unit is used for verifying the identity of the client by decrypting the encrypted client identity authentication request by using the searched identity authentication key.
In an eighth aspect, an embodiment of the present disclosure provides an apparatus for identity authentication, where the apparatus includes:
an obtaining unit, configured to obtain an identity authentication key, where the identity authentication key is generated by the method according to the second aspect;
the encryption unit is used for encrypting the client identity authentication request by using the identity authentication key;
and a sending unit, configured to send the encrypted client identity authentication request, together with the device identity, to the server, so that the server searches for the identity authentication key corresponding to the device identity and decrypts the encrypted client identity authentication request with the found identity authentication key to authenticate the identity of the client.
In a ninth aspect, an embodiment of the present disclosure provides a storage medium including a stored program, where the program controls a device on the storage medium to execute the method for generating an authentication key according to the first aspect when the program runs, or controls the device on the storage medium to execute the method for generating an authentication key according to the second aspect when the program runs.
In a tenth aspect, an embodiment of the present disclosure provides a storage medium, where the storage medium includes a stored program, and when the program runs, a device in which the storage medium is located is controlled to perform the method for identity authentication in the third aspect or the fourth aspect.
In an eleventh aspect, embodiments of the present disclosure provide an apparatus for generating an identity authentication key, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions are operable to perform the method for generating an authentication key according to the first aspect.
In a twelfth aspect, an embodiment of the present disclosure provides an apparatus for generating an identity authentication key, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions are operable to perform the method for generating an authentication key according to the second aspect.
In a thirteenth aspect, embodiments of the present disclosure provide an apparatus for identity authentication, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions when executed perform the method of identity authentication of the third aspect.
In a fourteenth aspect, embodiments of the present disclosure provide an apparatus for identity authentication, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions when executed perform the method of identity authentication of the fourth aspect.
In a fifteenth aspect, an embodiment of the present disclosure provides a system for generating an identity authentication key, including: a terminal and a server;
the server comprises the identity authentication key generation device of the eleventh aspect;
the terminal comprises the identity authentication key generation device of the twelfth aspect.
In a sixteenth aspect, an embodiment of the present disclosure provides a system for identity authentication, including: a terminal and a server;
the server comprises the identity authentication device of the thirteenth aspect;
the terminal comprises the identity authentication device of the fourteenth aspect.
In a seventeenth aspect, embodiments of the present disclosure provide a vehicle, comprising: the apparatus for generating an authentication key according to the sixth aspect.
In an eighteenth aspect, embodiments of the present disclosure provide a vehicle including: the apparatus for authenticating identity according to the eighth aspect.
In a nineteenth aspect, an embodiment of the present disclosure provides a system for generating an identity authentication key, including: a vehicle and a server;
the server comprises the identity authentication key generation device of the fifth aspect;
the vehicle includes the apparatus for generating an authentication key according to the sixth aspect.
In a twentieth aspect, an embodiment of the present disclosure provides a system for identity authentication, including: a vehicle and a server;
the server comprises the identity authentication device of the seventh aspect;
the vehicle comprises the identity authentication device of the eighth aspect.
By means of the above technical solution, the method for generating an identity authentication key, the method for identity authentication, and the device and system provided by the embodiments of the present disclosure have at least the following advantages:
According to the method for generating an identity authentication key, the identity authentication method, the device and the system provided by the embodiments of the disclosure, in response to a key acquisition request carrying a device identity sent by a client, a binding relationship between an identity authentication key for authenticating the identity of that client and the device identity is established for the client, and the identity authentication key is sent to the client so that the client stores it. Compared with the prior art, a software manufacturer need not cooperate with a terminal device manufacturer: when a user uses the software (client), the client already carries an identity authentication key bound to the device identity of the client, so the server can authenticate the client by looking up the identity authentication key that has a binding relationship with the client's device identity.
The foregoing is only an overview of the embodiments of the present disclosure. In order that the technical means of the embodiments may be understood more clearly and implemented in accordance with this description, and in order that the foregoing and other objects, features and advantages of the embodiments may be understood more clearly, a detailed description of the embodiments of the present disclosure follows.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the embodiments of the present disclosure. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a flowchart of a method for generating an identity authentication key provided in an embodiment of a first aspect of the present disclosure;
fig. 2 shows a flowchart of a method for generating an identity authentication key provided by an embodiment of a second aspect of the present disclosure;
fig. 3 shows a flowchart of a method for generating an identity authentication key according to an embodiment of a third aspect of the present disclosure;
fig. 4 shows a flowchart of a method for generating an identity authentication key according to a fourth aspect of the present disclosure;
fig. 5 shows a flowchart of a method for generating an identity authentication key provided in an embodiment of a fifth aspect of the present disclosure;
fig. 6 shows a flowchart of a method of identity authentication provided by an embodiment of a sixth aspect of the present disclosure;
fig. 7 shows a flowchart of a method for identity authentication provided in an embodiment of a seventh aspect of the present disclosure;
fig. 8 is a schematic structural diagram of an apparatus for generating an identity authentication key provided in an embodiment of an eighth aspect of the present disclosure;
fig. 9 is a schematic structural diagram of a specific apparatus for generating an identity authentication key according to the eighth aspect of the present disclosure;
fig. 10 shows a schematic structural diagram of an apparatus for generating an identity authentication key provided in an embodiment of a ninth aspect of the present disclosure;
fig. 11 shows a schematic structural diagram of a specific apparatus for generating an identity authentication key according to the ninth aspect of the present disclosure;
fig. 12 is a schematic structural diagram of an identity authentication apparatus provided in an embodiment of a tenth aspect of the present disclosure;
fig. 13 shows a schematic structural diagram of an identity authentication apparatus provided in an embodiment of an eleventh aspect of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The embodiment of the disclosure provides a method for generating an identity authentication key, which can be applied to configuring an identity authentication key for identity authentication between a terminal provided with a client (application program) and a server.
In a first aspect, as shown in fig. 1, an embodiment of the present disclosure provides a method for generating an identity authentication key which is applicable to the server side, where the server's actions may be executed by a cloud service or a server-side service, for example an Application Programming Interface (API) service, an encryption service or a device service, but not limited thereto. As shown in fig. 1, the method mainly includes:
101, receiving a key acquisition request sent by a client, wherein the key acquisition request carries an equipment identity;
in actual applications, different servers may receive the key obtaining request in different ways, such as directly receiving the key obtaining request, or receiving the key obtaining request by configuring an API service.
The device identity is an identifier of the terminal that exchanges identity authentication data with the server, and may be implemented as one or a combination of a mobile phone number, a user-defined account number, a terminal identifier (e.g., a Media Access Control (MAC) address), a biometric feature (e.g., a voiceprint or an iris), a randomly allocated identifier, and the like, which is not limited in the embodiments of the present invention.
102, generating an identity authentication key for authenticating the identity of the client;
The identity authentication key may include at least one of a symmetric key and an asymmetric key, and the number of keys is not limited to one: for example, the identity authentication key may include both an information encryption key and an information signature key, or only one of the two. The symmetric key may be generated with a symmetric encryption algorithm, such as the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES). The asymmetric key is generated with an asymmetric encryption algorithm, such as RSA.
In some embodiments, the generated identity authentication key is in fact an exclusive key configured for the corresponding device identity, and the exclusive keys generated for different device identities differ from one another. This guarantees the uniqueness of the keys across device identities and ensures that identity authentication for a given device identity can subsequently be performed towards the server only from the client on that single terminal.
103, establishing a binding relationship between the identity authentication key and the device identity, and sending the identity authentication key to the client for storage.
The binding relationship may be understood as an association mapping, that is, a mapping established between the identity authentication key and the device identity; its concrete form may be, but is not limited to, an association table. When the identity authentication key contains an asymmetric key, the private key alone may be sent to the client for storage, or the private key and the public key may be sent to the client together for storage.
In the embodiment of the disclosure, in response to a key acquisition request carrying a device identity sent by a client, a binding relationship between an identity authentication key for authenticating the identity of the client and the device identity is established for the client, and the identity authentication key is sent to the client so that the client stores it.
In a second aspect, based on the method for generating an identity authentication key provided in the embodiment of the first aspect, an embodiment of the present disclosure provides a method for generating an identity authentication key which is applicable to the server side, where the server's actions may be executed by a cloud service or a server-side service, for example an API service, an encryption service or a device service, but not limited thereto. As shown in fig. 2, the method mainly includes:
201, after receiving a device identity acquisition request sent by the client, creating a device identity for the client;
The device identity is an identifier of the terminal that exchanges identity authentication data with the server, and may be implemented as one or a combination of a mobile phone number, a user-defined account number, a terminal identifier (e.g., a MAC address), a biometric feature (e.g., a voiceprint or an iris), a randomly allocated identifier, and the like, which is not limited in the embodiments of the present invention.
Correspondingly, the device identity acquisition request may take various forms: for example, it may carry a user-defined account number, a biometric feature or the like entered by the user; it may carry data read from the terminal, such as a mobile phone number or a terminal identifier; or it may carry a random application identifier or similar information. A device identity is created for the user according to the form of the request.
202, sending the device identity to the client, completing the service of creating a device identity for the client.
In some embodiments, the service time of the device identity creation service is also recorded while that service is performed. The recorded service time is not limited to the time at which the device identity acquisition request from the client is received or the time at which the device identity is sent to the client, and may be chosen according to settings.
203, receiving a key acquisition request sent by a client, wherein the key acquisition request carries an equipment identity;
204, verifying the validity of the key obtaining request, and if the key obtaining request is valid, generating an identity authentication key for authenticating the identity of the client;
the validity verification may include at least one of decryption validity verification, signature validity verification, time validity verification, unique validity verification, format validity verification, and repeated-acquisition validity verification of the key acquisition request.
In decryption validity verification, the device identity carried in the key acquisition request is encrypted with an encryption key preset in the client; the server decrypts the encrypted device identity with the decryption key corresponding to that preset encryption key, and if decryption succeeds, generates an identity authentication key for authenticating the identity of the client. The preset encryption key and the preset decryption key are configured in advance: the preset encryption key is configured in the client's installed application, and the preset decryption key is configured in the server in correspondence with the different clients; the two keys may be identical. They may be symmetric or asymmetric keys, for example RSA keys.
In signature validity verification, the key acquisition request additionally carries signature information produced with a signature key preset in the client; the signature may cover basic parameter information of the client and of the terminal to which it belongs. The server verifies the signature information with the signature verification key preset for the client, and if verification passes, generates an identity authentication key for authenticating the identity of the client. The preset signature verification key is configured in advance, in the client's installed application and in the server; it may be a symmetric key generated with a symmetric encryption algorithm, and the signature algorithm may be a Hash-based Message Authentication Code (HMAC). The basic parameter information of the client may include the software name, version and the like, and that of the terminal may include the MAC address, mobile phone number and the like.
In the time validity verification, the time interval between the time of receiving a key acquisition request sent by a client and the service time of creating the service of the equipment identity for the client is calculated, if the time interval is less than the preset interval time, the time validity verification is passed, and an identity authentication key for authenticating the identity of the client is generated.
In the unique validity verification, whether the received key acquisition request is the unique key acquisition request correspondingly sent by the equipment identity identifier is inquired, and if so, an identity authentication key for authenticating the identity of the client is generated.
And in the format validity verification, verifying whether the equipment identity of the received key acquisition request meets a preset format requirement, and if so, generating an identity authentication key for authenticating the identity of the client.
In repeated-acquisition validity verification, the server checks whether an identity authentication key already bound to the device identity of the key acquisition request exists; if not, the verification passes and an identity authentication key for authenticating the identity of the client is generated.
It is easy to see that any one of the above validity verification methods may be used on its own, in which case only that one verification condition needs to be satisfied before an identity authentication key for authenticating the identity of the client is generated. When at least two methods are used, all of their verification conditions must be met at the same time, that is, the identity authentication key is generated only after every verification has passed.
Taking simultaneous verification of decryption validity and signature validity as an example:
decrypting the encrypted equipment identity by using a decryption key corresponding to an encryption key preset by the client;
generating an identity authentication key for authenticating the client identity comprises:
if the decryption is successful, the signature verification key preset by the client is used for verifying the signature of the signature information;
and if the signature verification passes, generating the identity authentication key.
It should be understood that the steps of decrypting and verifying are actually determined according to the protocol of the identity authentication between the server and the client, and are not limited to the above sequence.
205, establishing a binding relationship between the identity authentication key and the device identity, and sending the identity authentication key to the client for storage.
The binding relationship between the identity authentication key and the device identity may be established directly. However, direct establishment has a disadvantage: when the client does not actually receive and store the identity authentication key because of a communication failure between the client and the server, or a failure of the client itself, the server has established a binding relationship between the identity authentication key and the device identity that is invalid, since the client does not hold the key. To solve this problem, establishing the binding relationship between the identity authentication key and the device identity may comprise:
establishing a pre-binding relationship between the identity authentication key and the device identity, and sending the pre-bound identity authentication key to the client; the pre-bound identity authentication key sent to the client may be encrypted with the encryption key preset in the client, so that the client decrypts the received identity authentication key with its preset decryption key;
receiving a key verification request sent by the client, the key verification request carrying the device identity and verification information encrypted with the identity authentication key;
and searching for the identity authentication key pre-bound to the device identity, decrypting the verification information with the found identity authentication key so as to verify the client's key, and, if key verification passes, changing the pre-binding relationship between the identity authentication key and the device identity into a binding relationship.
Before searching for the identity authentication key pre-bound to the device identity, the validity of the key verification request is verified, and the search is performed only if the request is valid;
the validity of the key verification request may include time validity verification of the key verification request.
In time validity verification of the key verification request, the interval between the time the key verification request is received from the client and the time at which time validity verification of the key acquisition request was performed may be checked; if the interval is less than the preset interval, the identity authentication key pre-bound to the device identity is searched for. It is easy to see that this is simply one time verification method and its specific algorithm may vary: for example, the interval between receipt of the key verification request and receipt of the key acquisition request from the client may be checked instead, and if it is less than the preset interval, the identity authentication key pre-bound to the device identity is searched for.
In some embodiments, the step of sending the identity authentication key to the client for storage specifically includes:
and encrypting the identity authentication key by using the preset encryption key in the client and then sending the encrypted identity authentication key to the client, so that the client decrypts the received identity authentication key by using the preset decryption key and stores the decrypted identity authentication key. The encrypted identity authentication key is sent to the client, so that the confidentiality of the identity authentication key can be improved to a certain extent.
In a third aspect, an embodiment of the present disclosure provides a method for generating an identity authentication key, which can be applied to a client side, as shown in fig. 3, where the method mainly includes:
301, sending a key acquisition request to a server, so that the server generates an identity authentication key for authenticating the identity of a client, and establishes a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
In actual applications, different servers may require the key acquisition request to be sent in different ways: it may be sent directly to the device service, or to the device service through a configured application programming interface (API) service.
302, receiving and storing the identity authentication key sent by the server.
In the embodiment of the disclosure, the server establishes a binding relationship between an identity authentication key for authenticating the identity of the client and the device identity for the client through a key acquisition request sent to the server, and sends the identity authentication key to the client, so as to receive and store the identity authentication key sent by the server.
In a fourth aspect, based on the method for generating an identity authentication key provided in the embodiment of the third aspect, an embodiment of the present disclosure provides a method for generating an identity authentication key, which can be applied to a client side, as shown in fig. 4, where the method mainly includes:
401, sending a device identity acquisition request to a server so that the server creates a device identity;
Correspondingly, the device identity acquisition request may take various forms: for example, it may carry a user-defined account number, a biometric feature or the like entered by the user; it may carry data read from the terminal, such as a mobile phone number or a terminal identifier; or it may carry a random application identifier or similar information. The created device identity may be determined according to the form of the request, for example, but not limited to, from a user-defined account number or biometric feature entered by the user, from data read from the terminal, or from a random application identifier.
402, receiving the device identity sent by the server;
403, sending a key acquisition request to a server, so that the server generates an identity authentication key for authenticating the identity of a client, and establishing a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
In some embodiments, the key acquisition request may carry the encrypted device identity. Sending the key acquisition request to the server so that the server generates an identity authentication key for authenticating the identity of the client then specifically comprises: encrypting the device identity with an encryption key preset in the client; and sending a key acquisition request carrying the encrypted device identity to the server, so that the server decrypts the encrypted device identity with the decryption key corresponding to the client's preset encryption key and, if decryption succeeds, generates the identity authentication key.
In some embodiments, the key acquisition request may carry signature information. Sending the key acquisition request to the server so that the server generates an identity authentication key for authenticating the identity of the client then specifically comprises: generating signature information by signing with a signature key preset in the client; and sending a key acquisition request carrying the signature information to the server, so that the server verifies the signature information with the signature verification key preset for the client and, if verification passes, generates the identity authentication key.
In some embodiments, the key acquisition request may carry both the encrypted device identity and the signature information. Sending the key acquisition request to the server so that the server generates an identity authentication key for authenticating the identity of the client then specifically comprises:
encrypting the device identity with an encryption key preset in the client;
generating signature information by signing with a signature key preset in the client;
and sending a key acquisition request carrying the signature information and the encrypted device identity to the server, so that the server decrypts the encrypted device identity with the decryption key corresponding to the client's preset encryption key; if decryption succeeds, the server verifies the signature information with the signature verification key preset for the client, and if verification passes, the identity authentication key is generated.
Or:
encrypting the device identity with an encryption key preset in the client;
generating signature information by signing with a signature key preset in the client;
and sending a key acquisition request carrying the signature information and the encrypted device identity to the server, so that the server verifies the signature information with the signature verification key preset for the client; if verification passes, the server decrypts the encrypted device identity with the decryption key corresponding to the client's preset encryption key, and if decryption succeeds, the identity authentication key is generated.
The specific order of the flow may be determined according to the predetermined authentication protocol.
404, receiving and storing the identity authentication key sent by the server.
The identity authentication key may be stored directly. However, direct storage has a disadvantage: when the client does not actually receive and store the identity authentication key because of a communication failure between the client and the server, or a failure of the client itself, the server has established a binding relationship between the identity authentication key and the device identity that is invalid, since the client does not hold the key. To solve this problem, receiving and storing the identity authentication key sent by the server may comprise:
after receiving the identity authentication key sent by the server, sending a key verification request to the server, the key verification request carrying the device identity and verification information encrypted with the identity authentication key, so that the server searches for the identity authentication key pre-bound to the device identity, decrypts the verification information with the found identity authentication key to verify the client's key, and, if key verification passes, changes the pre-binding relationship between the identity authentication key and the device identity into a binding relationship;
and after receiving the key-verification-passed message from the server, storing the identity authentication key sent by the server.
In some embodiments the server sends the identity authentication key in encrypted form, and receiving and storing the identity authentication key sent by the server specifically comprises:
decrypting the received identity authentication key with a preset decryption key and storing the decrypted identity authentication key.
In a fifth aspect, based on the identity authentication key generation methods provided in the embodiments of the four aspects above, an embodiment of the present disclosure provides an identity authentication key generation method applied to the interaction between a client and a server, where the server's actions may be executed by a cloud service or a server-side service, for example an API service, an encryption service or a device service, but not limited thereto. As shown in fig. 5, the method mainly includes:
501, an unregistered client sends a device identity acquisition request to the server; after receiving it, the server creates a device identity for the client and records the service time of the device identity creation service;
502, the server sends the device identity to the client, completing the service of creating a device identity for the client.
503, the client encrypts the device identity with an encryption key preset in the client;
504, the client signs with a signature key preset in the client to generate signature information;
505, the client sends a key acquisition request carrying the encrypted device identity and the signature information to the server;
506, the API service performs time validity verification and unique validity verification of the key acquisition request;
507, the encryption service performs signature validity verification of the key acquisition request;
508, the device service performs format validity verification and repeated-acquisition validity verification of the key acquisition request;
509, the device service performs decryption validity verification of the key acquisition request;
510, if the decryption validity, signature validity, time validity, unique validity, format validity and repeated-acquisition validity verifications all pass, an identity authentication key for authenticating the identity of the client is generated;
511, a pre-binding relationship between the identity authentication key and the device identity is established;
512, the identity authentication key is encrypted with the encryption key preset in the client; the preset encryption key held by the client may be stored in the server in advance and may be a symmetric key, and in implementation the preset encryption key held by the client and the server may also be an asymmetric key;
513, the encryption service generates the server's signature information using an encryption key preset in the server in advance;
514, the API service sends the server's signature information and the encrypted identity authentication key to the client;
515, the client verifies the received signature information with a preset decryption key;
516, the client decrypts the received identity authentication key with a preset decryption key;
517, if signature verification and decryption pass, the client sends a key verification request to the server, the key verification request carrying the device identity, verification information encrypted with the identity authentication key, and a client signature;
518, the encryption service verifies the client signature using the identity authentication key stored in the server;
519, the device service performs time validity verification of the key verification request;
520, if signature verification and time validity verification pass, the identity authentication key pre-bound to the device identity is searched for, and the verification information is decrypted with the found identity authentication key to verify the client's key;
521, if key verification passes, the pre-binding relationship between the identity authentication key and the device identity is changed into a binding relationship;
522, the identity authentication key is encrypted with a key preset in the server;
523, the server's signature information is generated with a key preset in the server;
524, the API service sends the server's signature information and the encrypted identity authentication key to the client again;
525, the client verifies the received signature information with a preset decryption key;
526, the client decrypts the received identity authentication key with a preset decryption key;
and if signature verification and decryption pass, the client stores the identity authentication key.
The embodiment of the disclosure provides an identity authentication method, which can be applied to identity authentication between a terminal provided with a client (application program) and a server.
In a sixth aspect, an embodiment of the present disclosure provides an identity authentication method applicable to the server side, where the server's actions may be executed by a cloud service or a server-side service, for example an application programming interface (API) service, an encryption service or a device service, but not limited thereto. As shown in fig. 6, the method mainly includes:
601, receiving a client identity authentication request and an equipment identity identifier sent by a client and encrypted by an identity authentication key, wherein the method for generating the identity authentication key comprises the following steps: receiving a key acquisition request sent by a client, wherein the key acquisition request carries an equipment identity; generating an identity authentication key for authenticating the identity of the client; establishing a binding relationship between the identity authentication key and the equipment identity identifier, and sending the identity authentication key to the client for storage;
602, searching an identity authentication key corresponding to the equipment identity;
The server has pre-stored the identity authentication key bound to the equipment identity, that is, the identity authentication key corresponding to the equipment identity.
603, authenticating the client by decrypting the encrypted client identity authentication request using the found identity authentication key.
When the identity authentication key is a symmetric key, a symmetric encryption algorithm such as DES or AES may be used for the identity authentication: the client's identity authentication request is encrypted with the identity authentication key by the symmetric encryption algorithm and sent to the server, and the server decrypts the encrypted identity authentication request with the identity authentication key and then performs the authentication judgment to authenticate the user. When an asymmetric key is adopted, an asymmetric encryption algorithm such as RSA may be used: the client's identity authentication request is encrypted with the identity authentication key (private key) by the asymmetric encryption algorithm and sent to the server, and the server decrypts the encrypted identity authentication request with the identity authentication key (public key) and then performs the authentication judgment to authenticate the user.
For a method for generating an identity authentication key, reference may be made to the method for generating an identity authentication key in the first aspect or the second aspect, which is not described in detail in this embodiment.
In a seventh aspect, an embodiment of the present disclosure provides an identity authentication method, which can be applied to a client side, as shown in fig. 7, where the method mainly includes:
701, obtaining an identity authentication key, wherein the method for generating the identity authentication key comprises the following steps: sending a key acquisition request to a server so that the server generates an identity authentication key for authenticating the identity of a client, and establishing a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request; and receiving and storing the identity authentication key sent by the server.
702, encrypting the client identity authentication request by using the identity authentication key;
703, sending the encrypted client identity authentication request to the server together with the equipment identity, so that the server searches for the identity authentication key corresponding to the equipment identity and decrypts the encrypted client identity authentication request by using the found identity authentication key to authenticate the client.
For a method for generating an identity authentication key, reference may be made to the method for generating an identity authentication key in the third aspect or the fourth aspect, which is not described in detail in this embodiment.
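The key verification exchange of steps 517 to 527 above and the identity authentication of the sixth and seventh aspects, simulated end to end as an added Go example; this is not code from the patent or its assignee. It assumes AES-GCM for the symmetric encryption the text leaves open (the text names DES and AES), HMAC-SHA256 under a shared preset key in place of the client's and server's preset signature and signature verification keys, a pre-binding table and a binding table on the server, a fixed verification string as the verification information, and a five-minute window for the time validity check of step 519; every type, function and field name is the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strconv"
	"time"
)

// KeyVerifyRequest is the key verification request of step 517 (all names in this file are this example's own).
type KeyVerifyRequest struct {
	DeviceID  string // equipment identity
	EncVerify []byte // verification information encrypted with the identity authentication key
	Timestamp int64  // Unix seconds, checked for time validity (step 519)
	Sig       []byte // client signature over the three fields above
}
// Server keeps the pre-binding and binding tables keyed by equipment identity.
type Server struct {
	PreBound  map[string][]byte // identity -> key with a pre-binding relationship (caller initialises)
	Bound     map[string][]byte // identity -> key with a binding relationship (caller initialises)
	PresetKey []byte            // preset key for encrypting the delivered identity authentication key
	SignKey   []byte            // preset signing key; HMAC-SHA256 stands in for sign/verify keys (assumption)
}
// gcm/seal/open: AES-GCM with the random 12-byte nonce prefixed; open fails on any key or tag mismatch.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a key of the wrong length is a programming error in this example
	}
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
func sign(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}
func signedMsg(r KeyVerifyRequest) []byte { // "|"-separated; production code should length-prefix the fields
	msg := []byte(r.DeviceID + "|" + strconv.FormatInt(r.Timestamp, 10) + "|")
	return append(msg, r.EncVerify...)
}
// Step 517: the client proves it holds the pre-bound key by encrypting a fixed verification string.
func BuildKeyVerify(devID string, authKey, signKey []byte, ts int64) KeyVerifyRequest {
	r := KeyVerifyRequest{DeviceID: devID, EncVerify: seal(authKey, []byte("verify:"+devID)), Timestamp: ts}
	r.Sig = sign(signKey, signedMsg(r))
	return r
}
// Steps 518-523: signature/time checks, key verification, pre-binding -> binding, key returned encrypted+signed.
func (s *Server) HandleKeyVerify(r KeyVerifyRequest) (encKey, sig []byte, err error) {
	if !hmac.Equal(r.Sig, sign(s.SignKey, signedMsg(r))) {
		return nil, nil, errors.New("client signature invalid")
	}
	if d := time.Since(time.Unix(r.Timestamp, 0)); d > 5*time.Minute || d < -5*time.Minute {
		return nil, nil, errors.New("request outside time validity window")
	}
	key, ok := s.PreBound[r.DeviceID]
	if !ok {
		return nil, nil, errors.New("no pre-bound key for this equipment identity")
	}
	if pt, err := open(key, r.EncVerify); err != nil || string(pt) != "verify:"+r.DeviceID {
		return nil, nil, errors.New("key verification failed")
	}
	delete(s.PreBound, r.DeviceID) // step 521: the pre-binding relationship becomes a binding relationship
	s.Bound[r.DeviceID] = key
	encKey = seal(s.PresetKey, key)
	return encKey, sign(s.SignKey, encKey), nil
}
// Steps 525-527: the client checks the server signature and decrypts the key before storing it.
func AcceptKey(encKey, sig, presetKey, signKey []byte) ([]byte, error) {
	if !hmac.Equal(sig, sign(signKey, encKey)) {
		return nil, errors.New("server signature invalid")
	}
	return open(presetKey, encKey)
}
// Steps 601-603 (client: 702-703): look up the bound key for the equipment identity and decrypt the request.
func (s *Server) Authenticate(devID string, encRequest []byte) ([]byte, error) {
	key, ok := s.Bound[devID]
	if !ok {
		return nil, errors.New("no bound identity authentication key for this equipment identity")
	}
	return open(key, encRequest)
}
```

The client side of the authentication is `seal(authKey, request)` sent together with the equipment identity. Two points the text leaves implicit fall out of the tables: a key that is only pre-bound cannot authenticate, and once step 521 has moved an identity into the binding table a replayed key verification request is refused because the identity is no longer in the pre-binding table. A request encrypted under any key other than the bound one fails the GCM tag check and is rejected the same way as a missing identity.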
Based on the same technical idea, in an eighth aspect, according to the method shown in fig. 1 or fig. 2, another embodiment of the present disclosure further provides an apparatus for generating an identity authentication key, as shown in fig. 8, the apparatus mainly includes:
a receiving unit 810, configured to receive a key acquisition request sent by a client, where the key acquisition request carries an equipment identity;
a generating unit 820, configured to generate an identity authentication key for authenticating the identity of the client;
an establishing unit 830, configured to establish a binding relationship between the identity authentication key and the device identity;
a sending unit 840, configured to send the identity authentication key to the client for storage.
In some embodiments, as shown in fig. 9, further comprising:
a creating unit 850, configured to, before receiving a key obtaining request sent by a client, create an equipment identity for the client after receiving an equipment identity obtaining request sent by the client;
a sending unit 840, configured to send the device identity to the client.
In some embodiments, there is further included:
a decryption unit 860, configured to, when the device identity carried in the key acquisition request is the device identity encrypted by using the encryption key preset by the client, decrypt the encrypted device identity by using a decryption key corresponding to the encryption key preset by the client before generating an identity authentication key for authenticating the identity of the client;
the generating unit 820 is specifically configured to generate the identity authentication key if the decryption is successful.
In some embodiments, there is further included:
a signature verification unit 870, configured to, when the key acquisition request further carries signature information signed by using a signature key preset by the client, if decryption is successful, verify the signature information by using a signature verification key preset by the client before generating the identity authentication key;
the generating unit 820 is specifically configured to generate the identity authentication key if the verification passes.
In some embodiments,
the establishing unit 830 is specifically configured to directly establish a binding relationship between the identity authentication key and the device identity;
or,
the establishing unit 830 is specifically configured to establish a pre-binding relationship between the identity authentication key and the device identity, send the pre-bound identity authentication key to the client, receive a key verification request sent by the client, where the key verification request carries the device identity and verification information encrypted with the identity authentication key, search for the identity authentication key having a pre-binding relationship with the device identity, decrypt the verification information by using the found identity authentication key to perform key verification on the client, and modify the pre-binding relationship between the identity authentication key and the device identity into a binding relationship if the key verification passes.
In some embodiments, the establishing unit 830 is specifically configured to encrypt the identity authentication key by using the encryption key preset in the client and send the encrypted identity authentication key to the client, so that the client decrypts the received identity authentication key by using a preset decryption key and stores the decrypted identity authentication key.
The identity authentication key generation device provided by the embodiment of the eighth aspect may be configured to execute the identity authentication key generation method provided by the embodiment of the first aspect or the second aspect, and the related meanings and specific implementations may refer to the related descriptions in the embodiment of the first aspect or the second aspect, and are not described in detail here.
Based on the same inventive concept, in a ninth aspect, according to the method shown in fig. 3 or fig. 4, another embodiment of the present disclosure further provides an apparatus for generating an identity authentication key, as shown in fig. 10, the apparatus mainly includes:
a sending unit 910, configured to send a key acquisition request to a server, so that the server generates an identity authentication key for authenticating a client identity, and establishes a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
a saving unit 920, configured to receive and save the identity authentication key sent by the server.
In some embodiments, as shown in fig. 11, further comprising:
a sending unit 910, configured to send an equipment identity obtaining request to a server before sending the key obtaining request to the server, so that the server creates an equipment identity;
a receiving unit 930, configured to receive the device identity sent by the server.
In some embodiments, the sending unit 910 includes:
an encryption module 911, configured to encrypt the device identity with an encryption key preset by the client;
a sending module 912, configured to send a key obtaining request carrying the encrypted device identity to the server, so that the server decrypts the encrypted device identity using a decryption key corresponding to the encryption key preset by the client, and if decryption is successful, generates the identity authentication key.
In some embodiments, the sending unit 910 further includes:
a signature module 913, configured to generate signature information by using a signature key preset by the client;
the sending module 912 is further configured to send a key obtaining request carrying the signature information to the server, so that before the identity authentication key is generated if decryption is successful, the server checks the signature of the signature information by using a signature checking key preset by the client, and if the signature checking passes, the identity authentication key is generated.
In some embodiments,
the saving unit 920 is specifically configured to receive and directly store the identity authentication key sent by the server;
or,
the saving unit 920 is specifically configured to send a key verification request to the server after receiving the identity authentication key sent by the server, where the key verification request carries an equipment identity and verification information encrypted by using the identity authentication key, so that the server searches for an identity authentication key having a pre-binding relationship with the equipment identity, decrypts the verification information by using the searched identity authentication key, and performs key verification on the client, and if the key verification passes, modifies the pre-binding relationship between the identity authentication key and the equipment identity to be a binding relationship; and after receiving the key verification passing information sent by the server, storing the identity authentication key sent by the server.
In some embodiments, the saving unit 920 is specifically configured to decrypt the received identity authentication key with a preset decryption key and then save the decrypted identity authentication key.
The identity authentication key generation device provided by the embodiment of the ninth aspect may be configured to execute the identity authentication key generation method provided by the embodiment of the third aspect or the fourth aspect, and the related meanings and specific embodiments may be referred to in the description of the embodiment of the third aspect or the fourth aspect, and are not described in detail here.
In a tenth aspect, as shown in fig. 12, an embodiment of the present disclosure provides an apparatus for identity authentication, the apparatus including:
a receiving unit 111, configured to receive a client identity authentication request and an equipment identity identifier sent by a client and encrypted by an identity authentication key, where the identity authentication key is generated by the method of the first aspect or the second aspect;
a searching unit 112, configured to search for an identity authentication key corresponding to the device identity;
an identity verification unit 113, configured to perform identity verification on the client by decrypting the encrypted client identity authentication request using the found identity authentication key.
In an eleventh aspect, as shown in fig. 13, an embodiment of the present disclosure provides an apparatus for identity authentication, the apparatus including:
an obtaining unit 121, configured to obtain an identity authentication key, where the identity authentication key is generated by the method according to the third aspect or the fourth aspect;
an encrypting unit 122, configured to encrypt the client identity authentication request using the identity authentication key;
a sending unit 123, configured to send the encrypted client identity authentication request to a server together with an equipment identity, so that the server searches for the identity authentication key corresponding to the equipment identity and decrypts the encrypted client identity authentication request by using the found identity authentication key to authenticate the client.
In a twelfth aspect, an embodiment of the present disclosure provides a storage medium, where the storage medium includes a stored program, and when the program runs, the apparatus where the storage medium is located is controlled to execute the method for generating an identity authentication key according to the first aspect, the second aspect, the fourth aspect, or the fifth aspect.
The storage medium may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
In a thirteenth aspect, an embodiment of the present disclosure provides a storage medium, where the storage medium includes a stored program, and when the program runs, the apparatus where the storage medium is located is controlled to execute the identity authentication method according to the first aspect, the second aspect, the fourth aspect, or the fifth aspect.
The storage medium may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
In a fourteenth aspect, an embodiment of the present disclosure provides an apparatus for generating an identity authentication key, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions are operable to perform the method for generating an authentication key according to the first aspect or the second aspect.
In a fifteenth aspect, an embodiment of the present disclosure provides an apparatus for generating an authentication key, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions when executed perform the method for generating an identity authentication key according to the third aspect or the fourth aspect.
In a sixteenth aspect, embodiments of the present disclosure provide an apparatus for identity authentication, the apparatus including a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions when executed perform the identity authentication method of the fifth aspect.
In a seventeenth aspect, embodiments of the present disclosure provide an apparatus for identity authentication, the apparatus comprising a storage medium; and one or more processors, the storage medium coupled with the processors, the processors configured to execute program instructions stored in the storage medium; the program instructions when executed perform the method of identity authentication of the sixth aspect.
In an eighteenth aspect, an embodiment of the present disclosure provides a system for generating an identity authentication key, including: a terminal and a server; the server comprises the identity authentication key generation device of the fourteenth aspect; the terminal comprises the identity authentication key generation device of the fifteenth aspect.
In a nineteenth aspect, an embodiment of the present disclosure provides a system for identity authentication, including: a terminal and a server; the server comprises the identity authentication key generation device of the sixteenth aspect; the terminal comprises the identity authentication key generation device of the seventeenth aspect.
In a twentieth aspect, embodiments of the present disclosure provide a vehicle, comprising: the apparatus for generating an identity authentication key according to the ninth aspect of the detailed description.
In a twenty-first aspect, embodiments of the present disclosure provide a vehicle, comprising: an apparatus for authenticating an identity as set forth in the eleventh aspect of the detailed description.
In a twenty-second aspect, an embodiment of the present disclosure provides a system for generating an identity authentication key, including: a vehicle and a server;
the server comprises an identity authentication key generation device according to the eighth aspect of the specific embodiment;
the vehicle includes the apparatus for generating an authentication key according to the ninth aspect of the embodiment.
In a twenty-third aspect, an embodiment of the present disclosure provides a system for identity authentication, including: a vehicle and a server;
the server comprises an identity authentication key generation device according to the tenth aspect of the specific embodiment;
the vehicle comprises an identity authentication device according to the eleventh aspect of the specific embodiment.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, embodiments of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (24)

1. A method for generating an authentication key, the method comprising:
receiving a key acquisition request sent by a client, wherein the key acquisition request carries an equipment identity;
generating an identity authentication key for authenticating the identity of the client;
and establishing a binding relationship between the identity authentication key and the equipment identity identifier, and sending the identity authentication key to the client for storage.
2. The method according to claim 1, before receiving the key obtaining request sent by the client, further comprising:
after receiving an equipment identity acquisition request sent by the client, establishing an equipment identity for the client;
and sending the equipment identity to the client.
3. The method according to claim 1, wherein when the device identity carried in the key acquisition request is the device identity encrypted by using the encryption key preset by the client, before generating an identity authentication key for authenticating the identity of the client, the method further comprises:
decrypting the encrypted equipment identity by using a decryption key corresponding to an encryption key preset by the client;
generating an identity authentication key for authenticating the client identity comprises:
and if the decryption is successful, generating the identity authentication key.
4. The method according to claim 3, wherein when the key acquisition request further carries signature information signed by using a signature key preset by the client, if decryption is successful, before generating the identity authentication key, the method further comprises:
verifying the signature information by using a signature verification key preset by the client;
and if the signature verification passes, generating the identity authentication key.
5. The method of claim 1, wherein establishing the binding relationship between the authentication key and the device identity comprises:
directly establishing a binding relationship between the identity authentication key and the equipment identity;
or,
establishing a pre-binding relationship between the identity authentication key and the equipment identity, sending the pre-bound identity authentication key to the client, receiving a key verification request sent by the client, wherein the key verification request carries the equipment identity and verification information encrypted by using the identity authentication key, searching for the identity authentication key having a pre-binding relationship with the equipment identity, decrypting the verification information by using the found identity authentication key to verify the key of the client, and if the key verification passes, modifying the pre-binding relationship between the identity authentication key and the equipment identity into a binding relationship.
6. The method according to claim 1, wherein sending the identity authentication key to the client for storage specifically comprises:
and encrypting the identity authentication key by using the preset encryption key in the client and then sending the encrypted identity authentication key to the client, so that the client decrypts the received identity authentication key by using the preset decryption key and stores the decrypted identity authentication key.
7. A method for generating an authentication key, the method comprising:
sending a key acquisition request to a server so that the server generates an identity authentication key for authenticating the identity of a client, and establishing a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
and receiving and storing the identity authentication key sent by the server.
8. The method of claim 7, further comprising, prior to sending the key acquisition request to the server:
sending an equipment identity acquisition request to a server so that the server can create an equipment identity;
and receiving the equipment identity sent by the server.
9. The method of claim 7, wherein sending a key acquisition request to a server for the server to generate an identity authentication key for authenticating the identity of a client comprises:
encrypting the equipment identity by using an encryption key preset by the client;
and sending a key acquisition request carrying the encrypted equipment identity to a server so that the server decrypts the encrypted equipment identity by using a decryption key corresponding to an encryption key preset by the client, and if decryption is successful, generating the identity authentication key.
10. The method of claim 9, wherein before generating the authentication key if the decryption is successful, further comprising:
generating signature information by signing with a signature key preset by the client;
and sending a key acquisition request carrying the signature information to a server so that the server checks the signature of the signature information by using a signature checking key preset by the client, and if the signature checking passes, generating the identity authentication key.
11. The method of claim 7, wherein receiving and storing the authentication key sent by the server comprises:
receiving and directly storing the identity authentication key sent by the server;
or,
after receiving an identity authentication key sent by the server, sending a key verification request to the server, wherein the key verification request carries an equipment identity identifier and verification information encrypted by using the identity authentication key, so that the server searches for the identity authentication key having a pre-binding relationship with the equipment identity identifier, decrypts the verification information by using the searched identity authentication key to verify the key of the client, and if the key verification is passed, modifies the pre-binding relationship between the identity authentication key and the equipment identity identifier into a binding relationship; and after receiving the key verification passing information sent by the server, storing the identity authentication key sent by the server.
12. The method according to claim 1, wherein receiving and storing the identity authentication key sent by the server specifically includes:
and after the received identity authentication key is decrypted by using a preset decryption key, the decrypted identity authentication key is stored.
13. A method of identity authentication, the method comprising:
receiving a client identity authentication request and an equipment identity identifier which are sent by a client and encrypted by an identity authentication key, wherein the identity authentication key is generated by the method of any one of claims 1-6;
searching an identity authentication key corresponding to the equipment identity;
and decrypting the encrypted client authentication request by using the searched authentication key to authenticate the client.
14. A method of identity authentication, the method comprising:
obtaining an authentication key, the authentication key being generated by the method of any one of claims 7-12;
encrypting the client identity authentication request by using the identity authentication key;
and sending the encrypted client identity authentication request to a server by carrying an equipment identity identifier, so that the server searches an identity authentication key corresponding to the equipment identity identifier, and decrypts the encrypted client identity authentication request by using the searched identity authentication key to authenticate the identity of the client.
15. An apparatus for generating an authentication key, the apparatus comprising:
a receiving unit, configured to receive a key acquisition request sent by a client, wherein the key acquisition request carries an equipment identity;
the generating unit is used for generating an identity authentication key for authenticating the identity of the client;
an establishing unit, configured to establish a binding relationship between the identity authentication key and the device identity,
and the sending unit is used for sending the identity authentication key to the client for storage.
16. An apparatus for generating an authentication key, the apparatus comprising:
a sending unit, configured to send a key acquisition request to a server, so that the server generates an identity authentication key for authenticating a client identity, and establishes a binding relationship between the identity authentication key and an equipment identity carried in the key acquisition request;
and the storage unit is used for receiving and storing the identity authentication key sent by the server.
17. An apparatus for identity authentication, the apparatus comprising:
a receiving unit, configured to receive, from a client, a client identity authentication request encrypted by an identity authentication key together with an equipment identity identifier, where the identity authentication key is generated by the method of any one of claims 1 to 6;
a searching unit, configured to search for the identity authentication key corresponding to the equipment identity identifier;
and an identity verification unit, configured to authenticate the identity of the client by decrypting the encrypted client identity authentication request using the identity authentication key found.
18. An apparatus for identity authentication, the apparatus comprising:
an obtaining unit, configured to obtain an authentication key, where the authentication key is generated by the method of any one of claims 7 to 12;
the encryption unit is used for encrypting the client identity authentication request by using the identity authentication key;
and a sending unit, configured to send the encrypted client identity authentication request, together with the equipment identity identifier, to the server, so that the server searches for the identity authentication key corresponding to the equipment identity identifier and decrypts the encrypted client identity authentication request by using the identity authentication key found, so as to authenticate the identity of the client.
19. A system for generating an authentication key, comprising: a terminal and a server;
the server comprises the generation device of the identity authentication key of claim 15;
the terminal comprises the apparatus for generating an authentication key according to claim 16.
20. A system for identity authentication, comprising: a terminal and a server;
the server comprises the identity authentication apparatus of claim 17;
the terminal comprises the identity authentication apparatus of claim 18.
21. A vehicle comprising the apparatus for generating an authentication key according to claim 16.
22. A vehicle comprising the apparatus for authenticating identity of claim 18.
23. A system for generating an authentication key, comprising: a vehicle and a server;
the server comprises the generation device of the identity authentication key of claim 15;
the vehicle includes the apparatus for generating an authentication key according to claim 16.
24. A system for identity authentication, comprising: a vehicle and a server;
the server comprises the identity authentication apparatus of claim 17;
the vehicle comprises the apparatus for identity authentication of claim 18.
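The two flows the claims describe (key provisioning with a pre-binding that becomes a binding only after key verification, claims 11-12 and 15-16; then encrypted identity authentication looked up by equipment identity identifier, claims 13-14 and 17-18) can be walked through end to end in a short simulation. The following is an added example written for this page, not code from the patent or its assignee. The claims name no cipher, so an HMAC-SHA256 based encrypt-then-MAC construction stands in for "encrypting with the identity authentication key" (assumption); the "preset decryption key" of claim 12 is modelled as a symmetric key shared out of band (assumption), and the verification information the client encrypts is taken to be a fixed string containing its own identifier (assumption, since the claims do not say what it contains). The server state names, device identifiers and keys are all constructed for the demonstration.

```python
"""Simulation of the claimed provisioning and authentication flow (added example).
The cipher below is a stand-in (assumption): HMAC-SHA256 counter-mode keystream
plus an HMAC tag, so a wrong key is detected by tag failure, not by garbage output."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 over nonce || counter (stand-in cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(k_enc, nonce, len(ct))))


class Server:
    """Key table keyed by equipment identity identifier; state is 'pre-bound' until verified."""

    def __init__(self, preset_key: bytes):
        self.preset_key = preset_key   # claim 12: protects the issued key in transit (assumption)
        self.keys = {}                 # device_id -> (identity authentication key, state)

    def handle_key_request(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[device_id] = (key, "pre-bound")    # claim 11: pre-binding relationship
        return encrypt(self.preset_key, key)

    def handle_key_verification(self, device_id: str, enc_info: bytes) -> bool:
        entry = self.keys.get(device_id)
        if entry is None or entry[1] != "pre-bound":
            return False
        key, _ = entry
        if decrypt(key, enc_info) != b"verify:" + device_id.encode():   # constructed content
            return False
        self.keys[device_id] = (key, "bound")        # pre-binding becomes binding
        return True

    def handle_auth(self, device_id: str, enc_request: bytes):
        """Claim 13: look up the key bound to the identifier, decrypt, authenticate."""
        entry = self.keys.get(device_id)
        if entry is None or entry[1] != "bound":
            return None
        return decrypt(entry[0], enc_request)


class Client:
    def __init__(self, device_id: str, preset_key: bytes):
        self.device_id, self.preset_key, self.key = device_id, preset_key, None

    def provision(self, server: Server) -> bool:
        key = decrypt(self.preset_key, server.handle_key_request(self.device_id))   # claim 12
        if key is None:
            return False
        info = b"verify:" + self.device_id.encode()
        if not server.handle_key_verification(self.device_id, encrypt(key, info)):
            return False
        self.key = key   # stored only after key verification passes (claim 11)
        return True

    def authenticate(self, server: Server, request: bytes):
        if self.key is None:
            return None
        return server.handle_auth(self.device_id, encrypt(self.key, request))


def run_demo():
    preset = b"\x01" * 32                      # constructed preset key
    server = Server(preset)
    good = Client("VIN-EXAMPLE-001", preset)
    provisioned = good.provision(server)
    auth = good.authenticate(server, b"auth:VIN-EXAMPLE-001")
    # A device whose key is only pre-bound, and which holds a guessed key, is refused.
    stranger = Client("VIN-EXAMPLE-002", preset)
    server.handle_key_request(stranger.device_id)
    stranger.key = secrets.token_bytes(32)
    return provisioned, auth, stranger.authenticate(server, b"auth:VIN-EXAMPLE-002")


if __name__ == "__main__":
    print(run_demo())   # (True, b'auth:VIN-EXAMPLE-001', None)
```

The point worth noticing for a defender is the state check in `handle_auth`: a key that was issued but never confirmed through the key verification step stays "pre-bound" and is never accepted for authentication, which is what the pre-binding-to-binding transition in claim 11 buys over a scheme that binds the key at issuance.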
CN201910384523.3A 2019-05-09 2019-05-09 Identity authentication key generation method, identity authentication method, device and system Pending CN111917536A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910384523.3A CN111917536A (en) 2019-05-09 2019-05-09 Identity authentication key generation method, identity authentication method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910384523.3A CN111917536A (en) 2019-05-09 2019-05-09 Identity authentication key generation method, identity authentication method, device and system

Publications (1)

Publication Number Publication Date
CN111917536A true CN111917536A (en) 2020-11-10

Family

ID=73242832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910384523.3A Pending CN111917536A (en) 2019-05-09 2019-05-09 Identity authentication key generation method, identity authentication method, device and system

Country Status (1)

Country Link
CN (1) CN111917536A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752306A (en) * 2012-07-09 2012-10-24 广州杰赛科技股份有限公司 Digital media management method and system based on identification
CN104065652A (en) * 2014-06-09 2014-09-24 韩晟 Method, device and system for identity verification and related device
CN107113315A (en) * 2016-04-15 2017-08-29 深圳前海达闼云端智能科技有限公司 Identity authentication method, terminal and server
US20180357638A1 (en) * 2015-06-30 2018-12-13 Boe Technology Group Co., Ltd. Identity information authentication method, user terminal, service terminal, authentication server, and service system
CN109067766A (en) * 2018-08-30 2018-12-21 郑州云海信息技术有限公司 A kind of identity identifying method, server end and client
CN109712278A (en) * 2018-11-27 2019-05-03 深圳市小石安防科技有限公司 Intelligent door lock identity identifying method, system, readable storage medium storing program for executing and mobile terminal

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637157A (en) * 2020-12-14 2021-04-09 国网电动汽车服务有限公司 Access method of credible battery replacement equipment
CN112887308A (en) * 2021-01-26 2021-06-01 许少建 Non-inductive network identity authentication method and system
CN112887308B (en) * 2021-01-26 2022-08-23 许少建 Non-inductive network identity authentication method and system
CN113132944A (en) * 2021-04-22 2021-07-16 上海银基信息安全技术股份有限公司 Multi-channel secure communication method, device, vehicle end, equipment end and medium
CN113132944B (en) * 2021-04-22 2023-10-20 上海银基信息安全技术股份有限公司 Multi-path secure communication method, device, vehicle end, equipment end and medium
CN115174040A (en) * 2022-02-22 2022-10-11 重庆长安汽车股份有限公司 Method, system, vehicle and medium for injecting and updating secret key of in-vehicle controller

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201110