CN115442037A - Account management method, device, equipment and storage medium - Google Patents

Account management method, device, equipment and storage medium

Info

Publication number
CN115442037A
Authority
CN
China
Prior art keywords
account
private key
mirror
key
target user
Legal status
Pending
Application number
CN202211079267.5A
Other languages
Chinese (zh)
Inventor
李祖金
邹鹤良
邹雅丽
罗新良
Current Assignee
Digital Guangdong Network Construction Co Ltd
Original Assignee
Digital Guangdong Network Construction Co Ltd
Events
Application filed by Digital Guangdong Network Construction Co Ltd
Priority to CN202211079267.5A
Publication of CN115442037A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Abstract

The invention discloses an account management method, an account management device, account management equipment and a storage medium. The invention is based on identity-based cryptography and uses the identity identifier itself as the user's public key, so the user does not need a third party to vouch for the authenticity of the public key; this simplifies user identity authentication, is efficient, and is easy to deploy and use. The private key of each mirror account is encrypted a second time with the private key of the primary account. When another user logs in to the service platform with the private key of a mirror account, that mirror private key can be verified using the private key of the primary account, and only when the verification passes is the user allowed into the service platform to process the corresponding services, which improves account security. The private key of each mirror account is granted corresponding permissions and a validity period, which avoids leakage of the user's primary account and the risk of other users processing services without authorization, and so improves account security.

Description

Account management method, device, equipment and storage medium
Technical Field
The present invention relates to computer application technologies, and in particular, to an account management method, apparatus, device, and storage medium.
Background
With the rapid development of the internet, the authentication scheme of most internet service platforms is a registration system: a user registers a personal account on the service platform and sets a password, then logs in with that account and password, and the service platform verifies the account and password to confirm the user's identity.
An account registered on a service platform may hold multiple permissions, which the user uses to process the corresponding services. In some cases a user needs to delegate a certain service to another user for processing, and at present the user can only tell the other user the account and password so that the other user can log in to the service platform and handle it. This can lead to the user's account and password being disclosed, and there is also the risk that the other user processes other services without authorization.
Disclosure of Invention
The invention provides an account management method, device, equipment and storage medium, which avoid leakage of a user's primary account and the risk of unauthorized service processing by other users, and so improve account security.
In a first aspect, the present invention provides an account management method, including:
in response to a mirror account creation request sent by a target user through a user terminal, acquiring personal basic information authorized by the target user, the personal basic information comprising a key identity identifier and a plurality of additional identifiers of the target user;
using the key identity identifier as the public key of the primary account, and generating a private key matching the public key of the primary account based on identity-based cryptography;
for each additional identifier, using the additional identifier as the public key of a mirror account, and generating a private key matching the public key of that mirror account based on identity-based cryptography;
performing secondary encryption on the private key of the mirror account with the private key of the primary account;
and granting corresponding permissions and a validity period to the private key of each mirror account, and authorizing the mirror account to other users for temporary use.
Optionally, before acquiring the personal basic information authorized by the target user in response to the mirror account creation request sent through the user terminal, the method further includes:
in response to a primary account registration application sent by the target user through the user terminal, acquiring a key identity identifier input by the target user;
collecting a physiological characteristic of the target user and recognizing it with biometric technology, so as to verify whether the key identity identifier corresponds to the identity of the target user;
and when the verification passes, receiving a plurality of additional identifiers input by the target user, and proceeding to the step of acquiring the personal basic information authorized by the target user in response to the mirror account creation request sent through the user terminal.
Optionally, performing secondary encryption on the private key of the mirror account with the private key of the primary account includes:
digitally signing the private key of the mirror account with the private key of the primary account.
Optionally, digitally signing the private key of the mirror account with the private key of the primary account includes:
computing a hash of the private key of the mirror account with a hash algorithm to obtain a first hash value;
and encrypting the first hash value with the private key of the primary account to obtain the digital signature of the private key of the mirror account.
Optionally, granting corresponding permissions and a validity period to the private key of each mirror account includes:
establishing an effective account list, adding the public key and private key of the mirror account to the effective account list, and setting the validity period of the mirror account;
and writing the private key of the mirror account and an identifier representing its permissions into an electronic key.
Optionally, the account management method further includes:
acquiring the public key of a mirror account input by another user at login;
verifying, with the private key of the mirror account stored in the electronic key inserted by that user, whether the input public key of the mirror account matches the private key in the electronic key;
when the input public key of the mirror account matches the private key in the electronic key, verifying the validity period of the private key of the mirror account;
and when that verification passes, determining the permissions of the private key of the mirror account.
Optionally, the account management method further includes:
decrypting the digital signature with the public key of the primary account;
when the digital signature is successfully decrypted to yield the first hash value, determining that the digital signature was issued by the target user;
computing a hash of the private key of the mirror account with the hash algorithm to obtain a second hash value;
and comparing the first hash value with the second hash value; when the two are identical, performing the step of verifying, with the private key of the mirror account in the electronic key inserted by the user, whether the input public key of the mirror account matches the private key in the electronic key.
In a second aspect, the present invention further provides an account management apparatus, including:
an information acquisition module, configured to acquire, in response to a mirror account creation request sent by a target user through a user terminal, personal basic information authorized by the target user, the personal basic information comprising a key identity identifier and a plurality of additional identifiers of the target user;
a first private key generation module, configured to use the key identity identifier as the public key of the primary account and to generate a private key matching the public key of the primary account based on identity-based cryptography;
a second private key generation module, configured to use each additional identifier as the public key of a mirror account and to generate a private key matching the public key of that mirror account based on identity-based cryptography;
a secondary encryption module, configured to perform secondary encryption on the private key of the mirror account with the private key of the primary account;
and an authorization module, configured to grant corresponding permissions and a validity period to the private key of each mirror account and to authorize the mirror accounts to other users for temporary use.
In a third aspect, the present invention further provides an electronic device, including:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the account management method according to the first aspect of the present invention.
In a fourth aspect, the present invention also provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the account management method according to the first aspect of the present invention.
The account management method provided by the invention comprises: in response to a mirror account creation request sent by a target user through a user terminal, acquiring personal basic information authorized by the target user, the personal basic information comprising a key identity identifier of the target user and a plurality of additional identifiers; using the key identity identifier as the public key of the primary account and generating a private key matching that public key based on identity-based cryptography; for each additional identifier, using the additional identifier as the public key of a mirror account and generating a private key matching that public key based on identity-based cryptography; performing secondary encryption on the private key of the mirror account with the private key of the primary account; and granting corresponding permissions and a validity period to the private key of each mirror account and authorizing the mirror account to other users for temporary use. Because the invention is based on identity-based cryptography and uses the identity identifier itself as the user's public key, the user does not need a third party to vouch for the authenticity of the public key, which simplifies user identity authentication, is efficient, and is easy to deploy and use.
The private key of each mirror account is encrypted a second time with the private key of the primary account. When another user logs in to the service platform with the private key of a mirror account, that mirror private key can be verified using the private key of the primary account, and only when the verification passes is the user allowed into the service platform to process the corresponding services, which improves account security. The private key of each mirror account is granted corresponding permissions and a validity period, which avoids leakage of the user's primary account and the risk of other users processing services without authorization, and so improves account security.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of an account management method according to an embodiment of the present invention;
fig. 2 is a flowchart of another account management method according to an embodiment of the present invention;
fig. 3 is a flowchart of another account management method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an account management apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be emphasized that the technical solutions of the present application, such as obtaining, storing, using, and processing of data, all conform to relevant regulations of national laws and regulations.
Fig. 1 is a flowchart of an account management method according to an embodiment of the present invention. This embodiment applies to the case where a user entrusts another user to temporarily handle a certain service. The method may be executed by an account management apparatus according to an embodiment of the present invention, which may be implemented in software and/or hardware and is generally deployed in a service platform. As shown in fig. 1, the method specifically includes the following steps:
S101, in response to a mirror account creation request sent by a target user through a user terminal, acquiring personal basic information authorized by the target user, the personal basic information comprising a key identity identifier and a plurality of additional identifiers of the target user.
In the embodiment of the invention, when a target user wants to entrust another user with processing a certain service on the service platform, the target user logs in to the service platform through the user terminal and sends a mirror account creation request from the user terminal. After receiving the mirror account creation request, the service platform acquires the personal basic information authorized by the target user, which comprises the target user's key identity identifier and a plurality of additional identifiers. In an authentication system, the core part of an account consists of the account name, the password, and the certificate type and certificate number; besides these elements there are others, such as the user's name, mobile phone number and e-mail address. In the embodiment of the present invention, the key identity identifier of the target user may be the key unique identifier in the core part of the account that characterizes the target user's identity, for example an identity card number or another certificate number that characterizes the user's identity. An additional identifier of the target user is a user identifier that is unique within the account but is not a key element of the account in the authentication system, such as an e-mail address or a telephone number.
A mirror account is a mirror of the target user's account and may hold some or all of the permissions of that account. The target user can give a mirror account to another user, who logs in to the service platform with the mirror account to process one or more services entrusted by the target user.
The mirror account creation request indicates that the target user's terminal is applying to create a mirror account; how the request is triggered may be configured in advance according to actual needs. For example, in a bidding scenario in which another user is entrusted to process a certain service on the service platform, a virtual button for triggering the mirror account creation request may be placed in the interface of the target user's terminal, and when the target user clicks that button, the user is determined to have triggered the mirror account creation request.
S102, using the key identity identifier as the public key of the primary account, and generating a private key matching the public key of the primary account based on identity-based cryptography.
In the embodiment of the present invention, Identity-Based Cryptography (IBC) is built on an asymmetric public-key cryptosystem. Identity-based cryptography uses bilinear pairings on elliptic curves together with the user's unique identity identifier to bind the user's identity directly to the key. With this technology, the other party's unique identity identifier can be used as the public key, and the user's private key is computed by a Key Generation Center (KGC) from the system master key and the user's identity. When the public key of a traditional asymmetric algorithm such as RSA (Rivest, Shamir, Adleman) is distributed, the public key is only a meaningless string of random numbers, so a PKI (Public Key Infrastructure) must add identity authentication to it; a digital certificate therefore has to accompany the key when it is transmitted, and the authentication process is complicated. With identity-based cryptography the identity identifier is used directly as the user's public key, and the user does not need a third party to vouch for the authenticity of the public key, so user identity authentication is simplified, efficiency is high, and deployment and use are easy. Illustratively, in a specific embodiment of the present invention, the SM9 algorithm, which is one of the identity-based cryptographic algorithms, is used to generate the private key paired with the public key of the primary account.
In the embodiment of the invention, the key identity identifier is used as the public key of the primary account, and the private key matching that public key is generated with identity-based cryptography. Specifically, the key generation center takes a security parameter K as input and outputs the system parameters params and a master key MasterKey, where the system parameters params are public and the master key MasterKey is known only to the key generation center. The private key matching the public key of the primary account is then computed mathematically from the system parameters params, the master key MasterKey and the key identity identifier.
S103, for each additional identifier, using the additional identifier as the public key of a mirror account, and generating a private key matching the public key of that mirror account based on identity-based cryptography.
In the embodiment of the invention, for each additional identifier, the additional identifier is used as the public key of a mirror account and a private key matching that public key is generated with identity-based cryptography. The process and principle of generating the mirror account's private key from the additional identifier are the same as those of generating the primary account's private key from the key identity identifier described above, and are not repeated here.
S104, performing secondary encryption on the private key of the mirror account with the private key of the primary account.
In the embodiment of the invention, once the public and private keys of the primary account and the public and private keys of the mirror accounts have been obtained, the private key of each mirror account is encrypted a second time with the private key of the primary account, so that the primary account's private key acts as the root private key of the mirror accounts. When another user logs in to the service platform with the private key of a mirror account, that mirror private key can be verified using the private key of the primary account, and only when the verification passes is the user allowed into the service platform to process the corresponding services, which improves account security. The form of the secondary encryption is not limited in the embodiment of the present invention; it may, for example, be a digital signature.
S105, granting corresponding permissions and a validity period to the private key of each mirror account, and giving the mirror account to other users for temporary use.
In the embodiment of the invention, after the private keys of the mirror accounts have been encrypted a second time, the private key of each mirror account is granted corresponding permissions and a validity period, and the mirror accounts are given to other users for temporary use. For example, mirror accounts corresponding to different additional identifiers may be granted different permissions for processing different services. In addition, since the target user gives a mirror account to another user only temporarily, to act as agent for one or a few services, the private key of each mirror account may be granted a corresponding validity period, for example the current day or one week. Within that validity period, the entrusted user can log in to the service platform with the mirror account and process services within the granted permission range; once the validity period has elapsed, the private key of the mirror account becomes invalid and can no longer be used to log in to the service platform.
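The following added example (not the patent's code) models the effective account list of S105 together with the optional login-time checks: a mirror account's public key (its additional identifier) and private key are recorded with a validity period and a permission identifier, and at login the platform checks that the presented private key matches, that the validity period has not elapsed, and that the requested service is within the granted permissions. The signature check on the mirror private key is a separate step and is not repeated here. The mirror keys are constructed byte strings standing in for SM9 keys, and the permission names, reason codes, class and method names are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added illustration of the effective account list (S105) and the login-time checks.
# Keys are constructed bytes standing in for SM9 keys; names and reason codes are assumed.


@dataclass(frozen=True)
class MirrorEntry:
    public_key: str          # the additional identifier, e.g. an e-mail address
    private_key: bytes       # stand-in for the SM9-derived mirror private key
    permissions: frozenset   # identifiers of the services this mirror account may process
    not_before: datetime     # start of the validity period
    not_after: datetime      # end of the validity period; the key is invalid from then on


class EffectiveAccountList:
    """The service platform's record of mirror accounts that are currently authorized."""

    def __init__(self):
        self._entries = {}

    def grant(self, public_key: str, private_key: bytes, permissions, valid_for: timedelta,
              now: datetime) -> MirrorEntry:
        """S105: add the mirror key pair, set its validity period and bind its permissions."""
        if valid_for <= timedelta(0):
            raise ValueError("validity period must be positive")
        entry = MirrorEntry(public_key, bytes(private_key), frozenset(permissions),
                            now, now + valid_for)
        self._entries[public_key] = entry
        return entry

    def revoke(self, public_key: str) -> None:
        """Withdraw a mirror account before its validity period ends."""
        self._entries.pop(public_key, None)

    def check_login(self, public_key: str, presented_private_key: bytes, now: datetime):
        """Returns (ok, reason, permissions). Order follows the page: key match first,
        then validity period, then the permissions bound to the key."""
        entry = self._entries.get(public_key)
        if entry is None:
            return False, "unknown_mirror_account", frozenset()
        # Constant-time comparison of the presented key with the recorded one.
        if not hmac.compare_digest(entry.private_key, bytes(presented_private_key)):
            return False, "key_mismatch", frozenset()
        if now < entry.not_before:
            return False, "not_yet_valid", frozenset()
        if now >= entry.not_after:
            return False, "expired", frozenset()
        return True, "ok", entry.permissions

    def authorize(self, public_key: str, presented_private_key: bytes, service: str,
                  now: datetime) -> bool:
        """True only when login succeeds and the service is within the granted permissions."""
        ok, _, permissions = self.check_login(public_key, presented_private_key, now)
        return ok and service in permissions


def demo() -> dict:
    """Exercises the list with constructed data: a one-day mirror account for a delegate
    that may only submit bids."""
    t0 = datetime(2022, 9, 5, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    mirror_priv = bytes(range(32))                          # constructed mirror private key
    acl = EffectiveAccountList()
    acl.grant("delegate@example.com", mirror_priv, {"bid_submit"}, timedelta(days=1), now=t0)
    in_period = t0 + timedelta(hours=1)
    results = {
        "login_within_period": acl.check_login("delegate@example.com", mirror_priv, in_period)[0],
        "login_after_expiry": acl.check_login("delegate@example.com", mirror_priv,
                                              t0 + timedelta(days=2))[1],
        "wrong_key": acl.check_login("delegate@example.com", b"\x00" * 32, in_period)[1],
        "unknown_account": acl.check_login("nobody@example.com", mirror_priv, in_period)[1],
        "in_scope": acl.authorize("delegate@example.com", mirror_priv, "bid_submit", in_period),
        "out_of_scope": acl.authorize("delegate@example.com", mirror_priv, "transfer_funds",
                                      in_period),
    }
    acl.revoke("delegate@example.com")
    results["after_revoke"] = acl.check_login("delegate@example.com", mirror_priv, in_period)[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `revoke` method is not a step on the page; it is included because a practitioner running such a list would want a way to withdraw a mirror account before its validity period ends, and it uses the same data the page already records.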
The account management method provided by the embodiment of the invention comprises: in response to a mirror account creation request sent by a target user through a user terminal, acquiring personal basic information authorized by the target user, the personal basic information comprising a key identity identifier of the target user and a plurality of additional identifiers; using the key identity identifier as the public key of the primary account and generating a private key matching that public key based on identity-based cryptography; for each additional identifier, using the additional identifier as the public key of a mirror account and generating a private key matching that public key based on identity-based cryptography; performing secondary encryption on the private key of the mirror account with the private key of the primary account; and granting corresponding permissions and a validity period to the private key of each mirror account and authorizing the mirror account to other users for temporary use. Because the invention is based on identity-based cryptography and uses the identity identifier itself as the user's public key, the user does not need a third party to vouch for the authenticity of the public key, which simplifies user identity authentication, is efficient, and is easy to deploy and use.
The private key of each mirror account is encrypted a second time with the private key of the primary account. When another user logs in to the service platform with the private key of a mirror account, that mirror private key can be verified using the private key of the primary account, and only when the verification passes is the user allowed into the service platform to process the corresponding services, which improves account security. The private key of each mirror account is granted corresponding permissions and a validity period, which avoids leakage of the user's primary account and the risk of other users processing services without authorization, and so improves account security.
In order to make the technical solution of the present application more clearly understood by those skilled in the art, the steps in the above embodiments will be described in detail below.
Fig. 2 is a flowchart of another account management method according to an embodiment of the present invention, and as shown in fig. 2, the account management method includes:
S201, in response to a primary account registration application sent by a target user through a user terminal, acquiring a key identity input by the target user.
In the embodiment of the invention, when a target user logs in to the service platform for the first time, the service platform gives a registration prompt asking the target user to register a primary account. The service platform responds to the primary account registration application sent by the target user through the user terminal and acquires the key identity input by the target user. As mentioned above, the key identity of the target user may be a unique identifier that forms the core part of the account and characterizes the identity of the target user, for example an ID number or another certificate number used to characterize the identity of the user.
S202, verifying whether the key identity corresponds to the identity of the target user.
In the embodiment of the invention, in order to confirm that the person registering the primary account is the target user and to prevent others from impersonating the target user at registration, the physiological characteristics of the target user may be collected and identified using biometric recognition technology so as to verify the key identity. For example, in the embodiment of the present invention, the physiological characteristic may be a facial feature, a voiceprint feature, a fingerprint feature, or the like; the embodiment of the present invention is not limited in this respect. After the physiological characteristics are collected, they are compared with the physiological characteristic samples of the target user stored in advance in a feature library; if they are consistent with the samples of the target user, it is confirmed that the primary account is being registered by the target user and that the key identity corresponds to the identity of the target user. When the verification passes, step S203 is executed; if the verification does not pass, the flow ends.
S203, receiving a plurality of additional identifications input by the target user.
After verifying that the key identity corresponds to the identity of the target user, receiving a plurality of additional identities input by the target user, where, as described above, the additional identity of the target user refers to a user identity that is unique in the account but not a key element of the account in the authentication system, such as a mailbox address, a telephone number, and the like.
S204, in response to a mirror account creating request sent by a target user through a user terminal, acquiring personal basic information authorized by the target user, wherein the personal basic information comprises a key identity identifier and a plurality of additional identifiers of the target user.
In the embodiment of the invention, when a target user wants to entrust another user with processing a certain service on the service platform, the target user can log in to the service platform through the user terminal and send a mirror account creation request from the user terminal. After receiving the mirror account creation request, the service platform acquires the personal basic information authorized by the target user, where the personal basic information comprises the key identity and a plurality of additional identifiers of the target user.
S205, the key identity is used as a public key of the primary account, and a private key matched with the public key of the primary account is generated based on an identity cryptography technology.
In the embodiment of the invention, the key identity is used as the public key of the primary account, and a private key matched with the public key of the primary account is generated based on identity-based cryptography. Specifically, the key generation center takes a security parameter K and outputs the system parameters params and a master key MasterKey, where the system parameters params are public and the master key MasterKey is known only to the key generation center. The private key matched with the public key of the primary account is then computed mathematically from the system parameters params, the master key MasterKey and the key identity.
S206, aiming at each additional identification, taking the additional identification as a public key of the mirror account, and generating a private key matched with the public key of the mirror account based on an identity identification cryptographic technology.
In the embodiment of the invention, for each additional identifier, the additional identifier is used as the public key of a mirror account, and a private key matched with that public key is generated based on identity-based cryptography. Specifically, the process and principle of generating the private key of the mirror account from the additional identifier used as its public key are similar to those of generating the private key of the primary account from the key identity used as its public key, and the embodiment of the present invention does not repeat them here.
S207, digitally signing the private key of the mirror account with the private key of the primary account.
In the embodiment of the invention, the private key of the mirror account is digitally signed by adopting the private key of the primary account. The digital signature is a digital string which can be generated only by a sender of the information and cannot be forged by others, and the digital string is also a valid proof of the authenticity of the information sent by the sender of the information. Illustratively, the specific process of digitally signing the private key of the mirror account by using the private key of the primary account is as follows:
1. Computing a first hash value of the private key of the mirror account with a hash algorithm.
For example, in the embodiment of the present invention, after the private key of the mirror account is generated, a hash algorithm is used to calculate the private key of the mirror account, so as to obtain a first hash value, where the first hash value may also be referred to as a digest of the private key of the mirror account. The hash algorithm maps a binary string with any length to a binary string with a fixed length, and illustratively, in the embodiment of the present invention, an MD5 algorithm is used to calculate a private key of a mirror account, so as to obtain a 128-bit first hash value.
2. Encrypting the first hash value with the private key of the primary account to obtain the digital signature of the private key of the mirror account.
After the first hash value of the private key of the mirror account has been computed with the hash algorithm, the first hash value is encrypted with the private key of the primary account to obtain the digital signature of the private key of the mirror account, and the digital signature is attached to the private key of the mirror account.
S208, establishing an effective account list, adding the public key and the private key of the mirror account into the effective account list, and setting the time effectiveness of the mirror account.
In the embodiment of the invention, in order to manage the mirror account, the public key and the private key of the mirror account are added to the effective account list, and the time effectiveness (validity period) of the mirror account is set. Within the validity period, the other entrusted users can log in to the service platform with the public key and private key of the mirror account and process services within the granted scope of authority; once the validity period is exceeded, the mirror account is automatically removed from the effective account list, its private key becomes invalid, and the users can no longer log in to the service platform.
S209, writing the private key of the mirror account and the identifier representing the authority into the electronic key.
In the embodiment of the invention, the private key of the mirror account is written into an electronic key (Ukey) and distributed to the other entrusted users. Together with the private key of the mirror account, an identifier representing the authority is written into the Ukey; illustratively, different authority identifiers represent different authorities and therefore the different services that may be processed.
The following describes a verification process of a service platform when a delegated user logs in by using a mirror account in the embodiment of the present invention.
Fig. 3 is a flowchart of another account management method according to an embodiment of the present invention, and as shown in fig. 3, the account management method includes:
S301, creating a mirror account of the primary account.
Illustratively, the service platform responds to a mirror account creation request sent by a target user through a user terminal by obtaining personal basic information authorized by the target user, where the personal basic information comprises the key identity of the target user and a plurality of additional identities; the key identity is used as the public key of the primary account, and a private key matched with it is generated based on identity-based cryptography; for each additional identity, the additional identity is used as the public key of a mirror account, and a private key matched with it is generated based on identity-based cryptography; the private key of the mirror account is secondarily encrypted with the private key of the primary account; corresponding authority and time effectiveness are granted to the private key of each mirror account; and the mirror account is authorized to other users for temporary use. The specific process of creating the mirror account is described in detail in the foregoing embodiments and is not repeated here.
S302, acquiring a public key of the mirror account input by other users during login.
When another entrusted user logs in to the service platform through the mirror account, the user inputs the public key of the mirror account, and the private key of the mirror account is read from the electronic key inserted by the user. Illustratively, in the embodiment of the present invention, as described above, the public key is an additional identifier of the target user, and the private key has been written into the electronic key together with the authority identifier. After the entrusted user opens the login page, the user inputs the public key and inserts the electronic key into the login device, so that the login device can read the private key of the mirror account from the electronic key.
S303, decrypting the digital signature with the public key of the primary account, and judging whether the decryption succeeds.
As described above, the digital signature was produced and issued with the private key of the primary account of the target user and can only be decrypted with the public key of the primary account of the target user. After the private key of the mirror account is acquired, the digital signature attached to it is decrypted. If the decryption succeeds, the digital signature was issued by the target user, and the first hash value is obtained from the decryption. If the decryption fails, the digital signature was not issued by the target user, the verification fails, the login fails, and the process ends.
S304, when the digital signature is successfully decrypted to obtain the first hash value, the digital signature is determined to be issued by the target user.
In the embodiment of the invention, the public key of the primary account number is adopted to decrypt the digital signature, namely, whether the digital signature is issued by the target user is verified. If the decryption can be carried out smoothly, the digital signature is signed by the target user, and the first hash value is obtained through decryption.
S305, calculating a private key of the mirror account by adopting a hash algorithm to obtain a second hash value.
In the embodiment of the invention, after the digital signature is verified, the private key of the mirror account is calculated by adopting a Hash algorithm to obtain a second Hash value.
S306, comparing the first hash value with the second hash value.
The first hash value obtained by decrypting the digital signature is compared with the second hash value. If the two are the same, the private key of the mirror account has not been tampered with in transit, and step S307 is executed; if they differ, the private key of the mirror account has been tampered with in transit, the verification fails, the login fails, and the process ends.
S307, verifying whether the public key of the input mirror account is matched with the private key in the electronic secret key.
In the embodiment of the invention, verifying whether the input public key of the mirror account matches the private key in the electronic key means verifying that the public key of the mirror account is correct. Illustratively, the service platform generates a random number and encrypts it with the public key of the mirror account. The encrypted random number is then decrypted with the private key of the mirror account held in the electronic key: if the decryption succeeds, the input public key of the mirror account is considered to match the private key in the electronic key, and step S308 is executed; if the decryption fails, the input public key of the mirror account is considered not to match the private key in the electronic key, the verification fails, the login fails, and the process ends.
S308, verifying the time effectiveness of the private key of the mirror account.
Exemplarily, in the embodiment of the present invention, it is determined whether the mirror account is in the effective account list. If so, the mirror account is still within its validity period, the verification passes, and step S309 is executed; if not, the validity period of the mirror account has expired, the verification fails, the login fails, and the process ends.
S309, determining the authority of the private key of the mirror account.
When the time effectiveness of the private key of the mirror account passes verification, the login is determined to be successful, and the authority of the private key of the mirror account is further determined. Illustratively, the authority identifier is read from the electronic key and the authority corresponding to it is determined, so as to determine which services the mirror account may process on behalf of the target user.
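As an added example, not code from the patent or its applicant, the following Python models the mirror account lifecycle of Fig. 2 (steps S205 to S209) and the login verification of Fig. 3 (steps S302 to S309) end to end, so that each failure branch described above (signature not issued by the primary account, private key tampered with, input public key not matching the electronic key, validity period expired, account removed from the effective account list) can be exercised with constructed inputs. Because the standard library has no identity-based (pairing-based) primitives, the following are stand-ins and should be read as assumptions: the key generation center's extraction from params and MasterKey is modelled as HMAC-SHA256 derivation of the private key from the identity string, so the identity itself serves as the public key and only the holder of MasterKey can produce the matching private key; the primary account's digital signature over the first hash value is an HMAC tag under the primary private key; and the "encrypt a random number with the public key, decrypt with the private key" check of S307 becomes a keyed challenge-response that the login device answers without revealing the private key. SHA-256 replaces the MD5 digest named in the text, since MD5 collisions are practical and that digest is exactly what the signature protects. The service platform is assumed to hold the key generation center; identities, permission identifiers and timestamps are constructed sample values, and all class and function names are mine.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample permission identifiers; the identifier, not the set, is written to the Ukey (S209).
PERMISSIONS: Dict[str, frozenset] = {
    "P-VIEW": frozenset({"view"}),
    "P-SUBMIT": frozenset({"view", "submit"}),
}


class KeyGenerationCenter:
    """Stand-in for the key generation center of S205/S206: holds MasterKey and
    derives each identity's private key from the identity string, which is the
    public key (assumption: HMAC derivation replaces identity-based extraction)."""

    def __init__(self, master_key: Optional[bytes] = None) -> None:
        self.master_key = master_key or secrets.token_bytes(32)

    def private_key_for(self, identity: str) -> bytes:
        return hmac.new(self.master_key, identity.encode("utf-8"), hashlib.sha256).digest()


@dataclass(frozen=True)
class UKey:
    """Contents of the electronic key handed to the entrusted user (S209)."""
    mirror_priv: bytes
    first_hash: bytes    # digest of mirror_priv (S207 step 1); travels with the signature
    signature: bytes     # tag over first_hash under the primary private key (S207 step 2)
    permission_id: str   # identifier representing the authority


@dataclass(frozen=True)
class LoginResult:
    ok: bool
    reason: str
    permissions: frozenset = frozenset()


def sign_mirror_key(primary_priv: bytes, mirror_priv: bytes) -> Tuple[bytes, bytes]:
    """S207: hash the mirror private key, then sign the hash with the primary private key
    (assumption: an HMAC tag stands in for the primary account's signature)."""
    first_hash = hashlib.sha256(mirror_priv).digest()
    return first_hash, hmac.new(primary_priv, first_hash, hashlib.sha256).digest()


def ukey_answer_challenge(ukey: UKey, nonce: bytes) -> bytes:
    """Login-device side of S307: prove possession of mirror_priv without sending it."""
    return hmac.new(ukey.mirror_priv, nonce, hashlib.sha256).digest()


@dataclass
class ServicePlatform:
    kgc: KeyGenerationCenter
    # Effective account list (S208): mirror public key -> (owner key identity, expiry time)
    valid_accounts: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def create_mirror_account(self, key_identity: str, additional_id: str,
                              permission_id: str, ttl_seconds: int, now: int) -> UKey:
        primary_priv = self.kgc.private_key_for(key_identity)                   # S205
        mirror_priv = self.kgc.private_key_for(additional_id)                   # S206
        first_hash, sig = sign_mirror_key(primary_priv, mirror_priv)            # S207
        self.valid_accounts[additional_id] = (key_identity, now + ttl_seconds)  # S208
        return UKey(mirror_priv, first_hash, sig, permission_id)                # S209

    def purge_expired(self, now: int) -> None:
        """Automatic removal from the effective account list once the time limit is exceeded."""
        self.valid_accounts = {k: v for k, v in self.valid_accounts.items() if v[1] >= now}

    def login(self, mirror_pub: str, ukey: UKey, now: int) -> LoginResult:
        entry = self.valid_accounts.get(mirror_pub)
        if entry is None:
            return LoginResult(False, "mirror account not in effective account list")
        owner_identity, expiry = entry
        # S303/S304: was the signature issued by the owning primary account?
        primary_priv = self.kgc.private_key_for(owner_identity)
        expected_sig = hmac.new(primary_priv, ukey.first_hash, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, ukey.signature):
            return LoginResult(False, "signature not issued by the primary account")
        # S305/S306: second hash of the presented private key must equal the signed first hash.
        second_hash = hashlib.sha256(ukey.mirror_priv).digest()
        if not hmac.compare_digest(second_hash, ukey.first_hash):
            return LoginResult(False, "mirror private key tampered")
        # S307: challenge-response shows the entered public key matches the key in the Ukey.
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.kgc.private_key_for(mirror_pub), nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ukey_answer_challenge(ukey, nonce)):
            return LoginResult(False, "public key does not match private key in electronic key")
        # S308: time effectiveness.
        if now > expiry:
            return LoginResult(False, "mirror account expired")
        # S309: authority from the permission identifier carried on the Ukey.
        return LoginResult(True, "ok", PERMISSIONS.get(ukey.permission_id, frozenset()))
```

The checks run in the order the text gives them (S303, S305/S306, S307, S308, S309), so the expiry of a mirror account is evaluated only after the cryptographic checks; `purge_expired` models the automatic removal from the effective account list, after which a login with that mirror account fails at the list lookup rather than at S308. Every comparison of a tag or digest goes through `hmac.compare_digest` so that the failure branches do not leak timing information about how many bytes matched.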
An account management apparatus is further provided in an embodiment of the present invention, and fig. 4 is a schematic structural diagram of an account management apparatus provided in an embodiment of the present invention, where as shown in fig. 4, the account management apparatus includes:
an information obtaining module 401, configured to, in response to a mirror account creation request sent by a target user through a user terminal, obtain basic personal information authorized by the target user, where the basic personal information includes a key identity identifier and multiple additional identifiers of the target user;
a first private key generation module 402, configured to use the key identity as a public key of a primary account number, and generate a private key paired with the public key of the primary account number based on an identity cryptographic technique;
a second private key generating module 403, configured to, for each additional identifier, use the additional identifier as a public key of a mirror account, and generate a private key paired with the public key of the mirror account based on an identity cryptography;
a secondary encryption module 404, configured to perform secondary encryption on the private key of the mirror account by using the private key of the primary account;
and an authorization module 405, configured to grant corresponding authority and time effectiveness to the private key of each mirror account, and to authorize the mirror account to be temporarily used by another user.
In some embodiments of the invention, the account management apparatus further comprises:
the key identity acquisition module is used for responding to a primary account registration application sent by a target user through a user terminal and acquiring a key identity input by the target user before responding to a mirror account creation request sent by the target user through the user terminal and acquiring personal basic information authorized by the target user;
the physiological characteristic verification module is used for acquiring the physiological characteristics of the target user and identifying the physiological characteristics by adopting a biological identification technology so as to verify whether the key identity identification corresponds to the identity of the target user;
and the additional identification receiving module is used for receiving a plurality of additional identifications input by the target user when the verification is passed, and executing the step of responding to a mirror account creating request sent by the target user through a user terminal and acquiring the personal basic information authorized by the target user.
In some embodiments of the invention, the secondary encryption module 404 includes:
and the digital signature sub-module is used for digitally signing the private key of the mirror account by adopting the private key of the primary account.
In some embodiments of the invention, the digital signature sub-module comprises:
the first hash value calculation unit is used for calculating the private key of the mirror account by adopting a hash algorithm to obtain a first hash value;
and the encryption unit is used for encrypting the first hash value by adopting the private key of the primary account number to obtain a digital signature of the private key of the mirror account number.
In some embodiments of the invention, the authorization module 405 comprises:
the account list establishing submodule is used for establishing an effective account list, adding a public key and a private key of the mirror account into the effective account list, and setting the time effectiveness of the mirror account;
and the writing sub-module is used for writing the private key of the mirror account and the identifier representing the authority into the electronic key.
In some embodiments of the invention, the account management apparatus further comprises:
the mirror account key acquisition module is used for acquiring a public key of a mirror account input by other users during login;
the first verification module is used for verifying, with the private key of the mirror account in the electronic key inserted by the user, whether the input public key of the mirror account matches the private key in the electronic key;
the second verification module is used for verifying the timeliness of the private key of the mirror account when the public key of the input mirror account is matched with the private key in the electronic secret key;
and the permission determining module is used for determining the permission of the private key of the mirror account when the verification is passed.
In some embodiments of the invention, the account management apparatus further comprises:
the digital signature decryption module is used for decrypting the digital signature by adopting a public key of the primary account number;
the determining module is used for determining that the digital signature is issued by a target user when the digital signature is decrypted successfully to obtain the first hash value;
the second hash value calculation module is used for calculating the private key of the mirror account by adopting a hash algorithm to obtain a second hash value;
and the comparison module is used for comparing the first hash value with the second hash value, and when the first hash value is the same as the second hash value, executing a step of verifying whether an input public key of the mirror account and an input private key in the electronic secret key are matched by using a private key of a mirror account in the electronic secret key inserted by a user.
The account management device can execute the account management method provided by any embodiment of the application, and has the corresponding functional modules and beneficial effects of executing the account management method.
An embodiment of the present application provides an electronic device, which may be a service platform in the foregoing embodiment of the present application, and fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as the account management method.
In some embodiments, the account management method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the account management method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the account management method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, that receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
An embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the account management method provided in any embodiment of the present application is implemented.
The computer program code in the computer program product for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired result of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An account management method, characterized in that it comprises the following steps:
responding to a mirror account creation request sent by a target user through a user terminal, and acquiring personal basic information authorized by the target user, wherein the personal basic information comprises a key identity identifier and a plurality of additional identifiers of the target user;
taking the key identity identifier as the public key of a primary account, and generating a private key matching the public key of the primary account based on identity-based cryptography;
for each additional identifier, taking the additional identifier as the public key of a mirror account, and generating a private key matching the public key of the mirror account based on identity-based cryptography;
performing secondary encryption on the private key of the mirror account using the private key of the primary account;
and granting corresponding authority and a validity period to the private key of each mirror account, and authorizing the mirror account to other users for temporary use.
2. The account management method according to claim 1, further comprising, before acquiring the personal basic information authorized by the target user in response to the mirror account creation request sent by the target user through the user terminal:
responding to a primary account registration application sent by the target user through the user terminal, and acquiring the key identity identifier input by the target user;
acquiring physiological characteristics of the target user, and recognizing the physiological characteristics with biometric identification technology to verify whether the key identity identifier corresponds to the identity of the target user;
and when the verification passes, receiving the plurality of additional identifiers input by the target user, and executing the step of responding to the mirror account creation request sent by the target user through the user terminal and acquiring the personal basic information authorized by the target user.
3. The account management method according to claim 1, wherein performing secondary encryption on the private key of the mirror account using the private key of the primary account comprises:
digitally signing the private key of the mirror account with the private key of the primary account.
4. The account management method according to claim 3, wherein digitally signing the private key of the mirror account with the private key of the primary account comprises:
computing a hash of the private key of the mirror account with a hash algorithm to obtain a first hash value;
and encrypting the first hash value with the private key of the primary account to obtain a digital signature of the private key of the mirror account.
5. The account management method according to any one of claims 1 to 4, wherein granting corresponding authority and a validity period to the private key of each mirror account comprises:
establishing an effective account list, adding the public key and the private key of the mirror account to the effective account list, and setting the validity period of the mirror account;
and writing the private key of the mirror account and an identifier representing the authority into an electronic key.
6. The account management method according to claim 4, further comprising:
acquiring the public key of a mirror account input by another user at login;
verifying, using the private key of the mirror account in the electronic key inserted by that user, whether the input public key of the mirror account matches the private key in the electronic key;
when the input public key of the mirror account matches the private key in the electronic key, verifying the validity period of the private key of the mirror account;
and when the verification passes, determining the authority of the private key of the mirror account.
7. The account management method according to claim 6, further comprising:
decrypting the digital signature with the public key of the primary account;
when the digital signature is successfully decrypted to obtain the first hash value, determining that the digital signature was issued by the target user;
computing a hash of the private key of the mirror account with the hash algorithm to obtain a second hash value;
and comparing the first hash value with the second hash value, and when the first hash value is the same as the second hash value, executing the step of verifying, using the private key of the mirror account in the electronic key inserted by the user, whether the input public key of the mirror account matches the private key in the electronic key.
8. An account management apparatus, comprising:
an information acquisition module, configured to respond to a mirror account creation request sent by a target user through a user terminal and acquire personal basic information authorized by the target user, wherein the personal basic information comprises a key identity identifier and a plurality of additional identifiers of the target user;
a first private key generation module, configured to take the key identity identifier as the public key of a primary account and generate a private key matching the public key of the primary account based on identity-based cryptography;
a second private key generation module, configured to take, for each additional identifier, the additional identifier as the public key of a mirror account and generate a private key matching the public key of the mirror account based on identity-based cryptography;
a secondary encryption module, configured to perform secondary encryption on the private key of the mirror account using the private key of the primary account;
and an authorization module, configured to grant corresponding authority and a validity period to the private key of each mirror account and authorize the mirror accounts to other users for temporary use.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the account management method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the account management method according to any one of claims 1 to 7.
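The issuance and login flow of claims 1 and 4 to 7, as an added Go sketch that is not code from the patent or its applicant: an HMAC-keyed key generation centre stands in for identity-based key extraction, Ed25519 stands in for the "encrypt the hash with the private key" signature of claim 4, and the electronic key of claim 5 is a plain struct; the identifiers, master secret and authority strings are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"time"
)
// KGC stands in for the identity-based key generation centre: the identity string
// names the account and its private key is derived from the master secret (stand-in).
type KGC struct{ Master []byte }

func (k KGC) Extract(id string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, k.Master)
	m.Write([]byte(id))
	return ed25519.NewKeyFromSeed(m.Sum(nil)) // HMAC-SHA256 output is the 32-byte seed
}
// ElectronicKey is what claim 5 writes to the token handed to the temporary user.
type ElectronicKey struct {
	MirrorPriv           ed25519.PrivateKey
	FirstHash, Signature []byte // claim 4: hash of the mirror key, signed by the primary key
	Authority            string
	ExpiresAt            time.Time
}
// CreateMirror follows claims 1, 4 and 5: derive the mirror private key, sign its
// hash with the primary private key, and attach authority and validity period.
func CreateMirror(kgc KGC, primaryID, mirrorID, authority string, ttl time.Duration, now time.Time) ElectronicKey {
	mirrorPriv := kgc.Extract(mirrorID)
	h := sha256.Sum256(mirrorPriv)
	return ElectronicKey{mirrorPriv, h[:], ed25519.Sign(kgc.Extract(primaryID), h[:]), authority, now.Add(ttl)}
}

// Login follows claims 6 and 7 on the verifier's side: signature check with the
// primary public key, hash comparison, mirror key match, then validity period.
func Login(primaryPub, mirrorPub ed25519.PublicKey, ek ElectronicKey, now time.Time) (string, error) {
	if !ed25519.Verify(primaryPub, ek.FirstHash, ek.Signature) {
		return "", errors.New("signature was not issued by the primary account")
	}
	if second := sha256.Sum256(ek.MirrorPriv); string(ek.FirstHash) != string(second[:]) {
		return "", errors.New("mirror private key differs from the signed one")
	}
	if string(mirrorPub) != string(ek.MirrorPriv.Public().(ed25519.PublicKey)) {
		return "", errors.New("entered mirror account does not match the token")
	}
	if now.After(ek.ExpiresAt) {
		return "", errors.New("mirror account validity period has elapsed")
	}
	return ek.Authority, nil
}
```

Note that the hash comparison of claim 7 only catches a private key swapped after signing; revocation before the validity period ends still needs the effective account list of claim 5, which this sketch does not model.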
CN202211079267.5A 2022-09-05 2022-09-05 Account management method, device, equipment and storage medium Pending CN115442037A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211079267.5A CN115442037A (en) 2022-09-05 2022-09-05 Account management method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115442037A true CN115442037A (en) 2022-12-06

Family

ID=84245869

Country Status (1)

Country Link
CN (1) CN115442037A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941180A (en) * 2023-02-15 2023-04-07 华中科技大学 Key distribution method and system based on post-quantum security and identity identification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination