CN115529591A - Token-based authentication method, device, equipment and storage medium - Google Patents

Token-based authentication method, device, equipment and storage medium Download PDF

Info

Publication number
CN115529591A
CN115529591A CN202211199515.XA CN202211199515A CN115529591A CN 115529591 A CN115529591 A CN 115529591A CN 202211199515 A CN202211199515 A CN 202211199515A CN 115529591 A CN115529591 A CN 115529591A
Authority
CN
China
Prior art keywords
token
hash value
authentication
server
biological characteristic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211199515.XA
Other languages
Chinese (zh)
Inventor
张文华
刘子羿
田炳霖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Agricultural Bank of China filed Critical Agricultural Bank of China
Priority to CN202211199515.XA priority Critical patent/CN115529591A/en
Publication of CN115529591A publication Critical patent/CN115529591A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]

Abstract

The application provides an authentication method, an authentication device, authentication equipment and a storage medium based on tokens. The method comprises the following steps: after an authentication request of a user is obtained, prompting the user to input biological identification information, and generating a biological characteristic hash value according to the biological identification information input by the user; decrypting the pre-stored encrypted token according to the biological feature hash value to obtain a decrypted token; sending authentication information to the server, wherein the authentication information comprises a token and a biological characteristic hash value after the public key is encrypted, so that the server verifies the biological characteristic hash value in the authentication information by generating the biological characteristic hash value of the token after the private key is decrypted; and after the verification is passed, acquiring an authentication response sent by the server, wherein the authentication response is used for indicating the success of the authentication. The method solves the problems that the current login authentication method can not simultaneously keep the convenience experience of the user and give consideration to the performance overhead while ensuring the information security of the user.

Description

Token-based authentication method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an authentication method, an authentication device, an authentication apparatus, and a storage medium based on a token.
Background
With the popularization of smart phones and the development of internet finance, financial mobile applications develop rapidly, but due to the characteristics of the application field of financial mobile applications, the security guarantee becomes critical.
Compared with non-financial applications, the financial application function relates to high-risk transactions such as user information, account transfer and the like, so that higher requirements on safety are met. Among the functions provided by the financial applications, login and authentication are in the core position of user information protection and application security in the mobile applications. At present, the safety problem of login and authentication is solved by combining automatic login and secondary authentication. That is, after the user logs in once, the user does not need to log in again, and the user can log in automatically through some business logic in the subsequent operation. When some high-risk transactions are carried out, the identity of the user is verified through secondary authentication of the biological identification data.
The current login authentication method has the problems that the user convenience experience cannot be kept and the performance overhead is considered at the same time while the user information safety is ensured.
Disclosure of Invention
The application provides an authentication method, an authentication device, authentication equipment and a storage medium based on a token, which are used for solving the problems that the user convenience experience cannot be simultaneously kept and the performance overhead is considered while the user information safety is ensured in the current login authentication method.
In one aspect, the present application provides a token-based authentication method applied to a terminal, including:
after an authentication request of a user is acquired, prompting the user to input biological identification information, and generating a biological characteristic hash value according to the biological identification information input by the user;
decrypting a pre-stored encrypted token according to the biological characteristic hash value to obtain a decrypted token, wherein the token is sent to a terminal by the server side;
sending authentication information to the server, wherein the authentication information comprises a token and a biological characteristic hash value after public key encryption, so that the server verifies the biological characteristic hash value in the authentication information by generating the biological characteristic hash value of the token after a private key is decrypted;
and after the verification is passed, acquiring an authentication response sent by the server, wherein the authentication response is used for indicating that the authentication is successful.
Optionally, the decrypting the pre-stored encrypted token according to the biometric hash value to obtain a decrypted token includes:
obtaining a decryption key through an SM4 encryption algorithm according to the biological feature hash value and the identifier of the terminal;
and decrypting the pre-stored encrypted token through the decryption key to obtain the decrypted token.
Optionally, after obtaining the authentication request of the user, before prompting the user to input biometric information and generating a biometric hash value according to the biometric information input by the user, the method further includes:
after the user successfully logs in for the first time, prompting the user to carry out biological identification so as to obtain biological identification information of the user, and generating a biological characteristic hash value based on an SM3 algorithm according to the biological identification information;
encrypting the biological characteristic hash value through the public key and sending the biological characteristic hash value to a server so that the server decrypts the biological characteristic hash value through the private key and generates a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm, and the public key is obtained by the terminal from the server in advance;
receiving a token encrypted by the server through a private key, and decrypting the token through the public key;
and obtaining an encryption key through an SM4 encryption algorithm according to the biological characteristic hash value and the identifier of the terminal, and encrypting and storing the token through the encryption key.
Optionally, after the user successfully logs in automatically, or after an authentication response sent by the server is obtained, the method further includes:
receiving a new token encrypted by the server through the private key;
decrypting the new token by the public key;
and encrypting and storing the new token through the encryption key.
In another aspect, the present application provides a token-based authentication method applied to a server, including:
acquiring authentication information sent by a terminal, wherein the authentication information comprises a token and a biological characteristic hash value after public key encryption;
decrypting the encrypted token and the biological characteristic hash value through a private key to obtain a decrypted token and a decrypted biological characteristic hash value;
verifying the biological characteristic hash value in the authentication information according to the biological characteristic hash value of the token generated by the server;
and after the verification is passed, sending an authentication response to the terminal, wherein the authentication response is used for indicating that the authentication is successful.
Optionally, before obtaining the authentication information sent by the client, the method further includes:
after the user successfully logs in for the first time, receiving the biological characteristic hash value which is sent by the terminal and encrypted by the public key;
decrypting the biological characteristic hash value through the private key, and generating a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm;
and encrypting the token through the private key and sending the encrypted token to the terminal.
Optionally, after the user successfully logs in automatically or sends an authentication response to the terminal, the method further includes:
generating a new token based on the biometric hash value;
encrypting the new token with the private key;
and sending the encrypted new token to the terminal.
In a third aspect, the present application provides a token-based authentication apparatus, applied to a terminal, including:
the acquisition module is used for prompting the user to input the biological identification information after acquiring the authentication request of the user, and generating a biological characteristic hash value according to the biological identification information input by the user;
the decryption module is used for decrypting a pre-stored encrypted token according to the biological characteristic hash value to obtain a decrypted token, wherein the token is sent to the terminal by the server side;
the sending module is used for sending authentication information to the server, wherein the authentication information comprises a token and a biological characteristic hash value after public key encryption, so that the server verifies the biological characteristic hash value in the authentication information by generating the biological characteristic hash value of the token after a private key is decrypted;
and the acquisition module is further used for acquiring an authentication response sent by the server after the verification is passed, wherein the authentication response is used for indicating the success of the authentication.
Optionally, the decryption module is specifically configured to:
obtaining a decryption key through an SM4 encryption algorithm according to the biological characteristic hash value and the identifier of the terminal;
and decrypting the pre-stored encrypted token through the decryption key to obtain the decrypted token.
Optionally, the obtaining module is further configured to:
after the user successfully logs in for the first time, prompting the user to carry out biological identification so as to obtain biological identification information of the user, and generating a biological characteristic hash value based on an SM3 algorithm according to the biological identification information;
encrypting the biological characteristic hash value through the public key and sending the biological characteristic hash value to a server so that the server decrypts the biological characteristic hash value through the private key and generates a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm, and the public key is obtained by the terminal from the server in advance;
receiving a token encrypted by the server through a private key, and decrypting the token through the public key;
and obtaining an encryption key through an SM4 encryption algorithm according to the biological feature hash value and the identifier of the terminal, and encrypting and storing the token through the encryption key.
Optionally, the obtaining module is further configured to:
receiving a new token encrypted by the server through the private key;
decrypting the new token by the public key;
and encrypting and storing the new token through the encryption key.
In a fourth aspect of the present application, the present application provides a token-based authentication apparatus, applied to a server, including:
the acquisition module is used for acquiring authentication information sent by a terminal, wherein the authentication information comprises a token and a biological characteristic hash value after a public key is encrypted;
the decryption module is used for decrypting the encrypted token and the encrypted biological characteristic hash value through a private key to obtain a decrypted token and a decrypted biological characteristic hash value;
the verification module is used for verifying the biological characteristic hash value in the authentication information according to the biological characteristic hash value of the token generated by the server;
and the sending module is used for sending an authentication response to the terminal after the verification is passed, wherein the authentication response is used for indicating the success of the authentication.
Optionally, the obtaining module is further configured to:
after the user successfully logs in for the first time, receiving the biological characteristic hash value which is sent by the terminal and encrypted by the public key;
decrypting the biological characteristic hash value through the private key, and generating a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm;
and encrypting the token through the private key and sending the token to the terminal.
Optionally, the sending module is further configured to:
generating a new token based on the biometric hash value;
encrypting the new token with the private key;
and sending the encrypted new token to the terminal.
In a fifth aspect of the present application, there is provided an electronic device including:
a processor and a memory;
the memory stores computer execution instructions;
the processor executes computer-executable instructions stored by the memory to cause the electronic device to perform the method of any one of the first aspects.
In a sixth aspect of the present application, a computer-readable storage medium is provided, in which computer-executable instructions are stored, and the computer-executable instructions are executed by a processor to implement the method for determining the driver of the hardware peripheral according to any one of the first aspect.
The embodiment provides an authentication method, an authentication device, authentication equipment and a storage medium based on a token, wherein the method prompts a user to input biological identification information after acquiring an authentication request of the user through a terminal, and generates a biological characteristic hash value according to the biological identification information input by the user; the terminal decrypts the pre-stored encrypted token according to the biological characteristic hash value to obtain a decrypted token; the terminal sends authentication information to the server; the terminal sends authentication information to the server; the server decrypts the encrypted token and the biological characteristic hash value through the private key to obtain the decrypted token and the biological characteristic hash value; the server side verifies the biological characteristic hash value in the authentication information according to the biological characteristic hash value of the token generated by the server side; after the verification is passed, the server side sends an authentication response to the terminal; and the terminal acquires the authentication response sent by the server. According to the method, the biological characteristic hash value is used for replacing biological identification information for storage, the server side generates the token related to the biological characteristic hash value, the token is encrypted by using the biological characteristic hash value, the secret key is used for encryption in communication, so that the terminal and the server side do not store sensitive information, the biological information is used for participating in secondary authentication, the authentication process is simplified, the risk of information leakage is reduced, the privacy of a user is protected, and the reliability of the authentication result is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a specific application scenario diagram of the token-based authentication method provided in the present application;
fig. 2 is a flowchart of a token-based authentication method according to an embodiment of the present disclosure;
fig. 3 is a flowchart of a token-based authentication method according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a token-based authentication apparatus according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an authentication apparatus based on a token according to an embodiment of the present disclosure;
fig. 6 is a hardware structure diagram of a token-based authentication device according to an embodiment of the present disclosure.
Specific embodiments of the present application have been shown by way of example in the drawings and will be described in more detail below. The drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the concepts of the application by those skilled in the art with reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
First, the terms referred to in the present application will be explained.
The token is a string of fixed-length character strings generated by negotiation between the client and the server, and the token does not carry any client information.
The equipment number is an electronic serial number consisting of 15 digits, corresponds to each mobile phone one by one, is unique all over the world and is generated for the client according to a specific algorithm.
The keyhide storage technology is a secure storage container that is owned by the iOS system. The keypain service provides a secure way to store private information (passwords, private keys, certificates, etc.), with a separate keypain store for each iOS program. The data inside the Keychain is automatically encrypted. Keychain storage security is much higher than localStorage.
The keystore storage technology provides a service for saving and acquiring a private key or a certificate for an application by an Android key bank system. The keystore is a native background daemon. First, the keystore may prevent the key material from being extracted from the application process and the Android device as a whole, thereby avoiding the use of the key material outside of the Android device in an unauthorized manner. Second, the keystore can let applications specify the authorized usage of keys and enforce these restrictions outside the application process, thereby avoiding unauthorized usage of key material on Android devices.
The national cipher algorithm is a set of encryption and decryption algorithms issued by the national cipher administration and consists of a national cipher SM2 algorithm, a national cipher SM3 algorithm and a national cipher SM4 algorithm.
The SM2 cryptographic algorithm is an asymmetric encryption algorithm, and the security intensity and the operation speed are higher than those of the RSA algorithm.
The SM3 cryptographic algorithm is a hash algorithm, generates a hash value with the length of 256 bits, and has complex algorithm design and higher safety.
The SM4 cryptographic algorithm is a packet symmetric encryption algorithm, and the security is higher than that of the DES encryption algorithm.
The automatic login means that the user opens the app which is logged in once again, and the user can use the app without inputting the account password again.
The biological information authentication means that login and identity recognition are realized by using biological information of a user, such as fingerprints, human faces and the like.
The identity authentication information refers to the authentication of the identity of the user through information such as certificate information, mobile phone information and the like of the user.
The biometric hash refers to a unique data string calculated according to a fixed algorithm based on the biometric feature of the user.
Fig. 1 is a specific application scenario diagram of the token-based authentication method provided in the present application. As shown in fig. 1, the application scenario includes: a user 101, a financial application 102 and a server 103. Illustratively, when a user 101 uses a financial application 102 on a terminal, an account password is required to log in when entering the application, the financial application 102 receives a login request of the user, and communicates with a server to confirm the identity of the user 101, and then the user can use the financial application 102 in a background, or when the user 101 conducts high-risk transaction, the user 101 is required to input the account password again to conduct identity verification, so that the user experience is reduced, and when the terminal has a function of storing the account password and the user simultaneously selects the function of storing the account password, the account password of the user is at risk of being stolen.
The application provides a token-based authentication method, the method replaces biological identification information with a biological characteristic hash value for storage, a server generates a token related to the biological characteristic hash value, the token is encrypted by using the biological characteristic hash value, and the secret key is used for encryption in communication, so that the terminal and the server do not store sensitive information, and the biological information participates in secondary authentication, the authentication flow is simplified, the risk of information leakage is reduced, the privacy of a user is protected, and the reliability of an authentication result is improved.
The present application provides a token-based authentication method, which aims to solve the above technical problems in the prior art.
The following describes the technical solution of the present application and how to solve the above technical problems in detail by specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a first flowchart of a token-based authentication method according to an embodiment of the present disclosure. As shown in fig. 2, the present embodiment first describes the process of performing the secondary authentication after the terminal successfully logs in. The method provided by the embodiment comprises the following steps:
s201, after acquiring an authentication request of a user, a terminal prompts the user to input biological identification information and generates a biological characteristic hash value according to the biological identification information input by the user;
in this embodiment, the secondary authentication is mainly performed in a secure token manner. In the financial mobile application, the implementation logic of the secondary authentication mainly includes the following: one is that the mobile application locally stores the login name and password of the user, and uses the information stored by the terminal to log in the subsequent automatic login action; one is to use long connection, the terminal and the server establish long connection which is not released for a long time, and retrieve the login state through the long connection; one is to use a security token generated according to some logic to perform operations as credentials in subsequent auto-login procedures. The method comprises the steps that an account password is used for manual login or automatic login, so that the risk that a message is intercepted and replayed exists, and the protection of user information is not facilitated; the long connection is used for automatic login, the load pressure on the server side is high, and the performance of the service provider is greatly checked. Therefore, the method and the system adopt the safety token based on the user biological information for authentication, the basic flow is that the server generates the token corresponding to the user biological information and stores the corresponding relation between the token and the biological information, then the token is sent to the terminal, when the terminal carries out secondary authentication, the token and the hash value corresponding to the biological information are carried and sent to the server, and the server verifies whether the token sent by the terminal corresponds to the hash value of the biological information sent by the server, so that the user can be authenticated.
After acquiring the authentication request of the user, the terminal acquires the biometric information of the user, so as to generate the biometric hash value according to the biometric information. The biometric hash value is a data string related to the biometric and has uniqueness. The terminal does not store the biometric information of the user after acquiring the biometric information, but uses the biometric hash value as the original input data and generates the biometric hash value by using an algorithm, so that the biometric information is not stored in the terminal, and the biometric information is prevented from being stolen.
S202, the terminal decrypts the pre-stored encrypted token according to the biological characteristic hash value to obtain a decrypted token, wherein the token is sent to the terminal by the server side;
in this embodiment, when performing the second authentication, the token sent to the terminal by the server is already obtained after the first login is successful. The token is stored in the keyhain or keystore of the terminal, and is encrypted during storage, so as to ensure that when the terminal is attacked, if the token is stolen and no secret key is available, the obtained data cannot be decrypted to obtain the token. In this embodiment, the token is encrypted using a biometric hash value. Meanwhile, when encryption is carried out, the equipment number of the terminal can be combined, so that the secret key is obtained and bound with the terminal, and the safety of the token is further ensured.
Therefore, after the token in the keyhain or keystore is obtained, decryption is required, and a decrypted key needs to be generated by the biometric hash value.
Optionally, a decryption key may be obtained through an SM4 encryption algorithm according to the biometric hash value and the identifier of the terminal, and then the terminal decrypts the pre-stored encrypted token through the decryption key to obtain the decrypted token.
In this embodiment, when the token is encrypted based on the biometric hash value and the identifier of the terminal, an SM4 encryption algorithm may be adopted, that is, a part of the biometric hash value and the serial number of the terminal are intercepted as an encryption key of the SM4 encryption algorithm. Therefore, the biometric hash value and the terminal identifier are also required to calculate the decryption key during decryption.
It will be understood by those skilled in the art that the token may be issued to the terminal by the server after the terminal first logs in or automatically logs in. For example, the terminal receives a new token encrypted by a private key from the server; the terminal decrypts the new token through the public key and encrypts and stores the new token through the encryption key.
S203, the terminal sends authentication information to the server, wherein the authentication information comprises a token and a biological characteristic hash value after the public key is encrypted;
in this embodiment, the server does not store the biometric information of the user. The token is essentially a long character string, and in order to make it correspond to the biometric information of the user, when the server generates the token, the server generates a random character string corresponding to the biometric hash value by using an algorithm, that is, the token. And then, the server stores the biological characteristic hash value and the token corresponding to the biological characteristic hash value, and takes out the biological characteristic hash value and compares the biological characteristic hash value and the token when waiting for authentication. Therefore, the terminal needs to transmit authentication information including the token and the biometric hash value after the public key encryption when performing authentication.
In this embodiment, the public key is generated by the server using an algorithm and then sent to the terminal. When the terminal logs in for the first time, the terminal sends a request to the server, and the request is used for requesting the server to generate a pair of secret keys, a public key and a private key. The server stores the private key and sends the public key to the terminal. The method can encrypt the communication process between the terminal and the server, and further ensure the financial security of the user. And when the terminal sends the authentication information to the server, the terminal encrypts the authentication information by using the public key generated by the server.
S204, the server side obtains authentication information sent by the terminal;
s205, the server decrypts the encrypted token and the biological characteristic hash value through a private key to obtain the decrypted token and the biological characteristic hash value;
in this embodiment, the private key is a pair of keys generated by the server using an algorithm with the public key in the above steps. The authentication information sent by the terminal and received by the server is encrypted by the public key, so that the server needs to obtain a specific token and a biological characteristic hash value for verification, namely, the authentication information needs to be decrypted by using a private key.
S206, the server side verifies the biological characteristic hash value in the authentication information according to the biological characteristic hash value of the token generated by the server side;
in this embodiment, in order to authenticate that the token sent by the terminal is the generated token, the biometric hash value of the user used is compared with the biometric hash value of the generated token stored in the server, and thus the verification is completed.
S207, after the verification is passed, the server side sends an authentication response to the terminal, and the authentication response is used for indicating that the authentication is successful;
s208, the terminal acquires the authentication response sent by the server.
After the server sends the authentication response to the terminal, the token is aged, the server may send a new token to the terminal again, for example, the server generates a new token through the stored biometric hash value, and sends the new token to the terminal after encrypting the new token through the private key, and the terminal decrypts the new token through the public key and encrypts and stores the new token through the encryption key.
In this embodiment, in order to prevent someone from stealing the token, the token is used to perform subsequent secondary authentication or high-risk operation, after the automatic login after the first login is successful, or after the terminal sends the token to the server and passes the authentication, the server discards the verified token, generates a new random character string token using the biometric hash value, and encrypts and sends the token to the terminal. After receiving the new token, the terminal first decrypts the token, and then encrypts and stores the token in the above steps.
The embodiment provides an authentication method based on a token, which prompts a user to input biological identification information after acquiring an authentication request of the user through a terminal, and generates a biological characteristic hash value according to the biological identification information input by the user; the terminal decrypts the pre-stored encrypted token according to the biological characteristic hash value to obtain a decrypted token; the terminal sends authentication information to the server; the terminal sends authentication information to the server; the server decrypts the encrypted token and the biological characteristic hash value through a private key to obtain the decrypted token and the biological characteristic hash value; the server side verifies the biological characteristic hash value in the authentication information according to the biological characteristic hash value of the token generated by the server side; after the verification is passed, the server side sends an authentication response to the terminal; and the terminal acquires the authentication response sent by the server. According to the method, the biological characteristic hash value is used for storing instead of biological identification information, the server generates the token related to the biological characteristic hash value, the token is encrypted by using the biological characteristic hash value, the secret key is used for encryption in communication, so that the terminal and the server do not store sensitive information, the biological information is used for participating in secondary authentication, the authentication flow is simplified, meanwhile, the risk of information leakage is reduced, the privacy of a user is protected, and meanwhile, the reliability of a verification result is improved.
Fig. 3 is a flowchart of a token-based authentication method according to an embodiment of the present disclosure. As shown in fig. 2, the present embodiment describes in detail a process of first login of a terminal based on the embodiment shown in fig. 2. The method of the embodiment comprises the following steps:
s301, after the user successfully logs in for the first time, the terminal prompts the user to carry out biological identification so as to obtain biological identification information of the user, and a biological characteristic hash value is generated based on an SM3 algorithm according to the biological identification information;
in this embodiment, the biometric information is used during automatic login or secondary authentication, and the biometric information is not entered during the first login, so that after the user successfully logs in for the first time, if the user starts the automatic login, the user is required to enter the biometric information. After obtaining the biometric information, the terminal does not save it, but directly as an input to the SM3 algorithm, generating a unique string of data, i.e. a biometric hash value.
S302, the terminal encrypts the biological characteristic hash value through the public key and sends the biological characteristic hash value to the server;
in this embodiment, the obtaining of the public key is already described in S203 of the embodiment shown in fig. 2, and is not described here again.
S303, the server receives the biological characteristic hash value which is sent by the terminal and encrypted by the public key;
s304, the server decrypts the biological characteristic hash value through a private key, and generates a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm;
in this embodiment, the public key and the private key are generated by the server based on the SM2 encryption algorithm. In order to obtain a token uniquely associated with biometric information of a user without storing the biometric information in a server, a random string, i.e., the token, is generated using a biometric hash value uniquely associated with the biometric information. Those skilled in the art can understand that, for a user, the biometric identification information corresponding to the user is unique, and the biometric hash value generated by using the same algorithm is also unique, but the token corresponding to the user is not unique, but only the latest token is stored in the server. The token is revoked after being verified, and the new token generated after this is different from the last revoked token.
S305, the server encrypts the token through a private key and sends the token to the terminal;
in this embodiment, the private key is generated by the server based on the SM2 encryption algorithm.
S306, the terminal receives the token encrypted by the server through the private key and decrypts the token through the public key;
in this embodiment, the public key is generated by the server based on the SM2 encryption algorithm.
S307, the terminal obtains an encryption key through an SM4 encryption algorithm according to the biological characteristic hash value and the identifier of the terminal, and encrypts and stores the token through the encryption key;
in this embodiment, the reason why the token is encrypted by using the biometric hash value is that the terminal does not store the biometric information of the user, and after the biometric information of the user is input into the terminal each time, the biometric information of the user is used as the input of the SM4 encryption algorithm and the identifier of the terminal which is also used as the input of the SM4 encryption algorithm, and the key of the SM4 encryption algorithm is immediately generated, and then the token is encrypted by using the key and stored in keyhide or keystore. Thus, even if someone steals the token, the encrypted token cannot be used without the biometric information of the user.
In this embodiment, after the token is authenticated once, the server may be abolished to regenerate a new token for security of the token, and send the new token to the terminal.
Fig. 4 is a schematic structural diagram of an authentication apparatus based on a token according to an embodiment of the present disclosure. The apparatus of the present embodiment may be in the form of software and/or hardware. As shown in fig. 4, the token-based authentication apparatus 400 provided in this embodiment is applied to a terminal, and includes an obtaining module 401, a decryption module 402 and a sending module 403,
the obtaining module 401 is configured to prompt the user to input biometric information after obtaining an authentication request of the user, and generate a biometric hash value according to the biometric information input by the user;
a decryption module 402, configured to decrypt a pre-stored encrypted token according to the biometric hash value, and obtain a decrypted token, where the token is sent to the terminal by the server;
the sending module 403 is configured to send authentication information to the server, where the authentication information includes the token and the biometric hash value encrypted by the public key, so that the server verifies the biometric hash value in the authentication information by generating the biometric hash value of the token after decrypting the private key;
the obtaining module 401 is further configured to obtain, after the verification is passed, an authentication response sent by the server, where the authentication response is used to indicate that the authentication is successful.
In a possible implementation manner, the decryption module is specifically configured to:
obtaining a decryption key through an SM4 encryption algorithm according to the biological feature hash value and the identifier of the terminal;
and decrypting the pre-stored encrypted token through the decryption key to obtain the decrypted token.
In a possible implementation manner, the obtaining module is further configured to:
after the user successfully logs in for the first time, prompting the user to carry out biological identification so as to obtain biological identification information of the user, and generating a biological characteristic hash value based on an SM3 algorithm according to the biological identification information;
encrypting the biological characteristic hash value through a public key and sending the encrypted biological characteristic hash value to a server so that the server decrypts the biological characteristic hash value through a private key and generates a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm, and the public key is obtained by a terminal from the server in advance;
receiving a token encrypted by the server through a private key, and decrypting the token through a public key;
and obtaining an encryption key through an SM4 encryption algorithm according to the biological characteristic hash value and the identifier of the terminal, and encrypting and storing the token through the encryption key.
In a possible implementation manner, the obtaining module is further configured to:
receiving a new token encrypted by a server through a private key;
decrypting the new token through the public key;
the new token is encrypted by the encryption key and stored.
Fig. 5 is a schematic structural diagram of an authentication apparatus based on a token according to an embodiment of the present disclosure. The apparatus of the present embodiment may be in the form of software and/or hardware. As shown in fig. 5, an authentication apparatus 500 based on a token provided in this embodiment of the present application, applied to a server, includes an obtaining module 501, a decryption module 502, a verification module 503, and a sending module 504,
an obtaining module 501, configured to obtain authentication information sent by a terminal, where the authentication information includes a token and a biometric hash value after public key encryption;
the decryption module 502 is configured to decrypt the encrypted token and the biometric hash value through a private key to obtain a decrypted token and a decrypted biometric hash value;
the verification module 503 is configured to verify the biometric hash value in the authentication information according to the biometric hash value of the token generated by the server;
a sending module 504, configured to send an authentication response to the terminal after the verification is passed, where the authentication response is used to indicate that the authentication is successful.
In a possible implementation manner, the obtaining module is further configured to:
after the user successfully logs in for the first time, receiving a biological characteristic hash value which is sent by a terminal and encrypted by a public key;
decrypting the biological characteristic hash value through a private key, and generating a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server side based on an SM2 encryption algorithm;
and encrypting the token through a private key and sending the token to the terminal.
In a possible implementation manner, the sending module is further configured to:
generating a new token based on the biometric hash value;
encrypting the new token by the private key;
and sending the encrypted new token to the terminal.
Fig. 6 is a hardware structure diagram of a token-based authentication device according to an embodiment of the present disclosure. As shown in fig. 6, the token-based authentication apparatus 600 includes:
a processor 601 and a memory 602;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored by the memory 602 to cause the electronic device to perform the token-based authentication method as described above.
It should be understood that the Processor 601 may be a Central Processing Unit (CPU), other general-purpose processors, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor, or in a combination of the hardware and software modules within the processor. The Memory 602 may include a high-speed Random Access Memory (RAM), a Non-volatile Memory (NVM), at least one disk Memory, a usb disk, a removable hard disk, a read-only Memory, a magnetic disk, or an optical disk.
The embodiment of the present application further provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the token-based authentication method is implemented.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A token-based authentication method applied to a terminal, the method comprising:
after an authentication request of a user is acquired, prompting the user to input biological identification information, and generating a biological characteristic hash value according to the biological identification information input by the user;
decrypting a pre-stored encrypted token according to the biological feature hash value to obtain a decrypted token, wherein the token is sent to a terminal by the server side;
sending authentication information to the server, wherein the authentication information comprises a token and a biological characteristic hash value after public key encryption, so that the server verifies the biological characteristic hash value in the authentication information by generating the biological characteristic hash value of the token after private key decryption;
and after the verification is passed, acquiring an authentication response sent by the server, wherein the authentication response is used for indicating that the authentication is successful.
2. The method according to claim 1, wherein decrypting the pre-stored encrypted token according to the biometric hash value to obtain a decrypted token comprises:
obtaining a decryption key through an SM4 encryption algorithm according to the biological characteristic hash value and the identifier of the terminal;
and decrypting the pre-stored encrypted token through the decryption key to obtain the decrypted token.
3. The method of claim 1, wherein after obtaining the authentication request of the user, prompting the user to input biometric information, and before generating the biometric hash value based on the biometric information input by the user, the method further comprises:
after the user successfully logs in for the first time, prompting the user to carry out biological identification so as to obtain biological identification information of the user, and generating a biological characteristic hash value based on an SM3 algorithm according to the biological identification information;
encrypting the biological characteristic hash value through the public key and sending the biological characteristic hash value to a server so that the server decrypts the biological characteristic hash value through the private key and generates a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm, and the public key is obtained by the terminal from the server in advance;
receiving a token encrypted by the server through a private key, and decrypting the token through the public key;
and obtaining an encryption key through an SM4 encryption algorithm according to the biological feature hash value and the identifier of the terminal, and encrypting and storing the token through the encryption key.
4. The method according to claim 3, wherein after the user logs in successfully automatically or acquires an authentication response sent by the server, the method further comprises:
receiving a new token encrypted by the server through the private key;
decrypting the new token by the public key;
and encrypting and storing the new token through the encryption key.
5. A token-based authentication method is applied to a server side, and comprises the following steps:
acquiring authentication information sent by a terminal, wherein the authentication information comprises a token and a biological characteristic hash value which are encrypted by a public key;
decrypting the encrypted token and the biological characteristic hash value through a private key to obtain a decrypted token and a decrypted biological characteristic hash value;
verifying the biological characteristic hash value in the authentication information according to the biological characteristic hash value of the token generated by the server;
and after the verification is passed, sending an authentication response to the terminal, wherein the authentication response is used for indicating that the authentication is successful.
6. The method according to claim 5, wherein before obtaining the authentication information sent by the client, the method further comprises:
after the user successfully logs in for the first time, receiving the biological characteristic hash value which is sent by the terminal and encrypted by the public key;
decrypting the biological characteristic hash value through the private key, and generating a token based on the decrypted biological characteristic hash value, wherein the public key and the private key are generated by the server based on an SM2 encryption algorithm;
and encrypting the token through the private key and sending the encrypted token to the terminal.
7. The method according to claim 6, wherein after the user logs in successfully or sends an authentication response to the terminal, the method further comprises:
generating a new token based on the biometric hash value;
encrypting the new token with the private key;
and sending the encrypted new token to the terminal.
8. An authentication device based on token, applied to a terminal, comprising:
the acquisition module is used for prompting the user to input the biological identification information after acquiring the authentication request of the user, and generating a biological characteristic hash value according to the biological identification information input by the user;
the decryption module is used for decrypting a pre-stored encrypted token according to the biological characteristic hash value to obtain a decrypted token, wherein the token is sent to the terminal by the server side;
the sending module is used for sending authentication information to the server, wherein the authentication information comprises a token and a biological characteristic hash value after public key encryption, so that the server verifies the biological characteristic hash value in the authentication information by generating the biological characteristic hash value of the token after a private key is decrypted;
and the acquisition module is further used for acquiring an authentication response sent by the server after the verification is passed, wherein the authentication response is used for indicating the success of the authentication.
9. An electronic device, comprising: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored by the memory, causing the electronic device to perform the method of any of claims 1-7.
10. A computer-readable storage medium having computer-executable instructions stored thereon for implementing a token-based authentication method as claimed in any one of claims 1 to 7 when executed by a processor.
CN202211199515.XA 2022-09-29 2022-09-29 Token-based authentication method, device, equipment and storage medium Pending CN115529591A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211199515.XA CN115529591A (en) 2022-09-29 2022-09-29 Token-based authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211199515.XA CN115529591A (en) 2022-09-29 2022-09-29 Token-based authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115529591A true CN115529591A (en) 2022-12-27

Family

ID=84700448

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211199515.XA Pending CN115529591A (en) 2022-09-29 2022-09-29 Token-based authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115529591A (en)

Similar Documents

Publication Publication Date Title
US8112787B2 (en) System and method for securing a credential via user and server verification
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
CN107317677B (en) Secret key storage and equipment identity authentication method and device
JP2018521417A (en) Safety verification method based on biometric features, client terminal, and server
CN108768963B (en) Communication method and system of trusted application and secure element
US20230368194A1 (en) Encryption method and decryption method for payment key, payment authentication method, and terminal device
CN109818747B (en) Digital signature method and device
US20180247313A1 (en) Fingerprint security element (se) module and payment verification method
CN107920052B (en) Encryption method and intelligent device
CN107733636B (en) Authentication method and authentication system
CN110659467A (en) Remote user identity authentication method, device, system, terminal and server
CN112565265B (en) Authentication method, authentication system and communication method between terminal devices of Internet of things
WO2021190197A1 (en) Method and apparatus for authenticating biometric payment device, computer device and storage medium
KR100939725B1 (en) Certification method for a mobile phone
TW201108696A (en) Account identification system, method and peripheral device of performing function thereof
CN112861148B (en) Data processing method, server, client and encryption machine
CN108768941B (en) Method and device for remotely unlocking safety equipment
US20020018570A1 (en) System and method for secure comparison of a common secret of communicating devices
CN113872989A (en) Authentication method and device based on SSL protocol, computer equipment and storage medium
CN112039857B (en) Calling method and device of public basic module
TW202207667A (en) Authentication and validation procedure for improved security in communications systems
CN112487380A (en) Data interaction method, device, equipment and medium
WO2014166193A1 (en) Application encryption processing method, apparatus, and terminal
CN110968878A (en) Information transmission method, system, electronic device and readable medium
CN115529591A (en) Token-based authentication method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination