CN113626777A - Identity authentication method, storage medium and electronic device - Google Patents

Identity authentication method, storage medium and electronic device

Info

Publication number: CN113626777A
Authority: CN (China)
Prior art keywords: tee, user, equipment, identity authentication, user equipment
Legal status: Pending
Application number: CN202010383065.4A
Other languages: Chinese (zh)
Inventors: 刘玭娉, 高贵锦
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN202010383065.4A; publication of CN113626777A; legal status pending

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
            • G06F21/31 User authentication
                • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
            • G06F21/44 Program or device authentication
        • G06F21/60 Protecting data
            • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3226 (H04L9/32) using a predetermined code, e.g. password, passphrase or PIN
            • H04L9/3247 (H04L9/32) involving digital signatures
            • H04L9/3271 (H04L9/32) using challenge-response

Abstract

The application provides an identity authentication method, a storage medium and an electronic device. The method comprises the following steps: an IDP determines the TEE device associated with a user device according to the authentication request of the user device; the user device establishes a communication connection with the TEE device and sends its identity authentication parameters to the TEE device; the TEE device forwards the identity authentication parameters of the user device to the IDP; and the IDP receives the identity authentication parameters from the TEE device and, using the TEE device, authenticates the user of the user device according to those parameters. The method can be deployed on electronic devices without a TEE, so that such non-TEE devices can offer users a secure authentication service by means of a TEE device.

Description

Identity authentication method, storage medium and electronic device
Technical Field
One or more embodiments of the present application relate generally to the field of identity authentication of information security technologies, and in particular, to an identity authentication method, a storage medium, and an electronic device.
Background
A Trusted Execution Environment (TEE) is a secure area within the host processor. It runs in a relatively independent environment, in parallel with the main operating system, and the confidentiality and integrity of the code and data loaded into the TEE are protected. Because both hardware and software are used to protect data and code, this parallel system is more secure than a conventional system (i.e., a Rich Execution Environment). Trusted applications running in the TEE can access the full functionality of the device's main processor and memory, while hardware isolation protects the TEE's components from user-installed applications running in the main operating system.
Currently, full-scene services for intelligent devices are widely deployed worldwide. In a full-scene service, for the convenience of the user, every intelligent device must let the user log in with a user account and then perform the corresponding application security authentication, data synchronization, web browsing, messaging operations and the like. This requires every intelligent device to use a TEE chip; otherwise data and the account can be falsified or counterfeited, which in turn leads to leakage of the user's account information and malicious control of the user account.
It will be appreciated that if all smart devices use TEE chips, chip complexity and process/development costs rise significantly. In addition, smart devices without a TEE chip that users have already purchased also pose a security risk in the increasingly popular full-scene services.
Disclosure of Invention
Some embodiments of the present application provide an identity authentication method, a storage medium, and an electronic device. The present application is described below in terms of several aspects, embodiments and advantages of which are mutually referenced.
To address the above problem, in a first aspect, an embodiment of the present application provides an identity authentication method for an identity authentication system, where the system includes a user equipment without a Trusted Execution Environment (TEE) unit, a TEE device with a TEE unit, and an identity provider (IDP), and the TEE device assists the user equipment in identity authentication. The method includes: the IDP determines the TEE device associated with the user equipment according to an authentication request sent by the user equipment; after the associated TEE device has been determined, the user equipment establishes a communication connection with it and sends the identity authentication parameters of the user equipment to the TEE device, the parameters being used for the identity authentication executed by the IDP; the TEE device sends the identity authentication parameters of the user equipment to the IDP; and the IDP receives the identity authentication parameters of the user equipment from the TEE device and performs the authentication step of an authentication protocol with the TEE device according to those parameters, so that the identity authentication of the user equipment is achieved.
As can be seen from the foregoing implementation of the first aspect, the implementation of the present application may be deployed on a non-TEE electronic device, so that the non-TEE device may provide a secure SSO service for a user by using a TEE device such as a smart phone, and the problem that the non-TEE device cannot obtain security protection is solved. And by utilizing the TEE mechanism, the security of the whole authentication process of the user equipment is protected by the TEE.
With reference to the first aspect, in some embodiments, the user equipment is further configured to: a flag indicating that the user equipment does not have a TEE unit is sent to the IDP.
With reference to the first aspect, in some embodiments, determining a TEE device associated with a user equipment includes: the IDP receives an identity authentication account number from the user equipment and an identity authentication account number from the TEE equipment; the IDP determines that the user equipment has the associated TEE equipment under the condition that the identity authentication account of the user equipment is the same as or associated with the identity authentication account from the TEE equipment.
With reference to the first aspect, in some embodiments, the identity authentication system further includes an association device, and the method further includes: the association device receives an identity authentication account from the user device and a flag indicating, at least in part, that the user device does not have a TEE unit; the association device receives an identity authentication account from the TEE device and a flag indicating, at least in part, that the TEE device has a TEE unit; and the association device associates the user device and the TEE device with the identity authentication account when it determines that the identity authentication account of the user device is the same as that of the TEE device.
With reference to the first aspect, in some embodiments, determining a TEE device associated with a user equipment comprises: the IDP sends a request to the association device asking whether the user device has an associated TEE device; the IDP determines the TEE device associated with the user equipment according to the response of the association device.
In a second aspect, embodiments of the present application provide an identity authentication method for a user equipment, where the user equipment does not have a Trusted Execution Environment (TEE) unit, the method including: establishing a communication connection with a TEE device having a TEE unit, wherein the TEE device is associated with a user equipment; and sending the identity authentication parameter of the user equipment to the TEE equipment, wherein after the TEE equipment sends the identity authentication parameter to an identity provider (IDP), the IDP performs identity authentication on the user of the user equipment by utilizing the TEE equipment according to the identity authentication parameter.
As can be seen from the foregoing embodiments of the second aspect, the embodiments of the present application may be deployed on a non-TEE electronic device, so that the non-TEE device may provide a secure SSO service for a user by using a TEE device such as a smart phone, and the problem that the non-TEE device cannot obtain security protection is solved. And, by using the TEE mechanism, the security of the whole authentication process of the user equipment is protected by the TEE. And as long as the user equipment is associated with at least one TEE device, the TEE device can provide a trusted execution environment for various user equipment without the trusted execution environment, thereby realizing the safe authentication and login of the user equipment.
In combination with the second aspect, in some embodiments, further comprising: sending a flag to the IDP indicating at least in part that the user equipment does not have a TEE unit; receiving a request from the IDP confirming whether to use the TEE equipment for identity authentication; and sending information to the IDP that determines to authenticate the user of the user equipment using the TEE device.
In combination with the second aspect, in some embodiments, further comprising: and sending the identity authentication account of the user equipment to the IDP.
In combination with the second aspect, in some embodiments, further comprising: an identity authentication account of the user device and a flag indicating, at least in part, that the user device does not have a TEE unit are sent to the associated device.
With reference to the second aspect, in some embodiments, the TEE device is associated with the user device in the event that the authentication account of the user device is the same as or associated with the authentication account from the TEE device.
In the embodiment of the application, as long as at least one TEE device is registered under the identity authentication account of the user, the TEE device can provide a trusted execution environment for other various user devices without the trusted execution environment under the identity authentication account of the user, so that the user device can log in safely.
With reference to the second aspect, in some embodiments, the authentication parameters include at least one of a device serial number and a device identification number of the user equipment.
With reference to the second aspect, in some embodiments, the user equipment has another authentication account, where the another authentication account of the user equipment is the same as an authentication account of another TEE device, where the another TEE device has a TEE unit.
In a third aspect, embodiments of the present application provide an identity authentication method for a Trusted Execution Environment (TEE) device, where the TEE device has a TEE unit, the method including: establishing a communication connection with a user equipment that does not have a TEE unit, where the TEE device is associated with the user equipment; receiving identity authentication parameters from the user equipment, where the identity authentication parameters are used for identity authentication of the user of the user equipment; and sending the authentication parameters to an identity provider (IDP), so that the IDP authenticates the user of the user device with the TEE device according to the authentication parameters.
As can be seen from the foregoing embodiments of the third aspect, as long as the user equipment is associated with at least one TEE device, the TEE device may provide a trusted execution environment for various user equipments without a trusted execution environment, so as to implement secure authentication and login of the user equipment.
With reference to the third aspect, in some embodiments, establishing a communication connection with a user equipment includes: receiving a request from the IDP to determine whether the TEE device is online; establishing a communication connection with the user equipment in response to the request; and sending information that the TEE device is online to the IDP.
With reference to the third aspect, in some embodiments, the method further includes: sending an identity authentication account of the TEE device to the association device, together with a flag indicating, at least in part, that the TEE device has a TEE unit.
With reference to the third aspect, in some embodiments, the method further includes: sending an identity authentication account of the TEE device to the IDP, together with a flag indicating, at least in part, that the TEE device has a TEE unit.
With reference to the third aspect, in some embodiments, the TEE device is associated with the user device in the event that the authentication account of the user device is the same as or associated with the authentication account from the TEE device.
With reference to the third aspect, in some embodiments, the authentication parameters include at least one of a device serial number and a device identification number of the user equipment.
In a fourth aspect, an embodiment of the present application provides an identity authentication method for an identity provider (IDP), including: receiving an authentication request of a user device, wherein the user device does not have a Trusted Execution Environment (TEE) unit; in response to the authentication request, determining whether the user equipment has an associated TEE device, wherein the TEE device has a TEE unit; and receiving the identity authentication parameter of the user equipment sent by the TEE equipment at least partially based on the condition that the user equipment has the associated TEE equipment, and authenticating the user of the user equipment by utilizing the TEE equipment according to the identity authentication parameter.
As can be seen from the foregoing implementation manner of the fourth aspect, in the implementation manner of the present application, as long as at least one TEE device is registered under an identity authentication account of a user, the TEE device may provide a trusted execution environment for various other user devices that do not have a trusted execution environment under the identity authentication account of the user, so as to implement secure login of the user device.
With reference to the fourth aspect, in some embodiments, further comprising: information is received from a user device indicating that the user device does not have a Trusted Execution Environment (TEE) unit.
With reference to the fourth aspect, in some embodiments, determining whether the user equipment has an associated TEE device further comprises: sending a request to the association device asking whether the user device has an associated TEE device.
With reference to the fourth aspect, in some embodiments, determining whether the user equipment has an associated TEE device further comprises: receiving an identity authentication account number from user equipment and an identity authentication account number from TEE equipment; determining that the user equipment has associated TEE equipment under the condition that the identity authentication account of the user equipment is the same as or associated with the identity authentication account from the TEE equipment; and determining that the user equipment does not have the associated TEE equipment under the condition that the identity authentication account number of the user equipment is different from or not associated with the identity authentication account number from the TEE equipment.
With reference to the fourth aspect, in some embodiments, further comprising: under the condition that the user equipment has associated TEE equipment, sending a request for confirming that the TEE equipment is on line to the TEE equipment; receiving information from the TEE equipment for confirming that the TEE equipment is on line; and receiving the identity authentication parameters of the user equipment sent by the TEE equipment, and performing identity authentication on the user of the user equipment according to the identity authentication parameters.
With reference to the fourth aspect, in some embodiments, authenticating a user of a user equipment with a TEE device according to an authentication parameter includes: and performing identity authentication on the user of the user equipment by utilizing the identity authentication parameters and interacting encrypted data based on the identity authentication parameters with the TEE equipment.
With reference to the fourth aspect, in some embodiments, the encrypted data comprises: a challenge value encrypted with an encryption key and a credential value encrypted with a verification key, where the encryption key and the verification key are generated based on the authentication parameters.
In combination with the fourth aspect, in some embodiments, the authentication parameter includes at least one of a device serial number and a device identification number of the user equipment.
In a fifth aspect, an embodiment of the present application provides an identity authentication method for an associated device, including: receiving an identity authentication account sent by user equipment and TEE equipment, wherein the user equipment does not have a Trusted Execution Environment (TEE) unit, and the TEE equipment has a TEE unit; establishing association between the user equipment and the TEE equipment according to the received identity authentication account; and responding to a request of an identity provider (IDP), determining a TEE device associated with the user equipment requesting identity authentication, wherein the TEE device is used for sending the identity authentication parameters of the user equipment to the IDP, and the IDP authenticates the user of the user equipment according to the identity authentication parameters and by utilizing the TEE device.
As can be seen from the foregoing implementation of the fifth aspect, in the implementation of the present application, as long as at least one TEE device is registered under the user's identity authentication account, the TEE device may provide a trusted execution environment for various other user devices that do not have a trusted execution environment under the user's identity authentication account, so as to implement secure login of the user device.
With reference to the fifth aspect, in some embodiments, establishing an association between the user equipment and the TEE device according to the received identity authentication account includes: and under the condition that the identity authentication account number of the user equipment is determined to be the same as or associated with the identity authentication account number of the TEE equipment, associating the user equipment with the TEE equipment.
With reference to the fifth aspect, in some embodiments, determining, in response to a request by an identity provider (IDP), a TEE device associated with a user device requesting authentication comprises: receiving a request from an identity provider (IDP) to query whether a user device is associated with a TEE device; querying that the user equipment is associated with the TEE equipment; and returning information that the user equipment is associated with the TEE device to the IDP.
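The five aspects above describe one exchange from the viewpoint of each party. The following is an added example, not code from the patent or from Huawei, that simulates that exchange in Python: an association device that matches accounts, an IDP that checks the no-TEE flag and the association before running the challenge-response of the fourth aspect, and a TEE device that answers inside its TEE unit. The per-account secret, the HMAC-based key derivation and the HMAC-keystream cipher are assumptions standing in for whatever a deployment would provision and use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def derive_key(secret: bytes, label: bytes, params: bytes) -> bytes:
    """Key derivation (assumption): HMAC-SHA256 over a label and the auth parameters."""
    return hmac.new(secret, label + b"|" + params, hashlib.sha256).digest()


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode XORed onto
    the data. Symmetric, so the same call decrypts; a deployment would use an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class UserDevice:
    """Second aspect: a device without a TEE unit (smart speaker, IoT device, ...)."""
    device_id: str
    serial: str
    account: str


@dataclass
class AssociationDevice:
    """Fifth aspect: records which account each device registered under, with its TEE flag."""
    registry: dict = field(default_factory=dict)  # device_id -> (account, has_tee)

    def register(self, device_id: str, account: str, has_tee: bool) -> None:
        self.registry[device_id] = (account, has_tee)

    def associated_tee(self, ue_id: str):
        """Answer the IDP: a TEE device registered under the same account as the UE, or None."""
        account = self.registry.get(ue_id, (None, None))[0]
        tees = [d for d, (a, has_tee) in self.registry.items() if has_tee and a == account]
        return tees[0] if account is not None and tees else None


@dataclass
class TeeDevice:
    """Third aspect: phone with a TEE unit; `secret` is an assumed per-account secret from registration."""
    device_id: str
    account: str
    secret: bytes
    online: bool = True

    def answer_challenge(self, params: bytes, nonce: bytes, enc_challenge: bytes) -> bytes:
        # inside the TEE unit: decrypt the challenge, return the credential encrypted under ver_key
        enc_key = derive_key(self.secret, b"enc", params)
        ver_key = derive_key(self.secret, b"ver", params)
        challenge = xor_keystream(enc_key, nonce, enc_challenge)
        credential = hmac.new(ver_key, b"cred|" + challenge, hashlib.sha256).digest()
        return xor_keystream(ver_key, nonce, credential)


@dataclass
class IdentityProvider:
    """Fourth aspect: picks the assisting TEE device, then runs the challenge-response with it."""
    assoc: AssociationDevice
    tee_devices: dict  # device_id -> TeeDevice
    account_secrets: dict  # account -> secret shared with that account's TEE device

    def find_tee(self, ue_id: str, account: str, has_tee: bool):
        # the "no TEE unit" flag selects this path; the named TEE device must share the UE's account
        tee = None if has_tee else self.tee_devices.get(self.assoc.associated_tee(ue_id))
        return tee if tee is not None and tee.account == account else None

    def verify(self, tee: TeeDevice, account: str, params: bytes) -> str:
        # encryption key and verification key are both derived from the auth parameters
        secret = self.account_secrets[account]
        enc_key, ver_key = derive_key(secret, b"enc", params), derive_key(secret, b"ver", params)
        challenge, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        response = tee.answer_challenge(params, nonce, xor_keystream(enc_key, nonce, challenge))
        expected = hmac.new(ver_key, b"cred|" + challenge, hashlib.sha256).digest()
        if hmac.compare_digest(xor_keystream(ver_key, nonce, response), expected):
            return f"authenticated via {tee.device_id}"
        return "rejected: bad credential"


def login(ue: UserDevice, idp: IdentityProvider) -> str:
    """The Fig. 2 exchange, with the UE's authentication request carrying its no-TEE flag."""
    tee = idp.find_tee(ue.device_id, ue.account, has_tee=False)
    if tee is None:
        return "rejected: no associated TEE device"
    if not tee.online:  # the IDP confirms the TEE device is online before it assists
        return "rejected: TEE device offline"
    params = f"{ue.serial}|{ue.device_id}".encode()  # serial number and device id, relayed via the TEE device
    return idp.verify(tee, ue.account, params)


def build_demo():
    """Constructed sample: Alice owns a TEE phone and a speaker, Bob only a speaker."""
    assoc, alice_secret = AssociationDevice(), secrets.token_bytes(32)
    phone = TeeDevice("phone-alice", "alice", alice_secret)
    speaker_alice = UserDevice("speaker-alice", "SN-0001", "alice")
    speaker_bob = UserDevice("speaker-bob", "SN-0002", "bob")
    assoc.register(phone.device_id, "alice", has_tee=True)
    assoc.register(speaker_alice.device_id, "alice", has_tee=False)
    assoc.register(speaker_bob.device_id, "bob", has_tee=False)
    idp = IdentityProvider(assoc, {phone.device_id: phone}, {"alice": alice_secret})
    return idp, speaker_alice, speaker_bob, phone
```

Bob's speaker is refused because no TEE device is registered under his account, and a TEE device holding the wrong secret fails the credential check even though the association matches.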
In a sixth aspect, the present application provides a computer-readable storage medium, which may be non-volatile. The storage medium contains instructions that, when executed, implement a method as described in any one of the preceding aspects or embodiments.
In a seventh aspect, the present application provides an electronic device, including: a memory for storing instructions for execution by one or more processors of an electronic device, and a processor for executing the instructions in the memory to perform a method as described in any one of the preceding aspects or embodiments.
Drawings
Fig. 1 shows a schematic diagram of an example identity authentication system according to an embodiment of the present application.
Fig. 2 shows an interaction diagram of an example identity authentication method according to an embodiment of the present application.
Fig. 3 is a flowchart illustrating an identity authentication method according to an embodiment of the present application.
Fig. 4 is a schematic flow chart of another identity authentication method according to an embodiment of the present application.
Fig. 5 is a schematic flow chart of another identity authentication method according to an embodiment of the present application.
Fig. 6 is a schematic flow chart of another identity authentication method according to an embodiment of the present application.
Fig. 7 shows an interaction diagram of user equipment registration according to an embodiment of the application.
Fig. 8 shows an interaction diagram of user equipment authentication according to an embodiment of the application.
Fig. 9 shows a flow diagram of an identity provider providing registration according to an embodiment of the application.
Fig. 10 shows a flow diagram of TEE device assisted registration according to an embodiment of the present application.
Fig. 11 shows a flow diagram of an identity provider providing authentication according to an embodiment of the present application.
Fig. 12 shows a flow diagram of TEE device assisted authentication according to an embodiment of the present application.
Fig. 13 shows a schematic diagram of an electronic device according to an embodiment of the application.
Detailed Description
The following description of the embodiments of the present application proceeds by way of specific examples, and other advantages and effects of the present application will be readily apparent to those skilled in the art from the disclosure herein. While the present application is described in conjunction with the preferred embodiments, it is not intended to limit the features of the present invention to those embodiments. Rather, the invention is described in connection with embodiments in order to cover the alternatives and modifications that may be derived from the claims of the present application. In the following description, numerous specific details are included to provide a thorough understanding of the present application; the present application may nevertheless be practiced without these particulars. Moreover, some specific details have been omitted from the description in order to avoid obscuring the focus of the present application. It should be noted that the embodiments and the features of the embodiments in the present application may be combined with each other where they do not conflict.
Further, various operations will be described as multiple discrete operations, in a manner that is most helpful in understanding the illustrative embodiments; however, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations need not be performed in the order of presentation.
The terms "comprising," "having," and "including" are synonymous, unless the context dictates otherwise. The phrase "A/B" means "A or B". The phrase "A and/or B" means "(A and B) or (A or B)".
It should be noted that in this specification, like reference numerals and letters refer to like items in the following drawings, and thus, once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings.
As used herein, the term module or unit may refer to or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality, or may be part of an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.
Currently, a popular user login method is Single Sign-On (SSO), that is, one-time authentication login of a user. In short, after a user has logged in to the identity authentication server once, the user obtains the authority to access the other associated systems and application software in the single sign-on system, and this does not require an administrator to modify the login state or other information of the user; in other words, across a plurality of application systems the user can access all mutually trusted application systems by logging in only once. This reduces the time spent on logging in. However, the security of the central authentication service in this scheme depends only on SSL (Secure Sockets Layer), so there is a certain security risk.
The technical scheme of the application aims to provide an identity authentication method based on a Trusted Execution Environment (TEE) built on architectures such as ARM TrustZone and Intel SGX. The method is compatible with all existing SSO protocols, and by utilizing the TEE mechanism the security of single sign-on is greatly enhanced. In addition, the identity authentication method of the present application can be deployed on non-TEE electronic devices, so that the non-TEE devices can provide secure SSO services for users by means of TEE devices such as smartphones.
Fig. 1 shows a schematic diagram of an example identity authentication system according to an embodiment of the present application.
The identity authentication system 10 may include a user device 110, a network 120, one or more electronic devices having a Trusted Execution Environment (TEE) such as ARM TrustZone or Intel SGX, hereinafter referred to for simplicity as TEE device 130, and an Identity Provider (IDP) 140. The user device 110 further comprises a control unit 111 and a transceiving unit 112. TEE device 130 may include a TEE unit 132 and a transceiving unit 133; alternatively or additionally, TEE device 130 may also include a control unit 131. The identity provider 140 may comprise a control unit 141, a TEE unit 142 and a transceiving unit 143. In fig. 1 and the remaining figures, a letter following the reference number, e.g., "130a," indicates a reference to the element having that particular reference number. A reference number without a subsequent letter in the text, e.g. "130", indicates a general reference to the embodiments of the element bearing that reference number. It is to be understood that the illustrated architecture of embodiments of the present invention does not constitute a specific limitation on user device 110, TEE device 130, and identity provider 140. In other embodiments of the present application, user device 110, TEE device 130, and identity provider 140 may include more or fewer components than shown, combine certain components, split certain components, or have a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The user devices 110 may include, but are not limited to, smart speakers, smart refrigerators, home robots, wearable devices (e.g., display glasses or goggles, watches, bracelets, headphones, armbands, jewelry, etc.), IoT devices, and various other electronic devices that typically do not have trusted execution environments.
Network 120 may include various transmission media enabling user device 110, TEE device 130, and identity provider 140 to exchange data; for example, network 120 may be a local area network or a wide area network relayed by a relay device. The local area network may include a WiFi hotspot network, a WiFi P2P network, a Bluetooth network, a Zigbee network, a Near Field Communication (NFC) network, or another short-range communication network. The wide area network may include a third-generation mobile communication technology (3G) network, a fourth-generation mobile communication technology (4G) network, a fifth-generation mobile communication technology (5G) network, and/or a future-evolution Public Land Mobile Network (PLMN), the internet, etc.
TEE device 130 may include smart phones, tablets, personal computers, smart televisions, and in-vehicle infotainment devices (e.g., in-vehicle smart screens), as well as various other electronic devices that typically have trusted execution environments.
The identity provider 140 is typically an authentication server, which is responsible for the authentication work for the user's identity. The user device 110 and/or the TEE device 130 may register with the identity provider 140 to associate the registered device with the user's authentication account, after which the identity provider 140 provides the user's authentication service when the user logs into the user's authentication account using the user device 110 and/or the TEE device 130.
Alternatively or additionally, the identity authentication system 10 of the present application may further include an association device (not shown). The association device may be configured to provide registration and management services for a user's identity authentication account and devices and to associate multiple devices under the same account, for example by establishing an association relationship table between the user's identity authentication account and the user's devices. As another example, the association device may also obtain the user's identity authentication account and device association table from the service provider. Where the identity authentication system 10 includes an association device, the identity provider 140 may provide secure authentication services for the service provider of the association device; for example, after the user 150 registers the user device 110 on the association device, or after the service provider of the user 150 transmits the user identity authentication account and device association relationship table of the user 150 to the association device, the association device may transmit the identity authentication account information of the user 150 and the device information of the user device 110 to the identity provider 140, so that the identity provider 140 provides the corresponding secure authentication services.
In one or more other embodiments, the association device may be used only to provide registration services for the user's identity authentication account and devices and to associate multiple devices under the same identity authentication account. In this case, the identity provider 140 may provide the identity authentication service, while the service provider of the service requested by the user may be another device not shown. Alternatively, the identity provider 140 may itself be the service provider of the service requested by the user, and the identity provider 140 then also provides the identity authentication service.
In one or more other embodiments, the association device may also be part of the identity provider 140, that is, the association device may be included as a component or unit in the identity provider 140, and the identity provider 140 may implement all of the functionality of the association device. In this case, as shown in fig. 1, the identity authentication system 10 need not have an association device separate from the identity provider 140.
According to an embodiment of the present application, the control units (111, 131, and 141) of the user device 110, the TEE device 130, and the identity provider 140 may be implemented in hardware, software, or a combination of software and hardware, where the hardware includes, but is not limited to, a processing circuit such as a central processing unit (CPU), an application processor (AP), or a micro-programmed control unit (MCU). The different processing units may be separate devices or may be integrated into one or more processors. In embodiments herein, the control units (111, 131 and 141) may be configured to perform some or all of one or more of the interaction processes and method flows described below.
In some embodiments, the TEE units (132 and 142) of the TEE device 130 and the identity provider 140, respectively, may include a control unit having a trusted execution environment; for example, the TEE units (132 and 142) may be processing circuits such as a central processing unit (CPU), an application processor (AP), or a micro-programmed control unit (MCU) having a trusted execution environment. In this case, as shown in fig. 1, the TEE device 130 and the identity provider 140 may omit the control unit 131 and the control unit 141: the TEE unit 132 of the TEE device 130 may implement all functions of the control unit 131, and the TEE unit 142 of the identity provider 140 may implement all functions of the control unit 141.
In other embodiments, the TEE units (132 and 142) of the TEE device 130 and the identity provider 140 may be security chips that provide a trusted execution environment, such as TEE security chips built on ARM TrustZone or Intel SGX, which provide the TEE device 130 and the identity provider 140 with a TEE security framework and full-lifecycle management of secure applications. In this case, the respective TEE units (132 and 142) of the TEE device 130 and the identity provider 140 may jointly implement one or more embodiments of the present application, e.g., as coprocessors for the control unit 131 of the TEE device 130 and the control unit 141 of the identity provider 140, respectively.
The user device 110 may utilize its transceiving unit 112 for data communication with the TEE device 130 and the identity provider 140 over the network 120; similarly, the TEE device 130 may utilize its transceiving unit 133 for data communication with the user device 110 and the identity provider 140 over the network 120, and the identity provider 140 may utilize its transceiving unit 143 for data communication with the user device 110 and the TEE device 130 over the network 120.
In some possible scenarios of the identity authentication system 10, the user device 110 or the TEE device 130 may be communicatively connected with the identity provider 140 via a fifth-generation mobile communication technology (5G) network. As an example, a deployed 5G network can provide users with ultra-large access bandwidth; its data transmission rate is much higher than that of earlier cellular networks, up to 10 Gbit/s, faster than the transmission speed of the current wired internet and 100 times faster than that of current 4G LTE cellular networks. Another advantage of 5G networks is lower network delay (faster response time), typically below 1 millisecond.
In other possible scenarios of the identity authentication system 10, the user device 110 may be in secure data communication with the TEE device 130 via a WiFi hotspot network, a WiFi P2P network, a Bluetooth network, a Zigbee network, or a Near Field Communication (NFC) network.
Briefly described below is the secure authentication process between TEE device 130 and identity provider 140. In the identity authentication system 10, if user 150 uses TEE device 130 to register a user identity authentication account with identity provider 140 via network 120, TEE unit 132 of TEE device 130 generates an asymmetric key pair consisting of a private key and a public key, associated with identity information local to user 150, e.g., biometric features such as fingerprints, faces, or pupils. The private key is kept inside the TEE unit 132 of the TEE device 130 and cannot be read out by a hacker; the public key is transmitted to the TEE unit 142 of the identity provider 140, and the identity provider 140 associates the public key with the user identity authentication account corresponding to the user.
Subsequently, when the user 150 logs in to the identity provider 140 for authentication, the private key in the TEE unit 132 of the TEE device 130 signs the challenge data (Challenge) sent by the identity provider 140, and the identity provider 140 verifies the signature with the corresponding public key. The private key in TEE unit 132 of TEE device 130 can only be used for a signing operation after local verification of user 150, such as pressing a key, pressing a fingerprint, or scanning a face.
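As an added illustration of the registration and challenge-response steps just described (example code written for this page, not part of the patent or of any Huawei implementation), the following Go program models TEE unit 132 and identity provider 140. The patent does not name the signature algorithm; Ed25519 from Go's standard library is assumed here as a stand-in, the local user verification is reduced to a boolean the caller supplies, and the account name and 32-byte challenge size are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TEEUnit stands in for TEE unit 132. The private key is generated inside
// it and is never returned to the caller; only signatures leave the unit.
type TEEUnit struct {
	priv ed25519.PrivateKey
}

// Register models account registration: the unit creates a key pair and
// hands back only the public key, which the identity provider stores.
func (t *TEEUnit) Register() (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.priv = priv
	return pub, nil
}

// Sign is the TEE's signing operation. It refuses to sign unless a local
// user verification (key press, fingerprint, face scan) succeeded first;
// userVerified is an assumed stand-in for that local check.
func (t *TEEUnit) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if t.priv == nil {
		return nil, errors.New("TEE unit holds no key; register first")
	}
	if !userVerified {
		return nil, errors.New("signing refused: no local user verification")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// IdentityProvider stands in for TEE unit 142: it keeps one public key per
// account and the single outstanding challenge issued to that account.
type IdentityProvider struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{
		keys:       map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Enroll associates the public key received at registration with the account.
func (idp *IdentityProvider) Enroll(account string, pub ed25519.PublicKey) {
	idp.keys[account] = pub
}

// Challenge issues a fresh 32-byte random challenge for a login attempt.
func (idp *IdentityProvider) Challenge(account string) ([]byte, error) {
	if _, ok := idp.keys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	idp.challenges[account] = c
	return c, nil
}

// Verify checks the signature against the outstanding challenge and then
// discards that challenge, so a captured signature cannot be replayed.
func (idp *IdentityProvider) Verify(account string, challenge, sig []byte) bool {
	want, ok := idp.challenges[account]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(idp.challenges, account)
	pub, ok := idp.keys[account]
	return ok && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, challenge, sig)
}

func main() {
	tee := &TEEUnit{}
	pub, _ := tee.Register()
	idp := NewIdentityProvider()
	idp.Enroll("user150", pub)
	c, _ := idp.Challenge("user150")
	sig, _ := tee.Sign(c, true)
	fmt.Println("login verified:", idp.Verify("user150", c, sig)) // true
	fmt.Println("replay accepted:", idp.Verify("user150", c, sig)) // false
}
```

The private key is an unexported field of the TEE unit type that nothing outside it reads, which is the property the text attributes to the TEE; the identity provider holds only the public key and one outstanding challenge per account, so a response is accepted once and only for the challenge it answers, and a signature made by a key that was never enrolled is rejected.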
Some exemplary scenarios for the identity authentication system 10 are presented below. For example, in a scenario where the user 150 needs to perform mobile payment through the user device 110, the user device 110 may be a smart watch or a bracelet with a mobile payment function, the TEE device 130 may be a smartphone of the user 150, and the identity provider 140 may be a payment platform selected by the user, for example Alipay, WeChat, Google Pay, Apple Pay, and the like; the identity provider 140 may also be a third-party service provider providing secure authentication for the payment platform, which is not limited herein.
As one example, when user 150 makes a checkout payment at a business location such as a store, restaurant, supermarket, etc., user 150 wishes to make a quick and convenient payment using a wrist-worn user device 110 such as a smart bracelet or smart watch without having to remove TEE device 130 such as a smart phone from a clothing pocket, carry-on handbag, or backpack to make a mobile payment. In this case, if the user device 110 is a device that does not support TEE as shown in fig. 1, when the user device 110 needs to log in the user authentication account to complete payment, the user device 110 may complete the security authentication with the identity provider 140 by using the TEE device 130 under the same user authentication account, and complete the corresponding payment operation on the user device 110.
In another possible scenario of the identity authentication system 10, the user 150 has various smart home products at home. The user device 110 may be a smart home accessory or low-end home gateway, e.g., a smart refrigerator, a home robot, a smart speaker, etc., that typically does not have a trusted execution environment but supports installing applications or triggering smart payments. TEE device 130 may be a smart television in the home, a tablet, a high-end home gateway, or a smartphone of user 150 and/or other family members. The identity provider 140 may be an application installation platform, such as an application store, or a user-selected payment platform, such as PayPal, WeChat, Google Pay, Apple Pay, and the like. When the user 150 needs to install an application on the user device 110, for example a music playing application on a smart speaker, a cooking application on a smart steamer, or a food monitoring application or recipe application on a smart refrigerator, the user 150 needs to log in to the application installation platform through the user device 110 to purchase, download and install the application. In this case, when the user device 110 needs to log in to a user identity authentication account of the application installation platform, the secure authentication with the identity provider 140 can be completed by means of a TEE device 130 under the same user identity authentication account, for example a smart television, and the corresponding application installation can then be completed on the user device 110. Here the identity provider 140 may be the application installation platform or a third-party service provider providing secure authentication for the application installation platform, which is not particularly limited herein.
In the above scenario, as long as at least one TEE device 130 is registered under the user's identity authentication account, the TEE device 130 may provide a trusted execution environment for other various user devices without a trusted execution environment under the user's identity authentication account, so as to implement secure login of the user device.
As another example, in some cases the home of user 150 may have multiple family members, some or all of whom may control the various smart home devices in the home through a TEE device 130 such as a smartphone. Assuming TEE device 130 is a smartphone, as shown in fig. 1, family member A (user 150) may control the various smart home devices using TEE device 130a, family member B using TEE device 130b, and family member C using TEE device 130c. Generally, a family account or family circle is established by one family member so that each family member shares the use of the various smart home devices; the family member who establishes the family account or family circle is called the family master member and holds the primary control authority over each smart home device, for example the authority to configure the device, set up accounts, update the system, share the device, and the like. Taking user 150 as the family master member as an example, user 150 uses TEE device 130a to establish a family circle, and after family members B and C join it, TEE device 130a, TEE device 130b, and TEE device 130c are associated with each other based on the family circle. The user 150 may share some or all of the smart home devices in the home with each member of the family circle, and when family member B or C needs to use a shared smart home device such as the user device 110, they log in to it through the user account of TEE device 130b or TEE device 130c respectively. Thus, a low-end electronic device such as user device 110 may be controlled by multiple TEE-enabled devices.
In this scenario, when the user device 110 needs to perform the aforementioned application download and installation or trigger a smart payment, the user device 110 may complete security authentication by means of the user account of any family member. Alternatively or additionally, in the event that the user account under which the user device 110 is logged in has insufficient permissions, the user device 110 may also complete security authentication through the family circle with another TEE device 130 (e.g., TEE device 130a) that has sufficient permissions. For example, if the user device 110 attempts secure authentication by means of the TEE device 130b of family member B or the TEE device 130c of family member C, but TEE devices 130b and 130c do not have primary control authority over the user device 110 and therefore cannot assist it in security authentication, then the user device 110 may request, through the family circle, that the TEE device 130a with primary control authority assist it in security authentication.
In the above scenario, when family members other than the family master member log in to the user device without a TEE using their own accounts, security authentication may be completed by means of the account and TEE device of the family master member. Thus secure authentication of a user device without a TEE is realized, and authorized login from some of the family members' TEE devices can be controlled, which realizes cross-account authorization in the identity authentication technique.
The identity authentication method provided by the embodiments of the present application will now be described by way of example with reference to the drawings and the application scenarios described above. Fig. 2 shows the interaction process of the identity authentication method of the present application. Some processes that belong to the prior art in the field are not shown in fig. 2; these include, for example, the process by which the user 150 registers an identity authentication account with the identity provider 140; how the user 150 operates the user device 110 and the TEE device 130 to perform device registration with the association device 160, and how the association device 160 associates and stores the identity authentication account information of the user 150, the device information of the user device 110 and the device information of the TEE device 130 with each other; and the process by which the user 150 operates TEE device 130a to establish a family circle, joins the other TEE devices 130b and 130c to that family circle, and the three TEE devices 130a, 130b, and 130c are associated with each other in the family circle. The following describes the interaction process between devices, taking as an example a scenario in which the user 150 uses a smart watch (user device 110) to log in to a third-party application. In such a scenario, the user device 110 may be a smart watch without a TEE, the TEE device 130 may be a smartphone of the user 150, the association device 160 may be a device that stores the identity authentication account information and device information registered by the user, and the identity provider 140 may be a device that securely authenticates the identity of the user 150. Optionally, the identity provider 140 may also be a service provider and may itself authenticate the identity of the user.
As shown in fig. 2, at 201a: the information of the identity authentication account of the user and the device information of the TEE device are sent. When a user 150 registers a TEE device 130, such as a smartphone, with the association device 160, the TEE device 130 may send the information of the user 150's identity authentication account and the device information of the TEE device 130 to the association device 160. The information of the identity authentication account may include the name of the identity authentication account registered by the user 150 and the like, where the identity authentication account may be, for example, a Google account, an Apple account, or a Huawei account registered by the user. The device information may include an ID number and a serial number that uniquely identify TEE device 130, and a flag or the like identifying that TEE device 130 is provided with a TEE unit 132.
In other embodiments, in the family circle scenario described with reference to fig. 1, after the user 150 uses TEE device 130a to establish the family circle and family members B and C join it, TEE device 130a, TEE device 130b, and TEE device 130c are associated with each other based on the family circle; the association information of each device in the family circle, together with the authority information that TEE device 130a is the family master member's device while TEE device 130b and TEE device 130c are non-master member devices, may be stored in the association device 160.
At 201b: the information of the identity authentication account of the user and the device information of the user device are sent. Similarly to 201a described above, when the user 150 registers the user device 110, such as a smart watch, with the association device 160, the user device 110 may transmit the information of the user 150's identity authentication account and the device information of the user device 110 to the association device 160. The information of the identity authentication account may include the name of the identity authentication account registered by the user 150, and the like. The device information may include an ID number and a serial number that uniquely identify the user device 110, a flag identifying that the user device 110 is not provided with a TEE unit, and the like.
In an alternative embodiment, in the respective processes of registering the TEE device 130 and the user device 110 by the user, the information of the identity authentication account of the user and the device information of the TEE device 130 and the user device 110 may also be sent to the identity provider 140, which is not specifically limited in this application.
It is understood that the association device 160 may associate the user device 110 of the user 150 and the TEE device 130 together based on the information of the authentication account of the user 150, for example, establish an association table between the authentication account of the user 150 and the user device 110 and the TEE device 130, and the like.
After the registration of the user device 110 and the TEE device 130 is completed, when the user 150 uses the user device 110 to log in to an SSO-based third-party application, for example when the user 150 needs to log in to a third-party application installed on the smart watch (user device 110) using the registered identity authentication account, then at 202: the user device 110 sends an SSO-based application login request, together with information indicating that the user device 110 has no TEE unit, to the identity provider 140. Here, the identity provider 140 may be the operator of the third-party application, or may be an entity designated by the third-party application to provide identity authentication services. Where the identity provider 140 is an entity designated by the third-party application to provide identity authentication services, the login request initiated by the user device 110 may also be forwarded to the identity provider 140 through the third-party application. Since the present application places no specific limitation on the third-party application that the user device 110 needs to log in to, for ease of understanding the embodiments are described by taking the case where the user device 110 sends the login request directly to the identity provider 140. Alternatively or additionally, the device ID of the user device may be included in the login request, so that the identity provider 140 can determine that the sender of the login request is the user device 110.
After the identity provider 140 determines, based on the information sent by the user device 110, that the user device 110 has no TEE unit, i.e. no trusted execution environment, the identity provider 140, at 203: sends a query request asking whether the user device 110 has an associated TEE device. The query request may include the device ID of the user device 110, the information of the user's identity authentication account, or both.
In other embodiments, when the user device 110 logs in using the account of a home-circle device that has no login rights over it, such as the account of TEE device 130b or TEE device 130c, and the identity provider 140 determines that the user device 110 has no trusted execution environment and that the account of TEE device 130b or TEE device 130c has no primary control rights over the user device 110, the identity provider 140 may query the association device 160 for the home-circle master device associated with the user device 110.
Upon receiving the query request from the identity provider 140, the association device 160 may look up, for example in the association table or the family circle, whether there is a TEE device or a home master device (TEE device 130a) associated with the user device 110, and at 204: send the query result for the user device 110 to the identity provider 140.
In alternative embodiments, the user device 110 may not send the information indicating that it has no TEE unit at 202. Since the user device 110 already provided the information that it has no TEE unit when it registered with the association device 160, the identity provider 140 may in this case send a query request directly to the association device 160 after receiving the login request; the association device 160 can determine from the device ID of the user device 110 provided by the identity provider 140 in the query request that the user device 110 is a device without a TEE unit, then further query whether the user device 110 has an associated TEE device, and send the query result to the identity provider 140.
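The query of 203/204, including the family-circle fallback described earlier (the identity provider 140 asking the association device 160 for the home master device when the login account has no primary control over the user device) and the variant just described in which the user device sent no TEE flag at 202, as an added Go example; it is not the patent's own code, and the record layout, the QueryResult type, the SelectHelper function and the device and account names are assumptions constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// DeviceRecord is what the association device 160 stores at 201a/201b: the
// account, the device identity, whether the device has a TEE unit, and
// whether it is the family master member's device (130a in fig. 1).
type DeviceRecord struct {
	ID, Account        string
	HasTEE, HomeMaster bool
}

// AssociationDevice stands in for association device 160.
type AssociationDevice struct {
	Devices map[string]DeviceRecord // keyed by device ID
	Circle  map[string]bool         // accounts that joined the family circle
}

// QueryResult is what 204 returns to the identity provider.
type QueryResult struct {
	UserHasTEE bool         // the registered flag, used when 202 carried no flag
	Helper     DeviceRecord // TEE device that may assist; zero value if none
}

// Query answers the request of 203. A TEE device of the account that owns the
// user device is returned when that account is the one logging in; when the
// login account is merely another family-circle member (no primary control),
// the home master member's TEE device is returned instead.
func (a *AssociationDevice) Query(userDeviceID, loginAccount string) (QueryResult, error) {
	ud, ok := a.Devices[userDeviceID]
	if !ok {
		return QueryResult{}, errors.New("user device is not registered")
	}
	res := QueryResult{UserHasTEE: ud.HasTEE}
	if ud.HasTEE {
		return res, nil // the device can authenticate by itself
	}
	var master DeviceRecord
	for _, d := range a.Devices { // only TEE devices under the owning account qualify
		if !d.HasTEE || d.Account != ud.Account {
			continue
		}
		if d.Account == loginAccount {
			res.Helper = d
			return res, nil
		}
		if d.HomeMaster {
			master = d
		}
	}
	if master.ID != "" && a.Circle[loginAccount] && a.Circle[ud.Account] {
		res.Helper = master
		return res, nil
	}
	return res, errors.New("no TEE device is authorized to assist this user device")
}

// SelectHelper is the identity provider's side of 202-204: it consults the
// association device and returns the TEE device to contact at 205.
// noTEEFlag is the flag the user device sent at 202, or nil if it sent none.
func SelectHelper(a *AssociationDevice, userDeviceID, loginAccount string, noTEEFlag *bool) (DeviceRecord, error) {
	res, err := a.Query(userDeviceID, loginAccount)
	if err != nil {
		return DeviceRecord{}, err
	}
	if noTEEFlag != nil && *noTEEFlag == res.UserHasTEE {
		return DeviceRecord{}, errors.New("TEE flag in login request contradicts registration")
	}
	if res.UserHasTEE {
		return DeviceRecord{}, errors.New("device has its own TEE; authenticate directly")
	}
	return res.Helper, nil
}

// NewSampleAssociation is a constructed table after fig. 1: account "A"
// (user 150, home master) owns watch W1 (no TEE) and phone P-A; family
// member "B" owns phone P-B, which has no primary control over W1.
func NewSampleAssociation() *AssociationDevice {
	return &AssociationDevice{
		Devices: map[string]DeviceRecord{
			"W1":  {ID: "W1", Account: "A"},
			"P-A": {ID: "P-A", Account: "A", HasTEE: true, HomeMaster: true},
			"P-B": {ID: "P-B", Account: "B", HasTEE: true},
		},
		Circle: map[string]bool{"A": true, "B": true},
	}
}

func main() {
	a := NewSampleAssociation()
	for _, acct := range []string{"A", "B", "C"} {
		h, err := SelectHelper(a, "W1", acct, nil)
		fmt.Printf("login %s on W1 -> helper %q, err %v\n", acct, h.ID, err)
	}
}
```

The design point is that the association device, not the requesting user device, decides which TEE device is allowed to vouch for it: a login from B's account on A's watch is routed to A's phone (the home master device) rather than to B's phone, an account outside the family circle gets no helper, and a TEE flag in the login request that contradicts the registration record is rejected rather than trusted.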
After the identity provider 140 receives the query result from the association device 160, and assuming the query result includes the information of the TEE device 130 associated with the user device 110, the identity provider 140, at 205: sends a request to confirm that the TEE device 130 is online. In some embodiments, the request to confirm that TEE device 130 is online may be a simple handshake based on a communication protocol; e.g., identity provider 140 sends a request message, such as an ACK message, to TEE device 130, and if TEE device 130 responds to the request message and both devices complete the handshake, identity provider 140 may determine that TEE device 130 is online.
In other embodiments, the request to confirm that the TEE device 130 is online may be by triggering the TEE device 130 to perform the following example operations and then sending the associated operation results to the identity provider 140, such that the identity provider 140 confirms that the TEE device 130 is in a network online state.
Illustratively, upon the TEE device 130 receiving the request from the identity provider 140 to confirm that it is online, the TEE device 130, at 206: sends a request to establish a communication connection with the user device 110 together with a device authentication request. For example, TEE device 130 may be communicatively coupled to user device 110 via a short-range communication protocol, such as USB, Bluetooth, or WiFi, that supports existing authentication protocols such as the Secure Remote Password (SRP) protocol and Password-Authenticated Key Exchange (PAKE) protocols. By employing the SRP protocol or a PAKE protocol within the short-range communication protocol, TEE device 130 and user device 110 can authenticate each other as devices and establish secure communication between them. Device authentication here ensures that the devices at both ends of the communication connection are not replaced by a possible attacker with other devices: it lets user device 110 verify that the device it is connected to is the TEE device 130 associated with it and not another device the attacker uses to impersonate TEE device 130, and at the same time it lets TEE device 130 verify that the device it is connected to is the user device 110 associated with it and not another device impersonating user device 110.
After device authentication between the TEE device 130 and the user device 110 succeeds, the user device 110, at 207: sends the information that device authentication passed and the authentication parameters of the user device 110 to the TEE device 130. The authentication parameters of the user device 110 include parameters such as the device ID and device serial number. TEE device 130 may save the authentication parameters of user device 110 and use them in the subsequent authentication process.
Subsequently, TEE device 130, at 208: sends the device authentication pass information and the authentication parameters of the user device 110 to the identity provider 140. The TEE device 130 thereby indicates to the identity provider 140 that the TEE device 130 and the user device 110 have authenticated each other as devices and that the TEE device 130 is online and available for the subsequent authentication procedure. The identity provider 140 may save the authentication parameters of the user device 110 for the subsequent authentication process.
Having received the successful device authentication result from the TEE device 130, the identity provider 140, at 209: sends a request to user device 110 to confirm that the user of user device 110 is to be authenticated using TEE device 130.
User 150 confirms the request from the identity provider on user device 110 and, at 210: the information confirming that the user of the user device 110 is to be authenticated using the TEE device 130 is sent to the identity provider 140.
After the identity provider 140 receives the confirmation information from the user device 110, the identity provider 140, at 211: exchanges encrypted data based on the authentication parameters with the TEE device 130 to authenticate the user of the user device 110. One or more subsequent embodiments of the present application further describe the specific process of authenticating the user of the user device 110.
After the TEE device 130 has assisted the user device 110 in authentication with the identity provider 140, the TEE device 130, at 212: sends information that authentication succeeded to the identity provider 140. After the identity provider 140 receives the information from the TEE device 130 that authentication succeeded, at 213: it sends information that the user identity authentication of the user device 110 succeeded to the user device 110, informing the user device 110 that login succeeded.
According to the above interaction process of the present application, as long as at least one TEE device 130 is registered under the user's identity authentication account, the TEE device 130 may provide a trusted execution environment for other various user devices without a trusted execution environment under the user's identity authentication account, so as to implement secure login of the user device.
According to the embodiment of the application, by utilizing the TEE mechanism, the security of the whole authentication process of the user equipment is protected by the TEE. In addition, the identity authentication method can be deployed on non-TEE electronic equipment, so that the non-TEE equipment can provide safe SSO service for a user by means of TEE equipment such as a smart phone, and the problem that the non-TEE equipment cannot obtain safety protection is solved.
The identity authentication method performed by each device shown in fig. 2 is further described below with reference to the accompanying drawings.
Fig. 3 shows a flow diagram of a method 300 of identity authentication of a user equipment 110 according to an example embodiment. In some embodiments, some or all of method 300 may be implemented on user equipment 110 as shown in fig. 1. In other embodiments, different components of user device 110 as shown in FIG. 1 may implement different portions or all of method 300.
For content not described in the embodiments of the above-described method and example scenario, reference may be made to the following method embodiments; likewise, reference may be made to embodiments of the above-described method and example scenarios for what is not described in the method embodiments below. For example, the identity authentication method 300 shown in fig. 3 is a further description of the embodiment shown in fig. 2, and what has been described in the foregoing embodiments will be briefly described below or will not be described again.
As shown in fig. 3, at 301: an identity authentication account of the user device and a flag indicating, at least in part, that the user device does not have a TEE unit are sent to the associated device. When the user 150 registers the user device 110, such as a smart watch, with the association device 160, the user device 110 may send information of the user's 150 authentication account and device information of the user device 110 to the association device 160. The device information may include a flag indicating that the user equipment 110 does not have a TEE unit.
In other embodiments, for example, in the scenario where a plurality of family users form a family circle, the user device 110 may have a plurality of authentication accounts, each authentication account corresponding to a family member. In the case where more than one primary member is included in the family members, the user device 110 may have another authentication account number corresponding to the family primary member, which may be the same as the authentication account number of the TEE device 130 of another family primary member.
At 302: an SSO-based application login request and a flag indicating that the user device does not have a TEE unit are sent to the identity provider. After the user device 110 is registered, when the user 150 uses the user device 110 for a login of an SSO based third party application, the user device 110 sends an SSO based application login request and information indicating that the user device 110 does not have a TEE unit to the identity provider 140.
At 303: communication is established with a TEE device having a TEE unit. After TEE device 130 sends a request to establish a communication connection and a device authentication request to user device 110, user device 110 may be communicatively connected with TEE device 130 through a short range communication protocol such as USB, bluetooth, WiFi, etc.
At 304: the identity authentication parameters of the user equipment are provided to the TEE device. After the direct communication connection between the user equipment 110 and the TEE device 130 is established and the device authentication between the two parties is successful, the user equipment 110 may send the identity authentication parameters, such as the device ID and the device serial number, of the user equipment 110 to the TEE device 130. Alternatively or additionally, the user equipment 110 may further confirm whether the authentication account registered by the user equipment 110 is the same as the authentication account of the TEE device 130, and if the accounts are the same, the user equipment 110 sends the authentication parameters to the TEE device 130.
Thereafter, the user device 110 may receive a confirmation request from the identity provider 140 requesting the user device 110 to confirm, at 305: whether to use the TEE device for identity authentication. User 150 may operate user device 110 to confirm the request by identity provider 140, and if the user agrees to authenticate with TEE device 130, at 306: the user device 110 sends information to the identity provider 140 that determines to authenticate the user of the user device using the TEE device.
Fig. 4 shows a flow diagram of an identity authentication method 400 of a TEE device 130 according to an example embodiment. Among other things, in some embodiments, some or all of method 400 may be implemented on TEE device 130 as shown in fig. 1. In other embodiments, different components of TEE device 130 as shown in fig. 1 may implement different portions or all of method 400.
For content not described in the embodiments of the above-described method and example scenario, reference may be made to the following method embodiments; likewise, reference may be made to embodiments of the above-described method and example scenarios for what is not described in the method embodiments below. For example, the identity authentication method 400 shown in fig. 4 is a further description of the embodiments of fig. 2 and fig. 3, and what has been described in the foregoing embodiments will be briefly described below or will not be described again.
As shown in fig. 4, TEE device 130, at 401: sends the identity authentication account number of the TEE device and a flag indicating that the TEE device has a TEE unit to the association device. When a user 150 registers a TEE device 130, such as a smartphone, with an association device 160, the TEE device 130 may send information of the user's 150 authentication account and device information of the TEE device 130 to the association device 160.
At 402: a request is received from an identity provider to determine whether a TEE device is online. Upon receiving the request by the identity provider 140, the TEE device 130 may perform operations to communicate with the user device 110 as required by the request, e.g., the TEE device 130, at 403: in response to the request, communication is established with the user equipment. TEE device 130 may be communicatively coupled to user device 110 via a short-range communication protocol, such as USB, bluetooth, WiFi, and the like.
After TEE device 130 and user device 110 successfully authenticate each other via a security protocol such as the SRP protocol or a PAKE protocol, the TEE device 130 receives the identity authentication parameters from the user device 110. TEE device 130 may save the authentication parameters of user device 110 and use these parameters for subsequent authentication processes.
In some embodiments, TEE device 130 may, at 405: send the online information of the TEE device and the identity authentication parameters to the identity provider.
After user device 110 agrees to authenticate with TEE device 130, identity provider 140 interacts with TEE device 130 using encrypted authentication parameters and the like; for example, TEE device 130, via TEE unit 132, at 406: assists the identity provider in authenticating the user of the user equipment. This part of the interaction between TEE device 130 and identity provider 140 is described in detail below.
Fig. 5 shows a flow diagram of an identity authentication method 500 of an associated device 160 according to an example embodiment. Therein, in some embodiments, some or all of method 500 may be implemented on an associated device 160 as shown in fig. 1. In other embodiments, different components of the associated device 160 as shown in FIG. 1 may implement different portions or all of the method 500.
For content not described in the embodiments of the above-described method and example scenario, reference may be made to the following method embodiments; likewise, reference may be made to embodiments of the above-described method and example scenarios for what is not described in the method embodiments below. For example, the identity authentication method 500 shown in fig. 5 is a further description of the embodiments of fig. 2 to 4, and what has been described in the foregoing embodiments will be briefly described below or will not be described again.
As shown in fig. 5, when user 150 is operating user device 110 and TEE device 130 for device registration at association device 160, association device 160 may, at 501: receive an identity authentication account from the TEE device, and a flag indicating, at least in part, that the TEE device has a TEE unit. For example, TEE device 130 may send information of the authentication account of user 150 and device information of TEE device 130 to association device 160. The information of the authentication account may include the name of the authentication account registered by the user 150, and the like, where the authentication account may be, for example, a Google account, an Apple account, or a Huawei account registered by the user. The device information may include an ID number and serial number that uniquely identify TEE device 130, and a flag or the like that identifies TEE device 130 as being provided with TEE unit 132.
Similarly, upon registration of the user device 110, the association device 160 may, at 502: an authentication account is received from the user device 110, and a flag indicating, at least in part, that the user device does not have a TEE unit.
Association device 160 may compare the identity authentication accounts of TEE device 130 and user device 110 at the time of registration and, at 503: in the event that it is determined that the authentication account of the user device 110 is the same as the authentication account of the TEE device 130, associate the user device 110 with the TEE device 130. For example, an association table or the like between the authentication account of the user 150, the user equipment 110 and the TEE device 130 is established in the association device 160.
Subsequently, after user device 110 initiates SSO application login, association device 160 can, at 504: a request is received from the identity provider 140 inquiring whether the user device 110 is associated with a TEE unit enabled device. The association device 160 may query, for example, an association table, to retrieve whether there is a TEE device associated with the user device 110.
At 505: and under the condition that the user equipment does not support the TEE unit according to the mark of the user equipment, inquiring that the user equipment is associated with the TEE equipment supporting the TEE unit. The association device 160 may query the user device 110 as a device without TEE units based on the device ID of the user device 110 provided by the identity provider 140 in the query request, and then further query that the user device 110 is associated with the TEE device 130.
Thereafter, the associating device 160, at 506: the query results for the user device 110 are sent to the identity provider 140. The associated device may send device information of the TEE device 130 associated with the user device 110 to the identity provider 140 so that the identity provider 140 may communicate with the TEE device 130.
Fig. 6 shows a flow diagram of a method 600 of identity authentication of an identity provider 140 according to an example embodiment. Among other things, in some embodiments, some or all of method 600 may be implemented on an identity provider 140 as shown in fig. 1. In other embodiments, different components of the identity provider 140 as shown in FIG. 1 may implement different portions or all of the method 600.
For content not described in the embodiments of the above-described method and example scenario, reference may be made to the following method embodiments; likewise, reference may be made to embodiments of the above-described method and example scenarios for what is not described in the method embodiments below. For example, the identity authentication method 600 shown in fig. 6 is a further description of the embodiments of fig. 2 to 5, and what has been described in the foregoing embodiments will be briefly described below or will not be described again.
As shown in fig. 6, when the user 150 logs in to the SSO-based third party application using the user device 110, the identity provider 140, at 601: receives information from the user equipment 110 indicating that the user equipment 110 does not have a TEE unit. In this case, the identity provider 140 needs to determine, at 602: whether user equipment 110 has an associated TEE device.
As one example, the identity provider 140 may send a request to the association device 160 asking whether the user device 110 has an associated TEE device. The identity provider 140 may determine that the user device has an associated TEE device 130 based on the query results of the associated device 160.
As another example, in a case where the user device 110 and the TEE device 130 have sent information of an authentication account of the user 150 and device information of the TEE device 130 and the user device 110 to the identity provider 140 during respective registration of the user 150 with the TEE device 130 and the user device 110, the identity provider 140 may determine that the user device 110 has an associated TEE device 130 by determining that the authentication account on which the user device 110 is logged is the same as the registered authentication account from the TEE device 130. Conversely, in the event that the authentication account on which the user device 110 is logged in is not the same as the registered authentication account from the TEE device 130, the identity provider 140 may determine that the user device 110 does not have an associated TEE device 130.
After the identity provider 140 determines that the user device has an associated TEE device 130, the identity provider 140, at 603: a request is sent to the TEE device 130 to confirm that the TEE device is online. In some embodiments, the request to confirm that the TEE device 130 is online may be a simple handshake request based on a communication protocol. In other embodiments, a request to confirm that the TEE device 130 is online may trigger the TEE device 130 to perform one or more portions of the identity authentication method shown in fig. 2 and 4.
After the identity provider 140 sends a request to the TEE device 130 to confirm whether it is online, if the TEE device 130 is online, the identity provider 140 may, at 604: information from TEE device 130 confirming that it is online is received.
In some implementations, the identity provider 140, upon receiving information from the TEE device 130 confirming that it is online, may also, at 605: the authentication parameters of user equipment 110 are received from TEE device 130. The identity provider 140 may maintain identity authentication parameters for the user device 110 for subsequent authentication of the identity of the user who is logged into the application on the user device 110.
Thereafter, the identity provider 140, through the TEE unit 142, at 606: the user of user device 110 is authenticated using the authentication parameters by interacting with TEE device 130 with encrypted data based on the authentication parameters. As one example, the encrypted data may include a challenge value encrypted with an encryption key and a credential value encrypted with a verification key, where the identity provider 140 may generate the encryption key and the verification key using the authentication parameters of the user device 110. The foregoing is described in detail below with reference to the accompanying drawings.
Fig. 7 shows an interaction diagram of a user device performing an exemplary user authentication account registration at an identity provider by using a TEE device according to an embodiment of the present application. The interaction process shown in fig. 7 is an improvement over the prior art and is not shown in fig. 2.
In some possible scenarios where the user 150 registers an authentication account with the identity provider 140, the user may initiate registering the user's authentication account with the identity provider 140 and binding the user device 110 with the authentication account by operating the user device 110. In such a scenario, to protect the security of the registration information of the user's authentication account, user device 110 may assist the registration process with TEE device 130. Compared with the prior art, by using the TEE mechanism the user equipment 110 has the security of its registration process protected by the TEE, so that the purpose of protecting the registration information of the user's identity authentication account is achieved.
Fig. 7 shows data interaction between the respective devices with each other. As shown in fig. 7, when the user 150 binds or registers the user device 110 with the identity provider 140 for the first time, the transceiving unit 112 of the user device 110 at 701: information for user device registration is sent to the identity provider 140. The information for user equipment registration may include a name and a password of an authentication account of the user 150, and device information of the user equipment 110, such as a device ID and a serial number of the user equipment 110.
The transceiving unit 143 of the identity provider 140 receives the information from the user device 110 and uses this information to generate the corresponding key and signature value for the user device in the TEE unit 142 of the identity provider 140. The transceiving unit 143 of the identity provider 140 then at 702: the signature value and the registered information of the user device 110 are sent to the TEE device 130.
After the transceiver unit 133 of the TEE device 130 receives the signature value from the identity provider 140 and the registered information of the user device 110, the TEE device 130 verifies the signature value in the TEE unit 132, and if the signature value verification passes, the TEE device 130 generates challenge data and a message authentication code in the TEE unit 132. Thereafter, the transceiving unit 133 of the TEE device 130, at 703: the challenge data and the message authentication code are sent to the identity provider 140.
Subsequently, the identity provider 140 decrypts and verifies the message authentication code in the TEE unit 142, and after the message authentication code verification is passed, the transceiving unit 143 sends the information of successful registration to the user equipment 110. The registration of the user equipment 110 is completed.
Fig. 8 shows an interaction diagram of the user equipment using the TEE device to perform identity authentication at the identity provider according to the embodiment of the present application. The interaction process shown in fig. 8 is a further description of the interaction process shown in fig. 2, and particularly a further description of the parts of the blocks 211, 212, and 213 shown in fig. 2, which have been described in the foregoing embodiments, and will be briefly described below or will not be described again.
As shown in fig. 8, the transceiving unit 133 of the TEE device 130 at 801: the authentication parameters of the user device 110 are sent to the identity provider 140. For the scenario in which the TEE device 130 sends the identity authentication parameter, reference may be made to the foregoing various embodiments, for example, refer to the description of the block 208 in fig. 2, which is not described herein again. In an alternative embodiment, the identity authentication parameter may include device information of the user equipment, such as a device ID. The following describes the block 211 shown in fig. 2 with reference to the subsequent process of fig. 8, and the parts from block 209 to block 210 in fig. 2 are not repeated.
After the transceiving unit 143 of the identity provider 140 receives the identity authentication parameters of the user device 110 from the TEE device 130, the corresponding key and signature value of the user device 110 are generated in the TEE unit 142 of the identity provider 140. The transceiving unit 143 of the identity provider 140 then at 802: the signature value is sent to TEE device 130.
After the transceiver unit 133 of the TEE device 130 receives the signature value from the identity provider 140, the TEE device 130 verifies the signature value in the TEE unit 132, and if the signature value is verified, the TEE device 130 generates the first challenge data and the first message authentication code in the TEE unit 132. Thereafter, the transceiving unit 133 of the TEE device 130, at 803: the first challenge data and the first message authentication code are sent to the identity provider 140.
Subsequently, the identity provider 140 decrypts and verifies the first message authentication code in the TEE unit 142, and after the first message authentication code is verified, the identity provider 140 generates the second challenge data and the second message authentication code in the TEE unit 142, and via the transceiving unit 143 at 804: sends the second challenge data and the second message authentication code to TEE device 130.
After the TEE device 130 receives the second challenge data and the second message authentication code from the identity provider 140, the TEE device 130 decrypts and verifies the second message authentication code in the TEE unit 132, and after the second message authentication code is verified, the TEE device 130, through the transceiving unit 133, at 805: notifies the identity provider 140 that the authentication passed.
Upon receiving the response from TEE device 130 that the authentication passed, identity provider 140, at 806: agrees that the user of the user device 110 is authenticated. This information may be transmitted to the user equipment 110 through the transceiving unit 143, and the authentication is completed.
The flow of the registration and authentication performed by the TEE units of the TEE device and the identity provider in fig. 7 and 8 is described in detail below with reference to the accompanying drawings.
Fig. 9 shows a flow of a registration operation performed by the TEE unit 142 of the identity provider 140 of an embodiment of the present application.
As shown in fig. 9, at 901: from the registered information, a corresponding key and signature value for the user equipment 110 are generated. As one example, a signature value Sign(RND1, RND2)_Ski under the private key of the identity provider 140 is computed at the TEE unit 142, where RND1 and RND2 are two random numbers generated by the identity provider 140 and Ski is the certificate private key of the identity provider 140.
Meanwhile, the TEE unit 142 generates a key of the user equipment 110 using the password of the registered authentication account, where the key includes a symmetric Encryption Key (EK) for encrypting data and a symmetric Authentication Key (AK) for authentication, where:
EK=KDF1(Hash(PWD),RND1);
AK=KDF2(Hash(PWD),RND2)
Hash(PWD) is the hash of the user password PWD, and KDF1 and KDF2 are key derivation functions (KDFs).
Thereafter, the transceiver unit 143, at 902: sends the signature value and the registration information of the user device to TEE device 130. The signature value is Sign(RND1, RND2)_Ski, and the registered information of the user device 110 may include the user password PWD and the device ID.
At 903: the message authentication code is decrypted and verified. The identity provider 140 receives the challenge data C and the value Tag of the Message Authentication Code (MAC) from the TEE device 130, where C = E(RND2, Kp, IDp_dev, MF)_EK and Tag = MAC(RND2, Kp, IDp_dev, MF)_AK. TEE unit 142 decrypts the challenge data C and checks the message authentication code using EK and AK, obtaining RND2, Kp, IDp_dev and MF, where Kp is a shared symmetric key of the user and a certificate authority, IDp_dev is the device ID of the user equipment 110, and MF is the multi-factor authentication data (MF) required for authentication. Subsequently, the TEE unit 142 verifies the MAC.
If the MAC verification passes, then the TEE unit 142, at 904: stores the multi-factor authentication data MF and the shared symmetric key Kp, in the event that the message authentication code passes verification.
Fig. 10 shows a flow of the TEE unit 132 of the TEE device 130 of the present embodiment performing a secondary registration operation.
As shown in fig. 10, after TEE device 130 receives the signature value Sign(RND1, RND2)_Ski and the device ID of user device 110 from the identity provider 140, TEE unit 132, at 1001: the signature value is verified. The TEE device 130 verifies the signature value Sign(RND1, RND2)_Ski with its pre-stored certificate public key of the identity provider 140.
At 1002: in the case that the signature value verification passes, challenge data and a message authentication code are generated. After the TEE unit 132 verifies the signature value Sign(RND1, RND2)_Ski, the TEE unit 132 generates EK = KDF1(Hash(PWD), RND1) and AK = KDF2(Hash(PWD), RND2), and generates a shared symmetric key Kp.
Subsequently, the TEE unit 132 uses the above parameters together with IDp_dev of the user equipment 110 and Kp to calculate the values of the challenge data C and the MAC, where:
C=E(RND2,Kp,IDp_dev,MF)EK
Tag=MAC(RND2,Kp,IDp_dev,MF)AK
that is, RND2, Kp, IDp_dev and the data MF are symmetrically encrypted with EK to produce C, and the MAC over them is computed with AK to produce the value Tag. TEE device 130 then sends the challenge data and the message authentication code to identity provider 140.
Fig. 11 shows a flow of the TEE unit 142 of the identity provider 140 performing an authentication operation according to an embodiment of the present application. What has been described with respect to fig. 9 will be briefly described below or will not be described again.
At 1101: from the registered information, a corresponding key and signature value for the user equipment 110 is generated. The process performed by the TEE unit 142 is similar to the process of block 901 in fig. 9 and is not described again here.
At 1102: the first message authentication code is decrypted and verified. Identity provider 140 receives first challenge data C from TEE device 1301And a value Tag of a first message authentication code MAC1Thereafter, TEE unit 142 challenges data C via EK and AK1And Tag1Decryption is performed and then TEE unit 142 verifies the MAC.
If the MAC verification passes, then the TEE unit 142, at 1103: in the case where the first message authentication code passes the verification, second challenge data and a second message authentication code are generated. As an example, the TEE unit 142 logs in the application according to the user equipment 110 and a key K between service providers (e.g., the identity provider 140 and the operator of the application) of the applicationpsAnd a key K between the identity provider 140 and the service providerspNew keys EK 'and AK' are generated as follows:
EK'=KDF1(Ksp,RND3),
AK'=KDF2(Ksp,RND3),
where RND3 is a random number generated by the identity provider 140. Thereafter, TEE unit 142 computes a credential value T using the keys EK' and AK', as follows:
T = E(Kps, IDp_dev)_EK', RND3, MAC(Kps, RND3, IDp_dev)_AK'
TEE unit 142 calculates the second challenge data and the second message authentication code from the credential value T and the key Kps, where the second challenge data is C2 = E(Kps, T)_EK and the second message authentication code is Tag2 = MAC(Kps, T)_AK. Identity provider 140 then sends the second challenge data and the second message authentication code to TEE device 130.
Fig. 12 shows a flow of the TEE unit 132 of the TEE device 130 of the embodiment of the present application performing a secondary authentication operation. What has been described with respect to fig. 10 will be briefly described below or will not be described again.
As shown in fig. 12, after the TEE device 130 receives the signature value Sign(RND1, RND2)_Ski from the identity provider 140, the TEE unit 132, at 1201: the signature value is verified. Reference may be made to the description of block 1001 of fig. 10, which is not repeated here.
At 1202: in the case that the signature value verification passes, first challenge data and a first message authentication code are generated. After the TEE unit 132 verifies the signature value Sign(RND1, RND2)_Ski, the TEE unit 132 generates EK = KDF1(Hash(PWD), RND1, RND2, Kp, MF) and AK = KDF2(Hash(PWD), RND1, RND2, Kp, MF). TEE unit 132 then calculates the first challenge data C1 and the value Tag1 of the first message authentication code using the parameters described above, where C1 = E(RND2)_EK and Tag1 = MAC(RND2)_AK. TEE device 130 then sends the first challenge data C1 and the value Tag1 of the first message authentication code to the identity provider 140.
After the TEE device 130 receives the second challenge data and the second message authentication code from the identity provider 140, the TEE unit 132, at 1203: the second message authentication code is decrypted and verified. TEE unit 132 uses EK and AK to decrypt the second challenge data C2 = E(Kps, T)_EK and the value Tag2 = MAC(Kps, T)_AK of the second message authentication code, and verifies Tag2.
If the verification passes, the TEE unit 132, at 1204: stores the secret key Kps and the credential T, in the case that the second message authentication code passes the verification.
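The registration exchange of figs. 9 and 10 and the authentication exchange of figs. 11 and 12 can be traced end to end with the following Python example. It is an added illustration, not code from the patent or from Huawei. The patent names Hash, KDF1/KDF2, E(.)_key and MAC(.)_key abstractly, so stand-ins built from HMAC-SHA256 are assumed here; the signature Sign(RND1, RND2)_Ski is assumed to have been verified at block 1001/1201; the identity provider is assumed to derive EK/AK for a login run exactly as the TEE device does at block 1202, using the Kp and MF it stored at block 904; Kps is assumed to be issued fresh by the identity provider; and the password, device ID and MF values are constructed. The class, function and parameter names are the example's own.

```python
import hashlib
import hmac
import os

# Stand-in primitives: the patent names Hash, KDF1/KDF2, E(.)_key and MAC(.)_key abstractly,
# so the concrete choices below are assumptions made to keep the example stdlib-only.
def h(data):                        # Hash(.)
    return hashlib.sha256(data).digest()

def pack(*fields):                  # length-prefix a tuple such as (RND2, Kp, IDp_dev, MF)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(data):                   # inverse of pack
    out, i = [], 0
    while i < len(data):
        n = int.from_bytes(data[i:i + 2], "big")
        out.append(data[i + 2:i + 2 + n])
        i += 2 + n
    return out

def kdf(label, *parts):             # KDF1 / KDF2 as HMAC-SHA256 keyed by the function label
    return hmac.new(label, pack(*parts), hashlib.sha256).digest()

def mac(key, payload):              # MAC(.)_key over the plaintext fields, as in the patent
    return hmac.new(key, payload, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # HMAC-SHA256 counter keystream (stand-in for a real cipher)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, plaintext):        # E(.)_key = nonce || keystream XOR plaintext
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def decrypt(key, ciphertext):
    return _xor_stream(key, ciphertext[:16], ciphertext[16:])

class TeeDeviceUnit:                # TEE unit 132 of the TEE device 130: blocks 1002, 1202-1204
    def __init__(self, id_dev, mf):
        self.id_dev, self.mf, self.pwd = id_dev, mf, None  # IDp_dev and multi-factor data MF
        self.kp = os.urandom(32)                           # shared symmetric key Kp (block 1002)
    def register(self, pwd, rnd1, rnd2):    # block 1002; Sign(RND1,RND2)_Ski assumed verified (1001)
        self.pwd = pwd
        ek, ak = kdf(b"KDF1", h(pwd), rnd1), kdf(b"KDF2", h(pwd), rnd2)
        payload = pack(rnd2, self.kp, self.id_dev, self.mf)
        return encrypt(ek, payload), mac(ak, payload)     # C, Tag
    def first_challenge(self, rnd1, rnd2):  # block 1202: EK/AK now also bind Kp and MF
        self.ek = kdf(b"KDF1", h(self.pwd), rnd1, rnd2, self.kp, self.mf)
        self.ak = kdf(b"KDF2", h(self.pwd), rnd1, rnd2, self.kp, self.mf)
        return encrypt(self.ek, rnd2), mac(self.ak, rnd2)  # C1, Tag1
    def finish(self, c2, tag2):             # blocks 1203/1204
        payload = decrypt(self.ek, c2)
        if not hmac.compare_digest(tag2, mac(self.ak, payload)):
            return False
        self.kps, self.t = unpack(payload)  # store Kps and credential T
        return True

class IdentityProviderUnit:         # TEE unit 142 of the identity provider 140: blocks 901-904, 1101-1103
    def __init__(self, ksp):
        self.ksp, self.registry = ksp, {}   # Ksp shared with the service provider; IDp_dev -> (Kp, MF)
    def fresh_nonces(self):                 # blocks 901/1101: RND1, RND2 (signed with Ski in the patent)
        self.rnd1, self.rnd2 = os.urandom(16), os.urandom(16)
        return self.rnd1, self.rnd2
    def complete_registration(self, pwd, c, tag):   # blocks 903/904
        ek, ak = kdf(b"KDF1", h(pwd), self.rnd1), kdf(b"KDF2", h(pwd), self.rnd2)
        payload = decrypt(ek, c)                    # the MAC covers plaintext, so decrypt first
        if not hmac.compare_digest(tag, mac(ak, payload)):
            return False
        rnd2, kp, id_dev, mf = unpack(payload)
        if not hmac.compare_digest(rnd2, self.rnd2):  # echoed RND2 ties C to this run
            return False
        self.registry[id_dev] = (kp, mf)
        return True
    def second_challenge(self, pwd, id_dev, c1, tag1):   # blocks 1102/1103
        kp, mf = self.registry[id_dev]
        # Assumption: the provider derives EK/AK exactly as the TEE device does in block 1202.
        ek = kdf(b"KDF1", h(pwd), self.rnd1, self.rnd2, kp, mf)
        ak = kdf(b"KDF2", h(pwd), self.rnd1, self.rnd2, kp, mf)
        rnd2 = decrypt(ek, c1)
        if not (hmac.compare_digest(tag1, mac(ak, rnd2)) and hmac.compare_digest(rnd2, self.rnd2)):
            return None
        rnd3, self.kps = os.urandom(16), os.urandom(32)  # assumption: Kps is issued fresh per login
        ek2, ak2 = kdf(b"KDF1", self.ksp, rnd3), kdf(b"KDF2", self.ksp, rnd3)   # EK', AK'
        t = pack(encrypt(ek2, pack(self.kps, id_dev)), rnd3, mac(ak2, pack(self.kps, rnd3, id_dev)))
        payload = pack(self.kps, t)
        return encrypt(ek, payload), mac(ak, payload)     # C2, Tag2

def run_protocol(pwd=b"constructed-password", id_dev=b"watch-0001", mf=b"constructed-MF"):
    """Registration (figs. 9/10) then authentication (figs. 11/12) on constructed inputs."""
    idp, dev = IdentityProviderUnit(ksp=os.urandom(32)), TeeDeviceUnit(id_dev, mf)
    c, tag = dev.register(pwd, *idp.fresh_nonces())
    registered = idp.complete_registration(pwd, c, tag)
    c1, tag1 = dev.first_challenge(*idp.fresh_nonces())  # new RND1/RND2 for the login run
    reply = idp.second_challenge(pwd, id_dev, c1, tag1)
    authenticated = reply is not None and dev.finish(*reply)
    flipped = bytes([tag1[0] ^ 1]) + tag1[1:]             # a corrupted Tag1 must be rejected
    return {"registered": registered, "authenticated": authenticated,
            "kps_agreed": authenticated and dev.kps == idp.kps,
            "tamper_rejected": idp.second_challenge(pwd, id_dev, c1, flipped) is None}
```

Calling run_protocol() returns a dict in which all four flags are True. Two points the walk-through makes visible: the Kp and MF stored at block 904 are exactly what lets the identity provider rebuild EK and AK for a later login (block 1202 binds them into the key derivation), so the registration store is security-critical state; and because the patent's Tag is a MAC over the plaintext fields rather than over C, a receiver has to decrypt before it can check the tag, whereas an encrypt-then-MAC construction or an AEAD would let it reject a tampered message before touching the plaintext. The example also checks that the echoed RND2 equals the nonce of the current run, which is what stops a recorded C/Tag pair from being replayed against a later run.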
Referring now to FIG. 13, shown is a block diagram of an electronic device 1300 in accordance with one embodiment of the present application. The electronic device 1300 may be any one of the user device 110, the TEE device 130, the association device 160, and the identity provider 140. Device 1300 may include one or more processors 1302, system control logic 1308 coupled to at least one of the processors 1302, system memory 1304 coupled to system control logic 1308, non-volatile memory (NVM)1306 coupled to system control logic 1308, and network interface 1310 coupled to system control logic 1308.
Processor 1302 may include one or more single-core or multi-core processors. The processor 1302 may include any combination of general-purpose processors and dedicated processors (e.g., microprocessors, application processors, etc.). In embodiments herein, processor 1302 may be configured to implement the respective functions of the control units (111, 131, and 141) shown in fig. 1 and perform one or more embodiments according to the various embodiments shown in fig. 2-12. In other embodiments, the processor 1302 may be configured to implement the respective functionality of the TEE units (132 and 142) shown in fig. 1 and perform one or more embodiments in accordance with the various embodiments shown in fig. 2-12.
In one possible implementation, the processor 1302 may run an operating system such as an Android, iOS, Windows OS, Linux, and hong meng operating system, among others. In other possible embodiments, the processor 1302 may run specific applications.
A memory may also be provided in processor 1302 for storing instructions and data. In some embodiments, memory in processor 1302 is cache memory. The memory may hold instructions or data that have just been used or cycled by processor 1302. If the processor 1302 needs to use the instruction or data again, it can be fetched directly from that memory. Avoiding repeated accesses reduces the latency of the processor 1302, thereby increasing the efficiency of the system.
In some embodiments, system control logic 1308 may include any suitable interface controllers to provide any suitable interface to at least one of processors 1302 and/or to any suitable device or component in communication with system control logic 1308.
In some embodiments, system control logic 1308 may include one or more memory controllers to provide an interface to system memory 1304. System memory 1304 may be used to load and store data and/or instructions. Memory 1304 of device 1300 may include any suitable volatile memory in some embodiments, such as suitable Dynamic Random Access Memory (DRAM).
NVM/storage 1306 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, the NVM/storage 1306 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as at least one of an HDD (Hard Disk Drive), CD (Compact Disc) drive, or DVD (Digital Versatile Disc) drive.
The NVM/memory 1306 may include a portion of a storage resource installed on a device of the apparatus 1300, or it may be accessible by, but not necessarily a part of, the apparatus. For example, the NVM/storage 1306 may be accessed over a network via the network interface 1310.
In particular, system memory 1304 and NVM/storage 1306 may each include: a temporary copy and a permanent copy of instructions 1320. The instructions 1320 may include: instructions that, when executed by at least one of the processors 1302, cause the apparatus 1300 to implement the methods shown in fig. 3-6 and 9-12. In some embodiments, the instructions 1320, hardware, firmware, and/or software components thereof may additionally/alternatively be located in the system control logic 1308, the network interface 1310, and/or the processor 1302.
Network interface 1310 may include a transceiver to provide a radio interface for device 1300 to communicate with any other suitable device (e.g., front end module, antenna, etc.) over one or more networks to perform the functions of the various transceiver units (112, 133, and 143) shown in fig. 1. In some embodiments, the network interface 1310 may be integrated with other components of the device 1300. For example, the network interface 1310 may be integrated with at least one of the processor 1302, the system memory 1304, the NVM/storage 1306, and a firmware device (not shown) having instructions that, when executed by at least one of the processors 1302, cause the device 1300 to implement one or more of the various embodiments shown in fig. 2-12.
Network interface 1310 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 1310 can be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
In one embodiment, at least one of the processors 1302 may be packaged together with logic for one or more controllers of system control logic 1308 to form a System In Package (SiP). In one embodiment, at least one of processors 1302 may be integrated on the same die with logic for one or more controllers of system control logic 1308 to form a system on a chip (SoC).
The apparatus 1300 may further include: input/output (I/O) devices 1312. The I/O device 1312 may include a user interface to enable a user to interact with the device 1300; the design of the peripheral component interface enables peripheral components to also interact with the device 1300. In some embodiments, the device 1300 further comprises a sensor for determining at least one of environmental conditions and location information related to the device 1300.
In some embodiments, the user interface may include, but is not limited to, a display (e.g., a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., still image cameras and/or video cameras), a flashlight (e.g., a light emitting diode flash), and a keyboard.
In some embodiments, the peripheral component interfaces may include, but are not limited to, a non-volatile memory port, an audio jack, and a power interface.
In some embodiments, the sensors may include, but are not limited to, a gyroscope sensor, an accelerometer, a proximity sensor, an ambient light sensor, and a positioning unit. The positioning unit may also be part of the network interface 1310 or interact with the network interface 1310 to communicate with components of a positioning network, such as Global Positioning System (GPS) satellites.
The method embodiments of the present application may be implemented in software, hardware, firmware, etc.
Program code may be applied to input instructions to perform the functions described herein and generate output information. The output information may be applied to one or more output devices in a known manner. For purposes of this application, a processing system includes any system having a processor such as, for example, a Digital Signal Processor (DSP), a microcontroller, an Application Specific Integrated Circuit (ASIC), or a microprocessor.
The program code may be implemented in a high level procedural or object oriented programming language to communicate with a processing system. The program code can also be implemented in assembly or machine language, if desired. Indeed, the mechanisms described herein are not limited in scope to any particular programming language. In any case, the language may be a compiled or interpreted language.
One or more aspects of at least one embodiment may be implemented by representative instructions stored on a computer-readable storage medium, which represent various logic in a processor, which when read by a machine causes the machine to fabricate logic to perform the techniques described herein. These representations, known as "IP cores" may be stored on a tangible computer-readable storage medium and provided to a number of customers or manufacturing facilities to load into the manufacturing machines that actually make the logic or processor.
In some cases, an instruction converter may be used to convert instructions from a source instruction set to a target instruction set. For example, the instruction converter may transform (e.g., using a static binary transform, a dynamic binary transform including dynamic compilation), morph, emulate, or otherwise convert the instruction into one or more other instructions to be processed by the core. The instruction converter may be implemented in software, hardware, firmware, or a combination thereof. The instruction converter may be on the processor, off-processor, or partially on and partially off-processor.
In some cases, the disclosed embodiments may be implemented in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors. For example, the instructions may be distributed via a network or other computer readable medium. Thus, a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including, without limitation, a floppy diskette, optical disk, compact disc read-only memory (CD-ROM), magneto-optical disk, read-only memory (ROM), Random Access Memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical card, flash memory, or a tangible machine-readable memory for transmitting information over the Internet via electrical, optical, acoustical or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Thus, a machine-readable medium includes any type of machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
In the drawings, some features of the structures or methods are shown in a particular arrangement and/or order. However, it is to be understood that such specific arrangement and/or ordering may not be required. In some embodiments, these features may be arranged in a manner and/or order different from that shown in the illustrative figures. Additionally, the inclusion of structural or methodical features in a particular figure is not meant to imply that such features are required in all embodiments, and in some embodiments, these features may not be included or may be combined with other features.
It is to be understood that, although the terms first, second, etc. may be used herein to describe various elements or data, these elements or data should not be limited by these terms. These terms are used merely to distinguish one feature from another. For example, a first feature may be termed a second feature, and, similarly, a second feature may be termed a first feature, without departing from the scope of example embodiments.
The above description is only a specific implementation of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any changes or substitutions within the technical scope disclosed in the embodiments of the present application should be covered by the scope of the embodiments of the present application. Therefore, the protection scope of the embodiments of the present application shall be subject to the protection scope of the claims.

Claims (31)

1. An identity authentication method for an identity authentication system, wherein the identity authentication system comprises a user device without a Trusted Execution Environment (TEE) unit, a TEE device with a TEE unit, and an identity provider (IDP), the method comprising:
the IDP is configured to: determine a TEE device associated with the user device according to an authentication request of the user device;
the user device is configured to: establish a communication connection with the TEE device, and send an identity authentication parameter of the user device to the TEE device;
the TEE device is configured to: send the identity authentication parameter of the user device to the IDP;
the IDP is further configured to: receive the identity authentication parameter of the user device sent by the TEE device, and perform identity authentication on the user of the user device with the TEE device according to the identity authentication parameter.
2. The method of claim 1, wherein the user device is further configured to: send a flag to the IDP indicating that the user device does not have the TEE unit.
3. The method of claim 1, wherein determining a TEE device associated with the user device comprises:
the IDP receives an identity authentication account from the user device and an identity authentication account from the TEE device;
the IDP determines that the user device has an associated TEE device when the identity authentication account of the user device is the same as or associated with the identity authentication account from the TEE device.
4. The method of claim 1, wherein the identity authentication system further comprises an associated device, wherein the method further comprises:
the association device receiving the identity authentication account from the user device and a flag indicating, at least in part, that the user device does not have the TEE unit;
the association device receiving the identity authentication account from the TEE device and a flag indicating, at least in part, that the TEE device has the TEE unit; and
the association device associating the user device and the TEE device with the identity authentication account upon determining that the identity authentication account of the user device is the same as the identity authentication account of the TEE device.
5. The method of claim 4, wherein the determining the TEE device associated with the user device comprises:
the IDP sending a request to the associated device asking whether the user device has an associated TEE device; and
the IDP determining the TEE device associated with the user device according to the response of the associated device.
6. An identity authentication method for a user device, wherein the user device does not have a Trusted Execution Environment (TEE) unit, comprising:
establishing a communication connection with a TEE device having the TEE unit, wherein the TEE device is associated with the user device; and
sending an identity authentication parameter of the user device to the TEE device, wherein after the TEE device sends the identity authentication parameter to an identity provider (IDP), the IDP performs identity authentication on the user of the user device with the TEE device according to the identity authentication parameter.
7. The method of claim 6, further comprising:
sending a flag to the IDP indicating, at least in part, that the user device does not have the TEE unit;
receiving a request from the IDP confirming whether to use the TEE device for the identity authentication; and
sending information to the IDP that determines to use the TEE device for the identity authentication of the user device.
8. The method of any one of claims 6-7, further comprising:
sending the identity authentication account of the user device to the IDP.
9. The method of any one of claims 6-7, further comprising:
sending the identity authentication account of the user device and a flag indicating, at least in part, that the user device does not have the TEE unit to an associated device.
10. The method of any of claims 6-7, wherein the TEE device is associated with the user device if the user device's authentication account is the same as or associated with an authentication account from the TEE device.
11. The method of any of claims 6-7, wherein the authentication parameters include at least one of a device serial number and a device identification number of the user device.
12. The method of any of claims 6-11, wherein the user device has another authentication account, wherein the other authentication account of the user device is the same as an authentication account of another TEE device, wherein the other TEE device has the TEE unit.
13. An identity authentication method for a Trusted Execution Environment (TEE) device, wherein the TEE device has a TEE unit, the method comprising:
establishing a communication connection with a user device, wherein the user device does not have the TEE unit, and wherein the TEE device is associated with the user device;
receiving an identity authentication parameter from the user device, wherein the identity authentication parameter is used for identity authentication of a user of the user device; and
sending the identity authentication parameter to an identity provider (IDP), for the IDP to perform the identity authentication of the user device with the TEE device according to the identity authentication parameter.
14. The method of claim 13, wherein establishing the communication connection with the user device comprises:
receiving a request from the IDP to determine whether the TEE device is online;
establishing the communication connection with the user device in response to the request; and
sending information that the TEE device is online to the IDP.
15. The method of any one of claims 13-14, further comprising:
sending an identity authentication account of the TEE device, and a flag indicating at least in part that the TEE device has the TEE unit, to an associated device.
16. The method of any one of claims 13-14, further comprising:
sending an identity authentication account of the TEE device, and a flag indicating at least in part that the TEE device has the TEE unit, to the IDP.
17. The method of any of claims 13-14, wherein the TEE device is associated with the user device if the user device's authentication account is the same as or associated with an authentication account from the TEE device.
18. The method of any of claims 13-16, wherein the authentication parameters include at least one of a device serial number and a device identification number of the user device.
19. An identity authentication method for an identity provider (IDP), comprising:
receiving an authentication request of a user device, wherein the user device does not have a Trusted Execution Environment (TEE) unit;
determining, in response to the authentication request, whether the user device has an associated TEE device, wherein the TEE device has the TEE unit; and
receiving, based at least in part on the user device having the associated TEE device, the identity authentication parameter of the user device sent by the TEE device, and performing the identity authentication on the user of the user device with the TEE device according to the identity authentication parameter.
20. The method of claim 19, further comprising: receiving information from the user device indicating that the user device does not have a Trusted Execution Environment (TEE) unit.
21. The method of claim 19, wherein the determining whether the user device has an associated TEE device further comprises:
sending a request to an associated device asking whether the user device has an associated TEE device.
22. The method of claim 19, wherein the determining whether the user device has an associated TEE device further comprises:
receiving an identity authentication account from the user device and an identity authentication account from the TEE device;
determining that the user device has the associated TEE device when the identity authentication account of the user device is the same as or associated with the identity authentication account from the TEE device; and
determining that the user device does not have an associated TEE device when the identity authentication account of the user device is different from or not associated with the identity authentication account from the TEE device.
23. The method of any one of claims 19-22, further comprising:
sending a request to the TEE device to confirm that the TEE device is online, when the user device has the associated TEE device;
receiving information from the TEE device confirming that the TEE device is online; and
receiving the identity authentication parameter of the user device sent by the TEE device, and performing the identity authentication on the user of the user device according to the identity authentication parameter.
24. The method of any of claims 19-23, wherein the authenticating the user of the user device with the TEE device according to the authentication parameters comprises:
performing the identity authentication on the user of the user device by interacting with the TEE device through encrypted data based on the identity authentication parameter.
25. The method of claim 24, wherein the encrypted data comprises: a challenge value encrypted with an encryption key and a credential value encrypted with a verification key, wherein the encryption key and the verification key are generated based on the authentication parameter.
26. The apparatus of claims 19-25, wherein the authentication parameters include at least one of a device serial number and a device identification number of the user device.
27. An identity authentication method for an associated device, comprising:
receiving identity authentication accounts sent by a user device and a TEE device, wherein the user device does not have a Trusted Execution Environment (TEE) unit and the TEE device has a TEE unit;
establishing an association between the user device and the TEE device according to the received identity authentication accounts; and
in response to a request from an identity provider (IDP), determining the TEE device associated with the user device requesting identity authentication, so that the TEE device sends an identity authentication parameter of the user device to the IDP and the IDP performs the identity authentication on the user of the user device with the TEE device according to the identity authentication parameter.
28. The identity authentication method of claim 27, wherein establishing the association of the user device with the TEE device according to the received identity authentication account comprises: associating the user device with the TEE device upon determining that the authentication account of the user device is the same as or associated with the authentication account of the TEE device.
29. The identity authentication method of claim 27, wherein determining, in response to a request by an identity provider (IDP), the TEE device associated with the user device requesting identity authentication comprises:
receiving a request from the identity provider (IDP) inquiring whether the user device is associated with the TEE device;
querying that the user device is associated with the TEE device; and
returning information that the user device is associated with the TEE device to the IDP.
30. A computer-readable storage medium having instructions stored thereon, which when executed on a computer cause the computer to perform the method of any one of claims 1-29.
31. An electronic device, comprising:
a memory for storing instructions for execution by one or more processors of the electronic device, and
A processor for executing the instructions in the memory to perform the method of any of claims 1-29.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010383065.4A CN113626777A (en) 2020-05-08 2020-05-08 Identity authentication method, storage medium and electronic device


Publications (1)

Publication Number Publication Date
CN113626777A true CN113626777A (en) 2021-11-09

Family

ID=78377264


Country Status (1)

Country Link
CN (1) CN113626777A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination