CN115426106A - Identity authentication method, device, system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115426106A
Authority
CN
China
Legal status: Granted
Application number
CN202211034032.4A
Other languages
Chinese (zh)
Other versions
CN115426106B (en)
Inventor
安晓江
胡伯良
蒋红宇
Current Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Original Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Legal events
Application filed by Beijing Haitai Fangyuan High Technology Co Ltd
Priority to CN202211034032.4A
Publication of CN115426106A
Application granted
Publication of CN115426106B
Legal status: Active
Anticipated expiration

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s)
    • H04L9/083: Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0852: Quantum cryptography
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Such mechanisms involving a third party or a trusted authority
    • H04L9/3247: Such mechanisms involving digital signatures
    • H04L9/3263: Such mechanisms involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network security protocols for authentication of entities
    • H04L63/0823: Network security protocols for authentication of entities using certificates


Abstract

The application discloses an identity authentication method, apparatus, system, electronic device and storage medium. In the identity authentication system, a quantum key filling module fills quantum key information acquired from a first quantum key distribution device into the hardware cryptographic device of a target account; the hardware cryptographic device also holds a digital certificate and a signature key issued to the target account by a certificate issuing center. The method comprises the following steps: the client of the target account selects a first quantum key from the hardware cryptographic device; signs the first quantum key with the signature key to generate a signature value; and sends the signature value, a first quantum key identifier and a target account identifier to an identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from a second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate.

Description

Identity authentication method, device, system, electronic equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an identity authentication method, apparatus, system, electronic device, and storage medium.
Background
In the related art, identity authentication methods include user name and password authentication, SMS authentication, fingerprint authentication, face authentication, digital certificate authentication and the like; authentication based on a digital certificate offers high security and is widely used. The general flow of digital-certificate-based identity authentication is as follows: the certificate issuing center issues a digital certificate and a corresponding signature key for an account, and both are stored in a hardware cryptographic device. During identity authentication, the identity authentication server returns a generated random number to the client of the account; the client signs the random number with the signature key in the hardware cryptographic device to obtain a signature value and sends the signature value and the account identifier to the identity authentication server; the server obtains the digital certificate of the account from the certificate issuing center according to the account identifier and verifies the signature value with the public key in the digital certificate; if verification passes, identity authentication succeeds.
However, the random number generated by the authentication server is sent to the client in clear text, where it can be intercepted and used to forge a signature, so the existing digital-certificate-based authentication method carries a security risk.
Disclosure of Invention
To address the security risk of the existing digital-certificate-based identity authentication method, embodiments of the application provide an identity authentication method, apparatus, system, electronic device and storage medium that improve the security of identity authentication.
In a first aspect, an embodiment of the present application provides an identity authentication method implemented by a client side, which is applied to an identity authentication system, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, where the quantum key filling module is configured with a first quantum key distribution device, the identity authentication center is configured with a second quantum key distribution device, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device, fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further includes a digital certificate and a signature key that are issued by the certificate issuing center to the target account; the method comprises the following steps:
the client of the target account selects a first quantum key from the hardware cryptographic device;
signing the first quantum key by using the signature key to generate a signature value;
and sending the signature value, the first quantum key identification and the target account identification to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identification, obtains a second quantum key corresponding to the first quantum key identification from the second quantum key distribution equipment according to the first quantum key identification, and verifies the signature value according to the second quantum key and a public key in the digital certificate to obtain an identity authentication result.
In a possible implementation manner, the selecting, by the client of the target account, the first quantum key from the hardware cryptographic device specifically includes:
the client of the target account selects a first quantum key segment with a set length from the first quantum key, and records the offset of the first quantum key segment; and
when the signature value, the first quantum key identification and the target account identification are sent to the identity authentication center, the method further comprises the following steps:
and sending the offset to the identity authentication center so that the identity authentication center obtains the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution equipment according to the first quantum key identifier and the offset.
In a possible implementation manner, the selecting, by the client of the target account, the first quantum key from the hardware cryptographic device specifically includes:
the client of the target account selects a first quantum key segment of arbitrary length from the first quantum key, and records the offset and the length of the first quantum key segment; and
when sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, the method further includes:
and sending the offset and the length to the identity authentication center so that the identity authentication center obtains a second quantum key segment with the length in a second quantum key corresponding to the first quantum key identification from the second quantum key distribution equipment according to the first quantum key identification, the offset and the length.
In a second aspect, an embodiment of the present application provides an identity authentication apparatus implemented on a client side, which is applied to an identity authentication system, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, where the quantum key filling module is configured with a first quantum key distribution device, the identity authentication center is configured with a second quantum key distribution device, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device, fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further includes a digital certificate and a signature key that are issued by the certificate issuing center to the target account; the device, comprising:
a selection unit, configured to select a first quantum key from the hardware cryptographic device;
the signature unit is used for signing the first quantum key by using the signature key to generate a signature value;
a sending unit, configured to send the signature value, the first quantum key identifier, and a target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and a public key in the digital certificate, to obtain an identity authentication result.
In a possible implementation manner, the selection unit is specifically configured to select a first quantum key segment of a set length from the first quantum key and record the offset of the first quantum key segment; and
the sending unit is further configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, and at the same time, send the offset to the identity authentication center, so that the identity authentication center obtains, according to the first quantum key identifier and the offset, the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device.
In a possible implementation manner, the selecting unit is specifically configured to select a first quantum key segment with an arbitrary length from the first quantum key, and record an offset of the first quantum key segment and a length of the first key segment; and
the sending unit is further configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, and at the same time, send the offset and the length to the identity authentication center, so that the identity authentication center obtains, according to the first quantum key identifier, the offset, and the length, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device.
In a third aspect, an embodiment of the present application provides an identity authentication method implemented by an identity authentication center, which is applied to an identity authentication system, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, where the quantum key filling module is configured to deploy a first quantum key distribution device, the identity authentication center is configured to deploy a second quantum key distribution device, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device, fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further includes a digital certificate and a signature key that are issued by the certificate issuing center to the target account; the method comprises the following steps:
the identity authentication center receives, from the client of the target account, a signature value generated by signing with the signature key a first quantum key selected from the hardware cryptographic device, together with a first quantum key identifier and a target account identifier;
obtaining the digital certificate of the target account from the certificate issuing center according to the target account identifier;
acquiring a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution equipment according to the first quantum key identifier;
and verifying the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible embodiment, the method further comprises:
receiving an offset of a first quantum key segment sent by a client of the target account, wherein the first quantum key segment is a quantum key segment with a set length selected from the first quantum key by the client of the target account; and
obtaining, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, which specifically includes:
and acquiring the second quantum key section with the set length in the second quantum key corresponding to the first quantum key identification from the second quantum key distribution equipment according to the first quantum key identification and the offset.
In one possible embodiment, the method further includes:
receiving an offset of a first quantum key segment and a length of the first quantum key segment sent by a client of the target account, wherein the first quantum key segment is a quantum key segment with any length selected by the client of the target account from the first quantum key; and
obtaining, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, which specifically includes:
and acquiring a second quantum key segment with the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution equipment according to the first quantum key identifier, the offset and the length.
In a possible implementation manner, before obtaining, from the second quantum key distribution device, the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the method further includes:
determining that the offset corresponding to the first quantum key identification has not been sent by the client of the target account before the current round of identity authentication.
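The client-side steps of the first aspect (select a key segment by identifier, offset and length, sign it, send the request) and the center-side steps of the third aspect, including the offset replay check just described, as an added Go simulation that is not part of the patent or of any product of the assignee. It assumes ECDSA P-256 as a stand-in signature algorithm, a map in place of the certificate issuing center lookup, and a constructed byte string in place of QKD-generated key material; the names Client, AuthCenter, KeyPool and the identifiers "acct-42" and "qk-0001" are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyPool stands in for one side's quantum key material (the client's hardware
// cryptographic device or the center's second QKD device), indexed by key identifier.
type KeyPool map[string][]byte

// AuthRequest is the client's message: signature value, first quantum key
// identifier, target account identifier, and the chosen segment's offset/length.
type AuthRequest struct {
	AccountID, KeyID string
	Offset, Length   int
	Signature        []byte
}

// Client models the hardware cryptographic device of one account (assumed name).
type Client struct {
	AccountID string
	Pool      KeyPool
	SignKey   *ecdsa.PrivateKey // signature key issued alongside the certificate
}

// AuthCenter models the identity authentication center; Certs stands in for the
// certificate issuing center lookup (account identifier -> certificate public key).
type AuthCenter struct {
	Certs map[string]*ecdsa.PublicKey
	Pool  KeyPool
	used  map[string]bool // (account, key id, offset) triples already accepted
}

// selectSegment returns key[offset:offset+length], refusing unknown identifiers
// and out-of-range segments.
func selectSegment(pool KeyPool, keyID string, offset, length int) ([]byte, error) {
	key, ok := pool[keyID]
	if !ok || offset < 0 || length <= 0 || offset+length > len(key) {
		return nil, errors.New("unknown key identifier or segment out of range")
	}
	return key[offset : offset+length], nil
}

// Authenticate signs the selected segment of the first quantum key with the
// signature key. Nothing has to be sent from the server to the client first.
func (c *Client) Authenticate(keyID string, offset, length int) (AuthRequest, error) {
	seg, err := selectSegment(c.Pool, keyID, offset, length)
	if err != nil {
		return AuthRequest{}, err
	}
	d := sha256.Sum256(seg)
	sig, err := ecdsa.SignASN1(rand.Reader, c.SignKey, d[:])
	return AuthRequest{c.AccountID, keyID, offset, length, sig}, err
}

// Verify runs the center-side steps: reject an offset this account already used
// for this key identifier (replay), read the matching second quantum key segment
// from its own pool, and verify the signature with the certificate's public key.
func (a *AuthCenter) Verify(req AuthRequest) error {
	mark := fmt.Sprintf("%s|%s|%d", req.AccountID, req.KeyID, req.Offset)
	if a.used[mark] {
		return errors.New("offset already used for this key identifier (replay)")
	}
	seg, err := selectSegment(a.Pool, req.KeyID, req.Offset, req.Length)
	if err != nil {
		return err
	}
	d := sha256.Sum256(seg)
	pub := a.Certs[req.AccountID] // nil when the issuing center has no certificate
	if pub == nil || !ecdsa.VerifyASN1(pub, d[:], req.Signature) {
		return errors.New("no certificate for account or signature verification failed")
	}
	a.used[mark] = true
	return nil
}

// newSystem issues a P-256 signature key pair for account "acct-42" and fills
// both sides with the same constructed quantum key "qk-0001" (sample data).
func newSystem() (*Client, *AuthCenter, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	qk := []byte("constructed-quantum-key-bytes-0123456789abcdef0123456789abcdef")
	client := &Client{"acct-42", KeyPool{"qk-0001": qk}, priv}
	center := &AuthCenter{map[string]*ecdsa.PublicKey{"acct-42": &priv.PublicKey},
		KeyPool{"qk-0001": append([]byte(nil), qk...)}, map[string]bool{}}
	return client, center, nil
}

func main() {
	client, center, _ := newSystem()
	req, _ := client.Authenticate("qk-0001", 16, 32)
	fmt.Println(center.Verify(req), center.Verify(req)) // <nil>, then the replay error
}
```

The second Verify call on the same request shows the replay check of the determining step: the same offset for the same key identifier is refused even though the signature itself is still valid.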
In a fourth aspect, an embodiment of the present application provides an identity authentication apparatus implemented by an identity authentication center side, which is applied to an identity authentication system, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, where the quantum key filling module is configured with a first quantum key distribution device, the identity authentication center is configured with a second quantum key distribution device, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module acquires quantum key information from the first quantum key distribution device, fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further includes a digital certificate and a signature key that are issued by the certificate issuing center to the target account; the device, comprising:
a receiving unit, configured to receive a signature value, a first quantum key identifier and a target account identifier sent by the client of the target account, where the signature value is generated by signing, with the signature key, a first quantum key selected from the hardware cryptographic device;
a first obtaining unit, configured to obtain the digital certificate of the target account from the certificate authority according to the target account identifier;
a second obtaining unit, configured to obtain, from the second quantum key distribution device according to the first quantum key identifier, a second quantum key corresponding to the first quantum key identifier;
and the authentication unit is used for verifying the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In a possible implementation manner, the receiving unit is further configured to receive an offset of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a quantum key segment of a set length selected from the first quantum key by the client of the target account; and
the second obtaining unit is specifically configured to obtain, from the second quantum key distribution device, a second quantum key segment with the set length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
In a possible implementation manner, the receiving unit is further configured to receive an offset of a first quantum key segment and a length of the first quantum key segment, where the offset of the first quantum key segment and the length of the first quantum key segment are sent by a client of the target account, and the first quantum key segment is a quantum key segment of any length selected by the client of the target account from the first quantum key; and
the second obtaining unit is specifically configured to obtain, from the second quantum key distribution device, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the offset, and the length.
In a possible implementation, the apparatus further includes:
a determining unit, configured to determine, before the second quantum key corresponding to the first quantum key identifier is acquired from the second quantum key distribution device according to the first quantum key identifier, that the offset corresponding to the first quantum key identifier has not been sent by the client of the target account before the current round of identity authentication.
In a fifth aspect, an embodiment of the present application provides an identity authentication system, including: the authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center, wherein a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, and the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, wherein:
the certificate issuing center is used for issuing a digital certificate and a signature key to the target account, and the digital certificate and the signature key are stored in the hardware cryptographic device of the target account;
the quantum key filling module is configured to acquire quantum key information from the first quantum key distribution device, and fill the quantum key information to the hardware cryptographic device of the target account;
the identity authentication center is configured to receive a signature value, the first quantum key identifier, and a target account identifier, which are sent by the client of the target account and generated by signing the first quantum key selected from the hardware cryptographic device with the signature key; acquiring the digital certificate of the target account from the certificate authority according to the target account identification; acquiring a second quantum key corresponding to the first quantum key identification from the second quantum key distribution equipment according to the first quantum key identification; and verifying the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In a sixth aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the identity authentication method described in the present application when executing the program.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the identity authentication method described in the present application.
The beneficial effects of this application are as follows:
The identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center. A first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module acquires quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account, which also stores the digital certificate and signature key issued to the target account by the certificate issuing center. During identity authentication, the client of the target account selects the first quantum key from the hardware cryptographic device, signs it with the signature key to generate a signature value, and sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center for authentication. The identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain the identity authentication result.
Compared with the prior-art approach of signing and verifying a random number in digital-certificate-based identity authentication, the embodiments of the application sign the quantum key instead of a random number, and the quantum key never has to be sent from the identity authentication center to the client of the target account: the quantum key filling module fills it into the hardware cryptographic device of the target account in advance, and the client reads the quantum key directly from that device and signs it with the signature key to obtain the signature value. After receiving the signature value from the client of the target account, the identity authentication center obtains the corresponding quantum key according to the quantum key identifier, verifies the signature value with the public key in the obtained digital certificate, and checks whether the quantum key decrypted from the signature value is consistent with the quantum key it obtained, which decides whether identity authentication succeeds. Because a third party (such as an attacker) cannot obtain the quantum key used for signing, the security of identity authentication is improved.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating an implementation of an identity authentication method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of an implementation of an identity authentication method implemented on a client side according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an identity authentication apparatus implemented on a client side according to an embodiment of the present application;
fig. 5 is a schematic flowchart of an implementation of an identity authentication method implemented by an identity authentication center according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an identity authentication device implemented at an identity authentication center according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to solve the problems in the background art, embodiments of the present application provide an identity authentication method, an identity authentication device, an electronic device, and a storage medium.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it should be understood that the preferred embodiments described herein are merely for illustrating and explaining the present application, and are not intended to limit the present application, and that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Referring to fig. 1, which is a schematic view of an application scenario of the identity authentication method according to the embodiment of the present application, the scenario includes the identity authentication system 101 and the client 100 of the target account. The identity authentication system 101 may include a certificate issuing center 1011, a quantum key filling module 1012 and an identity authentication center 1013; the client 100 of the target account is connected to the certificate issuing center 1011, to the identity authentication center 1013 and to the quantum key filling module 1012 via a network. A first quantum key distribution (QKD) device is deployed at the quantum key filling module 1012 and a second quantum key distribution device is deployed at the identity authentication center 1013; the two devices are used for generating the same quantum key, and the quantum key may be issued by the first and second quantum key distribution devices in the form of a digital envelope.
The certificate issuing center 1011 is used for issuing a digital certificate and a signature key to the target account; the digital certificate and the signature key are stored in the hardware cryptographic device of the target account.
In specific implementation, a user inserts the hardware cryptographic device of the target account into the client 100 and sends a certificate request to the certificate issuing center 1011 through the client 100; the certificate issuing center 1011 issues a digital certificate and a signature key for the target account and sends them to the hardware cryptographic device on the client 100 for storage. The certificate issuing center may be a CA (Certificate Authority), and the hardware cryptographic device may be, but is not limited to, a USB Key device; neither is limited in this embodiment of the present application.
The quantum key filling module 1012 is configured to obtain quantum key information from the first quantum key distribution device and fill the quantum key information into the hardware cryptographic device of the target account.
In specific implementation, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key according to a preconfigured key generation strategy, and ensure that both devices generate the same quantum key securely. The configured key generation strategy may include the number of quantum keys generated, the length of each quantum key, and the like; for example, 10 quantum keys may be generated at a time, each with a length of 800 kbytes. The key generation strategy may be set according to actual needs and is not limited in the embodiment of the present application. After the first and second quantum key distribution devices generate the quantum keys, a unique identifier is set for each quantum key, the same identifier (namely an index value) is set for the same quantum key on both devices, and each quantum key identifier uniquely identifies one quantum key. The quantum key filling module 1012 obtains the quantum key information generated by the first quantum key distribution device, where the quantum key information includes a quantum key identifier and a quantum key, and fills it into the hardware cryptographic device of the target account on the client 100. The total size of the quantum keys filled into the hardware cryptographic device at each time may be determined according to the capacity of the hardware cryptographic device and does not exceed that capacity.
The identity authentication center 1013 is configured to receive a signature value, a first quantum key identifier and a target account identifier sent by the client 100 of the target account, where the signature value is generated by signing a first quantum key selected from the hardware cryptographic device with the signature key; acquire the digital certificate of the target account from the certificate issuing center 1011 according to the target account identifier; acquire a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
The certificate issuing center 1011 is further configured to return the digital certificate corresponding to the target account identifier to the identity authentication center 1013.
In specific implementation, the identity authentication center 1013 decrypts the signature value sent by the client 100 using the public key in the digital certificate of the target account acquired from the certificate issuing center 1011 to obtain the first quantum key, and compares the first quantum key with the second quantum key. If they are consistent, the verification passes and identity authentication succeeds; otherwise identity authentication fails and an identity authentication failure message is returned to the client 100.
The identity authentication center 1013 may be a server, which may be an independent physical server or a cloud server providing basic cloud computing services such as cloud servers, cloud databases and cloud storage. The client 100 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, and the like, which is not limited in this application.
Based on the above application scenarios, an exemplary embodiment of the present application will be described in more detail below with reference to fig. 2, it should be noted that the above application scenarios are only shown for facilitating understanding of the spirit and principles of the present application, and the embodiments of the present application are not limited thereto. Rather, embodiments of the present application may be applied to any scenario where applicable.
As shown in fig. 2, which is a schematic diagram of an implementation flow of an identity authentication method provided in an embodiment of the present application, the identity authentication method may be applied to the identity authentication system 101, and specifically includes the following steps:
S21, the quantum key filling module fills the quantum key information acquired from the first quantum key distribution device into the hardware cryptographic device of the target account on the client.
In specific implementation, the quantum key filling module acquires quantum key information, namely a quantum key identifier and a quantum key, from the first quantum key distribution device deployed at the quantum key filling module, and fills the acquired quantum key information into the hardware cryptographic device of the target account connected to the client.
S22, the client selects a first quantum key from the hardware cryptographic device.
In specific implementation, the client of the target account selects a quantum key from the hardware cryptographic device of the target account; this quantum key is recorded as the first quantum key.
In one implementation, the client may select a complete quantum key, i.e., the whole first quantum key is used for signing.
In order to save the computing resources of the client, in another implementation the client may select a segment of characters of a set length from the first quantum key, i.e., a first quantum key segment is used for signing, and record the offset of the first quantum key segment. The client may agree with the identity authentication center in advance on the set length of the characters used for signing, which is not limited in this application.
For example, the length of the first quantum key is 800K, and the client may select a first quantum key segment with a length of 8K from the first quantum key each time; the segments may be selected sequentially or not, which is not limited in this embodiment of the application. Assuming that the offset of the first quantum key segment selected the first time is 0, the selected characters 1-8K form the first quantum key segment; the offset of the second time is 1, and the selected characters 2-9K form the first quantum key segment; and so on, until the segments of the first quantum key are used up, after which the client selects the first quantum key segment from the next quantum key according to its quantum key identifier. This ensures that the first quantum key segment selected for signing is never repeated, achieving the effect of a one-time pad. After a first quantum key in the hardware cryptographic device is used up, the client can request a new quantum key from the quantum key filling module; the first quantum key distribution device deployed at the quantum key filling module and the second quantum key distribution device deployed at the identity authentication center generate a new, identical quantum key, and the quantum key filling module acquires the newly generated quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account on the client.
As another possible implementation, the client of the target account may select a first quantum key segment of arbitrary length from the first quantum key, and record the offset of the first quantum key segment and the length of the first quantum key segment.
S23, the client signs the first quantum key with the signature key to generate a signature value.
In specific implementation, the client signs the first quantum key (or the first quantum key segment) with the signature key stored in the hardware cryptographic device of the target account to obtain the signature value.
S24, the client sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center.
In specific implementation, when the client of the target account has selected a first quantum key segment of the set length from the first quantum key, it also needs to send the offset of the first quantum key segment to the identity authentication center together with the signature value, the first quantum key identifier and the target account identifier.
When the client of the target account has selected a first quantum key segment of arbitrary length from the first quantum key, it needs to send both the offset and the length of the first quantum key segment to the identity authentication center together with the signature value, the first quantum key identifier and the target account identifier.
S25, the identity authentication center requests the digital certificate of the target account from the certificate issuing center according to the target account identifier.
S26, the certificate issuing center returns the digital certificate of the target account to the identity authentication center.
S27, the identity authentication center acquires the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier.
In specific implementation, if the client of the target account sends the signature value, the first quantum key identifier, the offset of the first quantum key segment and the target account identifier to the identity authentication center, the identity authentication center compares the received offset with the offsets that the client of the target account has already sent for the same first quantum key identifier in previous rounds of identity authentication. If it determines that the client has not previously sent this offset for the first quantum key identifier, it obtains, from the second quantum key distribution device deployed at the identity authentication center, the quantum key segment of the set length (which may be denoted as the second quantum key segment) in the quantum key corresponding to the first quantum key identifier (the second quantum key), according to the first quantum key identifier and the offset of the first quantum key segment; that is, the second quantum key segment is the same as the first quantum key segment. Because the identity authentication center obtains the second quantum key segment directly from the quantum key distribution device it has deployed, the client can complete signing of the first quantum key segment without the first quantum key segment ever being transmitted to the client, which improves the security of the identity authentication process.
If the client of the target account sends the signature value, the first quantum key identifier, the offset and length of the first quantum key segment and the target account identifier to the identity authentication center, and the identity authentication center determines that the client has not previously sent this offset for the first quantum key identifier, it obtains the second quantum key segment of that length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device, according to the first quantum key identifier, the offset of the first quantum key segment and the length of the first quantum key segment.
It should be noted that, in the embodiment of the present application, the execution sequence of step S25 and step S27 is not limited, and these two steps may also be performed simultaneously.
S28, the identity authentication center verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain the identity authentication result.
Specifically, the identity authentication center decrypts the signature value sent by the client using the public key in the digital certificate acquired from the certificate issuing center to obtain the first quantum key segment, and verifies whether it is consistent with the second quantum key segment acquired from the second quantum key distribution device. If they are consistent, the verification passes and identity authentication succeeds; otherwise identity authentication fails and an identity authentication failure message is returned to the client.
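The exchange of steps S21 to S28, as an added example written for this page and not code from the patent or its applicant: the client signs a segment of the quantum key held in its hardware device (key identifier, offset and length, the arbitrary-length variant), and the identity authentication center cuts the same segment from its own copy of the key, refuses an offset it has already accepted for that key identifier, and verifies the signature with the public key in the account's certificate. The patent describes verification as decrypting the signature value and comparing the recovered key with the second quantum key; this example uses ECDSA, where the equivalent check is verifying the signature over the center's own segment. The names AuthRequest, Center, Sign, Verify and Setup, the self-signed certificate standing in for the issuing center, and the random bytes standing in for the QKD output are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strconv"
	"time"
)

// AuthRequest is what the client sends (S24): signature value, first quantum key
// identifier, target account identifier, and the signed segment's offset and length.
type AuthRequest struct {
	AccountID, KeyID string
	Offset, Length   int
	Signature        []byte
}

// Center models the identity authentication center: the quantum keys from its second
// QKD device, the certificates obtained from the issuing center, and accepted "keyID:offset" pairs.
type Center struct {
	Keys  map[string][]byte
	Certs map[string][]byte // target account identifier -> DER certificate
	Used  map[string]bool
}

// segment returns key[off:off+n], or an error if the range leaves the key.
func segment(key []byte, off, n int) ([]byte, error) {
	if off < 0 || n <= 0 || off+n > len(key) {
		return nil, errors.New("quantum key segment out of range")
	}
	return key[off : off+n], nil
}

// Sign is the client side (S22-S23): cut a segment of the first quantum key held in the
// hardware device and sign its SHA-256 digest with the signature key; the segment never leaves the client.
func Sign(signKey *ecdsa.PrivateKey, qk []byte, accountID, keyID string, off, n int) (AuthRequest, error) {
	seg, err := segment(qk, off, n)
	if err != nil {
		return AuthRequest{}, err
	}
	digest := sha256.Sum256(seg)
	sig, err := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
	return AuthRequest{accountID, keyID, off, n, sig}, err
}

// Verify is the center side (S25-S28): parse the account's certificate, refuse an offset
// already used for this key identifier, cut the same segment from the second quantum key,
// and check the signature with the certificate's public key (CheckSignature hashes with SHA-256).
// It returns (false, nil) when the signature simply does not verify.
func (c *Center) Verify(r AuthRequest) (bool, error) {
	cert, err := x509.ParseCertificate(c.Certs[r.AccountID])
	if err != nil {
		return false, err
	}
	key, ok := c.Keys[r.KeyID]
	if !ok {
		return false, errors.New("unknown quantum key identifier")
	}
	ref := r.KeyID + ":" + strconv.Itoa(r.Offset)
	if c.Used[ref] {
		return false, errors.New("offset already used for this quantum key")
	}
	seg, err := segment(key, r.Offset, r.Length)
	if err != nil {
		return false, err
	}
	if cert.CheckSignature(x509.ECDSAWithSHA256, seg, r.Signature) != nil {
		return false, nil
	}
	c.Used[ref] = true
	return true, nil
}

// Setup constructs both sides: a self-signed certificate for the account (standing in for the
// issuing center) and one random quantum key held identically by the device and the center.
func Setup(accountID, keyID string, keyLen int) (*ecdsa.PrivateKey, []byte, *Center, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: accountID},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, nil, err
	}
	qk := make([]byte, keyLen) // constructed stand-in for the QKD devices' shared output
	if _, err := rand.Read(qk); err != nil {
		return nil, nil, nil, err
	}
	ctr := &Center{Keys: map[string][]byte{keyID: append([]byte(nil), qk...)},
		Certs: map[string][]byte{accountID: der}, Used: map[string]bool{}}
	return priv, qk, ctr, nil
}
```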
The identity authentication method provided by the embodiment of the application is applied to an identity authentication system. The identity authentication system provided by the embodiment of the application comprises a certificate issuing center, a quantum key filling module and an identity authentication center. A first quantum key distribution device is deployed at the quantum key filling module and a second quantum key distribution device is deployed at the identity authentication center; the two devices are used for generating the same quantum key. The quantum key filling module acquires quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account, which also stores the digital certificate and signature key issued to the target account by the certificate issuing center. During identity authentication, the client of the target account selects a first quantum key from the hardware cryptographic device, signs it with the signature key to generate a signature value, and sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center. The identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain the identity authentication result. Compared with the prior-art approach of signing and verifying a random number when identity authentication is performed based on a digital certificate, the embodiment of the application signs a quantum key instead of a random number, and the quantum key does not need to be sent to the client of the target account by the identity authentication center: the quantum key filling module fills it into the hardware cryptographic device of the target account in advance, the client obtains the quantum key directly from the hardware cryptographic device and signs it with the signature key to obtain the signature value, and after receiving the signature value the identity authentication center obtains the corresponding quantum key according to the quantum key identifier, verifies the signature value with the public key in the obtained digital certificate, and checks whether the decrypted quantum key is consistent with the obtained quantum key in order to judge whether identity authentication succeeds. A third party (such as an attacker) therefore cannot obtain the quantum key used for signing, and the security of identity authentication is improved.
Based on the same inventive concept, the embodiment of the present application further provides an identity authentication method implemented on the client side. Since the principle by which this method solves the problem is similar to that of the identity authentication method described above, its implementation can refer to the implementation of the identity authentication method, and repeated details are not described again.
As shown in fig. 3, which is a schematic diagram of an implementation flow of an identity authentication method implemented by a client side according to an embodiment of the present application, the identity authentication method implemented by the client side may be applied to the identity authentication system provided by the embodiment of the present application, where the identity authentication system includes a certificate issuing center, a quantum key filling module and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device and fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further stores a digital certificate and a signature key issued by the certificate issuing center to the target account; the identity authentication method may include the steps of:
S31, the client of the target account selects a first quantum key from the hardware cryptographic device.
S32, the first quantum key is signed with the signature key to generate a signature value.
S33, the signature value, the first quantum key identifier and the target account identifier are sent to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain the identity authentication result.
In a possible implementation manner, the selecting, by the client of the target account, the first quantum key from the hardware cryptographic device specifically includes:
the client of the target account selects a first quantum key segment with a set length from the first quantum key, and records the offset of the first quantum key segment; and
the step of sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center further includes:
sending the offset to the identity authentication center, so that the identity authentication center obtains the second quantum key segment of the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier and the offset.
In a possible implementation manner, the selecting, by the client of the target account, the first quantum key from the hardware cryptographic device specifically includes:
the client of the target account selects a first quantum key segment of any length from the first quantum key, and records the offset of the first quantum key segment and the length of the first quantum key segment; and
the step of sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center further includes:
sending the offset and the length to the identity authentication center, so that the identity authentication center obtains the second quantum key segment of that length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
Based on the same inventive concept, embodiments of the present application further provide an identity authentication apparatus implemented on the client side. Since the principle by which this apparatus solves the problem is similar to that of the identity authentication method, its implementation can refer to the implementation of the identity authentication method, and repeated details are not described again.
As shown in fig. 4, which is a schematic structural diagram of an identity authentication apparatus implemented by a client side provided in this embodiment of the present application, the identity authentication apparatus implemented by the client side may be applied to the identity authentication system provided in this embodiment of the present application, where the identity authentication system includes a certificate issuing center, a quantum key filling module and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device and fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further stores a digital certificate and a signature key issued by the certificate issuing center to the target account; the apparatus may include:
a selecting unit 41, configured to select a first quantum key from the hardware cryptographic device;
a signature unit 42, configured to generate a signature value by signing the first quantum key with the signature key;
a sending unit 43, configured to send the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain the identity authentication result.
In a possible implementation manner, the selecting unit 41 is specifically configured to select a first quantum key segment of a set length from the first quantum key, and record the offset of the first quantum key segment; and
the sending unit 43 is further configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, and at the same time, send the offset to the identity authentication center, so that the identity authentication center obtains, according to the first quantum key identifier and the offset, the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device.
In a possible implementation manner, the selecting unit 41 is specifically configured to select a first quantum key segment of arbitrary length from the first quantum key, and record the offset of the first quantum key segment and the length of the first quantum key segment; and
the sending unit 43 is further configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, and at the same time, send the offset and the length to the identity authentication center, so that the identity authentication center obtains, according to the first quantum key identifier, the offset, and the length, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device.
Based on the same inventive concept, the embodiment of the present application further provides an identity authentication method implemented on the identity authentication center side. Since the principle by which this method solves the problem is similar to that of the identity authentication method described above, its implementation can refer to the implementation of the identity authentication method, and repeated details are not described again.
As shown in fig. 5, which is a schematic diagram of an implementation flow of an identity authentication method implemented by an identity authentication center side provided in this embodiment of the present application, where the identity authentication method implemented by the identity authentication center side may be applied to the identity authentication system provided in this embodiment of the present application, where the identity authentication system includes a certificate issuing center, a quantum key filling module and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device, fills the quantum key information into a hardware cryptographic device of a target account, and the hardware cryptographic device further includes a digital certificate and a signature key that are issued by the certificate issuing center to the target account; the method may comprise the steps of:
S51, the identity authentication center receives, from the client of the target account, a signature value generated by signing a first quantum key selected from the hardware cryptographic device with the signature key, together with a first quantum key identifier and a target account identifier.
S52, the digital certificate of the target account is obtained from the certificate issuing center according to the target account identifier.
S53, a second quantum key corresponding to the first quantum key identifier is obtained from the second quantum key distribution device according to the first quantum key identifier.
S54, the signature value is verified according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible embodiment, the method further includes:
receiving an offset of a first quantum key segment sent by a client of the target account, wherein the first quantum key segment is a quantum key segment with a set length selected from the first quantum key by the client of the target account; and
obtaining, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, which specifically includes:
obtaining, from the second quantum key distribution device, a second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier, according to the first quantum key identifier and the offset.
In one possible embodiment, the method further includes:
receiving an offset of a first quantum key segment and a length of the first quantum key segment sent by a client of the target account, where the first quantum key segment is a quantum key segment of any length selected from the first quantum key by the client of the target account; and
obtaining, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, which specifically includes:
obtaining, from the second quantum key distribution device, a second quantum key segment of the length in the second quantum key corresponding to the first quantum key identifier, according to the first quantum key identifier, the offset and the length.
In a possible implementation manner, before obtaining, from the second quantum key distribution device, the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the method further includes:
determining that the offset corresponding to the first quantum key identifier has not been sent by the client of the target account before the current round of identity authentication.
Based on the same inventive concept, the embodiment of the present application further provides an identity authentication device implemented by an identity authentication center side, and since the principle of solving the problem of the identity authentication device implemented by the identity authentication center side is similar to that of the identity authentication method, the implementation of the identity authentication device implemented by the identity authentication center side can refer to the implementation of the identity authentication method, and repeated details are omitted.
Fig. 6 is a structural diagram of the identity authentication apparatus implemented on the identity authentication center side according to an embodiment of the present application. The apparatus may be applied to the identity authentication system provided in this embodiment: the identity authentication system includes a certificate issuing center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key; the quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into a hardware cryptographic device of a target account, and the hardware cryptographic device further holds a digital certificate and a signature key issued by the certificate issuing center to the target account. The apparatus comprises:
a receiving unit 61, configured to receive a signature value, the first quantum key identifier, and a target account identifier, which are sent by a client of the target account and generated by signing a first quantum key selected from the hardware cryptographic device with the signature key;
a first obtaining unit 62, configured to obtain the digital certificate of the target account from the certificate authority according to the target account identifier;
a second obtaining unit 63, configured to obtain, according to the first quantum key identifier, a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device;
and the authentication unit 64 is configured to verify the signature value according to the second quantum key and the public key in the digital certificate, so as to obtain an identity authentication result.
In a possible implementation manner, the receiving unit 61 is further configured to receive an offset of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a quantum key segment with a set length selected from the first quantum key by the client of the target account; and
the second obtaining unit 63 is specifically configured to obtain, from the second quantum key distribution device, a second quantum key segment with the set length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
In a possible implementation manner, the receiving unit 61 is further configured to receive an offset of a first quantum key segment and a length of the first quantum key segment, where the offset of the first quantum key segment and the length of the first quantum key segment are sent by a client of the target account, and the first quantum key segment is a quantum key segment of any length selected by the client of the target account from the first quantum key; and
the second obtaining unit 63 is specifically configured to obtain, from the second quantum key distribution device, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the offset, and the length.
In a possible implementation, the apparatus further includes:
a determining unit, configured to determine that the offset corresponding to the first quantum key identifier has not been sent by the client of the target account before the current round of identity authentication before a second quantum key corresponding to the first quantum key identifier is acquired from the second quantum key distribution device according to the first quantum key identifier.
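The center-side flow of steps S51 to S54 (fig. 5), its offset/length variants and the replay check of the determining unit (fig. 6), together with the client-side selection and sending described for units 41 to 43, as one added, stand-alone model. This is example code written for this page, not the patent's or the applicant's implementation. The page names no signature algorithm, so a toy Schnorr signature over a tiny prime-order group stands in for the signature key and the certificate public key (insecure parameters, illustration only); the certificate issuing center is a plain dictionary, and the key identifier `qk-0001`, the account `alice`, the fixed segment length and the key bytes are constructed values.

```python
"""Constructed model of the page's key-segment authentication: not the patent's code.
A toy Schnorr signature (tiny, insecure group) stands in for the unnamed signature
scheme; key material, identifiers and account names are made-up sample values."""
import hashlib
import secrets
from typing import Optional

P, Q, G = 2039, 1019, 4   # toy group: p = 2q + 1, g = 4 generates the order-q subgroup
SET_LENGTH = 16           # the fixed "set length" used when a request carries no length


def _hash_to_q(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def keygen() -> tuple[int, int]:
    """Return (signature key, certificate public key) for the toy scheme."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes) -> tuple[int, int]:
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _hash_to_q(r.to_bytes(2, "big"), msg)
        if e:  # e == 0 would make the signature independent of x; re-sample the nonce
            return r, (k - x * e) % Q


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    if not (1 <= r < P and 0 <= s < Q):
        return False
    e = _hash_to_q(r.to_bytes(2, "big"), msg)
    return e != 0 and pow(G, s, P) * pow(y, e, P) % P == r


class QKDDevice:
    """Key identifier -> key bytes. Both QKD devices of the page hold identical material."""
    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys

    def segment(self, key_id: str, offset: int, length: int) -> bytes:
        key = self.keys.get(key_id)
        if key is None or offset < 0 or length <= 0 or offset + length > len(key):
            raise KeyError("unknown key identifier or segment out of range")
        return key[offset:offset + length]


class Client:
    """Client of the target account; the filled hardware cryptographic device is modelled
    as a QKDDevice holding the quantum keys, plus the signature key."""
    def __init__(self, account_id: str, quantum_keys: dict[str, bytes], signature_key: int):
        self.account_id, self.signature_key = account_id, signature_key
        self.device = QKDDevice(quantum_keys)

    def request(self, key_id: str, offset: int, length: Optional[int] = None) -> dict:
        """Select a segment of the first quantum key, sign it and build the message;
        length is omitted in the fixed-length variant (only the offset is sent)."""
        seg = self.device.segment(key_id, offset, SET_LENGTH if length is None else length)
        msg = {"account": self.account_id, "key_id": key_id, "offset": offset,
               "signature": sign(self.signature_key, seg)}
        if length is not None:
            msg["length"] = length
        return msg


class AuthCenter:
    def __init__(self, qkd: QKDDevice, certificates: dict[str, int]):
        self.qkd, self.certificates = qkd, certificates  # certificates: account -> public key
        self.seen: set[tuple[str, int]] = set()        # (key_id, offset) pairs already presented

    def authenticate(self, msg: dict) -> tuple[bool, str]:
        public_key = self.certificates.get(msg["account"])       # S52: certificate lookup
        if public_key is None:
            return False, "no certificate for account"
        ref = (msg["key_id"], msg["offset"])
        if ref in self.seen:                                      # replay check, before S53
            return False, "offset already used"
        self.seen.add(ref)
        try:                                                      # S53: same segment, locally
            seg = self.qkd.segment(msg["key_id"], msg["offset"], msg.get("length", SET_LENGTH))
        except KeyError:
            return False, "key segment unavailable"
        if not verify(public_key, seg, msg["signature"]):         # S54: verify over the segment
            return False, "signature does not verify"
        return True, "authenticated"


def run_demo() -> dict[str, tuple[bool, str]]:
    shared = {"qk-0001": secrets.token_bytes(64)}   # constructed key, present in both devices
    x, y = keygen()
    client = Client("alice", dict(shared), x)
    center = AuthCenter(QKDDevice(dict(shared)), {"alice": y})
    out = {"fixed_length": center.authenticate(client.request("qk-0001", 0)),
           "any_length": center.authenticate(client.request("qk-0001", 16, 24))}
    out["replay"] = center.authenticate(client.request("qk-0001", 16, 24))
    forged = client.request("qk-0001", 40, 8)        # re-signed with a key the CA never certified
    forged["signature"] = sign(1 if x != 1 else 2, shared["qk-0001"][40:48])
    out["wrong_key"] = center.authenticate(forged)
    out["out_of_range"] = center.authenticate({"account": "alice", "key_id": "qk-0001",
                                               "offset": 60, "length": 16, "signature": (1, 0)})
    return out
```

The quantum key segment is never transmitted: the client signs it and the center reconstructs the same bytes from its own distribution device, so the segment works as a shared challenge that only a holder of the filled hardware device can sign. The replay check is keyed on (key identifier, offset) exactly as the page describes it, and the model records the offset as soon as it is presented, so a failed attempt consumes it as well; note that a check of this shape does not notice two segments that overlap at different offsets.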
Based on the same technical concept, an embodiment of the present application further provides an electronic device 700, as shown in fig. 7, where the electronic device 700 is configured to implement the identity authentication method or the identity authentication apparatus described in the foregoing method embodiment, and the electronic device 700 of this embodiment may include: a memory 701, a processor 702, and a computer program, such as an authentication program, stored in the memory and executable on the processor. The processor, when executing the computer program, implements the steps in the above-described embodiments of the identity authentication method, such as step S21 shown in fig. 2.
In the embodiment of the present application, a specific connection medium between the memory 701 and the processor 702 is not limited. In the embodiment of the present application, the memory 701 and the processor 702 are connected by the bus 703 in fig. 7, the bus 703 is indicated by a thick line in fig. 7, and the connection manner between other components is merely schematically illustrated and is not limited thereto. The bus 703 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The memory 701 may be a volatile memory, such as a random-access memory (RAM); the memory 701 may also be a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium which can be used to carry or store desired program code in the form of instructions or data structures and which can be accessed by a computer. The memory 701 may also be a combination of the above.
A processor 702 configured to implement the identity authentication methods of the various exemplary embodiments of the present application.
An embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions to be executed by the processor, including a program that the processor executes to perform the identity authentication method.
In some possible embodiments, the various aspects of the identity authentication method provided in the present application may also be implemented in the form of a program product, which includes program code for causing an electronic device to perform the steps in the identity authentication method according to various exemplary embodiments of the present application described above in this specification, when the program product is run on the electronic device.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An identity authentication method is characterized in that the identity authentication method is applied to an identity authentication system, the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module acquires quantum key information from the first quantum key distribution device, the quantum key information is filled into a hardware cryptographic device of a target account, and the hardware cryptographic device further comprises a digital certificate and a signature key issued by the certificate issuing center to the target account; the method comprises the following steps:
the client of the target account selects a first quantum key from the hardware cryptographic device;
signing the first quantum key by using the signature key to generate a signature value;
sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and a public key in the digital certificate to obtain an identity authentication result.
2. The method of claim 1, wherein the client of the target account selecting the first quantum key from the hardware cryptographic device specifically comprises:
the client of the target account selects a first quantum key segment with a set length from the first quantum key, and records the offset of the first quantum key segment; and
when the signature value, the first quantum key identification and the target account identification are sent to the identity authentication center, the method further comprises the following steps:
sending the offset to the identity authentication center, so that the identity authentication center obtains the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier and the offset.
3. The method of claim 1, wherein the client of the target account selecting the first quantum key from the hardware cryptographic device specifically comprises:
the client of the target account selects a first quantum key segment with any length from the first quantum key, and records the offset of the first quantum key segment and the length of the first quantum key segment; and
the step of sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center further includes:
sending the offset and the length to the identity authentication center, so that the identity authentication center obtains a second quantum key segment with the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
4. An identity authentication method is characterized in that the identity authentication method is applied to an identity authentication system, the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module acquires quantum key information from the first quantum key distribution device, the quantum key information is filled into a hardware cryptographic device of a target account, and the hardware cryptographic device further comprises a digital certificate and a signature key issued by the certificate issuing center to the target account; the method comprises the following steps:
the identity authentication center receives, from a client of the target account, a signature value generated by signing a first quantum key selected from the hardware cryptographic device with the signature key, a first quantum key identifier and a target account identifier;
acquiring the digital certificate of the target account from the certificate issuing center according to the target account identifier;
acquiring a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier;
verifying the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
5. The method of claim 4, further comprising:
receiving an offset of a first quantum key segment sent by a client of the target account, wherein the first quantum key segment is a quantum key segment with a set length selected from the first quantum key by the client of the target account; and
obtaining, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, which specifically includes:
acquiring the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier and the offset.
6. The method of claim 4, further comprising:
receiving an offset of a first quantum key segment and a length of the first quantum key segment sent by a client of the target account, wherein the first quantum key segment is a quantum key segment with any length selected by the client of the target account from the first quantum key; and
obtaining, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, which specifically includes:
acquiring a second quantum key segment with the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
7. An identity authentication device is applied to an identity authentication system, the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module acquires quantum key information from the first quantum key distribution device, the quantum key information is filled into a hardware cryptographic device of a target account, and the hardware cryptographic device further comprises a digital certificate and a signature key issued by the certificate issuing center to the target account; the device comprises:
a selection unit, configured to select a first quantum key from the hardware cryptographic device;
the signature unit is used for signing the first quantum key by using the signature key to generate a signature value;
a sending unit, configured to send the signature value, the first quantum key identifier, and a target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and a public key in the digital certificate, to obtain an identity authentication result.
8. An identity authentication system, comprising: the authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center, wherein a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, and the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, wherein:
the certificate issuing center is used for issuing a digital certificate and a signature key to the target account, and the digital certificate and the signature key are stored in a hardware cryptographic device of the target account;
the quantum key filling module is configured to acquire quantum key information from the first quantum key distribution device, and fill the quantum key information into the hardware cryptographic device of the target account;
the identity authentication center is configured to receive a signature value, a first quantum key identifier and a target account identifier, which are sent by the client of the target account, the signature value being generated by signing a first quantum key selected from the hardware cryptographic device with the signature key; acquire the digital certificate of the target account from the certificate issuing center according to the target account identifier; acquire a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the identity authentication method according to any one of claims 1 to 6 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the identity authentication method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211034032.4A CN115426106B (en) 2022-08-26 2022-08-26 Identity authentication method, device and system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211034032.4A CN115426106B (en) 2022-08-26 2022-08-26 Identity authentication method, device and system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115426106A true CN115426106A (en) 2022-12-02
CN115426106B CN115426106B (en) 2023-05-23

Family

ID=84200682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211034032.4A Active CN115426106B (en) 2022-08-26 2022-08-26 Identity authentication method, device and system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115426106B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001265735A (en) * 2000-03-22 2001-09-28 Ntt Communications Kk Authentication method, signature method, communication method and system utilizing id/password
US20140122888A1 (en) * 2012-10-31 2014-05-01 Industry-Academia Cooperation Group Of Sejong University Method for password based authentication and apparatus executing the method
CN105991285A (en) * 2015-02-16 2016-10-05 阿里巴巴集团控股有限公司 Identity authentication methods, devices and system applied to quantum key distribution process
CN106301769A (en) * 2015-06-08 2017-01-04 阿里巴巴集团控股有限公司 Quantum key output intent, storage consistency verification method, Apparatus and system
CN107769913A (en) * 2016-08-16 2018-03-06 广东国盾量子科技有限公司 A kind of communication means and system based on quantum UKey
CN108243166A (en) * 2016-12-27 2018-07-03 航天信息股份有限公司 A kind of identity identifying method and system based on USBKey
CN111917543A (en) * 2020-08-14 2020-11-10 国科量子通信网络有限公司 User access cloud platform security access authentication system and application method thereof
CN114221765A (en) * 2022-02-17 2022-03-22 浙江九州量子信息技术股份有限公司 Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm
CN114218548A (en) * 2021-12-14 2022-03-22 北京海泰方圆科技股份有限公司 Identity verification certificate generation method, authentication method, device, equipment and medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115955306A (en) * 2022-12-30 2023-04-11 北京海泰方圆科技股份有限公司 Data encryption transmission method and device, electronic equipment and storage medium
CN115955306B (en) * 2022-12-30 2023-11-14 北京海泰方圆科技股份有限公司 Data encryption transmission method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN115426106B (en) 2023-05-23

Similar Documents

Publication Publication Date Title
US10790976B1 (en) System and method of blockchain wallet recovery
US11196745B2 (en) Blockchain-based account management
CN109409472B (en) Two-dimensional code generation method, data processing device and server
CN110677376B (en) Authentication method, related device and system and computer readable storage medium
CN112559993B (en) Identity authentication method, device and system and electronic equipment
CN113472720B (en) Digital certificate key processing method, device, terminal equipment and storage medium
CN112115205B (en) Cross-chain trust method, device, equipment and medium based on digital certificate authentication
CN110401615A (en) A kind of identity identifying method, device, equipment, system and readable storage medium storing program for executing
CN112069550B (en) Electronic contract evidence-storing system based on intelligent contract mode
CN110286849B (en) Data processing method and device of data storage system
CN104836776A (en) Data interaction method and device
CN114282193A (en) Application authorization method, device, equipment and storage medium
CN110611647A (en) Node joining method and device on block chain system
CN110740038A (en) Block chain and communication method, gateway, communication system and storage medium thereof
CN114691669A (en) Electronic certificate storage method and device, electronic equipment and storage medium
CN113326525A (en) Data processing method and device based on intelligent contract
CN101582876A (en) Method, device and system for registering user generated content (UGC)
CN111062059B (en) Method and device for service processing
CN110798322B (en) Operation request method, device, storage medium and processor
CN115426106B (en) Identity authentication method, device and system, electronic equipment and storage medium
CN113609213B (en) Method, system, device and storage medium for synchronizing device keys
JP2015513156A (en) Byzantine fault tolerance and threshold coin toss
CN116506134B (en) Digital certificate management method, device, equipment, system and readable storage medium
CN112235276B (en) Master-slave equipment interaction method, device, system, electronic equipment and computer medium
CN117240473A (en) Electronic contract signing method, electronic contract signing device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant