CN117834242A

CN117834242A - Verification method, device, apparatus, storage medium, and program product

Info

Publication number: CN117834242A
Application number: CN202311847431.7A
Authority: CN
Inventors: 涂先胜
Original assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Current assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority date: 2023-12-28
Filing date: 2023-12-28
Publication date: 2024-04-05

Abstract

The present application relates to an authentication method, apparatus, device, storage medium and program product. The method comprises the following steps: after detecting the authorization authentication operation aiming at the target account, acquiring the target biological characteristics of the target user; performing identity verification on the target user according to the target biological characteristics; under the condition that the identity verification is passed, a target private key in a public-private key pair corresponding to the target account number is obtained; requesting, by the service server, authorization verification of the target account based on the target private key, where the authorization verification includes the service server performing authorization verification of the target account based on a target public key in the public-private key pair. By adopting the method, the safety of the user identity authentication process when logging in the service server can be improved.

Description

Verification method, device, apparatus, storage medium, and program product

Technical Field

The present invention relates to the field of identity authentication technologies, and in particular, to a verification method, apparatus, device, storage medium, and program product.

Background

The user logs in the service end server to carry out identity verification so as to ensure the login security. The current authentication mode is that a user is required to input an account number and a password, and the server performs association authentication on the account number and the password so as to determine whether login passes. However, the user is easy to be phishing and the password is still stored on the service end server, so that the security is low in the technology based on account number and password login.

Disclosure of Invention

In view of the foregoing, it is desirable to provide a verification method, apparatus, device, storage medium, and program product that can improve the security of a user authentication process when logging in a service server.

In a first aspect, the present application provides a method of authentication. The method comprises the following steps:

after detecting the authorization authentication operation aiming at the target account, acquiring the target biological characteristics of the target user;

performing identity verification on the target user according to the target biological characteristics;

under the condition that the identity verification is passed, a target private key in a public-private key pair corresponding to the target account number is obtained;

requesting, by the service server, authorization verification of the target account based on the target private key, where the authorization verification includes the service server performing authorization verification of the target account based on a target public key in the public-private key pair.

In a second aspect, the present application also provides an authentication apparatus. The device comprises:

the first acquisition module is used for acquiring the target biological characteristics of the target user after detecting the authorization authentication operation aiming at the target account;

the first verification module is used for carrying out identity verification on the target user according to the target biological characteristics;

The second acquisition module is used for acquiring a target private key in a public-private key pair corresponding to the target account, which is generated in advance, under the condition that the identity verification is passed;

and the second verification module is used for requesting the service server to carry out authorization verification on the target account based on the target private key, wherein the authorization verification comprises that the service server carries out authorization verification on the target account based on the target public key in the public-private key pair.

In a third aspect, the present application also provides a computer device comprising a memory storing a computer program and a processor implementing the steps of the method of any of the first aspects described above when the computer program is executed by the processor.

In a fourth aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of any of the first aspects described above.

In a fifth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the first aspects above.

In the verification method, the device, the equipment, the storage medium and the program product, the terminal can acquire the target biological characteristics of the target user after detecting the authorization authentication operation aiming at the target account; performing identity verification on the target user according to the target biological characteristics; under the condition that the identity verification is passed, a target private key in a public-private key pair corresponding to the target account number is obtained; requesting, by the service server, authorization verification of the target account based on the target private key, where the authorization verification includes the service server performing authorization verification of the target account based on a target public key in the public-private key pair. Based on the method, the terminal can identify the target biological characteristics of the user according to the target account provided by the user, and on the basis, the user identity can be confirmed, and the private key and the public key are directly used for interaction with the server to perform authorization verification on the target account, so that in the authorization verification process of the user logging in the service server, the user only needs to provide the target account without memorizing and providing the password, the problems that the password is revealed in the terminal and the server, the password is difficult to memorize by the user and the like are avoided, the user can log in the service server conveniently, meanwhile, the authorization verification is performed through the public key and the private key, and the security of the authorization verification process of the target account is improved while the convenience is ensured.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is an application environment diagram of a verification method in one embodiment;

FIG. 2 is a flow diagram of a verification method in one embodiment;

FIG. 3 is a flow diagram of authentication in one embodiment;

FIG. 4 is a flow diagram of generating a public-private key pair in one embodiment;

FIG. 5 is a flow diagram of obtaining a target private key in one embodiment;

FIG. 6 is a flow diagram of authorization verification in one embodiment;

FIG. 7 is a flow diagram of data synchronization in one embodiment;

FIG. 8 is a schematic diagram of an architecture of an identity authentication system in one embodiment;

FIG. 9 is a schematic diagram of a multi-port synchronization architecture in one embodiment;

FIG. 10 is a block diagram of an authentication device in one embodiment;

FIG. 11 is an internal block diagram of a computer device in one embodiment.

Detailed Description

In order to make the above objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below. It should be understood that numerous specific details are set forth in the following description in order to provide a thorough understanding of the present application, but that the present application can be practiced in many other ways other than those described herein, and that persons skilled in the art will be able to make similar modifications without departing from the spirit of the present application, so that the present application is not limited to the specific embodiments disclosed below.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.

The user logs in the service end server to carry out identity verification so as to ensure the login security. The current authentication mode is that the user is required to input an account number and a password, the user can prove that the user is an owner of the account number only by inputting a correct password when logging in the account number, and the server performs relevance authentication on the account number and the password so as to determine whether logging in passes or not. It can be seen that the password is currently the main means of protecting user account security and privacy, but the problem with the password is that it needs to be kept secret, but also needs to be shared. The password can be easily leaked by fishing by a user, the leakage risk exists by means of a password management tool, the leakage risk still exists when the password is stored on a service end server, and the like, so that the problem of low safety exists in the technology based on account number and password login. Moreover, a user may log in a plurality of different service end servers, a plurality of different passwords are required to be set correspondingly, the passwords must be complex enough to ensure the security, but the passwords of different accounts may be different, the password memorizing is very troublesome, the requirement on long-term memorizing of the user is higher, and the convenience is lower.

In view of this, the embodiment of the application provides an authentication method, which can improve security when a user logs in a server for authorization authentication, and has higher convenience because the user does not need to memorize a password.

The verification method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 101 communicates with the service server 102 via a network. After detecting the authorization authentication operation for the target account, the terminal 101 acquires the target biological characteristics of the target user; the terminal 101 performs identity verification on the target user according to the target biological characteristics; in the case that the authentication is passed, the terminal 101 obtains a target private key in a public-private key pair corresponding to a target account generated in advance, requests the service server 102 to perform authorization authentication on the target account based on the target private key, and the authorization authentication includes the service server 102 performing authorization authentication on the target account based on a target public key in the public-private key pair. The terminal 101 may be, but not limited to, various smart phones, personal computers, notebook computers, tablet computers, internet of things devices and portable wearable devices, and the internet of things devices may be smart televisions, smart vehicle devices and the like. The portable wearable device may be a smart watch, smart bracelet, or the like. The service server 102 may be implemented as a stand-alone server or as a server cluster composed of a plurality of servers.

In one embodiment, as shown in fig. 2, a verification method is provided, and the method is applied to the terminal 101 in fig. 1 for illustration, and includes the following steps:

step 201, after detecting the authorization authentication operation for the target account, acquiring the target biological characteristics of the target user.

In general, the actions of logging in, logging out, registering, etc. of an account number may be collectively referred to as network authorization authentication. Thus, in the embodiment of the present application, the authorization authentication operation may include the target account logging into the service server, or the target account logging out of the service server, etc.

In general, a terminal can be provided with a plurality of different applications, when a user uses a certain application, the user needs to log in a service server of the application by using a user account corresponding to the application based on the application, so as to use related functions provided by the application. Or, the user can log in the corresponding service server by using the corresponding user account based on the terminal on a certain webpage. Therefore, the target account in the embodiment of the present application may be used to log in a user account of a service server of any application installed in the terminal, or a user account of a user logging in a certain service server by using the terminal based on a certain web page, which is not limited herein specifically.

The target account is an account used by a user to log in the service server. Optionally, the target account number may be a mobile phone number or a string of characters, and may be customized by a user or customized by a service party.

When logging in a certain service server, the user can execute authorization authentication operation for the target account based on the terminal, and after detecting the authorization authentication operation, the terminal can acquire the target biological characteristics of the target user so as to perform biological characteristic recognition on the target user and confirm whether the identity of the target user is legal or not.

The user may input the target account number in a login page of a target application displayed by the terminal, and click a login virtual key provided in the trigger login page, so that the terminal may detect an authorization authentication operation for the target account number.

Illustratively, the terminal includes a biometric component that the terminal can invoke to operate to obtain a target biometric of the target user.

Step 202, authenticating the target user according to the target biological characteristics.

The target biological characteristics are biological characteristics of a target user which is obtained in real time and is currently used for executing authorization authentication operation by the terminal, the target user is authenticated according to the target biological characteristics, whether the target user is a target user trusted by the terminal or not is determined, and whether the terminal continuously requests the server to conduct authorization authentication on the target account or not is conveniently determined.

Thus, the user does not need to input a password or the like to execute complex operations, and only provides the target biological characteristics of the user, so that the terminal can ensure that the request server of the terminal performs authorization verification on the target account.

Step 203, under the condition that the identity verification is passed, obtaining a target private key in a public-private key pair corresponding to the target account number which is generated in advance.

The target account corresponds to a public-private key pair, in other words, the public-private key pair includes a pair of target private keys and target public keys, and the target private keys are stored in the terminal, and the target public keys are stored in a service server on which the target account is logged.

If the terminal confirms that the authentication of the target user passes, it indicates that the target user is a user trusted by the terminal, for example, a user having the terminal, and accordingly, the target user should be responded based on the authorization authentication operation triggered by the terminal, that is, the terminal may respond to the authorization authentication operation to obtain a target private key corresponding to the target account of the target user, so as to request the service server to perform authorization authentication on the target account based on the target private key.

Alternatively, if the authentication is not passed, the authorization authentication operation is not responded. Optionally, under the condition that the authentication is not passed, the terminal can display reminding information of failure of the authentication, so that the user can confirm the authentication result.

Step 204, requesting the service server to perform authorization verification on the target account based on the target private key. The authorization verification comprises that the service server performs authorization verification on the target account number based on the target public key in the public-private key pair.

In an exemplary case that the target user authentication passes, or in a case that the terminal detects an authorization authentication operation for the target account, the terminal may request the service server to send target authentication data to the terminal, so that after determining that the target user authentication passes, the terminal signs the target authentication data with the target private key and then sends the target authentication data to the service server.

Correspondingly, the terminal can acquire an authorization verification result fed back by the service server to determine whether the target account passes authorization verification, and if the authorization verification passes, taking the authorization verification operation as an example that the service server needs to be logged in, the terminal confirms that the target account can be successfully logged in to the service server at the moment.

Optionally, the service party with higher security requirement can customize the login process of the target account to login to the service server, for example, after the authorization verification is passed, the service party provides other login processes based on the target application, and the target user can successfully login to the service server after executing the other login processes based on the terminal. Other login procedures, for example, include the service server sending a temporary verification code to the terminal, the target application providing a temporary verification code entry, requiring the user to enter the temporary verification code based on the terminal to confirm successful login to the service server if the entry is correct.

In the verification method, after detecting the authorization authentication operation aiming at the target account, the terminal can acquire the target biological characteristics of the target user; performing identity verification on the target user according to the target biological characteristics; under the condition that the identity verification is passed, a target private key in a public-private key pair corresponding to the target account number is obtained; requesting, by the service server, authorization verification of the target account based on the target private key, where the authorization verification includes the service server performing authorization verification of the target account based on a target public key in the public-private key pair. Based on the method, the terminal can identify the target biological characteristics of the user according to the target account provided by the user, and on the basis, the user identity can be confirmed, and the private key and the public key are directly used for interaction with the server to perform authorization verification on the target account, so that in the authorization verification process of the user logging in the service server, the user only needs to provide the target account without memorizing and providing the password, the problems that the password is revealed in the terminal and the server, the password is difficult to memorize by the user and the like are avoided, the user can log in the service server conveniently, meanwhile, the authorization verification is performed through the public key and the private key, and the security of the authorization verification process of the target account is improved while the convenience is ensured.

The method of the terminal for authenticating the target user will be described first.

Referring to fig. 3, a schematic flow chart of authentication according to an embodiment of the present application is shown. Performing identity verification on the target user according to the target biological characteristics, including:

step 301, comparing the target biological feature with a preset biological feature.

The preset biological characteristics are recorded in the terminal in advance by a target user.

Alternatively, the preset biometric characteristic may be a face feature or a fingerprint feature of the target user, which is not specifically limited herein.

In an alternative implementation, the terminal has a biometric unlocking function, the target user inputs a preset biometric in the terminal in advance, and each time the target user uses the terminal, the terminal needs to acquire the real-time biometric of the user and compare with the preset biometric to determine whether to unlock the terminal. In the embodiment of the application, when the identity of the target user is verified, the preset biological feature which is input by the user for unlocking the terminal in advance can be called, so that the target biological feature is compared with the preset biological feature.

In another alternative implementation, when the user uses the target application for the first time based on the terminal, the target application is provided with a feature input function, the user triggers the feature input function based on the terminal and inputs the preset biological feature, and the terminal locally stores the preset biological feature, in which case the preset biological feature is specially used for being invoked when the user performs identity verification when logging in the target application based on the target account number.

Optionally, the terminal compares the target biological feature with a preset biological feature, determines a feature difference between the target biological feature and the preset biological feature, and a feature difference threshold is deployed in the terminal in advance, if the feature difference is smaller than the feature difference threshold, the comparison of the target biological feature and the preset biological feature is consistent, otherwise, if the feature difference is not smaller than the feature difference threshold, the comparison of the target biological feature and the preset biological feature is inconsistent.

Optionally, the terminal compares the target biological feature with a preset biological feature, determines the feature overlapping proportion or feature similarity of the target biological feature and the preset biological feature, and determines that the target biological feature and the preset biological feature are consistent in comparison if the feature overlapping proportion is larger than a preset proportion threshold or the feature similarity is larger than a preset similarity threshold; otherwise, if the feature overlapping proportion is not greater than a preset proportion threshold or the feature similarity is not greater than a preset similarity threshold, determining that the feature overlapping proportion and the feature similarity are inconsistent.

Step 302, if the target biological feature is consistent with the preset biological feature, determining that the identity verification of the target user is passed.

Step 303, if the target biometric feature is inconsistent with the preset biometric feature, determining that the identity verification of the target user is not passed.

In the embodiment of the application, the identity of the target user can be quickly confirmed by calling the preset biological characteristic to compare with the target biological characteristic, if the identity verification is passed, the target user is determined to have the terminal and can normally access the terminal without providing a password, so that the terminal can be granted access rights to the target account, namely, under the condition that the target user uses the terminal, the terminal can request the service server to carry out authorization verification on the target account, and the operation complexity of the user is reduced. It should be noted that, the preset biological feature and the target biological feature are obtained under the condition that the user knows and agrees, and the user can refuse to obtain the biological feature at any time.

The target account number needs to be registered in the service server before the target account number is used for logging in the service server, and the public and private key pair can be generated in the registration process and used in the login process.

Referring to fig. 4, a schematic flow chart of generating a public-private key pair according to an embodiment of the present application is shown. The method further comprises the steps of:

step 401, after detecting the registration operation, generating a public-private key pair in the trusted security environment of the terminal under the condition that the identity of the target user passes the authentication.

Wherein, as stated above, the authorization authentication operation includes a registration operation of the target account number. When initially accessing the service server, for example, when a user first uses the target application after installing the target application in the terminal, the user may input a target account number (or the target application automatically generates the target account number to which the target user belongs) in a registration page of the target application displayed by the terminal, and click a registration virtual key provided in the trigger registration page, so that the terminal may detect a registration operation triggered by the user, obtain a target biological feature of the target user, and perform identity verification on the target user according to the target biological feature; and under the condition that the identity verification is passed, generating a public and private key pair corresponding to the target account.

The terminal generates a public and private key pair in a trusted security environment. Alternatively, the trusted security environment may be a security environment provided by a TEE (Trusted Execution Environment ) deployed in the terminal or a security chip included in the terminal.

Here, TEE is a secure computing environment that is capable of protecting code and data running therein from external attacks, including attacks from operating systems, hardware, and other applications. The TEE may accomplish this by creating an isolated execution environment inside the processor, referred to as a "secure container" or "trust zone". Before the data and code enter the TEE, they are encrypted; when the data and code leave the TEE, they are decrypted. Thus, even if an attacker can steal data or codes, the attacker cannot crack the content; the TEE ensures that code and data are not tampered with during execution through integrity checking. In addition, the TEE supports remote authentication, allowing the user to verify the authenticity and integrity of the TEE through a secure channel. Therefore, in the embodiment of the application, the public-private key pair is generated by using the TEE environment and the target private key is stored in the TEE environment, so that the security of the target private key can be protected, the data leakage and the data theft can be prevented, and the attacks from an operating system, hardware and other application programs can be resisted without depending on complex software and hardware security mechanisms.

The security chip is a device capable of independently generating and encrypting and decrypting the key, and can store the key and characteristic data therein, provide a data encryption function and ensure data security.

That is, the terminal may generate a public-private key pair in the TEE environment or a public-private key pair in the security chip.

Step 402, storing the target private key in the public-private key pair in the trusted security environment, and sending the target public key in the target account number and the public-private key pair to the service server.

In a trusted security environment of the terminal, the target account number and the target private key are correspondingly stored. It can be appreciated that multiple sets of account numbers and private keys can be correspondingly stored in the trusted security environment, and each account number is used for logging in to a service server of a different service party.

In addition, the terminal sends the target account number and the target public key to the service server for corresponding storage by the service server. It will be appreciated that different users log into the service server based on different account numbers and thus have stored correspondence between different account numbers and public keys for the service server.

Optionally, the terminal may encrypt the target public key and then send the encrypted target public key to the service server together with the target account number. And the service server obtains the target public key after decrypting.

In the embodiment of the application, the public and private key pairs are generated based on the trusted security environment, and the security of the public and private key pairs is comprehensively ensured.

In one embodiment, as shown in fig. 5, a schematic flow chart of obtaining a target private key provided in an embodiment of the present application is shown. The method for obtaining the target private key in the public private key pair corresponding to the pre-generated target account comprises the following steps:

step 501, an application identifier of an application corresponding to a target account is obtained.

Step 502, obtaining a target private key from a trusted security environment of the terminal according to the application identifier.

The trusted security environment stores a plurality of groups of corresponding relations among different application identifications, account numbers and private keys. That is, in the trusted security environment, except for storing the correspondence between multiple groups of accounts and private keys, the application identifier corresponding to each account is stored. The application identification is related to the application corresponding to the account.

For example, for the target account, the application identifier of the corresponding target application and the target private key are stored in the trusted secure environment, so that when the target private key needs to be acquired, the terminal first knows that the target account is currently logged in the target application, and therefore the application identifier of the target application can be quickly determined, and thus the target correspondence can be quickly located based on the application identifier of the target application, and further the target private key is determined.

The application identifier includes a domain name and a package name of the corresponding application, where the package name is a unique identifier of the application in a local environment of the terminal, and the user is not visible, and the domain name is used to identify an application service of the application.

It should be noted that, besides the application identifier, the account number and the private key, the terminal may also optionally store other information related to the application, the user or the account number in the corresponding relationship, which is not fully illustrated herein.

The process of authorization verification is described below.

Referring to fig. 6, a flowchart of authorization verification provided in an embodiment of the present application is shown. Requesting the service server to perform authorization verification on the target account based on the target private key, including:

and 601, signing target verification data according to a target private key.

When the authorization authentication operation is a login operation, the terminal can acquire the target authentication data from the service server, and the two parties perform authorization authentication on the target account based on the target authentication data and the public and private key.

In an alternative embodiment of the present application, the terminal sends a verification data acquisition request to the service server when detecting a login operation; the verification data acquisition request is used for indicating a service server to feed back target verification data to the terminal; and the terminal can receive the target verification data fed back by the service server. That is, for the service server, after receiving the verification data acquisition request, it can generate the target verification data, and send it to the terminal for the terminal to sign.

Illustratively, the verification data acquisition request may include a target account number. The service server receives the verification data acquisition request and analyzes the verification data acquisition request to the target account, generates a challenge value and a service party identifier, and forms target verification data according to the challenge value, the service party identifier and the target account. Alternatively, the challenge value may be a series of random numbers generated in real time.

After receiving the target verification data, the terminal signs the target verification data by using the target private key. The signing process may refer to that the terminal encrypts the target verification data with the target private key, and attaches the target verification data to the rear of the target verification data to form a data packet to be sent to the service server. The service server decrypts the data packet by using the public key to obtain the original data and confirms the validity of the original target verification data.

Step 602, the signed target verification data is sent to the service server, so as to request the service server to perform authorization verification on the target account according to the signed target verification data.

The signed target verification data is used for the business server to verify the signed target verification data based on the target public key. The validity, the integrity and the like of the target verification data can be verified by utilizing the target public key verification, if the verification passes, the authorization verification of the target account is confirmed, and the authorization verification result fed back by the service server is fed back to the terminal.

The service server receives the signed target verification data, obtains a target public key according to the target account, and then performs verification by using the target public key, for example, verifies whether the challenge value is verified, exceeds the validity period of the verification value, and the like, so as to confirm whether the target verification data is data sent by the service server before and determine the validity and the integrity of the target verification data.

In the embodiment of the application, the biological characteristic recognition technology and the asymmetric cryptography technology are combined, so that a user can sign target verification data by using the target private key in the trusted security environment of the terminal after successfully accessing the terminal through the target biological characteristic, and a service server can verify the signature by using the target public key, thereby more conveniently and safely confirming 'you are you', and improving the security and simplicity of the authorization verification process of the target account; the password-free traffic experience of the user is realized more safely and conveniently without increasing the learning and using cost of the user.

In addition, the above scheme facilitates the user to log in the service server by using a single device, considering that the same user may have multiple devices, and the case that the user needs to log in the service server at other devices should also be considered. In view of this situation, in the embodiment of the present application, the corresponding relationship between the account number and the private key in the terminal is synchronized to the cloud server by using the cloud synchronization function, so that the user can recover the required corresponding relationship between the account number and the private key from the cloud server by using other devices, so as to log in the service server at the other devices. This process is described below.

In one embodiment, the method further comprises: and under the condition that the cloud synchronization function is started, carrying out cloud synchronization processing on a target terminal account number logged in the terminal and target login data in a codebook in the terminal so as to synchronize the target terminal account number and the target login data to a cloud server. The target login data includes a corresponding relationship between a plurality of groups of accounts and private keys, each private key is generated when the target user registers each account based on the terminal (see the description of the process of generating the public-private key pair above), and each account corresponds to a different service server.

The user can log in the target terminal account number in the terminal, and in the process of using the terminal by the user, the user can select whether to start the cloud synchronization function provided by the terminal. And the cloud synchronization function is used for synchronizing the target login data in the codebook in the terminal to the cloud server for backup.

Every time a user registers an account of an application in a terminal and generates a private key corresponding to the account, the terminal can automatically record the account and the private key to a codebook, namely, update target login data in the codebook. While the codebook may be located in a trusted secure environment.

Under the condition that the cloud synchronization function is started, the terminal can periodically synchronize target login data in the codebook to the cloud server. For example, after the data in the codebook is encrypted, the data and the target terminal account number are synchronously sent to the cloud server. The cloud server may store the target terminal account number and the target login data correspondingly. It can be understood that the target login data is also encrypted when stored in the cloud server, so that the security can be ensured, and only the device logging in the target terminal account has the function of decrypting the target login data.

In one embodiment, performing cloud synchronization processing on a target terminal account number logged in a terminal and target login data in a codebook in the terminal includes: encrypting the target login data; and synchronizing the encrypted target login data to the cloud server based on the end-to-end encryption technology.

That is, to ensure the security of the data synchronization process, the terminal encrypts the target login data based on the underlying trusted security environment, and synchronizes the encrypted target login data to the cloud server based on the end-to-end encryption technology.

End-to-End encryption (E2 EE) technology is used to secure data transmission during communication. An encryption channel is established between a data sender and a data receiver, plaintext data is converted into ciphertext data for transmission, and the ciphertext data is restored into plaintext data after decryption by the data receiver. The data is directly encrypted and decrypted between the sender and the receiver without intervention of a third party, so that the privacy and the integrity of the data can be protected, the data is prevented from being stolen, tampered or falsified, and the safety of the data synchronization process is ensured.

In one embodiment, as shown in fig. 7, a flow chart of data synchronization provided in an embodiment of the present application is shown. Wherein the method further comprises:

In step 701, a synchronization request is sent to a cloud server when a cloud synchronization function is started.

That is, the terminal may synchronize the target login data of the user in the cloud server through another device from the cloud server.

The user can log in a target terminal account in the terminal and start a cloud synchronization function, so that the terminal can send a synchronization request to the cloud server periodically or in real time.

The synchronization request includes a target terminal account, and the synchronization request is used for indicating the cloud server to issue target login data corresponding to the target terminal account to the terminal based on an end-to-end encryption technology. In other words, after receiving the synchronization request, the cloud server analyzes the target terminal account, further determines target login data corresponding to the target terminal account, and then issues the target login data to the terminal. The security of the data transmission process is ensured based on the end-to-end encryption technology in the data issuing process. It can be understood that the cloud server stores a plurality of sets of correspondence between terminal account numbers and login data, and the target terminal account number and the target login data are one set.

Step 702, decrypting the received target login data to obtain a corresponding relation between a plurality of groups of accounts and private keys, and storing each account and private key in a trusted security environment of the terminal.

Because the target login data is encrypted, after the terminal acquires the target login data, the terminal can decrypt the target login data in a trusted security environment, so that the corresponding relation between a plurality of groups of accounts and private keys is obtained.

Optionally, before sending the synchronization request, identity identification needs to be performed on the target user who uses the terminal currently, for example, the target user needs to input a preset locking verification code, and the synchronization request is sent under the condition that the input is correct.

After each account number and the private key are correspondingly stored in the trusted security environment of the terminal, a user can directly log in the target account number by using the terminal, and after the identity verification in the target account number logging-in process is passed, the target private key can be called to request the service server to carry out authorization verification.

In the embodiment of the application, the multi-terminal safe sharing of the private key is ensured based on the end-to-end encryption of the trusted security environment and the cloud synchronization service, the high-security-level encryption of the private key on the TEE environment or the security chip is ensured, the security of the sharing process is ensured, and the convenience of a user for logging in a target account based on different terminals is improved.

For ease of understanding, the method of rapid identity authentication based on trusted digital identity keys provided herein is described in one complete embodiment, and other limitations of this method are set forth above in the description of the authentication method.

Referring to fig. 8, an architecture diagram of an identity authentication system is shown. The user obtains authorization of the device based on biological characteristics such as fingerprint characteristics or face characteristics, and then requests the server to conduct authorization verification on the target account based on the terminal.

Specifically, 1, for a newly registered account: the user inputs a target account number or a target application in the terminal to generate the target account number, clicks a registration option, the terminal obtains the biological characteristics of the user, compares the obtained biological characteristics with preset biological characteristics, and authorizes the passing after the comparison is consistent; the preset biological characteristics are, for example, user biological characteristics used for unlocking a screen of the terminal and recorded in advance. 2. After the biological characteristics are compared, the terminal generates a public-private key pair in a trusted security environment (TEE environment or security chip), a target private key, a target account and a packet name and a domain name which are applied in a local environment of the terminal and correspond to the account are stored in the trusted security environment, the target public key and the target account are transmitted to an upper-layer service algorithm through a bottom-layer algorithm and then are transmitted to a service server, and the service server correspondingly stores the target account and the target public key. 3. In the login process: the user inputs a target account number based on the terminal, clicks a login option, and after clicking the login option, the terminal sends a verification request of the target account number to the service server, the server receives the verification request, generates target verification data and sends the target verification data to the terminal, wherein the verification data comprises a challenge value, and the challenge value comprises, for example, the target account number, a service end identifier and the like. And after clicking the login option, the terminal acquires the biological characteristics of the user, compares the acquired biological characteristics with preset biological characteristics, takes out a target private key corresponding to the target account number from the trusted security environment after the comparison is consistent, signs target verification data by using the target private key, and sends the signed target verification data and the target account number to the service server. And the service server acquires a target public key corresponding to the target account number to carry out signature verification. 4. After the verification sign passes, the service server determines that the authorization verification of the target account passes, and feeds back a response that the authorization verification passes to the terminal. 5. For a target account number for which a corresponding binding password has been registered: the user can log in the service server by the target account number and the target password, then the binding is established, namely, the biometric authentication and authorization are carried out, the terminal obtains the biometric characteristics of the user, the obtained biometric characteristics are compared with preset biometric characteristics, and the authorization is passed after the comparison is consistent. And then generating a public-private key pair, storing a target private key in the terminal, sending the target public key and the target account number to a service server for storage, and performing subsequent login based on the target private key of the biological characteristics of the user without target passwords.

In addition, account numbers and private keys support multi-terminal synchronization. Please refer to fig. 9, which illustrates a multi-port synchronization architecture. The target terminal account number is logged on the device 1. When the cloud synchronization service is opened, the device 1 may encrypt a private key in the trusted security environment and store the encrypted private key in the codebook together with the account. And periodically synchronizing the encrypted data in the codebook with the equipment account number to a cloud server. The synchronization process is performed based on an end-to-end encryption technology, so that the synchronization safety is ensured. When the user logs in the target terminal account number at the device 2 (or the device N), and the cloud synchronization service of the device 2 is opened, the encrypted data of the device 1 can be synchronized between the cloud server and the device 2 based on the end-to-end encryption technology. In this way, when the user logs in the target account based on the device 2, after the biometric identification is performed based on the device 2, the target private key corresponding to the target account is obtained, and then the service server is requested to perform authorization verification. After the data synchronization, the users who use the device 1 and the device 2 to log in the target account may not be the same user, but because the users who use the device 1 and the device 2 are both trusted users, the data use security can be ensured.

In the embodiment of the application, the user biological characteristics and the private key are combined, a public-private key pair (asymmetric cryptography) is adopted to replace the user password, and the private key is only stored in a safety area of the user equipment, such as a TEE or a safety chip; the public key is stored in the server, and even if data leakage occurs, the safety of the user account is not affected. Thus, the user can be thoroughly far away from the risks of weak passwords, password leakage, software guessing cracking and network fishing. And registering and logging in the account based on the biological feature recognition, the user is not required to actively create, memorize or input a password in the whole process, and the user can realize safer and more convenient password-free passing experience without increasing the learning and using cost of the user. In addition, the multi-terminal safe sharing of the private key is ensured based on the end-to-end encryption of the TEE and the equipment cloud service, and the high-security-level encryption of the private key on the TEE environment or the security chip is ensured.

It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.

Based on the same inventive concept, the embodiment of the application also provides a verification device for realizing the verification method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in one or more embodiments of the verification device provided below may be referred to above for limitation of the verification method, which is not repeated here.

In one embodiment, as shown in fig. 10, there is provided a verification apparatus, the verification apparatus 1000 including: a first acquisition module 1001, a first verification module 1002, a second acquisition module 1003, and a second verification module 1004, wherein:

a first obtaining module 1001, configured to obtain a target biometric feature of a target user after detecting an authorization authentication operation for a target account;

a first verification module 1002, configured to perform identity verification on a target user according to a target biometric feature;

a second obtaining module 1003, configured to obtain, if the authentication passes, a target private key in a public-private key pair corresponding to the target account that is generated in advance;

the second verification module 1004 is configured to request, based on the target private key, the service server to perform authorization verification on the target account, where the authorization verification includes the service server performing authorization verification on the target account based on the target public key in the public-private key pair.

In one embodiment, the second obtaining module 1003 is specifically configured to: acquiring an application identifier of an application corresponding to a target account; acquiring a target private key from a trusted security environment of the terminal according to the application identifier; the trusted security environment stores a plurality of groups of corresponding relations among different application identifications, account numbers and private keys.

In one embodiment, the second verification module 1004 is specifically configured to: signing the target verification data according to the target private key; the signed target verification data is sent to a service server to request the service server to conduct authorization verification on the target account according to the signed target verification data; the signed target verification data is used for the business server to verify the signed target verification data based on the target public key.

In one embodiment, the authorization authentication operation includes a login operation, and the apparatus further includes a data receiving module for: sending a verification data acquisition request to a service server under the condition that a login operation is detected; the verification data acquisition request is used for indicating the service server to feed back target verification data to the terminal; and receiving target verification data fed back by the service server.

In one embodiment, the authorization authentication operation includes a registration operation, the apparatus further comprising a storage module for: after detecting registration operation, under the condition that the identity verification of a target user is passed, generating a public-private key pair in a trusted security environment of the terminal; storing a target private key in the public-private key pair in a trusted security environment, and sending the target public key in the target account and the public-private key pair to a service server; the target account number and the target public key are used for being correspondingly stored by the service server.

In one embodiment, the first verification module 1002 is specifically configured to: comparing the target biological characteristics with preset biological characteristics, and if the target biological characteristics are consistent with the preset biological characteristics, determining that the identity verification of the target user is passed; if the target biological characteristics are inconsistent with the preset biological characteristics, determining that the identity verification of the target user is not passed; the preset biological characteristics are recorded in the terminal in advance by a target user.

In one embodiment, the apparatus further comprises a first synchronization module for: under the condition that a cloud synchronization function is started, carrying out cloud synchronization processing on a target terminal account number logged in a terminal and target login data in a codebook in the terminal so as to synchronize the target terminal account number and the target login data to a cloud server; the target terminal account comprises a plurality of groups of corresponding relations between the accounts and private keys, each private key is generated when the target user registers each account based on the terminal, and each account corresponds to a different service server.

In one embodiment, the first synchronization module is specifically configured to: encrypting the target login data; and synchronizing the encrypted target login data to the cloud server based on the end-to-end encryption technology.

In one embodiment, the apparatus further comprises a second synchronization module for: under the condition that a cloud synchronization function is started, a synchronization request is sent to a cloud server; the synchronization request is used for indicating the cloud server to send target login data corresponding to the target terminal account to the terminal based on the end-to-end encryption technology; the cloud server stores the corresponding relation between a plurality of groups of terminal account numbers and login data; decrypting the received target login data to obtain the corresponding relation between a plurality of groups of accounts and private keys, and correspondingly storing each account and each private key into a trusted security environment of the terminal.

The respective modules in the above-described authentication apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.

In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 11. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a verification method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.

It will be appreciated by those skilled in the art that the structure shown in fig. 11 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the computer device to which the present application applies, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.

In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:

after detecting the authorization authentication operation aiming at the target account, acquiring the target biological characteristics of the target user; performing identity verification on a target user according to the target biological characteristics; under the condition that the identity verification is passed, a target private key in a public-private key pair corresponding to a pre-generated target account is obtained; and requesting the service server to perform authorization verification on the target account based on the target private key, wherein the authorization verification comprises the service server performing authorization verification on the target account based on the target public key in the public-private key pair.

In one embodiment, the processor when executing the computer program further performs the steps of:

Acquiring an application identifier of an application corresponding to a target account; acquiring a target private key from a trusted security environment of the terminal according to the application identifier; the trusted security environment stores a plurality of groups of corresponding relations among different application identifications, account numbers and private keys.

signing the target verification data according to the target private key; the signed target verification data is sent to a service server to request the service server to conduct authorization verification on the target account according to the signed target verification data; the signed target verification data is used for the business server to verify the signed target verification data based on the target public key.

sending a verification data acquisition request to a service server under the condition that a login operation is detected; the verification data acquisition request is used for indicating the service server to feed back target verification data to the terminal; and receiving target verification data fed back by the service server.

After detecting registration operation, under the condition that the identity verification of a target user is passed, generating a public-private key pair in a trusted security environment of the terminal; storing a target private key in the public-private key pair in a trusted security environment, and sending the target public key in the target account and the public-private key pair to a service server; the target account number and the target public key are used for being correspondingly stored by the service server.

comparing the target biological characteristics with preset biological characteristics, and if the target biological characteristics are consistent with the preset biological characteristics, determining that the identity verification of the target user is passed; if the target biological characteristics are inconsistent with the preset biological characteristics, determining that the identity verification of the target user is not passed; the preset biological characteristics are recorded in the terminal in advance by a target user.

under the condition that a cloud synchronization function is started, carrying out cloud synchronization processing on a target terminal account number logged in a terminal and target login data in a codebook in the terminal so as to synchronize the target terminal account number and the target login data to a cloud server; the target terminal account comprises a plurality of groups of corresponding relations between the accounts and private keys, each private key is generated when the target user registers each account based on the terminal, and each account corresponds to a different service server.

encrypting the target login data; and synchronizing the encrypted target login data to the cloud server based on the end-to-end encryption technology.

under the condition that a cloud synchronization function is started, a synchronization request is sent to a cloud server; the synchronization request is used for indicating the cloud server to send target login data corresponding to the target terminal account to the terminal based on the end-to-end encryption technology; the cloud server stores the corresponding relation between a plurality of groups of terminal account numbers and login data; decrypting the received target login data to obtain the corresponding relation between a plurality of groups of accounts and private keys, and correspondingly storing each account and each private key into a trusted security environment of the terminal.

In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:

In one embodiment, the computer program when executed by the processor further performs the steps of:

In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:

It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use, and processing of the related data are required to meet the related regulations.

Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.

The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.

The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims

1. A method of authentication, the method comprising:

carrying out identity verification on the target user according to the target biological characteristics;

Requesting a service server to perform authorization verification on the target account based on the target private key, wherein the authorization verification comprises the service server performing authorization verification on the target account based on a target public key in the public-private key pair.

2. The method according to claim 1, wherein the obtaining a target private key of a public-private key pair corresponding to the target account number, which is generated in advance, includes:

acquiring an application identifier of an application corresponding to the target account;

acquiring the target private key from the trusted security environment of the terminal according to the application identifier; and the trusted security environment stores a plurality of groups of corresponding relations among different application identifications, account numbers and private keys.

3. The method of claim 1, wherein requesting a service server to authenticate the target account based on the target private key comprises:

signing the target verification data according to the target private key;

the signed target verification data is sent to the service server to request the service server to carry out authorization verification on the target account according to the signed target verification data;

The signed target verification data is used for the service server to verify the signed target verification data based on the target public key.

4. A method according to claim 3, wherein the authorised authentication operation comprises a login operation, the method further comprising:

sending a verification data acquisition request to the service server under the condition that the login operation is detected; the verification data acquisition request is used for indicating the service server to feed back the target verification data to a terminal;

and receiving the target verification data fed back by the service server.

5. The method of claim 1, wherein the authorization authentication operation comprises a registration operation, the method further comprising:

after the registration operation is detected, under the condition that the identity verification of the target user is passed, generating the public and private key pair in a trusted security environment of the terminal;

storing the target private key of the public-private key pair in the trusted security environment, and sending the target account number and the target public key of the public-private key pair to the service server; and the target account number and the target public key are used for being correspondingly stored by the service server.

6. The method of claim 1, wherein said authenticating said target user based on said target biometric comprises:

comparing the target biological characteristics with preset biological characteristics, and if the target biological characteristics are consistent with the preset biological characteristics, determining that the identity verification of the target user is passed; if the target biological characteristics are inconsistent with the preset biological characteristics, determining that the identity verification of the target user is not passed;

the preset biological characteristics are recorded in the terminal in advance by the target user.

7. The method according to any one of claims 1 to 6, further comprising:

under the condition that a cloud synchronization function is started, carrying out cloud synchronization processing on a target terminal account number logged in a terminal and target login data in a codebook in the terminal so as to synchronize the target terminal account number and the target login data to a cloud server;

the target login data comprises corresponding relations of a plurality of groups of accounts and private keys, each private key is generated when the target user registers each account based on the terminal, and each account corresponds to a different service server.

8. The method according to claim 7, wherein the cloud synchronization processing of the target terminal account number registered in the terminal and the target registration data in the codebook in the terminal includes:

encrypting the target login data;

and synchronizing the encrypted target login data to the cloud server based on an end-to-end encryption technology.

9. The method according to any one of claims 1 to 6, further comprising:

under the condition that a cloud synchronization function is started, a synchronization request is sent to a cloud server; the synchronization request is used for indicating the cloud server to send target login data corresponding to a target terminal account to a terminal based on an end-to-end encryption technology; the cloud server stores a plurality of groups of corresponding relations between terminal account numbers and login data;

decrypting the received target login data to obtain a corresponding relation between a plurality of groups of account numbers and private keys, and storing the account numbers and the private keys in a trusted security environment of the terminal.

10. A verification device, the device comprising:

the second acquisition module is used for acquiring a target private key in a public-private key pair corresponding to the target account number, which is generated in advance, under the condition that the identity verification is passed;

and the second verification module is used for requesting a service server to carry out authorization verification on the target account based on the target private key, wherein the authorization verification comprises that the service server carries out authorization verification on the target account based on the target public key in the public-private key pair.

11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1 to 9 when the computer program is executed.

12. A storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the method according to any of claims 1 to 9.

13. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 9.