CN117034232A - User identity security inspection method and device based on zero knowledge proof - Google Patents
User identity security inspection method and device based on zero knowledge proof Download PDFInfo
- Publication number
- CN117034232A CN117034232A CN202311290575.7A CN202311290575A CN117034232A CN 117034232 A CN117034232 A CN 117034232A CN 202311290575 A CN202311290575 A CN 202311290575A CN 117034232 A CN117034232 A CN 117034232A
- Authority
- CN
- China
- Prior art keywords
- user
- identity
- key
- verification
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 28
- 238000007689 inspection Methods 0.000 title claims abstract description 8
- 238000012795 verification Methods 0.000 claims abstract description 103
- 230000006978 adaptation Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
Abstract
The invention provides a user identity security inspection method based on zero knowledge proof, which is characterized by comprising the following steps: s1, a user inputs a user name and a password to register at a client, and a certification key and a verification key are generated at a server based on zero knowledge certification according to the user name input by the user; s2, the user inputs the registered user name and the user password at the client, an identity verification result is generated at the client through the password, the random number and the verification key which are input by the user by the identity verification generator, an identity verification result is generated through the identity verifier, and the identity verification result are compared to obtain the user identity verification result. The invention uses zero knowledge proof to ensure the safety of user login without revealing user password, and even if revealing user name and password abstract, the user identity is not imposted and replaced.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a user identity security inspection method and device based on zero knowledge proof.
Background
With the popularization of the internet and mobile devices, providing services to a plurality of users through interfaces in the form of Web, APP and the like in a service form becomes a very common way. Thus, for such a multi-tenant traffic pattern, verifying the identity of the accessing user to provide differentiated services and its own unique data is a process that must be performed. Therefore, before these services can be used effectively, the account number must be registered. While there are many forms of login, one of the most basic and common forms is a login method based on a user name and a password, such as QQ, mailbox, and other applications. But this approach requires storing the user's password or digest information thereof on the service provider's server. Therefore, it has the following problems:
(1) If the password is stored in a plaintext form, a great hidden danger exists in the influence range of the privacy and the security of the user; thus, typically the service side will not choose this form;
(2) If the user is stored in a password Hash mode, although the user privacy is solved, the current processing mode of checking the user identity by using the password Hash still faces the security problem after the user is revealed, namely the user is not the own user to finish the login of the user.
Disclosure of Invention
The technical problem to be solved by the invention is to provide the user identity safety inspection method and the device based on the zero knowledge proof, which use the zero knowledge proof to ensure the safety problem of the server side under the condition that the user password is not revealed, namely revealing the user name and the password abstract, and not causing the user identity to be imposter.
In order to solve the technical problems, the embodiment of the invention provides a user identity security inspection method based on zero knowledge proof, which comprises the following steps:
s1, a user inputs a user name and a password to register at a client, and a certification key and a verification key are generated at a server based on zero knowledge certification according to the user name input by the user;
s2, the user inputs the registered user name and the user password at the client, an identity verification result is generated by the user through the password, the random number and the verification key which are input by the user at the client through the identity verification generator, an identity verification result is generated by the server through the identity verifier for the password, the random number and the verification key which are registered by the user, and the identity verification result are compared to obtain the user identity verification result.
The specific steps of step S1 are as follows:
s1.1, a user generates a registration request at a client, and sends a user name UserName to a server through the client;
s1.2, the server receives a registration request, generates a proof key PK and a verification key VK based on zero knowledge proof through a key manager according to hash values of a user name and a user password input by a user, and associates the user name.
The specific steps of step S2 are as follows:
s2.1, a user generates a login request at a client, carries a user name UserName of the login user, and sends the user name UserName to a server through the client;
s2.2, when the server receives a login request, generating a random number N for the user to login, and returning the random number N and a proof key PK based on zero knowledge proof generated in a registration stage to the client;
s2.3, a user inputs a user password p at a client, an identity authentication generator Prover is called, the user password p, a random number N and an authentication key PK are input to the identity authentication generator Prover, and an identity authentication result ZKProof is generated;
s2.4, the client sends an identity certificate to the server, wherein the identity certificate comprises an identity certificate ZKProof and a user name UserName;
s2.5, when the server receives the identity certificate, the corresponding verification key VK and the random number N are found according to the user name UserName;
s2.6, the server calls an identity Verifier, inputs a hash value of a user password p, a random number N and a verification key VK, and generates an identity verification result: if the verification result is True, the user identity verification is passed; if the verification result is False, the user identity verification fails.
The embodiment of the invention also provides a user identity security checking device based on zero knowledge proof, which comprises:
the identification generator is used for generating an identification result required by login according to the user password, the random number and the identification key, wherein the zero knowledge identification information generation method comprises the following steps: generating zero knowledge proving information required by login according to the user password, the random number and the proving key;
a key manager for generating and querying a zero knowledge proof key, comprising a proof key and a verification key;
the authentication device is used for generating an authentication result required by login according to the user registration password Hash, the random number and the authentication key, wherein the zero knowledge authentication information generation method comprises the following steps: and generating zero knowledge verification information required by login according to the user registration password Hash, the random number and the verification key.
Wherein, the user identity safety inspection device based on zero knowledge proof further comprises:
the random string generation module is used for receiving a login request sent by the client and returning the generated random string to the client;
and the login verification module is used for generating a verification result according to the identification result and the identity verification result so as to determine whether the login of the client is successful.
The present invention also provides a computer readable storage medium for storing computer instructions that, when run on a computer, cause the computer to perform the method described in the zero knowledge proof based user identity security verification method provided by the present invention.
The technical scheme of the invention has the following beneficial effects:
the verification method, the corresponding device and the electronic equipment provided by the invention adopt the client to send a login request to the server, receive the random number and the certification key returned by the server, generate an identity certification result according to the input user password, the random number and the certification key, and generate an identity verification result according to the hash value of the user registration password, the random number and the verification key, so that the server generates the verification result according to the identity certification result and the identity verification result. The login is carried out in a zero knowledge proof mode, so that the server can confirm that the identity of the client is correct under the condition that the server does not store the password, and the random number, the proof key and the verification key returned by the server each time enable zero knowledge proof information generated each time to be different, so that the safety problem of the server is ensured under the condition that the user password is not revealed, and the user identity is not imposted and replaced even if the user name and the password abstract are revealed.
Drawings
FIG. 1 is a flowchart I of a user identity security verification method based on zero knowledge proof provided by an embodiment of the invention;
FIG. 2 is a second flowchart of a user identity security verification method based on zero knowledge proof according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a user identity security check device based on zero knowledge proof provided by the invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved more apparent, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
As shown in fig. 1, an embodiment of the present invention provides a user identity security verification method based on zero knowledge proof, including the following steps:
s1, a user inputs a user name and a password to register at a client, and a server generates a certification key and a verification key based on zero knowledge certification according to the user name input by the user: s1.1, a user generates a registration request at a client, and sends a user name UserName to a server through the client;
s1.2, the server receives a registration request, generates a proof key PK and a verification key VK based on zero knowledge proof through a key manager according to hash values of a user name and a user password input by a user, and associates the user name.
S2, the user inputs the registered user name and the user password at the client, an identity verification result is generated by the user through the password, the random number and the verification key which are input by the user at the client through the identity verification generator, an identity verification result is generated by the server through the identity verifier for the password, the random number and the verification key which are registered by the user, and the identity verification result are compared to obtain the user identity verification result:
s2.1, a user generates a login request at a client, carries a user name UserName of the login user, and sends the user name UserName to a server through the client;
s2.2, when the server receives a login request, generating a random number N for the user to login, and returning the random number N and a proof key PK based on zero knowledge proof generated in a registration stage to the client;
s2.3, a user inputs a user password p at a client, an identity authentication generator Prover is called, the user password p, a random number N and an authentication key PK are input to the identity authentication generator Prover, and an identity authentication result ZKProof is generated;
s2.4, the client sends an identity certificate to the server, wherein the identity certificate comprises an identity certificate ZKProof and a user name UserName;
s2.5, when the server receives the identity certificate, the corresponding verification key VK and the random number N are found according to the user name UserName;
s2.6, the server calls an identity Verifier, inputs a hash value of a user password p, a random number N and a verification key VK, and generates an identity verification result: if the verification result is True, the user identity verification is passed; if the verification result is False, the user identity verification fails. And the identity Verifier calculates according to the key VK to obtain a conclusion whether the identity verification is passed or not, wherein the conclusion is a Boolean value, namely True indicates that the verification is passed, and False indicates that the verification is failed.
As shown in fig. 3, an embodiment of the present invention further provides a user identity security checking device based on zero knowledge proof, including:
the identification generator is used for generating an identification result required by login according to the user password, the random number and the identification key, wherein the zero knowledge identification information generation method comprises the following steps: generating zero knowledge proving information required by login according to the user password, the random number and the proving key;
a key manager for generating and querying a zero knowledge proof key, comprising a proof key and a verification key;
the authentication device is used for generating an authentication result required by login according to the user registration password Hash, the random number and the authentication key, wherein the zero knowledge authentication information generation method comprises the following steps: generating zero knowledge verification information required by login according to the user registration password Hash, the random number and the verification key;
the random string generation module is used for receiving a login request sent by the client and returning the generated random string to the client;
and the login verification module is used for generating a verification result according to the identification result and the identity verification result so as to determine whether the login of the client is successful.
In practical application, the user app is generally used as a client to interact with the server, and the server is generally used as a server to interact with the client, so as shown in fig. 2, according to the above-mentioned user identity security checking method and device based on zero knowledge proof, the flow in the whole system is as follows:
when a user needs to log in a service provided by a service provider, firstly, a login request is initiated to a service S and a user name UserName of the logged-in user is carried;
after receiving the login request, the service S generates a random number N for the user during login through a random string generation module, generates and records a certification key PK and a verification key VK through a key manager, and forms a corresponding relation with a user name UserName; then, at least returning the random number N and the certification key PK to the user APP;
the user APP obtains a secret password P of the user from the user;
the user APP calls an identity authentication generator Prover, takes a password P and a random number N of the user as input, and generates an identity authentication ZKProof according to an authentication key PK;
the user APP sends a login credential to the server S, wherein the login credential carries an identification ZKProof and a user name UserName;
after receiving the login credentials, the server S finds out the login random number N corresponding to the login credentials and the verification key VK corresponding to the certification key PK according to the user name UserName;
the server S calls an identity authentication Verifier, takes a password Hash (P) of a user, a random number N and an identity authentication ZKProof as inputs, and generates an identity authentication result according to an authentication key VK: if the verification result is True, the user identity verification is passed; false, the authentication fails.
The zero knowledge proof based method can ensure that: if the user password P and the random number N input during the generation of the certification and the certification result ZKProof are inconsistent with the user password Hash (P), the random number N and the identity verification result generated by the certifier Verifier during the verification, the identity verification is certainly failed. The Verifier verifiers calculate the random numbers N and ZKProof by inputting the Hash value Hash (P) of the user password P, and the Verifier verifiers calculate according to the verification key VK to obtain a conclusion whether the identity passes verification, wherein the conclusion is a Boolean value, true indicates that the verification passes, and False indicates that the verification fails.
Embodiments of the present invention further provide a non-transitory computer readable storage medium storing a program or instructions that cause a computer to execute the steps of the embodiments of the authentication method based on zero knowledge proof, and to avoid repetition of the description, no further description is given here.
The present invention provides a secure authentication scheme using zero knowledge proof by which data security in web applications is enhanced. It supports a secure authentication process without the need to transmit a password through a channel. The client sends a login request to the server, receives a random number and a certification key returned by the server, generates an identity certification result according to the input user password, the random number and the certification key, and generates an identity verification result according to the hash value of the user registration password, the random number and the verification key, so that the server generates the verification result according to the identity certification result and the identity verification result. The login is carried out in a zero knowledge proof mode, so that the server can confirm that the identity of the client is correct under the condition that the server does not store the password, and the random number, the proof key and the verification key returned by the server each time enable zero knowledge proof information generated each time to be different, so that the safety problem of the server is ensured under the condition that the user password is not revealed, and the user identity is not imposted and replaced even if the user name and the password abstract are revealed.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.
Claims (6)
1. The user identity security inspection method based on zero knowledge proof is characterized by comprising the following steps:
s1, a user inputs a user name and a password to register at a client, and a certification key and a verification key are generated at a server based on zero knowledge certification according to the user name input by the user;
s2, the user inputs the registered user name and the user password at the client, an identity verification result is generated by the user through the password, the random number and the verification key input by the user at the client through the identity verification generator, an identity verification result is generated by the user through the identity verifier, and the identity verification result are compared to obtain the user identity verification result.
2. The user identity security verification method based on zero knowledge proof according to claim 1, wherein the specific steps of step S1 are as follows:
s1.1, a user generates a registration request at a client, and sends a user name UserName to a server through the client;
s1.2, the server receives a registration request, generates a proof key PK and a verification key VK based on zero knowledge proof through a key manager according to hash values of a user name UserName and a user password p input by a user, and associates the user name UserName.
3. The user identity security check method based on zero knowledge proof according to claim 1, wherein the step S2 comprises the specific steps of:
s2.1, a user generates a login request at a client, carries a user name UserName of the login user, and sends the user name UserName to a server through the client;
s2.2, when the server receives a login request, generating a random number N for the user to login, and returning the random number N and a proof key PK based on zero knowledge proof generated in a registration stage to the client;
s2.3, a user inputs a user password p at a client, an identity authentication generator Prover is called, the user password p, a random number N and an authentication key PK are input to the identity authentication generator Prover, and an identity authentication result ZKProof is generated;
s2.4, the client sends an identity certificate to the server, wherein the identity certificate comprises an identity certificate ZKProof and a user name UserName;
s2.5, when the server receives the identity certificate, the corresponding verification key VK and the random number N are found according to the user name UserName;
s2.6, the server calls an identity Verifier, inputs a hash value of a user password p, a random number N and a verification key VK, and generates an identity verification result: if the verification result is True, the user identity verification is passed; if the verification result is False, the user identity verification fails.
4. A zero knowledge proof based user identity security verification device, comprising:
the identification generator is used for generating an identification result required by login according to the user password, the random number and the identification key, wherein the zero knowledge identification information generation method comprises the following steps: generating zero knowledge certification information required by login according to the user password, the random number and the certification key;
a key manager for generating and querying a zero knowledge proof key, comprising a proof key and a verification key;
the authentication device is used for generating an authentication result required by login according to a user registration password Hash, a random number and an authentication key, wherein the zero knowledge authentication information generation method comprises the following steps: and generating zero knowledge verification information required by login according to the user registration password Hash, the random number and the verification key.
5. The zero-knowledge proof based user identity security check device of claim 4, further comprising:
the random string generation module is used for receiving a login request sent by the client and returning the generated random string to the client;
and the login verification module is used for generating a verification result according to the identification result and the identity verification result so as to determine whether the login of the client is successful.
6. A computer readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311290575.7A CN117034232A (en) | 2023-10-08 | 2023-10-08 | User identity security inspection method and device based on zero knowledge proof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311290575.7A CN117034232A (en) | 2023-10-08 | 2023-10-08 | User identity security inspection method and device based on zero knowledge proof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117034232A true CN117034232A (en) | 2023-11-10 |
Family
ID=88630370
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311290575.7A Pending CN117034232A (en) | 2023-10-08 | 2023-10-08 | User identity security inspection method and device based on zero knowledge proof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117034232A (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101969377A (en) * | 2010-10-09 | 2011-02-09 | 成都市华为赛门铁克科技有限公司 | Zero-knowledge identity authentication method and system |
| CN106789069A (en) * | 2016-12-20 | 2017-05-31 | 中国电子科技集团公司第三十研究所 | A kind of zero-knowledge status authentication method |
| CN108769061A (en) * | 2018-06-25 | 2018-11-06 | 北京奇虎科技有限公司 | Login method, login validation method and corresponding device, electronic equipment |
| CN109242675A (en) * | 2018-07-27 | 2019-01-18 | 阿里巴巴集团控股有限公司 | Assets dissemination method and device, electronic equipment based on block chain |
| CN114006702A (en) * | 2021-11-01 | 2022-02-01 | 山东大学 | Zero-knowledge proof dividing circuit and information verification method |
| CN115632797A (en) * | 2022-11-02 | 2023-01-20 | 北京科技大学 | Safety identity verification method based on zero-knowledge proof |
| WO2023074984A1 (en) * | 2021-10-25 | 2023-05-04 | 주식회사 온더 | Zero knowledge proof-based blockchain virtual machine verification system |
-
2023
- 2023-10-08 CN CN202311290575.7A patent/CN117034232A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101969377A (en) * | 2010-10-09 | 2011-02-09 | 成都市华为赛门铁克科技有限公司 | Zero-knowledge identity authentication method and system |
| CN106789069A (en) * | 2016-12-20 | 2017-05-31 | 中国电子科技集团公司第三十研究所 | A kind of zero-knowledge status authentication method |
| CN108769061A (en) * | 2018-06-25 | 2018-11-06 | 北京奇虎科技有限公司 | Login method, login validation method and corresponding device, electronic equipment |
| CN109242675A (en) * | 2018-07-27 | 2019-01-18 | 阿里巴巴集团控股有限公司 | Assets dissemination method and device, electronic equipment based on block chain |
| WO2023074984A1 (en) * | 2021-10-25 | 2023-05-04 | 주식회사 온더 | Zero knowledge proof-based blockchain virtual machine verification system |
| CN114006702A (en) * | 2021-11-01 | 2022-02-01 | 山东大学 | Zero-knowledge proof dividing circuit and information verification method |
| CN115632797A (en) * | 2022-11-02 | 2023-01-20 | 北京科技大学 | Safety identity verification method based on zero-knowledge proof |
Non-Patent Citations (1)
| Title |
|---|
| 李伟荣等: "《深入浅出隐私计算 技术解析与应用实践》", pages: 116 - 120 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11223614B2 (en) | Single sign on with multiple authentication factors | |
| US8584224B1 (en) | Ticket based strong authentication with web service | |
| US8356179B2 (en) | Entity bi-directional identificator method and system based on trustable third party | |
| US9491175B2 (en) | System and method for proxying federated authentication protocols | |
| US8417955B2 (en) | Entity bidirectional authentication method and system | |
| US7698736B2 (en) | Secure delegation using public key authentication | |
| US20170244676A1 (en) | Method and system for authentication | |
| US8510565B2 (en) | Bidirectional entity authentication method based on the credible third party | |
| EP2346207A1 (en) | A method for authenticating a trusted platform based on the tri-element peer authentication (tepa) | |
| CN111800378B (en) | Login authentication method, device, system and storage medium | |
| CN109245897B (en) | Node authentication method and device based on non-interactive zero-knowledge proof | |
| KR20150033053A (en) | User authentication method and apparatus | |
| CN111835514A (en) | Method and system for realizing safe interaction of front-end and back-end separated data | |
| CN111641615A (en) | Distributed identity authentication method and system based on certificate | |
| CN113312664A (en) | User data authorization method and user data authorization system | |
| CN112332980B (en) | Digital certificate signing and verifying method, equipment and storage medium | |
| CN110460609B (en) | Bidirectional authentication method and system for terminal application and security authentication platform | |
| CN108833105B (en) | Electronic signature method and device | |
| CN111723347B (en) | Identity authentication method, identity authentication device, electronic equipment and storage medium | |
| WO2017219886A1 (en) | Simple network protocol authentication method and device | |
| CN115242471A (en) | Information transmission method and device, electronic equipment and computer readable storage medium | |
| CN117034232A (en) | User identity security inspection method and device based on zero knowledge proof | |
| Damabi | Security analysis of the OpenID financial-grade API | |
| Mandal et al. | A General Approach of Authentication Scheme and its Comparative Study | |
| CN111651732B (en) | License offline authentication method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |