CN114581091A - Identity authentication method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN114581091A
Authority
CN
China
Prior art keywords
information
encrypted
identity
identifier
characteristic information
Legal status
Pending
Application number
CN202011372439.9A
Other languages
Chinese (zh)
Inventor
王少鸣
Current Assignee
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Shenzhen Tencent Computer Systems Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions
    • G06Q20/40145 Biometric identity checks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction

Abstract

The embodiment of the application discloses an identity authentication method, an identity authentication device, computer equipment and a storage medium. The method comprises the steps that encrypted identity information sent by target equipment is received and analyzed, so that an encrypted identifier, encrypted identity characteristic information and an equipment identifier of the target equipment are obtained; when the encrypted identifier meets the preset identity authentication condition, acquiring private key information corresponding to the equipment identifier; decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information; and verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information. The scheme can improve the safety of identity information verification.

Description

Identity authentication method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an identity authentication method and apparatus, a computer device, and a storage medium.
Background
With the rapid development of computer technology, face recognition payment systems are becoming more and more common. A face recognition payment system is a payment platform based on a face recognition system; it needs no wallet, credit card or mobile phone. During face recognition payment, the consumer only needs to face the camera on the screen of the collection device, and the system automatically associates the consumer's face information with the personal account to complete the payment, so the whole transaction process is very convenient.
In the related art, during face payment the collection device captures a face image of the consumer through its camera, obtains the consumer's identity information from the captured face image, and deducts money from the account bound to that identity information.
In the research and practice of the related art, the inventor of the present application found that, in the prior art, after the collection device has captured the consumer's picture, the picture may be used for other purposes, causing the consumer's identity information to be leaked. Therefore, the security of the existing face payment method is low.
Disclosure of Invention
The embodiment of the application provides an identity authentication method, an identity authentication device, computer equipment and a storage medium, which can improve the security of identity information authentication.
The embodiment of the application provides an identity authentication method, which comprises the following steps:
receiving encrypted identity information sent by target equipment, and analyzing the encrypted identity information to obtain an encrypted identifier, encrypted identity characteristic information and an equipment identifier of the target equipment;
when the encrypted identifier meets the preset identity authentication condition, acquiring private key information corresponding to the equipment identifier;
decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information;
and verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information.
The embodiment of the application provides another identity authentication method, which comprises the following steps:
acquiring the device identifier of the target device, user identity characteristic information, and public key information used for encrypting the user identity characteristic information;
encrypting the user identity characteristic information according to the public key information to obtain encrypted identity characteristic information;
acquiring historical encryption times, and determining an encryption identifier corresponding to encryption processing according to the numerical value of the historical encryption times, wherein the historical encryption times are times of encryption operation on user identity characteristic information before encryption processing;
generating encrypted identity information according to the encrypted identity characteristic information, the encrypted identifier and the equipment identifier;
and performing user identity authentication based on the encrypted identity information.
Correspondingly, the embodiment of the present application further provides an identity authentication device, including:
the analysis unit is used for receiving the encrypted identity information sent by the target equipment and analyzing the encrypted identity information to obtain an encrypted identifier, encrypted identity characteristic information and an equipment identifier of the target equipment;
the first obtaining unit is used for obtaining private key information corresponding to the equipment identification when the encrypted identification meets the preset identity verification condition;
the decryption unit is used for decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information;
and the first verification unit is used for verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information.
In some embodiments, the parsing unit comprises:
the first acquiring subunit is used for acquiring a target structure body in the encrypted identity information, wherein the target structure body comprises a first identification field, a characteristic field and a second identification field;
and the extraction subunit is used for extracting the encrypted identification from the first identification field, extracting the encrypted identity characteristic information from the characteristic field, and extracting the equipment identification from the second identification field.
In some embodiments, the first authentication unit includes:
the second obtaining subunit is configured to obtain user identity feature information corresponding to the device identifier from a preset identity information base, where the preset identity information base includes sample user identity feature information corresponding to the sample device identifier;
the matching subunit is used for matching the decrypted identity characteristic information with the user identity characteristic information;
the first determining subunit is used for determining that the encrypted identity information is successfully verified if the decrypted identity characteristic information is successfully matched with the user identity characteristic information;
and the second determining subunit is used for determining that the encrypted identity information fails to be verified if the decrypted identity characteristic information fails to be matched with the user identity characteristic information.
In some embodiments, the apparatus further comprises:
the third obtaining unit is used for obtaining the historical decryption times corresponding to the equipment identifier to obtain a first numerical value, wherein the historical decryption times are times of decryption operation on the encrypted identity characteristic information corresponding to the equipment identifier before decryption processing;
the comparison unit is used for obtaining a second numerical value used for verifying the encrypted identifier based on the numerical value of the encrypted identifier and comparing the first numerical value with the second numerical value;
and the second determining unit is used for determining that the encrypted identifier meets the preset authentication condition if the first numerical value is smaller than the second numerical value.
In some embodiments, the apparatus further comprises:
the first receiving unit is used for receiving a key distribution request sent by target equipment, wherein the key distribution request carries an equipment identifier of the target equipment;
and the third determining unit is used for generating private key information corresponding to the equipment identifier according to the equipment identifier.
Correspondingly, an embodiment of the present application further provides another identity authentication apparatus, including:
the second acquisition unit is used for acquiring the equipment identifier of the target equipment, the user identity characteristic information and public key information used for encrypting the user identity characteristic information;
the encryption unit is used for encrypting the user identity characteristic information according to the public key information to obtain encrypted identity characteristic information;
the first determining unit is used for acquiring historical encryption times and determining an encryption identifier corresponding to encryption processing according to the numerical value of the historical encryption times, wherein the historical encryption times are times of encryption operation on user identity characteristic information before encryption processing;
the generating unit is used for generating encrypted identity information according to the encrypted identity characteristic information, the encrypted identifier and the equipment identifier of the target equipment;
and the second verification unit is used for verifying the user identity based on the encrypted identity information.
In some embodiments, the generating unit comprises:
a third determining subunit, configured to determine a preset structural body for storing information, where the preset structural body includes: a first identification field, a characteristic field and a second identification field;
the writing subunit is used for writing the encrypted identity characteristic information into the characteristic field, writing the encrypted identifier into the first identifier field and writing the equipment identifier into the second identifier field, and generating a target structure body with the information stored;
and the obtaining subunit is used for obtaining the encrypted identity information based on the target structure body.
In some embodiments, the apparatus further comprises:
the detection unit is used for detecting whether public key information exists in the target equipment or not;
the sending unit is used for sending a key distribution request if the public key information does not exist in the target equipment, wherein the key distribution request carries the equipment identifier of the target equipment;
and the second receiving unit is used for receiving the public key information returned by aiming at the key distribution request.
In some embodiments, the second verification unit comprises:
the starting subunit is used for starting the near field communication function of the target equipment and broadcasting a communication signal through the near field communication function of the target equipment;
the establishing subunit is used for receiving a response signal of the response equipment for the communication signal and establishing communication connection with the response equipment based on the response signal;
and the verification subunit is used for sending the encrypted identity information to the response equipment so as to verify the encrypted identity information.
In some embodiments, the apparatus further comprises:
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a face image of a user and extracting the characteristics of the face image to obtain face characteristic data of the user;
and the processing unit is used for carrying out serialization processing on the face characteristic data to obtain the user identity characteristic information of the user.
In some embodiments, the first determination unit comprises:
and the calculating subunit is used for determining the sum of the value of the historical encryption times and a preset value and generating an encryption identifier based on the sum.
Accordingly, embodiments of the present application further provide a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the identity authentication method provided in any of the embodiments of the present application.
Correspondingly, the embodiment of the application also provides a storage medium, wherein the storage medium stores a plurality of instructions, and the instructions are suitable for being loaded by the processor to execute the identity authentication method.
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a storage medium. The processor of the terminal reads the computer instructions from the storage medium, and executes the computer instructions, so that the terminal executes the authentication method provided in the various alternative implementations of the above aspects.
After the encrypted identity information is received, the encrypted identity characteristic information, the encrypted identifier and the equipment identifier are extracted from the encrypted identity information, when the encrypted identifier meets the preset identity verification condition, the encrypted identity characteristic information is decrypted according to the private key information corresponding to the equipment identifier, then the identity characteristic information obtained after decryption is verified, the identity information verification result is obtained, and the security of identity information verification can be improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of a scenario of an identity verification system according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of an identity authentication method according to an embodiment of the present application.
Fig. 3 is a schematic flowchart of another identity verification method according to an embodiment of the present application.
Fig. 4 is a schematic flowchart of another identity verification method according to an embodiment of the present application.
Fig. 5 is a block diagram of an authentication apparatus according to an embodiment of the present application.
Fig. 6 is a block diagram of another authentication apparatus according to an embodiment of the present disclosure.
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides an identity authentication method, an identity authentication device, a storage medium and a terminal. Specifically, the embodiment of the application provides an identity authentication device suitable for computer equipment. The computer device may be a terminal or a server, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content delivery network), a big data and artificial intelligence platform. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the embodiment of the present application is not limited herein.
The identity authentication method in each embodiment of the present application may process the identity information of the user by using cloud technology.
The cloud technology is a hosting technology for unifying series resources such as hardware, software, network and the like in a wide area network or a local area network to realize data calculation, storage, processing and sharing. The cloud technology is based on the general names of network technology, information technology, integration technology, management platform technology, application technology and the like applied in the cloud computing business model, can form a resource pool, is used as required, and is flexible and convenient. Cloud computing technology will become an important support. Background services of the technical network system require a large amount of computing and storage resources, such as video websites, picture-like websites and more web portals. With the high development and application of the internet industry, each article may have its own identification mark and needs to be transmitted to a background system for logic processing, data of different levels are processed separately, and various industry data need strong system background support and can be realized through cloud computing.
Specifically, the identity authentication method in each embodiment of the present application may use cloud security technology, a branch of cloud technology, to authenticate user identity information.
The cloud security refers to a general name of security software, hardware, users, mechanisms and security cloud platforms applied based on the cloud computing business model. The cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, abnormal monitoring of software behaviors in the network is achieved through a large number of meshed clients, the latest information of trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and then the virus and trojan solution is distributed to each client.
The main research directions of cloud security include: the cloud computing security mainly researches how to guarantee the security of the cloud and various applications on the cloud, including the security of a cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; the cloud computing of the security infrastructure mainly researches how to newly build and integrate security infrastructure resources by adopting cloud computing and optimize a security protection mechanism, and comprises the steps of constructing a super-large-scale security event and an information acquisition and processing platform by using a cloud computing technology, realizing acquisition and correlation analysis of mass information and improving the handling control capability and risk control capability of the security event of the whole network; the cloud security service mainly researches various security services, such as anti-virus services and the like, provided for users based on a cloud computing platform.
Referring to fig. 1, fig. 1 is a schematic view of a scenario of an authentication system according to an embodiment of the present application, where the scenario includes a terminal and a server, where the terminal and the server may be connected through a network, and the network includes network entities such as a router and a gateway.
The server can receive encrypted identity information sent by the target equipment and analyze the encrypted identity information to obtain an encrypted identifier, encrypted identity characteristic information and an equipment identifier of the target equipment; when the encrypted identifier meets the preset identity authentication condition, acquiring private key information corresponding to the equipment identifier; decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information; and verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information.
The terminal can acquire the device identification of the target device, the user identity characteristic information and public key information used for encrypting the user identity characteristic information; encrypting the user identity characteristic information according to the public key information to obtain encrypted identity characteristic information; acquiring historical encryption times, and determining an encryption identifier corresponding to encryption processing according to the numerical value of the historical encryption times, wherein the historical encryption times are times of encryption operation on user identity characteristic information before encryption processing; generating encrypted identity information according to the encrypted identity characteristic information, the encrypted identifier and the equipment identifier; and performing user identity authentication based on the encrypted identity information.
It should be noted that the scenario diagram of the identity verification system shown in fig. 1 is merely an example, and the identity verification system and the scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and it is known by a person of ordinary skill in the art that the technical solution provided in the embodiment of the present application is also applicable to similar technical problems with the evolution of the identity verification system and the occurrence of a new service scenario.
Based on the above problems, embodiments of the present application provide a first identity authentication method, apparatus, computer device, and storage medium, which can improve security of identity information authentication. The following are detailed below. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
The identity authentication method in each embodiment of the application can acquire the identity information of the user by using an artificial intelligence technology.
Artificial Intelligence (AI) is a theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human Intelligence, perceive the environment, acquire knowledge and use the knowledge to obtain the best results. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence is the research of the design principle and the implementation method of various intelligent machines, so that the machines have the functions of perception, reasoning and decision making.
Artificial intelligence technology is a comprehensive subject that covers a wide range of fields, at both the hardware level and the software level. Artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operating/interactive systems, mechatronics, and the like. Artificial intelligence software technology mainly comprises computer vision technology, speech processing technology, natural language processing technology, machine learning/deep learning and the like.
Specifically, the identity authentication method in each embodiment of the present application may use a face recognition technology in an artificial intelligence technology. For example, a face recognition technology is used when face information is collected by a camera and face image features are extracted.
Face recognition is a biometric technology for identity recognition based on the facial feature information of a person. It is a series of related technologies, also called portrait recognition or facial recognition, that capture an image or video stream containing a face with a camera or video camera, automatically detect and track the face in the image, and then recognize the detected face.
The embodiment of the present application provides an identity authentication method, which may be executed by a terminal or a server.
As shown in fig. 2, fig. 2 is a schematic flowchart of an authentication method according to an embodiment of the present application. The specific process of the identity authentication method can be as follows:
101. Receiving the encrypted identity information sent by the target equipment, and analyzing the encrypted identity information to obtain an encrypted identifier, encrypted identity characteristic information and an equipment identifier of the target equipment.
The target device is a device that generates encrypted identity information, and the target device may send the encrypted identity information to the server in various ways.
For example, the target device may directly send the encrypted identity information to the server, or the target device may send the encrypted identity information to another device, and then the other device sends the encrypted identity information to the server.
The encrypted identity information refers to user identity characteristic information that needs to be verified, and the user identity characteristic information may include multiple types, for example, the user identity characteristic information may be face information and the like.
In some embodiments, when the target device sends the encrypted identity information to the server, it may do so by sending a request.
For example, the target device may send an information verification request to the server, where the information verification request carries encrypted identity information, and when the server receives the information verification request sent by the target device, the server may obtain the encrypted identity information from the information verification request.
The encryption identifier is used for representing the encryption identity information, and different encryption identifiers can represent different encryption identity information. The encrypted identifier may be composed of a number, for example, the encrypted identifier may be "1" or the like.
For example, the encrypted identifier may be "1", "2", "3", etc., where "1" may represent the first piece of encrypted identity information, "2" the second piece, and "3" the third piece.
In the embodiment of the present application, in order to avoid the same encrypted identifier occurring in different encrypted identity information, the target device may determine the encrypted identifier of the encrypted identity information according to the number of times the user identity characteristic information has been encrypted. That is, the target device may keep a counter that records the number of encryptions of the user identity characteristic information; when an encryption operation is completed, the counter updates the recorded number and stores the updated value.
For example, when the user identity characteristic information is about to be encrypted, the number of encryptions stored in the counter, say 5, is read. The current encryption is then the 6th encryption operation, and the encrypted identifier of the encrypted identity information produced by it is "6".
The encrypted identity characteristic information is the identity characteristic information obtained by encrypting the initial user identity characteristic information, and it may consist of numbers.
For example, the encrypted identity characteristic information may be "1234" or the like. The initial user identity characteristic information and the encryption operation performed on it are described in the subsequent steps.
The device identifier of the target device is a serial number composed of a character string that represents the ID (identity document) of the target device. The device identifier may consist of numbers, letters and/or symbols; for example, it may be "ER374".
In some embodiments, in order to ensure the validity of the encrypted identity information, the step "analyzing the encrypted identity information to obtain the encrypted identifier, the encrypted identity information, and the device identifier of the target device" may include the following operations:
acquiring a target structure body in the encrypted identity information, wherein the target structure body comprises a first identification field, a characteristic field and a second identification field;
the method comprises extracting an encrypted identification from a first identification field, extracting encrypted identity feature information from a feature field, and extracting a device identification from a second identification field.
A structure (structural element) is a data set composed of a series of data having the same data type or different data types, and is also called a structure.
Where a data type is a collection of a set of qualitatively identical values and a set of operations defined on this set of values. The data type may include a variety of types.
Such as int, long, float, string, etc. Shaping refers to numbers without decimal points and exponential symbols, such as: "1"; floating point type refers to numbers with a fractional part, such as "1.1"; the string type refers to a character sequence such as: "cdf 437".
The target structure is the data set of the several data items that make up the encrypted identity information. The first identification field, the characteristic field and the second identification field are different data items representing different contents of the encrypted identity information. The data types of the first identification field, the characteristic field and the second identification field may be determined according to their contents.
For example, the content of the encrypted identity information includes: the encrypted identity characteristic information, the device identifier and the encrypted identifier, the characteristic field may represent the encrypted identity characteristic information, the second identifier field may represent the device identifier, and the first identifier field may represent the encrypted identifier.
The encrypted identity characteristic information may be a character string sequence, and then, the data type of the characteristic field corresponding to the encrypted identity characteristic information may be a character string type; the device identifier may be a character string sequence, and then the data type of the second identifier field corresponding to the device identifier may be a character string type; the encrypted identifier may be an integer, and then the data type of the first identifier field corresponding to the encrypted identifier may be integer.
Specifically, the feature field, the second identification field, and the content corresponding to the first identification field are respectively extracted from the target structure, so that the encrypted identity feature information, the device identification, and the encrypted identification can be obtained from the encrypted identity information.
For example, a target structure is obtained from the encrypted identity information, the target structure including a characteristic field "2DFJFE632", a second identification field "SN1", and a first identification field "1". The characteristic field represents the encrypted identity characteristic information, the second identification field the device identifier, and the first identification field the encrypted identifier, so "2DFJFE632" is extracted from the target structure to obtain the encrypted identity characteristic information, "SN1" to obtain the device identifier, and "1" to obtain the encrypted identifier.
102. When the encrypted identifier meets the preset identity authentication condition, private key information corresponding to the device identifier is acquired.
The preset identity authentication condition is a condition set for judging whether the encrypted identity information is safe to process, so that the security of identity information authentication can be ensured.
In some embodiments, in order to improve the security of the authentication of the identity information, the determining whether the encrypted identifier meets the preset authentication condition may include the following steps:
acquiring historical decryption times corresponding to the equipment identifier to obtain a first numerical value, wherein the historical decryption times are times of decryption operation on the encrypted identity characteristic information corresponding to the equipment identifier before decryption processing;
obtaining a second numerical value for verifying the encrypted identifier based on the numerical value of the encrypted identifier, and comparing the first numerical value with the second numerical value;
and if the first numerical value is smaller than the second numerical value, determining that the encrypted identification meets the preset authentication condition.
The historical decryption times refer to times of decryption operations on the encrypted identity characteristic information corresponding to the equipment identifier before decryption processing is performed on the encrypted identity characteristic information.
For example, before decrypting the encrypted identity characteristic information, the server may already have performed N decryption operations on encrypted identity characteristic information corresponding to the device identifier, in which case the historical decryption times are N. N is a natural number, such as 0, 1, 2, 3, etc.
The first value is the value of the historical decryption times. For example, if the historical decryption times are 5, the first value is 5.
The second value is the value of the encrypted identifier. For example, if the encrypted identifier is "6", the second value is 6.
As mentioned in the previous step, the encrypted identifier may be the number of times the user identity characteristic information has been encrypted, and the historical decryption times are the number of times it has been decrypted. Whether the same encrypted identity information is being decrypted repeatedly can therefore be judged by checking whether the encryption count is larger than the decryption count, which protects the user information.
For example, when the user identity characteristic information is encrypted for the first time on the target device, the value of the encrypted identifier is "1" (the second value), and the encrypted identity information is obtained. The target device then sends the encrypted identity information to the server. Before the server decrypts the user identity characteristic information in it, the historical decryption times are "0" (the first value). Comparing the two shows that the first value is smaller than the second value, so this is the first decryption of this user identity characteristic information; the operation can be taken as the user's own, and the current decryption is a safe operation.
For another example, the encrypted identifier extracted from the received encrypted identity information may be "3", indicating that the encryption has been performed 3 times, while the historical decryption times obtained by the server are also 3, indicating that 3 decryption operations have already been performed. The decryption about to be performed would be the 4th, i.e. a repeated decryption of the same encrypted identity information. Since the first value (3) is not smaller than the second value (3), the preset identity authentication condition is not met and the 4th decryption is not performed, which avoids the risk of the user identity characteristic information being stolen.
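The parsing of the target structure in step 101 and the counter check described above, as an added Python example that is not part of the patent. The page names the three fields but gives no byte layout, so the example assumes one (a big-endian 32-bit first identification field followed by length-prefixed feature and second identification fields); the feature bytes stand in for the already encrypted identity characteristic information, and the class and function names are the example's own. The server side applies the rule exactly as stated: the first value (historical decryption times for the device identifier) must be smaller than the second value (the encrypted identifier), and the count is then incremented.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetStructure:
    """The three fields of the target structure body (field names from the page)."""
    encrypted_identifier: int   # first identification field (the encryption count)
    encrypted_feature: bytes    # characteristic field (encrypted identity characteristic information)
    device_identifier: str      # second identification field (device identifier)


# Assumed wire layout for this example (the page gives none):
#   uint32 big-endian encrypted identifier
#   uint16 big-endian length, then the bytes of the characteristic field
#   uint16 big-endian length, then the UTF-8 bytes of the device identifier
def pack_target_structure(ts: TargetStructure) -> bytes:
    dev = ts.device_identifier.encode("utf-8")
    return (struct.pack("!I", ts.encrypted_identifier)
            + struct.pack("!H", len(ts.encrypted_feature)) + ts.encrypted_feature
            + struct.pack("!H", len(dev)) + dev)


def _take(blob: bytes, offset: int, size: int) -> tuple[bytes, int]:
    """Slice `size` bytes at `offset`, rejecting truncated input instead of silently padding."""
    if offset + size > len(blob):
        raise ValueError("truncated target structure")
    return blob[offset:offset + size], offset + size


def parse_target_structure(blob: bytes) -> TargetStructure:
    """Extract the encrypted identifier, the characteristic field and the device identifier."""
    raw, off = _take(blob, 0, 4)
    encrypted_identifier = struct.unpack("!I", raw)[0]
    raw, off = _take(blob, off, 2)
    feature, off = _take(blob, off, struct.unpack("!H", raw)[0])
    raw, off = _take(blob, off, 2)
    dev, off = _take(blob, off, struct.unpack("!H", raw)[0])
    if off != len(blob):
        raise ValueError("trailing bytes after target structure")
    return TargetStructure(encrypted_identifier, feature, dev.decode("utf-8"))


class TargetDevice:
    """Device side: the encryption counter of step 203 supplies the encrypted identifier."""

    def __init__(self, device_identifier: str):
        self.device_identifier = device_identifier
        self.encryption_count = 0

    def build_encrypted_identity_information(self, encrypted_feature: bytes) -> bytes:
        # `encrypted_feature` is assumed to be already encrypted (step 202);
        # only the counter that produces the encrypted identifier is shown here.
        self.encryption_count += 1
        return pack_target_structure(TargetStructure(
            self.encryption_count, encrypted_feature, self.device_identifier))


class Server:
    """Server side: historical decryption times per device identifier (the first value)."""

    def __init__(self):
        self.historical_decryptions: dict[str, int] = {}

    def check_encrypted_identifier(self, blob: bytes) -> tuple[bool, TargetStructure]:
        ts = parse_target_structure(blob)
        first_value = self.historical_decryptions.get(ts.device_identifier, 0)
        second_value = ts.encrypted_identifier
        if first_value < second_value:
            # Condition met: the decryption is counted before the private key is fetched.
            self.historical_decryptions[ts.device_identifier] = first_value + 1
            return True, ts
        return False, ts
```

With this rule a message is rejected once the device's decryption count has reached its identifier, so an immediate replay of an accepted message fails. Because the count rises by one per accepted message, a message whose identifier is ahead of the count (an earlier encryption that was never sent) remains acceptable until the count catches up; a server that wants strict once-only acceptance can store the highest accepted identifier instead of a count.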
The private key information is the key used for decrypting the encrypted identity characteristic information, and it may consist of several numbers. For example, the device identifier of the target device may correspond to private key information "7483675" or the like.
In some embodiments, to ensure the security of the private key information of the target device, before the step "obtaining the private key information corresponding to the device identifier", the following steps may be further included:
receiving a key distribution request of target equipment, wherein the key distribution request carries an equipment identifier of the target equipment;
and generating private key information corresponding to the equipment identification according to the equipment identification.
The key distribution request is sent to the server by the target device and used for requesting the server to generate private key information of the target device.
When the server receives a key distribution request sent by the target device, it may obtain the device identifier carried in the request, that is, the device identifier of the target device. The private key information may be generated from the device identifier in various ways, for example according to the RSA algorithm. The present application is not limited to this; the private key information may also be generated in other manners, which are not described here.
RSA belongs to the public key cryptosystems. A public key cryptosystem uses different keys for encryption and decryption, and it is computationally infeasible to derive the decryption key from the known encryption key. In a public key cryptosystem the encryption key (public key) PK is public information, while the decryption key (secret key) SK must be kept secret. The encryption algorithm E and the decryption algorithm D are also public.
The RSA algorithm is an asymmetric cryptographic algorithm, which means that the algorithm requires a pair of keys: one is used for encryption and the other for decryption.
The RSA algorithm involves three parameters: n, e1 and e2. Here n is the product of two large prime numbers p and q (a prime number is a natural number greater than 1 that is divisible only by 1 and by itself; there are infinitely many of them), and the number of bits needed to represent n in binary is the so-called key length. e1 and e2 are a related pair of values: e1 can be chosen freely, but it must be relatively prime to (p−1) × (q−1) (two integers are relatively prime when their greatest common divisor is 1); e2 is then chosen so that e1 × e2 ≡ 1 (mod (p−1) × (q−1)). The mod operation is the remainder operation, i.e. the remainder when one integer is divided by another. Then (n, e1) and (n, e2) form the key pair, where (n, e1) is the public key and (n, e2) is the private key.
In the embodiment of the present application, in order to ensure that different target devices correspond to different key pairs when the key pairs are generated by using the RSA algorithm, the values of p and q may be determined according to the device identifiers of the target devices.
For example, the device identifier may be "13aa". The value of p can then be determined from the digit combination "13" in the device identifier as 13, and the value of q from the letters "aa" as 11. Determining q from the letters of the device identifier may consist of taking each letter's sequence number in the alphabet (a = 1, b = 2, and so on) and concatenating the sequence numbers of all the letters in the device identifier, so that "aa" gives "11", i.e. q = 11.
Further, after p and q have been determined from the device identifier, n is the product of p and q: 143, and (p−1) × (q−1) = 120. e1 must be relatively prime to 120 and greater than 1 (with e1 = 1 the ciphertext would equal the plaintext), for example e1 = 7; e2 is then determined from e1 × e2 ≡ 1 (mod 120) as 103, since 7 × 103 = 721 = 6 × 120 + 1. The public key is therefore (143, 7) and the private key is (143, 103), i.e. the private key information is (143, 103). Because p and q are computed from the device identifier, which is not secret, anyone who knows the identifier can reproduce the private key, and primes of this size offer no protection; the values serve only to illustrate the arithmetic.
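The construction above (p and q from the device identifier, e1 relatively prime to (p−1) × (q−1), e2 its inverse) carried out in Python, as an added example that is not code from the patent. It implements the page's mapping rule literally (the digits form p, the alphabet positions of the letters form q), rejects identifiers whose mapping does not yield two distinct primes, picks e1 as the smallest odd value greater than 1 that is relatively prime to (p−1) × (q−1), and computes e2 with the extended Euclidean algorithm. The function names are the example's own.

```python
from __future__ import annotations

import math


def derive_p_q(device_identifier: str) -> tuple[int, int]:
    """Page's rule: the digits of the identifier form p; each letter's position in the
    alphabet (a=1 ... z=26) is concatenated to form q.  "13aa" -> (13, 11)."""
    digits = "".join(ch for ch in device_identifier if ch.isdigit())
    letters = "".join(ch for ch in device_identifier if ch.isalpha())
    if not digits or not letters:
        raise ValueError("device identifier must contain both digits and letters")
    p = int(digits)
    q = int("".join(str(ord(ch.lower()) - ord("a") + 1) for ch in letters))
    return p, q


def is_prime(n: int) -> bool:
    """Trial division; adequate for the tiny values this mapping produces."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def mod_inverse(a: int, m: int) -> int:
    """Return e2 with a * e2 ≡ 1 (mod m), by the extended Euclidean algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return old_s % m


def rsa_keypair_from_device_id(device_identifier: str) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e1), (n, e2)) following the page's construction.
    e1 = 1 is excluded because it would leave every plaintext unchanged."""
    p, q = derive_p_q(device_identifier)
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError(f"{device_identifier!r} maps to p={p}, q={q}, not two distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    e1 = next((e for e in range(3, phi, 2) if math.gcd(e, phi) == 1), None)
    if e1 is None:
        raise ValueError(f"no usable public exponent for phi={phi}")
    e2 = mod_inverse(e1, phi)
    return (n, e1), (n, e2)
```

For "13aa" this returns ((143, 7), (143, 103)). The primality check also shows the limits of the mapping: an identifier such as "ER374" from the earlier example maps to composite values and is rejected, and since the identifier is not secret, any party that knows it can rerun the same computation and obtain the private key.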
103. The encrypted identity characteristic information is decrypted according to the private key information to obtain decrypted identity characteristic information.
The encrypted identity characteristic information is decrypted according to a decryption algorithm of RSA.
The RSA encryption and decryption operations have the same form. If A is the plaintext and B the ciphertext, then A = B^e2 (mod n) and B = A^e1 (mod n).
Here e1, e2 and n are as described in the previous step. In a public key encryption system, the public key is generally used for encryption and the private key for decryption.
For example, the encrypted identity characteristic information may be "5", that is, the ciphertext B is 5, and the private key information may be (143, 103). Then, according to the RSA decryption algorithm A = B^e2 (mod n), the plaintext A is 5^103 mod 143 = 125, that is, the decrypted identity characteristic information is "125". The result is always reduced modulo n, so the plaintext, like the ciphertext, is smaller than n.
104. The decrypted identity characteristic information is verified to obtain a verification result for the encrypted identity information.
The encrypted identity characteristic information is decrypted through the steps, and the decrypted identity characteristic information can be verified after being obtained.
In some embodiments, in order to improve the information verification efficiency, the step "verifying the decrypted identity characteristic information to obtain the verification result of the encrypted identity information" may include the following steps:
acquiring user identity characteristic information corresponding to equipment identification from a preset identity information base;
matching the decrypted identity characteristic information with the user identity characteristic information;
if the decrypted identity characteristic information is successfully matched with the user identity characteristic information, the encrypted identity information is determined to be successfully verified;
and if the decrypted identity characteristic information fails to be matched with the user identity characteristic information, determining that the encrypted identity information fails to be verified.
The preset identity information base is an identity information database on the server, which stores several pieces of sample user identity characteristic information, each of which may correspond to a sample device identifier.
For example, the preset identity information base may store first, second and third user identity characteristic information, where the device identifier corresponding to the first is "1", to the second "2", and to the third "3". If the device identifier of the target device is "3", the user identity characteristic information obtained from the preset identity information base for that device identifier is the third user identity characteristic information.
Furthermore, the obtained user identity characteristic information corresponding to the target device can be matched with the decrypted identity characteristic information to obtain a matching result, and the verification result of the encrypted identity information can be obtained according to the matching result.
For example, the user identity characteristic information corresponding to the obtained target device may be "2", the decrypted identity characteristic information may be "2", the user identity characteristic information is matched with the decrypted identity characteristic information, it may be determined that the user identity characteristic information is successfully matched with the decrypted identity characteristic information, and it indicates that the decrypted identity characteristic information is consistent with the user identity characteristic information, it may be determined that the encrypted identity information is successfully verified.
For another example, the obtained user identity characteristic information corresponding to the target device may be "3", the obtained decrypted identity characteristic information may be "2", the user identity characteristic information is matched with the decrypted identity characteristic information, it may be determined that the matching between the user identity characteristic information and the decrypted identity characteristic information fails, it indicates that the decrypted identity characteristic information is inconsistent with the user identity characteristic information, and it may be determined that the verification of the encrypted identity information fails.
The embodiment of the application discloses an identity authentication method, which comprises the following steps: receiving encrypted identity information sent by target equipment, and analyzing the encrypted identity information to obtain an encrypted identifier, encrypted identity characteristic information and an equipment identifier of the target equipment; when the encrypted identifier meets the preset identity authentication condition, acquiring private key information corresponding to the equipment identifier; decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information; and verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information. Therefore, after the encrypted identity information is received, the encrypted identity characteristic information, the encrypted identifier and the equipment identifier are extracted from the encrypted identity information, when the encrypted identifier meets the preset identity verification condition, the encrypted identity characteristic information is decrypted according to the private key information corresponding to the equipment identifier, then the identity characteristic information obtained after decryption is verified, the identity information verification result is obtained, and the security of identity information verification can be improved.
Based on the above description, the authentication method of the present application will be further described below by way of example. In this embodiment, the authentication apparatus will be described by taking an example in which the authentication apparatus is specifically integrated in a terminal. Referring to fig. 3, fig. 3 is a schematic flowchart of another authentication method according to an embodiment of the present application. The specific process can be as follows:
201. and acquiring the equipment identifier of the target equipment, the user identity characteristic information and public key information for encrypting the user identity characteristic information.
The target device is a device for acquiring the user identity characteristic information and encrypting the user identity characteristic information. For example, the target device may be a smartphone or the like.
Wherein the device identification of the target device refers to a serial number for characterizing the target device.
For example, the device identifier of the target device may be "123AB" or the like. The device identifier may be set when the target device leaves the factory, and different devices may correspond to different device identifiers.
The user identity characteristic information refers to information for identifying different user identities, for example, the user identity characteristic information may be face information, fingerprint information, or voice information, and in the embodiment of the present application, the face information may be used as an example.
The public key information is the key used for encrypting the user identity characteristic information, and it may consist of several numbers. For example, the public key information may be "123" or the like.
In some embodiments, in order to ensure the security of the encryption process for the user identity feature information, before the step of "obtaining the device identifier of the target device, the user identity feature information, and the public key information for encrypting the user identity feature information", the following steps may be further included:
detecting whether public key information exists in target equipment;
if the public key information does not exist in the target equipment, sending a key distribution request, wherein the key distribution request carries an equipment identifier of the target equipment;
public key information returned for the key assignment request is received.
The target device may be provided with an SE (Secure Element) chip, which is used to store the public key information and to perform encryption and decryption operations on the user identity characteristic information according to it.
The SE is a security module: a microcomputer that provides secure data storage, encryption and decryption, and similar functions through a security chip and a chip operating system. It may be packaged in various forms, commonly as a smart card or as an embedded secure element (eSE). The eSE products developed for NFC (Near Field Communication) terminals use a smart security chip meeting the CC EAL5+ (Common Criteria Evaluation Assurance Level 5+) security level, with a built-in secure operating system, to meet the terminal's requirements for secure key storage, data encryption services and the like. They can be applied widely in finance, mobile payment, urban transport, medical and retail settings, can protect the security of online payment, and can serve as an offline payment wallet together with NFC.
Specifically, detecting whether the target device has the public key information may be performed by detecting whether the SE chip of the target device stores the public key information. When it is detected that the SE chip does not store the public key information, in order to ensure the privacy of the public key information, a key allocation request may be sent to the server, and the server generates the public key information corresponding to the target device according to the key allocation request.
After the target device sends a key distribution request to the server, the server obtains a device identifier in the key distribution request, and generates corresponding public key information and private key information according to the device identifier. Specifically, the implementation manner of the server generating the public key information and the private key information according to the device identifier has been described in detail in the previous embodiment, and is not described herein again. Then, the server may send the generated public key information and private key information to the target device, and at the same time, the server may also store the public key information and private key information in correspondence to the device identifier of the target device.
In some embodiments, in order to obtain the user identity information quickly, before the step of "obtaining the device identifier of the target device, the user identity information, and the public key information used for encrypting the user identity information", the following steps may be further included:
acquiring a face image of a user, and extracting features of the face image to obtain face feature data of the user;
and carrying out serialization processing on the face characteristic data to obtain user identity characteristic information of the user.
The target device can comprise a camera, and the target device can acquire a face image of a user by starting the camera.
In the field of artificial intelligence, when a face image is used for face recognition and identity verification, the features of the face must be expressed as vectors that a computer can process, that is, the face must be represented by its features. Descriptions of facial features generally fall into two main categories: geometric features and algebraic features.
Geometric features are based on the shape of the facial organs and the geometric relationships between them. The face consists of organs such as the eyes, nose, mouth and chin, whose geometric positions are relatively fixed, so their geometric description can serve as an important facial feature: a structure-based method uses prior knowledge of the geometric relationships in the facial topology to extract the features of the main organs and represents the face as a set of geometric feature vectors. Algebraic features are determined by the gray-level distribution of the face image and describe the internal information of the image; this approach captures and describes the face as a whole.
In some embodiments, feature extraction from the face image may rely mainly on the facial organs, in line with the geometric features above. These may include the eyes, eyebrows, nose, mouth and ears. Face feature extraction may be implemented by various algorithms, for example the ASM (Active Shape Model) algorithm.
ASM, the Active Shape Model, abstracts a target object by a shape model. It is an algorithm based on the Point Distribution Model (PDM). In PDM, the geometry of objects with similar shapes, such as faces, hands, hearts or lungs, can be represented by concatenating the coordinates of several key feature points (landmarks) into a shape vector. The ASM algorithm provides a trained feature point model, and in practice this trained model can be used directly to extract feature points from the face image.
For example, a face picture of a user is taken through a camera of the target device, and then a face region in the face picture is detected. And acquiring a trained feature point model provided in the ASM algorithm, and extracting human face feature points from the human face region by using the trained feature point model to obtain the human face feature data of the user.
In some embodiments, the face features may also be extracted with the LBP (Local Binary Patterns) algorithm. LBP is a nonparametric operator that describes the local spatial structure of an image. It can be used to analyze image texture features and has shown strong discriminative power in texture classification. The LBP operator is defined as a gray-scale invariant texture operator, derived from the general definition of texture in a local neighborhood.
The basic idea of LBP is to express local texture by a binary code obtained by comparing the neighborhood of a pixel against the gray value of that central pixel, used as a threshold. For texture analysis the LBP operator is one of the best texture descriptors. Its main advantages are: it is invariant to any monotonic gray-scale transformation, so it is robust to illumination; it is fast to compute, since it is obtained by comparisons in a small neighborhood, which makes it possible to analyze images under demanding real-time conditions; and since it is a nonparametric method, no assumption about the distribution needs to be made beforehand.
For example, in a 3x3 pixel neighborhood of the face image, the gray value of the central pixel is taken as the threshold and the gray values of the 8 surrounding pixels are compared with it: if a surrounding pixel value is greater than the central pixel value, that position is marked 1, otherwise 0. Comparing the 8 points of the 3x3 neighborhood thus produces an 8-bit binary number (usually converted to a decimal number, the LBP code, of which there are 256), which is the LBP value of the central pixel and reflects the texture of that region. Combining the texture information of all regions gives the texture information of the face image, which can be used as the face feature information.
Because the generated human face feature data has a large data volume and may include various types of data, the human face feature data can be serialized to convert the human face feature data into a serialized character string in order to store the human face feature data conveniently.
Serialization is the process of converting the state information of an object into a form that can be stored or transmitted. During serialization, the object writes its current state to temporary or persistent storage. The object can later be recreated by reading, or deserializing, its state from that storage. Serialization allows other code to view or modify object instance data that could not be accessed without serialization.
Typically, all fields of an object instance will be serialized, meaning that the data will be represented as serialized data for the instance. In this way, code capable of interpreting the format may be able to determine the value of the data without relying on the accessibility of the member. Similarly, deserialization extracts data from a serialized representation and sets object states directly, also independent of accessibility rules.
For example, the facial feature data may include: the first data, the second data, the third data, the fourth data and the like are serialized to generate character strings such as '125' and the like corresponding to the face feature data. The face identity information can be determined to be "125".
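As an added illustration of the LBP procedure just described (example code written for this page, not taken from the patent), the following Python computes the 3x3 LBP code of every interior pixel of a small constructed grayscale image, collects the codes into a 256-bin histogram as the region's texture feature, and serializes the result to a string. The image values, the JSON serialization format and the function names are assumptions; the page only states that the feature data is serialized into a character string.

```python
import json

# Constructed 6x6 grayscale image (not from the page); values are 0..255.
SAMPLE_IMAGE = [
    [ 10,  20,  30,  40,  50,  60],
    [ 15,  25,  35,  45,  55,  65],
    [200, 210, 220, 230, 240, 250],
    [ 90,  80,  70,  60,  50,  40],
    [ 95,  85,  75,  65,  55,  45],
    [  5,  15,  25,  35,  45,  55],
]

# Neighbour offsets, clockwise from the top-left pixel; the first offset becomes
# the most significant bit of the 8-bit code.
NEIGHBOURS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def lbp_code(image, row, col):
    """LBP value of one interior pixel: a neighbour contributes 1 if it is
    strictly greater than the centre (the threshold), otherwise 0."""
    centre = image[row][col]
    code = 0
    for dr, dc in NEIGHBOURS:
        code = (code << 1) | (1 if image[row + dr][col + dc] > centre else 0)
    return code


def lbp_image(image):
    """LBP codes of all interior pixels (border pixels lack a full 3x3 neighbourhood)."""
    h, w = len(image), len(image[0])
    return [[lbp_code(image, r, c) for c in range(1, w - 1)] for r in range(1, h - 1)]


def lbp_histogram(image):
    """256-bin histogram of the LBP codes: the texture descriptor of the whole region."""
    hist = [0] * 256
    for row in lbp_image(image):
        for code in row:
            hist[code] += 1
    return hist


def serialize_features(hist):
    """Serialize the feature vector into a storable character string (JSON is an assumption)."""
    return json.dumps(hist, separators=(",", ":"))


def deserialize_features(text):
    """Inverse of serialize_features."""
    return json.loads(text)
```

Adding the same constant to every pixel leaves every code unchanged, which is the gray-scale invariance the text refers to; the histogram, not the raw code map, is what would be stored as the feature.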
202. Encrypt the user identity characteristic information according to the public key information to obtain the encrypted identity characteristic information.
The user identity characteristic information may be encrypted with the RSA encryption algorithm.
As mentioned in the above embodiment, RSA encryption and decryption are the same operation (modular exponentiation) with different exponents. Let A be the plaintext and B the ciphertext; then B ≡ A^e1 (mod n) and A ≡ B^e2 (mod n), where e1, e2 and n are parameters of the RSA algorithm and (n, e1) and (n, e2) form the key pair: (n, e1) is the public key and (n, e2) is the private key. In a public key cryptosystem the public key is generally used for encryption and the private key for decryption.
For example, the user identity information may be "125", that is, the plaintext A is 125, and the public key information may be (143, 2); then, according to the RSA encryption algorithm B = A^e1 (mod n), the ciphertext B obtained by the calculation is 15625, and the encrypted identity characteristic information is "15625".
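Worked RSA example for step 202, added here and not from the patent. Two points worth checking before reusing the page's numbers: 15625 is 125^2 before the reduction modulo n, and with n = 143 the reduced ciphertext is 125^2 mod 143 = 38; and (143, 2) is illustrative only, because phi(143) = 10 * 12 = 120 and gcd(2, 120) = 2, so the exponent 2 has no inverse modulo phi(n) and no private exponent could undo it. The block therefore keeps the modulus 143 and the plaintext 125 but uses the constructed pair e1 = 7, e2 = 103 (7 * 103 = 721 = 6 * 120 + 1), and validates a key pair before trusting it; the function names are assumptions.

```python
from math import gcd


def rsa_encrypt(plaintext: int, public_key: tuple) -> int:
    """B = A^e1 mod n with the public key (n, e1)."""
    n, e1 = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(plaintext, e1, n)


def rsa_decrypt(ciphertext: int, private_key: tuple) -> int:
    """A = B^e2 mod n with the private key (n, e2): the same operation, other exponent."""
    n, e2 = private_key
    return pow(ciphertext, e2, n)


def is_valid_key_pair(public_key: tuple, private_key: tuple, p: int, q: int) -> bool:
    """Decryption undoes encryption only if n = p*q and e1*e2 = 1 (mod phi(n))."""
    n, e1 = public_key
    n2, e2 = private_key
    phi = (p - 1) * (q - 1)
    return n == n2 == p * q and gcd(e1, phi) == 1 and (e1 * e2) % phi == 1


# Constructed toy parameters (not from the page): n = 143 = 11 * 13, phi(n) = 120.
P, Q = 11, 13
PUBLIC_KEY = (143, 7)      # 7 is coprime to 120
PRIVATE_KEY = (143, 103)   # 7 * 103 = 721 = 6 * 120 + 1


def demo():
    """Encrypt the page's plaintext 125 and decrypt it again; returns (ciphertext, recovered)."""
    a = 125
    b = rsa_encrypt(a, PUBLIC_KEY)
    return b, rsa_decrypt(b, PRIVATE_KEY)
```

A 143-bit-free modulus like this is for arithmetic illustration only; any real deployment of step 202 would use a standard key size and a padding scheme such as OAEP, since raw exponentiation of a short, low-entropy feature value is deterministic and trivially tabulated.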
203. Acquire the historical encryption count, and determine the encryption identifier corresponding to the encryption processing according to the value of the historical encryption count.
Here, the historical encryption count refers to the number of encryption operations performed on the user identity characteristic information before the current encryption processing of the user identity characteristic information.
For example, if the target device has performed N encryption operations on the user identity characteristic information before the current encryption processing, the historical encryption count may be determined to be N, where N is a natural number such as 1, 2, 3, 4, etc.
In some embodiments, to avoid the same encryption identifier appearing in different pieces of encrypted identity information, the step "determining the encryption identifier corresponding to the encryption processing according to the value of the historical encryption count" may include the following operation:
determining the sum of the value of the historical encryption count and a preset value, and generating the encryption identifier based on the sum.
The preset value is used to distinguish the encryption identifiers of the individual pieces of encrypted identity information, and may be a natural number greater than 0, such as 1, 2, 3, 4, and the like.
For example, the historical encryption count may be 3, so its value is 3, and the preset value may be 1; the sum of the historical encryption count and the preset value is then 4, and from this sum an encryption identifier of "4" may be generated.
204. Generate the encrypted identity information according to the encrypted identity characteristic information, the encryption identifier and the device identifier of the target device.
The encrypted identity information is the information used to verify the identity of the user; it is identity information obtained by encrypting and otherwise processing the initial user identity characteristic information, and offers high security.
In some embodiments, to ensure the privacy of the encrypted identity information, the step "generating the encrypted identity information according to the encrypted identity characteristic information, the encryption identifier and the device identifier" may include the following operations:
determining a preset structure body for storing information, where the preset structure body includes a first identification field, a characteristic field and a second identification field;
writing the encrypted identity characteristic information into the characteristic field, the encryption identifier into the first identification field and the device identifier into the second identification field, to generate a target structure body holding the stored information;
obtaining the encrypted identity information based on the target structure body.
The definition of a structure body has already been explained in the above embodiment; please refer to it. The preset structure body is thus a preset data set for storing the several data items of the encrypted identity information, and the target structure body is the data set in which those items have been stored; the target structure body may serve as the representation of the encrypted identity information.
The encrypted identity information comprises the encrypted identity characteristic information, the encryption identifier and the device identifier, that is, at least three kinds of data. Accordingly, at least three fields, each storing a different item, may be provided in the preset structure body.
For example, the preset structure body may be provided with a first identification field, a second identification field and a characteristic field, where the first identification field is used to store the encryption identifier, the second identification field is used to store the device identifier, and the characteristic field is used to store the encrypted identity characteristic information. The encrypted identity characteristic information of the encrypted identity information is then written into the characteristic field, the encryption identifier into the first identification field and the device identifier into the second identification field, generating the target structure body in which the encrypted identity information is stored; this target structure body can represent the encrypted identity information.
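As an added example (not code from the patent) of steps 203 and 204 together, the following Python keeps the historical encryption count, derives the encryption identifier as that count plus a preset value, and writes the three items into a fixed binary layout standing in for the preset structure body, in the page's field order: first identification field, characteristic field, second identification field. A matching parser shows how the receiving side recovers the three items and rejects a structure whose length field disagrees with its size. The byte widths, the length prefix, the class and function names and the sample values are assumptions.

```python
import struct

# Assumed binary layout standing in for the preset structure body (the page fixes the
# field order but not the widths):
#   first identification field  : 4-byte big-endian encryption identifier
#   characteristic field        : 2-byte length prefix + encrypted identity characteristic bytes
#   second identification field : 16-byte device identifier, NUL padded
HEAD = struct.Struct(">IH")
TAIL = struct.Struct(">16s")
PRESET_VALUE = 1          # added to the historical encryption count to form the identifier


class IdentityInfoBuilder:
    """Client side of steps 203 and 204 for one target device (hypothetical class name)."""

    def __init__(self, device_id: str, history_count: int = 0):
        self.device_id = device_id.encode("utf-8")
        if not 0 < len(self.device_id) <= TAIL.size:
            raise ValueError("device identifier must be 1..16 bytes")
        self.history_count = history_count   # encryption operations performed so far

    def next_identifier(self) -> int:
        """Encryption identifier = historical encryption count + preset value; then advance the count."""
        identifier = self.history_count + PRESET_VALUE
        self.history_count += 1
        return identifier

    def build(self, encrypted_feature: bytes) -> bytes:
        """Write the three items into the target structure body and return its byte image."""
        if len(encrypted_feature) > 0xFFFF:
            raise ValueError("encrypted characteristic information too long for the length field")
        identifier = self.next_identifier()
        return (HEAD.pack(identifier, len(encrypted_feature))
                + encrypted_feature
                + TAIL.pack(self.device_id))


def parse_identity_info(blob: bytes):
    """Receiving side: recover (encryption identifier, device identifier, encrypted feature)."""
    if len(blob) < HEAD.size + TAIL.size:
        raise ValueError("too short to be a target structure body")
    identifier, length = HEAD.unpack_from(blob)
    if len(blob) != HEAD.size + length + TAIL.size:
        raise ValueError("length field disagrees with structure size")
    feature = blob[HEAD.size:HEAD.size + length]
    (device,) = TAIL.unpack_from(blob, HEAD.size + length)
    return identifier, device.rstrip(b"\0").decode("utf-8"), feature


def demo_sequence(device_id="sn1", feature=b"2DFJFE632", history_count=3, n=2):
    """Build n consecutive pieces of encrypted identity information; return their parsed identifiers."""
    builder = IdentityInfoBuilder(device_id, history_count)
    return [parse_identity_info(builder.build(feature))[0] for _ in range(n)]
```

The counter has to survive restarts of the target device: if it is kept only in memory and resets to 0, the device will re-issue identifiers the verifier has already seen and every later presentation will be rejected as a repeat.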
205. Perform user identity authentication based on the encrypted identity information.
When the target terminal performs an encryption operation on the user identity characteristic information to obtain encrypted identity information, the encrypted identity information can be used in a variety of application scenarios of identity authentication, such as a payment scenario, a withdrawal scenario, and an access control scenario.
In an actual application scenario, before user identity authentication is performed on the encrypted identity information, the target device needs to send the encrypted identity information to a verification end (which may be a server or another verification device), and the verification device then verifies the encrypted identity information to obtain the user identity authentication result. The target device may send the encrypted identity information to the verification end in various ways, for example over near field communication, a wireless network, Bluetooth, or the like.
In some embodiments, in order to ensure data transmission security, the target terminal may send the encrypted identity information to the verification-side device for verification in a near field communication manner. The step "user authentication based on encrypted identity information" may include the following operations:
starting a near field communication function of the target equipment, and broadcasting a communication signal through the near field communication function of the target equipment;
receiving a response signal of the response equipment for the communication signal, and establishing communication connection with the response equipment based on the response signal;
sending the encrypted identity information to the response device so that the encrypted identity information is verified.
Near Field Communication (NFC) is a short-range high-frequency radio technology that operates within a distance of 20 cm at a frequency of 13.56 MHz (megahertz). NFC supports both active and passive read modes. NFC technology evolved from the integration of contactless Radio Frequency Identification (RFID) technology with interconnection technology; it combines the functions of an inductive card reader, an inductive card and point-to-point communication on a single chip, and can perform identification and data exchange with compatible devices over a short distance. It provides a wireless connection technology for easy, secure and fast communication, and compared with other connection methods in the wireless world, NFC is a close-range private communication method.
For example, the target device may be provided with an NFC chip, and the NFC chip may implement a near field communication function. The NFC chip has a mutual communication function and computing capability.
The response device is a device which is in communication connection with the target device and receives the encrypted identity information sent by the target device. The response device may also be provided with an NFC chip, and the NFC chip completes a communication function with the target device.
For example, when the target terminal approaches the response device, the NFC communication function may be started, and a communication signal is sent to the response device, and after receiving the communication signal of the target device, the response device may respond to the communication signal, that is, feed back the response signal to the target device, that is, may establish an NFC connection between the target device and the response device.
After the target device and the response device establish a communication connection, data transmission can be performed through a peer-to-peer mode in the NFC technology.
The point-to-point mode can be used for data exchange; its transmission distance is short, but the connection is established quickly, the transmission speed is high and the power consumption is low. Two NFC-enabled devices are linked so that point-to-point data transmission can be realized, such as downloading music, exchanging pictures or synchronizing device address books; in this way the devices can exchange data or services between themselves via the NFC point-to-point mode.
For example, the target terminal starts the NFC communication function and may act as the NFC initiator (master), providing the radio frequency field throughout the communication with the response device. As the master device, the target device may select the transmission speed, and the data (i.e., the encrypted identity information) is then transmitted to the response device. After receiving the encrypted identity information sent by the target device, the response device may perform the identity authentication operation; for the specific identity authentication operation, refer to the above embodiment.
The embodiment of the application discloses an identity authentication method, which comprises the following steps: acquiring the device identifier of the target device, the user identity characteristic information and the public key information for encrypting the user identity characteristic information; encrypting the user identity characteristic information according to the public key information to obtain the encrypted identity characteristic information; acquiring the historical encryption count and determining the encryption identifier corresponding to the encryption processing according to the value of the historical encryption count, where the historical encryption count is the number of encryption operations performed on the user identity characteristic information before the encryption processing; generating the encrypted identity information according to the encrypted identity characteristic information, the encryption identifier and the device identifier; and performing user identity authentication based on the encrypted identity information. In this way, the user identity characteristic information is encrypted with the public key information distributed by the server, an encryption identifier corresponding to the encryption operation is generated, and the encrypted identity characteristic information, the encryption identifier and the device identifier are assembled into a data structure to obtain the encrypted identity information. This guarantees the privacy of the user identity characteristic information and, at the same time, enriches the functions of offline face-recognition terminals and improves the offline adaptability and experience of users.
As shown in fig. 4, fig. 4 is a schematic flowchart of another identity authentication method provided in the embodiment of the present application. Taking the interaction among the payment device, the collection device and the server as an example, the identity authentication method may be applied to a payment scenario and includes the following specific process:
301. When a payment instruction is received, the encrypted identity information of the user is obtained.
Wherein the payment instruction instructs the payment device to perform the payment function. The payment device may be equipped with application software that may be used to perform the payment functions of the payment device.
For example, the application software may be payment software. The user may trigger a payment instruction by operating the payment software.
The encrypted identity information refers to user identity information stored in the payment equipment, and the user identity information can be used for verifying the user identity in the payment operation process. The encrypted identity information may be stored in the memory of the payment apparatus in the form of a structure, and the encrypted identity information may include: the encrypted identifier, the device identifier of the payment device and the encrypted identity characteristic information. Specifically, the encrypted identifier, the device identifier, and the encrypted identity characteristic information are described in the above embodiments, and reference may be made to the description of the above embodiments.
For example, the obtained encrypted identity information of the user may be {"2DFJFE632", "sn1", "1"}, where "2DFJFE632" is the encrypted identity characteristic information, "sn1" is the device identifier, and "1" is the encrypted identifier.
In some embodiments, to ensure the security of the user identity information, the payment device may store the encrypted identity information in the SE chip. Upon receiving the payment instruction, the payment device may read the encrypted identity information from the SE chip.
The SE chip can also realize functions such as encryption and decryption operation, the payment equipment can also store the user identity characteristic information in the SE chip, and the SE chip is used for encrypting the user identity characteristic information, so that the encrypted identity characteristic information can be obtained. In the embodiment of the present application, the user identity characteristic information may be face information.
When the user identity is encrypted, asymmetric encryption can be adopted to ensure the security of the encryption. An asymmetric encryption algorithm requires two keys: a public key and a private key. The public key and the private key form a pair: if data is encrypted with the public key, it can only be decrypted with the corresponding private key, and if data is encrypted with the private key, it can only be decrypted with the corresponding public key. Because two different keys are used for encryption and decryption, this kind of algorithm is called an asymmetric encryption algorithm.
In the embodiment of the present application, the public key and the private key may be generated by the server according to the device identifier of the payment device; for the specific generation manner, refer to the above embodiments. The server may then send the generated public key and private key to the payment device.
For example, the payment device may send a key allocation request carrying its device identifier to the server; after receiving the key allocation request, the server obtains the device identifier of the payment device, generates a public key and a private key corresponding to the device identifier, and returns the public key and the private key to the payment device.
The encryption operation on the user identity characteristic information can be executed before the terminal receives the payment instruction, which can improve payment efficiency.
For example, before receiving a payment instruction, the user may start the payment software and call the camera through the payment software to acquire the face information of the user. Feature extraction and other operations are performed on the collected face information by an algorithm to obtain a character string that can be stored, for example "1F3D3RT44". This string may then represent the initial user identity characteristic information.
Further, the initial user identity characteristic information is written into the SE chip and encrypted there to obtain the encrypted identity characteristic information, for example "2DFJFE632".
302. Start the near field communication function and send the encrypted identity information to the collection device.
In the embodiment of the present application, to ensure the security of data transmission, the data may be transmitted through Near Field Communication (NFC). The payment device may be provided with an NFC chip, by which the near field communication function is enabled.
Correspondingly, the collection device communicating with the payment device may also be provided with an NFC chip. The payment device and the collection device establish a communication connection by enabling their respective NFC chips, and the payment device then sends the encrypted identity information to the collection device over the near field communication connection.
303. Receive the encrypted identity information sent by the payment device and send it to the server.
In some embodiments, to improve the security of the authentication, the authentication operation may be centralized on the server side. After receiving the encrypted identity information sent by the payment device, the collection device may then send an identity verification request carrying the encrypted identity information to the server, so that the server performs the verification operation on the encrypted identity information.
304. Parse the encrypted identity information to obtain the encrypted identifier, the device identifier and the encrypted identity characteristic information.
Parsing the encrypted identity information means extracting the different data items from it, so as to obtain the different contents of the encrypted identity information.
For example, the encrypted identity information received by the server may be {"2DFJFE632", "sn1", "1"}. The server then extracts "2DFJFE632" from the encrypted identity information to obtain the encrypted identity characteristic information, extracts "sn1" to obtain the device identifier, and extracts "1" to obtain the encrypted identifier.
305. Determine whether the encrypted identifier meets the preset verification condition.
The preset verification condition is used for verifying the encrypted identification, if the verification is successful, the next verification operation can be continuously executed, and the safety of the identity verification is improved through various verifications of the encrypted identity information.
Specifically, the encrypted identifier may represent the number of times of encryption corresponding to the encrypted identity feature information in the encrypted identity information, for example, the payment device performs the encryption operation on the initial user identity feature information for the first time to obtain the encrypted identity feature information, and at this time, the encrypted identifier may be "1".
The preset verification condition is that the encrypted identifier is valid only once.
For example, when the server receives the encrypted identity information for the first time and parses out the encrypted identifier "1", it may be determined that the encrypted identifier meets the preset verification condition, and step 306 may be executed.
For another example, when the server receives encrypted identity information for the second time and the parsed encrypted identifier is again "1", the server finds that "1" already appeared among the encrypted identifiers parsed from other encrypted identity information before the current parsing operation. It may then be determined that the current encrypted identifier does not meet the preset verification condition, i.e. the verification fails, and step 309 may be executed.
306. Acquire the private key information corresponding to the device identifier, and decrypt the encrypted identity characteristic information according to the private key information to obtain the decrypted identity characteristic information.
In the above steps, the server generates the public key and private key corresponding to the device identifier according to the device identifier of the payment device, and the server may also store the correspondence between the device identifier and the generated public key and private key. The encrypted identity characteristic information corresponding to the device identifier can then be decrypted with the private key corresponding to that device identifier to obtain the decrypted identity characteristic information.
Specifically, the operation of decrypting the encrypted identity characteristic information according to the private key information has been described in the above embodiments, and details are not repeated here.
For example, the server obtains the encrypted identity characteristic information "2DFJFE632" by parsing the encrypted identity information, and then decrypts it according to the private key information corresponding to the stored device identifier to obtain the decrypted identity characteristic information "1F3D3RT44".
307. Determine whether the decrypted identity characteristic information is the preset identity characteristic information.
The preset identity characteristic information refers to initial user identity characteristic information which is stored in a server in advance by the payment equipment.
For example, the decrypted identity characteristic information may be "1F3D3RT44" and the preset identity characteristic information may be "1F3D3RT44"; the decrypted identity characteristic information is matched with the preset identity characteristic information, and it can be determined that they are the same, so step 308 may be executed.
For another example, the decrypted identity characteristic information may be "1F3D3RT44" and the preset identity characteristic information may be "8N3D3RT00"; the decrypted identity characteristic information is matched with the preset identity characteristic information, and it can be determined that they are not the same, so step 309 may be executed.
308. Acquire the account information bound to the user identity information, and perform the collection operation on the account information.
The account information refers to the user account used for payment; for example, the account information may be a bank card number or the like.
When the decrypted identity characteristic information is successfully matched with the preset identity characteristic information, the user identity authentication is successful, and the collection device can then acquire the account information bound to the user identity information in the payment device.
For example, the account information bound to the user identity information may be payment account A, from which the collection device may then collect the payment.
309. Generate prompt information indicating that the identity information verification failed, and send the prompt information to the collection device.
When the decrypted identity characteristic information fails to match the preset identity characteristic information, the user identity authentication has failed. At this time, to ensure the security of the account information of the user, the server may generate prompt information for prompting the user that the authentication has failed; for example, the content of the prompt information may be "authentication failed, please re-check!" and the like.
The embodiment of the application discloses an identity authentication method, which comprises the following steps: when the payment device receives a payment instruction, it acquires the encrypted identity information of the user, starts the near field communication function, and sends the encrypted identity information to the collection device; after receiving the encrypted identity information sent by the payment device, the collection device sends it to the server; the server parses the encrypted identity information to obtain the encrypted identifier, the device identifier and the encrypted identity characteristic information, and determines whether the encrypted identifier meets the preset verification condition; if it does, the server acquires the private key information corresponding to the device identifier, decrypts the encrypted identity characteristic information according to the private key information to obtain the decrypted identity characteristic information, and determines whether the decrypted identity characteristic information is the preset identity characteristic information; if it is, the verification succeeds, the collection device can acquire the account information bound to the user identity information, and the collection operation is performed on the account information. In this way, the security of the user account information is ensured while the security of the user identity information is ensured.
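The server-side part of the flow (steps 304 to 309) as an added, runnable example; this is illustrative code written for this page, not the patent's or the applicant's implementation. It parses the three components, checks the encrypted identifier against the identifiers already consumed for that device, decrypts the characteristic information with the private key bound to the device identifier, compares it with the preset characteristic information in constant time, and returns either the bound account or the failure prompt. The toy RSA parameters (n built from the Mersenne primes 2^61-1 and 2^89-1, e = 65537), the dictionary message format, the class and function names and the sample account are assumptions. One deliberate difference from the page's wording: the page compares a count of past decryptions with the identifier, but a plain count lets an already accepted identifier be replayed whenever an earlier identifier was generated and never presented (for instance identifiers 1 and 3 presented, 2 skipped: the count is 2, so 3 passes the "count < identifier" check a second time), so the check here keeps the highest identifier seen per device and requires each new identifier to exceed it.

```python
import hmac

# Constructed toy RSA parameters, not from the page. p and q are the Mersenne primes
# 2^61-1 and 2^89-1, chosen only so that n (about 150 bits) can hold a short feature
# string as one integer; real deployments use 2048-bit or larger keys with OAEP padding.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (modular inverse, Python 3.8+)
WIDTH = 32                             # fixed byte width so the final comparison is constant-time


def encrypt_feature(feature: bytes, public_key) -> int:
    """Client side of step 202: textbook RSA on the feature bytes read as one integer."""
    n, e = public_key
    m = int.from_bytes(feature, "big")
    if m >= n:
        raise ValueError("characteristic information too long for this toy modulus")
    return pow(m, e, n)


def make_identity_info(feature: bytes, device_id: str, identifier: int, public_key) -> dict:
    """The three items of encrypted identity information as a dict (format is an assumption)."""
    return {"feature": encrypt_feature(feature, public_key),
            "device": device_id, "identifier": identifier}


class AuthServer:
    """Server side of steps 304 to 309 (hypothetical class name)."""

    def __init__(self):
        self.private_keys = {}      # device identifier -> (n, d) generated for that device
        self.preset_features = {}   # device identifier -> initial characteristic information
        self.accounts = {}          # device identifier -> bound account information
        self.high_water = {}        # device identifier -> highest encrypted identifier consumed

    def register(self, device_id: str, feature: bytes, account: str, private_key) -> None:
        self.private_keys[device_id] = private_key
        self.preset_features[device_id] = feature
        self.accounts[device_id] = account
        self.high_water[device_id] = 0

    def verify(self, info: dict):
        """Return (True, account) on success or (False, reason) on failure."""
        # step 304: parse the encrypted identity information into its three components
        try:
            cipher = int(info["feature"])
            device_id = str(info["device"])
            identifier = int(info["identifier"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed encrypted identity information"
        if device_id not in self.private_keys:
            return False, "unknown device identifier"
        # step 305: the identifier is single-use; it must exceed every identifier consumed before
        if not self.high_water[device_id] < identifier:
            return False, "encrypted identifier already used"
        self.high_water[device_id] = identifier      # consume it even if the later checks fail
        # step 306: decrypt with the private key bound to this device identifier
        n, d = self.private_keys[device_id]
        decrypted = pow(cipher, d, n).to_bytes(WIDTH, "big")
        # step 307: compare with the preset characteristic information in constant time
        expected = int.from_bytes(self.preset_features[device_id], "big").to_bytes(WIDTH, "big")
        if not hmac.compare_digest(decrypted, expected):
            return False, "authentication failed, please re-check!"     # step 309
        return True, self.accounts[device_id]                           # step 308


def demo():
    """Constructed scenario: genuine presentation, replay of it, wrong feature, fresh identifier."""
    server = AuthServer()
    server.register("sn1", b"1F3D3RT44", "payment account A", (N, D))
    public_key = (N, E)
    genuine = make_identity_info(b"1F3D3RT44", "sn1", 1, public_key)
    return [
        server.verify(genuine),                                                 # accepted
        server.verify(genuine),                                                 # replay rejected
        server.verify(make_identity_info(b"8N3D3RT00", "sn1", 2, public_key)),  # feature mismatch
        server.verify(make_identity_info(b"1F3D3RT44", "sn1", 3, public_key)),  # accepted
    ]
```

The identifier is consumed before decryption so that a failed attempt cannot be retried with the same value, and the failure reasons returned to the collection device are deliberately the page's generic prompt rather than a hint about which check failed.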
To better implement the identity authentication method provided by the embodiment of the present application, an embodiment of the present application further provides an identity authentication apparatus based on the identity authentication method. The terms have the same meanings as in the identity authentication method above, and for implementation details refer to the description in the method embodiment.
Referring to fig. 5, fig. 5 is a block diagram of an authentication apparatus according to an embodiment of the present disclosure, the apparatus includes:
the parsing unit 401 is configured to receive the encrypted identity information sent by the target device, and parse the encrypted identity information to obtain the encrypted identifier, the encrypted identity feature information and the device identifier of the target device;
a first obtaining unit 402, configured to obtain, when the encrypted identifier meets the preset authentication condition, the private key information corresponding to the device identifier;
a decryption unit 403, configured to decrypt the encrypted identity feature information according to the private key information to obtain the decrypted identity feature information;
a first verification unit 404, configured to verify the decrypted identity feature information to obtain the verification result of the encrypted identity information.
In some embodiments, the parsing unit 401 may include:
the first acquiring subunit is used for acquiring a target structure body in the encrypted identity information, wherein the target structure body comprises a first identification field, a characteristic field and a second identification field;
and the extraction subunit is used for extracting the encrypted identification from the first identification field, extracting the encrypted identity characteristic information from the characteristic field, and extracting the equipment identification from the second identification field.
In some embodiments, the first verification unit 404 may include:
the second obtaining subunit is configured to obtain user identity feature information corresponding to the device identifier from a preset identity information base, where the preset identity information base includes sample user identity feature information corresponding to the sample device identifier;
the matching subunit is used for matching the decrypted identity characteristic information with the user identity characteristic information;
the first determining subunit is used for determining that the encrypted identity information is successfully verified if the decrypted identity characteristic information is successfully matched with the user identity characteristic information;
and the second determining subunit is used for determining that the encrypted identity information fails to be verified if the decrypted identity characteristic information fails to be matched with the user identity characteristic information.
In some embodiments, the apparatus may further comprise:
the third obtaining unit is used for obtaining the historical decryption times corresponding to the equipment identifier to obtain a first numerical value, wherein the historical decryption times are times of decryption operation on the encrypted identity characteristic information corresponding to the equipment identifier before decryption processing;
the comparison unit is used for obtaining a second numerical value used for verifying the encrypted identifier based on the numerical value of the encrypted identifier and comparing the first numerical value with the second numerical value;
the second determining unit is used for determining that the encrypted identifier meets the preset authentication condition if the first numerical value is smaller than the second numerical value.
In some embodiments, the apparatus may further comprise:
the first receiving unit is used for receiving a key distribution request sent by target equipment, wherein the key distribution request carries an equipment identifier of the target equipment;
and the third determining unit is used for generating private key information corresponding to the equipment identifier according to the equipment identifier.
The embodiment of the application discloses an identity authentication apparatus: the parsing unit 401 receives the encrypted identity information sent by the target device and parses it to obtain the encrypted identifier, the encrypted identity characteristic information and the device identifier of the target device; when the encrypted identifier meets the preset authentication condition, the first obtaining unit 402 obtains the private key information corresponding to the device identifier; the decryption unit 403 decrypts the encrypted identity characteristic information according to the private key information to obtain the decrypted identity characteristic information; and the first verification unit 404 verifies the decrypted identity characteristic information to obtain the verification result of the encrypted identity information. Thus, after the encrypted identity information is received, the encrypted identity characteristic information, the encrypted identifier and the device identifier are extracted from it; when the encrypted identifier meets the preset identity verification condition, the encrypted identity characteristic information is decrypted according to the private key information corresponding to the device identifier, and the identity characteristic information obtained after decryption is then verified to obtain the identity information verification result, which improves the security of identity information verification.
Referring to fig. 6, fig. 6 is a block diagram of another authentication apparatus according to an embodiment of the present disclosure, the apparatus includes:
a second obtaining unit 501, configured to obtain a device identifier of a target device, user identity feature information, and public key information used for encrypting the user identity feature information;
an encrypting unit 502, configured to encrypt the user identity feature information according to the public key information to obtain encrypted identity feature information;
a first determining unit 503, configured to obtain a historical encryption count and determine an encryption identifier for the present encryption operation according to the value of that count, where the historical encryption count is the number of times encryption operations were performed on user identity feature information before the present encryption operation;
a generating unit 504, configured to generate encrypted identity information according to the encrypted identity feature information, the encrypted identifier, and the device identifier of the target device;
and a second authentication unit 505 for performing user authentication based on the encrypted identity information.
In some embodiments, the generating unit 504 may include:
a third determining subunit, configured to determine a preset structure for storing information, where the preset structure comprises a first identification field, a feature field and a second identification field;
the writing subunit is used for writing the encrypted identity characteristic information into the characteristic field, writing the encrypted identifier into the first identification field and writing the equipment identifier into the second identification field, and generating a target structure body with stored information;
and the obtaining subunit is used for obtaining the encrypted identity information based on the target structure body.
In some embodiments, the apparatus may further comprise:
the detection unit is used for detecting whether public key information exists in the target equipment;
the sending unit is used for sending a key distribution request if the public key information does not exist in the target equipment, wherein the key distribution request carries the equipment identifier of the target equipment;
and the second receiving unit is used for receiving the public key information returned by aiming at the key distribution request.
In some embodiments, the second verification unit 505 may include:
the starting subunit is used for enabling the near field communication function of the target device and broadcasting a communication signal through that function;
the establishing subunit is used for receiving a response signal sent by a responding device in reply to the communication signal and establishing a communication connection with the responding device based on the response signal;
and the verification subunit is used for sending the encrypted identity information to the responding device so that the responding device verifies the encrypted identity information.
In some embodiments, the apparatus may further comprise:
the acquisition unit is used for acquiring a face image of the user and extracting features from the face image to obtain face feature data of the user;
and the processing unit is used for carrying out serialization processing on the face characteristic data to obtain the user identity characteristic information of the user.
In some embodiments, the first determining unit 503 may include:
and the calculating subunit is used for determining the sum of the value of the historical encryption times and a preset value and generating an encryption identifier based on the sum.
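The structure built by the generating unit 504 (first identification field, feature field, second identification field), its parsing on the receiving side, and the counter-derived encryption identifier of the calculating subunit together with the claim 4 comparison against the historical decryption count are shown below in one added Go example. It is not code from the patent or from the applicant. The wire layout, the preset value of 1, the derivation of the "second value" as the one-based sequence number of the encryption, the bound on the feature length, and the names EncryptedIdentity, Device and Verifier are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EncryptedIdentity is the three-field structure named in the text: first
// identification field, feature field, second identification field.
type EncryptedIdentity struct {
	EncryptionID uint64 // first identification field: the encryption identifier
	Feature      []byte // feature field: the encrypted identity feature information
	DeviceID     string // second identification field: the device identifier
}

const (
	presetValue   uint64 = 1       // added to the historical encryption count; value assumed
	maxFeatureLen        = 1 << 16 // assumed bound so a hostile length field cannot force a large allocation
)

// Marshal writes: 8-byte identifier, 4-byte feature length, feature bytes,
// 2-byte device-id length, device-id bytes (big-endian). Layout is assumed.
func (e EncryptedIdentity) Marshal() ([]byte, error) {
	if len(e.Feature) > maxFeatureLen || len(e.DeviceID) > 0xFFFF {
		return nil, errors.New("field too long")
	}
	out := make([]byte, 12+len(e.Feature)+2+len(e.DeviceID))
	binary.BigEndian.PutUint64(out[0:8], e.EncryptionID)
	binary.BigEndian.PutUint32(out[8:12], uint32(len(e.Feature)))
	copy(out[12:], e.Feature)
	off := 12 + len(e.Feature)
	binary.BigEndian.PutUint16(out[off:off+2], uint16(len(e.DeviceID)))
	copy(out[off+2:], e.DeviceID)
	return out, nil
}

// Unmarshal is the parsing step of claim 2; every length is checked against
// the buffer before it is read, so truncated or padded input yields an error.
func Unmarshal(b []byte) (EncryptedIdentity, error) {
	var e EncryptedIdentity
	if len(b) < 12 {
		return e, errors.New("short header")
	}
	e.EncryptionID = binary.BigEndian.Uint64(b[0:8])
	flen := int(binary.BigEndian.Uint32(b[8:12]))
	if flen > maxFeatureLen || len(b) < 12+flen+2 {
		return e, errors.New("bad feature length")
	}
	e.Feature = append([]byte(nil), b[12:12+flen]...)
	off := 12 + flen
	dlen := int(binary.BigEndian.Uint16(b[off : off+2]))
	if len(b) != off+2+dlen {
		return e, errors.New("bad device id length")
	}
	e.DeviceID = string(b[off+2:])
	return e, nil
}

// Device keeps the historical encryption count; the identifier for the
// current encryption is that count plus the preset value (claim 11).
type Device struct {
	ID           string
	encryptCount uint64
}

func (d *Device) NextEncryptionID() uint64 {
	id := d.encryptCount + presetValue
	d.encryptCount++
	return id
}

// Verifier keeps the historical decryption count per device identifier, the
// "first value" of claim 4.
type Verifier struct {
	decryptCount map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{decryptCount: map[string]uint64{}} }

// CheckIdentifier passes only if the decryption count is smaller than the
// value derived from the identifier: a replayed message fails, a lost one does not lock the device out.
func (v *Verifier) CheckIdentifier(deviceID string, encryptionID uint64) bool {
	if encryptionID < presetValue {
		return false
	}
	first := v.decryptCount[deviceID]
	second := encryptionID - presetValue + 1 // one-based sequence number of the encryption (assumed derivation)
	return first < second
}

// RecordDecryption advances the count only after the feature field was actually decrypted.
func (v *Verifier) RecordDecryption(deviceID string) { v.decryptCount[deviceID]++ }

func main() {
	dev, ver := &Device{ID: "device-0001"}, NewVerifier() // constructed sample device identifier
	ct := []byte("ciphertext-bytes")                       // constructed stand-in for the encrypted feature data
	wire, _ := EncryptedIdentity{EncryptionID: dev.NextEncryptionID(), Feature: ct, DeviceID: dev.ID}.Marshal()
	msg, _ := Unmarshal(wire)
	fmt.Println("first delivery accepted:", ver.CheckIdentifier(msg.DeviceID, msg.EncryptionID))
	ver.RecordDecryption(msg.DeviceID)
	fmt.Println("replay accepted:", ver.CheckIdentifier(msg.DeviceID, msg.EncryptionID))
}
```

Because the decryption count is advanced only after a successful decryption, a message lost in transit leaves the count behind the device's counter and later messages still pass, while a replayed message, whose identifier is no longer larger than the count, is rejected. As written the identifier travels in clear and is not bound to the ciphertext; the patent leaves that binding unspecified and the example does not add one.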
The embodiment of the application discloses an identity authentication device. The second obtaining unit 501 obtains the device identifier of the target device, the user identity feature information and the public key information used for encrypting the user identity feature information; the encryption unit 502 encrypts the user identity feature information according to the public key information to obtain encrypted identity feature information; the first determining unit 503 obtains a historical encryption count and determines an encryption identifier for the present encryption operation according to the value of that count, where the historical encryption count is the number of times encryption operations were performed on user identity feature information before the present encryption operation; the generating unit 504 generates encrypted identity information from the encrypted identity feature information, the encrypted identifier and the device identifier of the target device; and the second authentication unit 505 performs user authentication based on the encrypted identity information. Thus, the user identity feature information is encrypted with the public key information distributed by the server, an encryption identifier corresponding to that encryption operation is generated, and the encrypted identity information is then assembled as a data structure from the encrypted identity feature information, the encrypted identifier and the device identifier, so that the privacy of the user identity feature information can be protected.
The embodiment of the application also provides computer equipment, and the computer equipment can be a terminal. As shown in fig. 7, the terminal may include components such as a Radio Frequency (RF) circuit 601, a memory 602 including one or more storage media, an input unit 603, a display unit 604, a sensor 605, an audio circuit 606, a Wireless Fidelity (WiFi) module 607, a processor 608 including one or more processing cores, and a power supply 609. Those skilled in the art will appreciate that the terminal structure shown in fig. 7 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the RF circuit 601 may be used for receiving and transmitting signals in the course of sending and receiving information; in particular, it passes downlink information received from the base station to the one or more processors 608 for processing, and transmits uplink data to the base station. In general, the RF circuit 601 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 601 may also communicate with networks and other devices via wireless communication.
The memory 602 may be used to store software programs and modules, and the processor 608 executes various functional applications and data processing by running the software programs and modules stored in the memory 602. The memory 602 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function, an image playing function, etc.), and the like, and the data storage area may store data created according to the use of the terminal. Further, the memory 602 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. Accordingly, the memory 602 may also include a memory controller to provide the processor 608 and the input unit 603 with access to the memory 602.
The input unit 603 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, in one particular embodiment, input unit 603 may include a touch-sensitive surface as well as other input devices. The touch-sensitive surface, also referred to as a touch display screen or a touch pad, may collect touch operations by a user (e.g., operations by a user on or near the touch-sensitive surface using a finger, a stylus, or any other suitable object or attachment) thereon or nearby, and drive the corresponding connection device according to a predetermined program. The input unit 603 may include other input devices in addition to the touch-sensitive surface. In particular, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 604 may be used to display information input by or provided to the user and the various graphical user interfaces of the terminal, which may be made up of graphics, text, icons, video, and any combination thereof. The display unit 604 may include a display panel, and optionally the display panel may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, or the like. Further, the touch-sensitive surface may overlay the display panel; when a touch operation is detected on or near the touch-sensitive surface, it is transmitted to the processor 608 to determine the type of touch event, and the processor 608 then provides a corresponding visual output on the display panel based on the type of touch event. Although in FIG. 7 the touch-sensitive surface and the display panel are two separate components implementing input and output functions, in some embodiments the touch-sensitive surface may be integrated with the display panel to implement both.
The terminal may also include at least one sensor 605, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel according to the brightness of ambient light, and a proximity sensor that turns off the display panel and the backlight when the terminal is moved to the ear.
The audio circuit 606, a speaker and a microphone may provide an audio interface between the user and the terminal. The audio circuit 606 may transmit the electrical signal converted from received audio data to the speaker, which converts it into a sound signal for output; conversely, the microphone converts a collected sound signal into an electrical signal, which the audio circuit 606 receives and converts into audio data; the audio data is output to the processor 608 for processing and is then sent via the RF circuit 601 to, for example, another terminal, or is output to the memory 602 for further processing. The audio circuit 606 may also include an earphone jack to provide communication between peripheral headphones and the terminal.
WiFi belongs to a short-distance wireless transmission technology, and the terminal can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 607 and provides wireless broadband internet access for the user. Although fig. 7 shows the WiFi module 607, it is understood that it does not belong to the essential constitution of the terminal, and may be omitted entirely as needed within the scope of not changing the essence of the application.
The processor 608 is the control center of the terminal; it connects the various parts of the entire terminal using various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing the software programs and modules stored in the memory 602 and calling the data stored in the memory 602, thereby performing overall monitoring of the terminal. Optionally, the processor 608 may include one or more processing cores; preferably, the processor 608 may integrate an application processor, which mainly handles the operating system, user interface, applications, etc., and a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 608.
The terminal also includes a power supply 609 (e.g., a battery) for powering the various components, which may preferably be logically connected to the processor 608 via a power management system that may be used to manage charging, discharging, and power consumption. The power supply 609 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
Specifically, in this embodiment, the processor 608 in the terminal loads the executable file corresponding to the process of one or more application programs into the memory 602 according to the following instructions, and the processor 608 runs the application programs stored in the memory 602, thereby implementing various functions:
acquiring a device identifier of a target device, user identity feature information, and public key information for encrypting the user identity feature information;
encrypting the user identity feature information according to the public key information to obtain encrypted identity feature information;
acquiring a historical encryption count and determining an encryption identifier for the present encryption operation according to the value of that count, where the historical encryption count is the number of times encryption operations were performed on user identity feature information before the present encryption operation;
generating encrypted identity information according to the encrypted identity feature information, the encrypted identifier and the device identifier;
and performing user identity authentication based on the encrypted identity information.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Therefore, the terminal of the embodiment can realize the step of identity authentication, and improve the security of identity information authentication.
The embodiment of the present application further provides a computer device, which may be a server, as shown in fig. 8, which shows a schematic structural diagram of the server according to the embodiment of the present application, and specifically:
the server may include components such as a processor 701 of one or more processing cores, memory 702 of one or more computer-readable storage media, a power supply 703, and an input unit 704. Those skilled in the art will appreciate that the server architecture shown in FIG. 8 is not meant to be limiting, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 701 is a control center of the server, connects various parts of the entire server using various interfaces and lines, and performs various functions of the server and processes data by running or executing software programs and/or modules stored in the memory 702 and calling data stored in the memory 702, thereby performing overall monitoring of the server. Optionally, processor 701 may include one or more processing cores; preferably, the processor 701 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 701.
The memory 702 may be used to store software programs and modules, and the processor 701 executes various functional applications and data processing by running the software programs and modules stored in the memory 702. The memory 702 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like, and the data storage area may store data created according to the use of the server. Further, the memory 702 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. Accordingly, the memory 702 may also include a memory controller to provide the processor 701 with access to the memory 702.
The server further includes a power source 703 for supplying power to each component, and preferably, the power source 703 may be logically connected to the processor 701 through a power management system, so as to implement functions of managing charging, discharging, and power consumption through the power management system. The power supply 703 may also include any component including one or more of a dc or ac power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The server may also include an input unit 704, and the input unit 704 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit and the like, which will not be described in detail herein. Specifically, in this embodiment, the processor 701 in the server loads the executable file corresponding to the process of one or more application programs into the memory 702 according to the following instructions, and the processor 701 runs the application program stored in the memory 702, thereby implementing various functions as follows:
receiving encrypted identity information sent by a target device, and parsing the encrypted identity information to obtain an encrypted identifier, encrypted identity feature information and the device identifier of the target device;
when the encrypted identifier meets the preset identity authentication condition, acquiring private key information corresponding to the equipment identifier;
decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information;
and verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Therefore, the server of the embodiment can realize the step of identity authentication, and improve the security of identity information authentication.
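The server-side steps listed above (look up the private key for the device identifier, decrypt the feature field, match it against the preset identity information base), together with the key distribution request handled by the first receiving unit and third determining unit on the server and by the detection, sending and second receiving units on the device, are shown below as an added Go example. It is not code from the patent or from the applicant. RSA-OAEP with SHA-256, a 2048-bit key, use of the device identifier as the OAEP label, an exact-byte match against the stored sample, and the names KeyServer and TargetDevice are assumptions; the patent only states that the feature information is encrypted with the distributed public key and matched against a preset identity information base.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// KeyServer answers key distribution requests: for a device identifier it
// generates a key pair, keeps the private key indexed by that identifier and
// returns only the public key. It also holds the preset identity information
// base (sample feature bytes per device identifier, claim 3).
type KeyServer struct {
	priv    map[string]*rsa.PrivateKey
	samples map[string][]byte
}

func NewKeyServer() *KeyServer {
	return &KeyServer{priv: map[string]*rsa.PrivateKey{}, samples: map[string][]byte{}}
}

// Enroll stores the sample user identity feature information for a device identifier.
func (s *KeyServer) Enroll(deviceID string, sample []byte) {
	s.samples[deviceID] = append([]byte(nil), sample...)
}

// DistributeKey handles the key distribution request (claim 5); 2048-bit RSA is assumed.
func (s *KeyServer) DistributeKey(deviceID string) (*rsa.PublicKey, error) {
	if _, exists := s.priv[deviceID]; exists {
		return nil, errors.New("key already issued for this device identifier")
	}
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.priv[deviceID] = k
	return &k.PublicKey, nil
}

// Verify looks up the private key for the device identifier, decrypts the
// feature field with it and matches the result against the stored sample.
func (s *KeyServer) Verify(deviceID string, encFeature []byte) (bool, error) {
	k, ok := s.priv[deviceID]
	if !ok {
		return false, errors.New("no private key for device identifier")
	}
	sample, ok := s.samples[deviceID]
	if !ok {
		return false, errors.New("device identifier not in identity information base")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, k, encFeature, []byte(deviceID))
	if err != nil {
		return false, err // wrong key or tampered ciphertext: OAEP padding check fails
	}
	return subtle.ConstantTimeCompare(plain, sample) == 1, nil
}

// TargetDevice caches the public key it received. The device identifier is
// used as the OAEP label (assumed), so a ciphertext produced for one
// identifier cannot be presented under another.
type TargetDevice struct {
	ID  string
	pub *rsa.PublicKey
}

// EnsureKey is the detection unit plus sending/receiving units: request a key only if none is present.
func (d *TargetDevice) EnsureKey(s *KeyServer) error {
	if d.pub != nil {
		return nil
	}
	pub, err := s.DistributeKey(d.ID)
	if err != nil {
		return err
	}
	d.pub = pub
	return nil
}

// EncryptFeature is the encryption unit: encrypt the serialized feature data with the public key.
func (d *TargetDevice) EncryptFeature(feature []byte) ([]byte, error) {
	if d.pub == nil {
		return nil, errors.New("no public key on device")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, d.pub, feature, []byte(d.ID))
}

func main() {
	srv := NewKeyServer()
	sample := []byte("constructed-face-feature-vector") // stands in for serialized face feature data
	srv.Enroll("device-0001", sample)
	dev := &TargetDevice{ID: "device-0001"}
	if err := dev.EnsureKey(srv); err != nil {
		panic(err)
	}
	ct, _ := dev.EncryptFeature(sample)
	ok, err := srv.Verify(dev.ID, ct)
	fmt.Println("verified:", ok, "err:", err)
}
```

Only the public key leaves the server; the private key stays indexed by the device identifier and is used by Verify alone. Two limits matter in practice: RSA-OAEP with a 2048-bit key and SHA-256 accepts at most 190 bytes of plaintext, so a full serialized feature vector would normally travel under a symmetric key that is itself wrapped with the public key, and an exact byte comparison stands in for the similarity-threshold match a face recognizer actually performs.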
It will be understood by those skilled in the art that all or part of the steps in the methods of the above embodiments may be performed by instructions or by instructions controlling associated hardware, which may be stored in a storage medium and loaded and executed by a processor.
To this end, embodiments of the present application provide a storage medium in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute the steps of any one of the identity authentication methods provided in the embodiments of the present application. For example, the instructions may perform the steps of:
acquiring a device identifier of a target device, user identity feature information, and public key information for encrypting the user identity feature information; encrypting the user identity feature information according to the public key information to obtain encrypted identity feature information; acquiring a historical encryption count and determining an encryption identifier for the present encryption operation according to the value of that count, where the historical encryption count is the number of times encryption operations were performed on user identity feature information before the present encryption operation; generating encrypted identity information according to the encrypted identity feature information, the encrypted identifier and the device identifier; and performing user identity authentication based on the encrypted identity information.
Alternatively, the instructions may perform the steps of:
receiving encrypted identity information sent by a target device, and parsing the encrypted identity information to obtain an encrypted identifier, encrypted identity feature information and the device identifier of the target device; when the encrypted identifier meets the preset identity verification condition, obtaining private key information corresponding to the device identifier; decrypting the encrypted identity feature information according to the private key information to obtain decrypted identity feature information; and verifying the decrypted identity feature information to obtain a verification result for the encrypted identity information.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Wherein the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium may execute the steps in any of the authentication methods provided in the embodiments of the present application, beneficial effects that can be achieved by any of the authentication methods provided in the embodiments of the present application may be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the terminal reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the terminal performs the authentication method provided in the various alternative implementations of the above aspects.
The identity authentication method, the identity authentication device, the computer device, and the storage medium provided in the embodiments of the present application are described in detail above, and a specific example is applied in the present application to explain the principle and the implementation of the present application, and the description of the above embodiments is only used to help understanding the method and the core idea of the present application; meanwhile, for those skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (15)

1. An identity verification method, the method comprising:
receiving encrypted identity information sent by a target device, and parsing the encrypted identity information to obtain an encrypted identifier, encrypted identity feature information and a device identifier of the target device;
when the encrypted identification meets a preset identity verification condition, acquiring private key information corresponding to the equipment identification;
decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information;
and verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information.
2. The method of claim 1, wherein the parsing the encrypted identity information to obtain an encrypted identifier, encrypted identity feature information, and a device identifier of the target device comprises:
acquiring a target structure body in the encrypted identity information, wherein the target structure body comprises a first identification field, a characteristic field and a second identification field;
extracting the encrypted identification from the first identification field, extracting the encrypted identity feature information from the feature field, and extracting the device identification from the second identification field.
3. The method according to claim 1, wherein the verifying the decrypted identity information to obtain a verification result of the encrypted identity information includes:
acquiring user identity characteristic information corresponding to the equipment identifier from a preset identity information base, wherein the preset identity information base comprises sample user identity characteristic information corresponding to the sample equipment identifier;
matching the decrypted identity characteristic information with the user identity characteristic information;
if the decrypted identity characteristic information is successfully matched with the user identity characteristic information, determining that the encrypted identity information is successfully verified;
and if the decrypted identity characteristic information fails to be matched with the user identity characteristic information, determining that the encrypted identity information fails to be verified.
4. The method of claim 1, further comprising:
acquiring historical decryption times corresponding to the equipment identifier to obtain a first numerical value, wherein the historical decryption times are times of decryption operation on the encrypted identity characteristic information corresponding to the equipment identifier before decryption processing;
obtaining a second numerical value for verifying the encrypted identifier based on the numerical value of the encrypted identifier, and comparing the first numerical value with the second numerical value;
and if the first numerical value is smaller than the second numerical value, determining that the encrypted identification meets a preset identity authentication condition.
5. The method according to claim 1, further comprising, before the obtaining private key information corresponding to the device identifier:
receiving a key distribution request sent by target equipment, wherein the key distribution request carries an equipment identifier of the target equipment;
and generating private key information corresponding to the equipment identification according to the equipment identification.
6. An identity verification method, the method comprising:
acquiring a device identifier of a target device, user identity feature information, and public key information for encrypting the user identity feature information;
encrypting the user identity characteristic information according to the public key information to obtain encrypted identity characteristic information;
acquiring historical encryption times, and determining an encryption identifier corresponding to encryption processing according to the numerical value of the historical encryption times, wherein the historical encryption times are times of encryption operation on the user identity characteristic information before the encryption processing;
generating encrypted identity information according to the encrypted identity characteristic information, the encrypted identifier and the equipment identifier;
and performing user identity authentication based on the encrypted identity information.
7. The method of claim 6, wherein generating encrypted identity information according to the encrypted identity information, the encrypted identifier, and the device identifier comprises:
determining a preset structure for storing information, the preset structure comprising: a first identification field, a characteristic field and a second identification field;
writing the encrypted identity characteristic information into the characteristic field, writing the encrypted identifier into the first identification field and writing the equipment identifier into the second identification field to generate a target structure body with the stored information;
and obtaining the encrypted identity information based on the target structure.
8. The method according to claim 6, wherein before the obtaining the device identifier of the target device, the user identity information, and the public key information for encrypting the user identity information, the method further comprises:
detecting whether public key information exists in target equipment;
if the public key information does not exist in the target equipment, sending a key distribution request, wherein the key distribution request carries an equipment identifier of the target equipment;
and receiving the public key information returned by aiming at the key distribution request.
9. The method of claim 6, wherein the performing user authentication based on the encrypted identity information comprises:
starting a near field communication function of the target equipment, and broadcasting a communication signal through the near field communication function of the target equipment;
receiving a response signal of a response device for the communication signal, and establishing a communication connection between the target device and the response device based on the response signal;
and sending the encrypted identity information to the response equipment so as to verify the encrypted identity information.
10. The method according to claim 6, wherein before the obtaining the device identifier of the target device, the user identity information, and the public key information for encrypting the user identity information, the method further comprises:
acquiring a face image of a user, and extracting the features of the face image to obtain face feature data of the user;
and carrying out serialization processing on the face feature data to obtain the user identity feature information of the user.
11. The method according to claim 6, wherein the determining the encryption identifier corresponding to the encryption processing according to the value of the historical encryption times comprises:
and determining the sum of the value of the historical encryption times and a preset value, and generating the encryption identifier based on the sum.
12. An authentication apparatus, the apparatus comprising:
a parsing unit, configured to receive encrypted identity information sent by a target device and parse the encrypted identity information to obtain an encrypted identifier, encrypted identity feature information and a device identifier of the target device;
the first obtaining unit is used for obtaining private key information corresponding to the equipment identification when the encrypted identification meets a preset identity verification condition;
the decryption unit is used for decrypting the encrypted identity characteristic information according to the private key information to obtain decrypted identity characteristic information;
and the first verification unit is used for verifying the decrypted identity characteristic information to obtain a verification result of the encrypted identity information.
13. An authentication apparatus, the apparatus comprising:
the second acquisition unit is used for acquiring the equipment identifier of the target equipment, the user identity characteristic information and public key information used for encrypting the user identity characteristic information;
the encryption unit is used for encrypting the user identity characteristic information according to the public key information to obtain encrypted identity characteristic information;
a first determining unit, configured to obtain a historical encryption frequency, and determine an encryption identifier corresponding to the encryption processing according to a value of the historical encryption frequency, where the historical encryption frequency is a frequency of performing an encryption operation on the user identity feature information before the encryption processing;
a generating unit, configured to generate encrypted identity information according to the encrypted identity feature information, the encrypted identifier, and the device identifier;
and the second verification unit is used for verifying the user identity based on the encrypted identity information.
14. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the identity verification method as claimed in any one of claims 1 to 11 when executing the program.
15. A storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method of any of claims 1 to 11.
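The exchange described in claims 12 and 13, modelled end to end as an added example (this is not code from the patent or from its applicant). The device side encrypts the serialized feature data, tags the message with an encryption identifier computed as historical encryption times plus a preset value (claim 11), and sends it with the device identifier; the server side parses the message, checks the identifier, looks up the private key by device identifier, decrypts, and compares the features. Everything the claims leave open is an assumption here: textbook RSA with small, unpadded keys stands in for the unnamed public-key cipher (illustration only, not a production cipher), a strictly increasing identifier stands in for the "preset identity verification condition", and an L1 distance against an enrolled template stands in for the feature check. The feature vector, device identifier and thresholds are constructed sample values.

```python
import json
import random

FEATURE_LEN = 16      # constructed: 16-byte serialized face feature vector
PRESET_VALUE = 1      # claim 11: identifier = historical encryption times + preset value
MATCH_THRESHOLD = 40  # constructed: largest L1 distance accepted as a match


def _is_probable_prime(n, rounds=16):
    # Miller-Rabin; adequate for a demo key, not for real key generation.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    # Toy RSA keypair ((e, n), (d, n)); the claims name no specific cipher.
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


class Device:
    # Claim 13 side: encrypt the feature and tag it with a counter.
    def __init__(self, device_id, public_key):
        self.device_id = device_id
        self.public_key = public_key
        self.encryption_times = 0  # historical encryption times

    def build_encrypted_identity(self, feature_vector):
        e, n = self.public_key
        serialized = bytes(feature_vector)  # claim 10: serialized feature data
        ciphertext = pow(int.from_bytes(serialized, "big"), e, n)
        encryption_id = self.encryption_times + PRESET_VALUE  # claim 11
        self.encryption_times = encryption_id
        return json.dumps({"device_id": self.device_id,
                           "encryption_id": encryption_id,
                           "ciphertext": hex(ciphertext)})


class AuthServer:
    # Claim 12 side: parse, check identifier, look up key, decrypt, verify.
    def __init__(self):
        self.private_keys = {}  # device_id -> (d, n)
        self.templates = {}     # device_id -> enrolled feature vector
        self.last_id = {}       # device_id -> last accepted encryption identifier

    def enroll(self, device_id, private_key, template):
        self.private_keys[device_id] = private_key
        self.templates[device_id] = list(template)
        self.last_id[device_id] = 0

    def verify(self, message):
        msg = json.loads(message)  # parsing unit
        device_id = msg["device_id"]
        if device_id not in self.private_keys:
            return False, "unknown device"
        # Verification condition (assumption): the identifier must advance past
        # the last one accepted, so a resent message is rejected as a replay.
        if msg["encryption_id"] <= self.last_id[device_id]:
            return False, "stale encryption identifier"
        self.last_id[device_id] = msg["encryption_id"]
        d, n = self.private_keys[device_id]            # first obtaining unit
        plain = pow(int(msg["ciphertext"], 16), d, n)  # decryption unit
        try:
            feature = list(plain.to_bytes(FEATURE_LEN, "big"))
        except OverflowError:
            return False, "malformed ciphertext"
        distance = sum(abs(a - b) for a, b in zip(feature, self.templates[device_id]))
        if distance > MATCH_THRESHOLD:                 # first verification unit
            return False, "feature mismatch"
        return True, "verified"
```

In this model the counter check is what makes a captured message useless a second time, while the comparison of the decrypted features against the enrolled template is what ties the message to the enrolled user; the lookup by device identifier only selects which private key to try, and the example assumes one keypair per device.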
CN202011372439.9A 2020-11-30 2020-11-30 Identity authentication method and device, computer equipment and storage medium Pending CN114581091A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011372439.9A CN114581091A (en) 2020-11-30 2020-11-30 Identity authentication method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011372439.9A CN114581091A (en) 2020-11-30 2020-11-30 Identity authentication method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114581091A true CN114581091A (en) 2022-06-03

Family

ID=81766759

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011372439.9A Pending CN114581091A (en) 2020-11-30 2020-11-30 Identity authentication method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114581091A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115563598A (en) * 2022-12-05 2023-01-03 常州力航电气科技有限公司 Big data information safety management system and method for hoisting machinery
CN116502661A (en) * 2023-06-29 2023-07-28 河北祥盛农业科技有限公司 Radio frequency identification verification method, tracing system and slaughter tracing system
CN116502661B (en) * 2023-06-29 2023-08-29 河北祥盛农业科技有限公司 Radio frequency identification verification method, tracing system and slaughter tracing system

Similar Documents

Publication Publication Date Title
CN112733107B (en) Information verification method, related device, equipment and storage medium
CN111046365B (en) Face image transmission method, numerical value transfer method, device and electronic equipment
TWI726046B (en) Methods for validating online access to secure device functionality
JP2021504860A (en) Extension of secure key storage for transaction verification and cryptocurrencies
CN104618116B (en) A kind of cooperative digital signature system and its method
CN111431719A (en) Mobile terminal password protection module, mobile terminal and password protection method
US10719594B2 (en) Secure re-enrollment of biometric templates using distributed secure computation and secret sharing
US20220239509A1 (en) Method for storing and recovering key for blockchain-based system, and device therefor
WO2019010669A1 (en) Method, apparatus and system for identity validity verification
CN114581091A (en) Identity authentication method and device, computer equipment and storage medium
CN115001841A (en) Identity authentication method, identity authentication device and storage medium
CN113569263A (en) Secure processing method and device for cross-private-domain data and electronic equipment
CN204069000U (en) Mobile encrypted authenticate device
CN112231768B (en) Data processing method and device, computer equipment and storage medium
CN113762968A (en) Authentication method of transaction equipment, related device, equipment and storage medium
CN109005187A (en) A kind of communication information guard method and device
CN114092101B (en) Transaction verification method and device, storage medium and electronic equipment
CN112334897A (en) Method and electronic equipment for authenticating user
CN114844629A (en) Verification method and device of block chain account, computer equipment and storage medium
WO2019067585A1 (en) Detailing secure service provider transactions
CN112989370B (en) Key filling method, system, device, equipment and storage medium
CN109324843A (en) A kind of finger prints processing system, method and fingerprint equipment
CN114245374B (en) Security authentication method, system and related equipment
CN115706993A (en) Authentication method, readable medium, and electronic device
CN113762970A (en) Data processing method and device, computer readable storage medium and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination