CN102594843A - Identity authentication system and method - Google Patents


Info

Publication number
CN102594843A
Authority
CN
China
Prior art keywords
authentication code
authentication
code information
public key
authentication data
Legal status
Pending
Application number
CN2012100786299A
Other languages
Chinese (zh)
Inventor
曾庆祥
王力
刘丹
李珂
李蕾
汪湛
张立忠
赵琳峰
方涛
郑飞
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Application filed by Agricultural Bank of China
Priority to CN2012100786299A
Publication of CN102594843A

Abstract

The embodiment of the invention provides an identity authentication system and an identity authentication method. The system comprises an authorizer and a signer. The authorizer calculates a key pair comprising a public key and a private key that uniquely match each other, stores the private key, transmits the public key to the signer for storage, uses the private key to calculate authentication data, and transmits the authentication data to the signer for authentication. The signer receives the public key from the authorizer and stores it, uses its own stored public key to verify the authentication data obtained from the authorizer, and passes the authentication if the authentication data is verified successfully. The method comprises the following steps: the key pair is calculated; the private key is stored in the authorizer and the public key is stored in the signer; the authorizer uses the private key to calculate the authentication data; and the signer receives the authentication data from the authorizer, verifies it with its own stored public key, and passes the authentication if verification succeeds.

Description

Identity authentication system and method
Technical field
The present invention relates to the field of information encryption, and in particular to an identity authentication system and method.
Background technology
In today's Internet-driven society, Web banking, also called online banking, has become an indispensable part of the overall development strategy of financial institutions. The number of online banking users has grown tremendously in recent years and has kept a steady growth momentum every year. While online banking brings its users many convenient services, saves banks expenditure and brings them new sources of profit growth, it also gives rise to many security risks. Many banks have recognized this and have taken action one after another, including continually educating users to raise their security awareness and to install antivirus and anti-Trojan software, and adopting hardware USBKeys or dynamic password tokens for identity authentication.
A USBKey is a hardware device with a USB interface. Its built-in single-chip microcomputer or smart card chip has a certain amount of storage space, can store the user's private key and digital certificate, and uses the public key algorithm built into the USBKey to authenticate the user's identity. Because the user's private key is kept in the password-protected device and in theory cannot be read out by any means, the security of user authentication is guaranteed.
At present, so that some enterprises can interface with the online banking system more safely and conveniently, the bank may deploy a front-end server in the enterprise's computer system. The front-end server connects to the bank's back-end system over the network and handles online banking business specifically for this enterprise. Compared with the bank's public server, this enterprise-dedicated front-end server better protects the commercial privacy of the corporate client and is also more convenient for the corporate client to use. A front-end server generally comes with a USBKey bound to that server, the binding being a fixed correspondence between a USBKey and the front-end server. When the enterprise uses online banking, the USBKey must first be inserted into the front-end server through the USB interface for identity authentication; during authentication, only a USBKey that has a binding relationship with the front-end server can pass; after authentication, the enterprise can begin to perform online banking operations using the front-end server.
In the prior art, the binding between the USBKey and the front-end server mainly takes two forms: one binds the USBKey to a virtual link of the front-end server, such as its IP address; the other binds the USBKey directly to the hardware through a hardware identifier of the front-end server, such as the CPU serial number or the hard disk serial number.
The shortcoming of the prior art is that, if binding uses a virtual link such as an IP address, security is very low, because such virtual links can easily be modified or impersonated; if binding uses hardware, the binding fails whenever the server hardware is upgraded, which causes great inconvenience in practical applications, and since such hardware binding is in fact also realized through some virtual link, it carries the same security risk.
Summary of the invention
In view of this, the object of the present invention is to provide an identity authentication system and method to achieve safer and more convenient identity authentication. The specific technical solution is as follows:
An identity authentication system, comprising:
an authorizer, for calculating a key pair comprising a public key and a private key that uniquely match each other; the authorizer stores the private key and sends the public key to the signer for storage; the authorizer uses the private key to calculate authentication data and sends the authentication data to the signer for authentication;
a signer, for receiving the public key from the authorizer and storing it, and for using its own stored public key to verify the authentication data obtained from the authorizer; if verification succeeds, authentication passes.
The authorizer comprises:
a first generation unit, for calculating a key pair comprising a public key and a private key that uniquely match each other;
a first arithmetic unit, for obtaining the private key from the first storage unit and using the private key to calculate authentication data;
a first transmitting unit, for obtaining the public key from the first generation unit and sending it to the signer for storage, and for obtaining the authentication data from the first arithmetic unit and sending it to the signer for authentication;
a first storage unit, for storing the private key.
The signer comprises:
a second key verification unit, for obtaining the authentication data from the authorizer, obtaining the public key from the second storage unit, and using the public key to verify the authentication data; if verification succeeds, authentication passes;
a second storage unit, for obtaining the public key from the authorizer and storing it.
The authorizer further stores the authentication code information of the signer; the signer further stores a serial number identifying the unique characteristic of the signer itself; and the authorizer comprises:
a third generation unit, for calculating a key pair comprising a public key and a private key that uniquely match each other;
a third acquiring unit, for obtaining the signer's serial number from the signer and sending the serial number to the third recognition unit;
a third recognition unit, for recognizing the signer's serial number and, based on it, obtaining the authentication code information corresponding to this serial number from the third storage unit;
a third arithmetic unit, for obtaining the private key from the third storage unit and using the private key to calculate authentication data;
a third signature unit, for obtaining the authentication data from the third arithmetic unit, obtaining the authentication code information from the third recognition unit, and writing the authentication data into the authentication code information;
a third transmitting unit, for obtaining the public key from the third generation unit and sending it to the signer for storage, and for obtaining the authentication code information with the written authentication data from the third signature unit and sending it to the signer for authentication;
a third storage unit, for storing the private key and the authentication code information of the signer.
The signer further stores a legal authentication code used for external authentication, and the signer comprises:
a fourth transmitting unit, for obtaining the serial number from the fourth storage unit and sending it to the authorizer;
a fourth key verification unit, for receiving the authentication code information with the written authentication data sent by the authorizer, obtaining the public key from the fourth storage unit, and using the public key to verify the authentication data written in the authentication code information; if verification succeeds, the authentication code information is sent to the fourth authentication code verification unit, and if verification fails, authentication is aborted;
a fourth authentication code verification unit, for obtaining the authentication code information from the fourth key verification unit, obtaining the legal authentication code from the fourth storage unit, and judging whether the authentication code information is consistent with the legal authentication code; if consistent, authentication succeeds, and if inconsistent, authentication is aborted;
a fourth storage unit, for obtaining the public key from the authorizer and storing it, and for storing a serial number identifying the unique characteristic of the signer itself and a legal authentication code used for external authentication.
The authorizer further stores the authentication code information of the signer; the signer further stores a serial number identifying the unique characteristic of the signer itself and generates a random number during the authentication process; and the authorizer comprises:
a fifth generation unit, for calculating a key pair comprising a public key and a private key that uniquely match each other;
a fifth acquiring unit, for obtaining the signer's serial number and the random number from the signer, sending the serial number to the fifth recognition unit and the random number to the fifth arithmetic unit;
a fifth recognition unit, for recognizing the signer's serial number and, based on it, obtaining the authentication code information corresponding to this serial number from the fifth storage unit;
a fifth arithmetic unit, for obtaining the private key from the fifth storage unit and using the private key to calculate authentication data; and for obtaining the authentication code information from the fifth recognition unit and the random number from the fifth acquiring unit and, with an operation rule set in advance, operating on the random number and the authentication code information to obtain computed authentication code information;
a fifth signature unit, for obtaining the authentication data and the computed authentication code information from the fifth arithmetic unit and writing the authentication data into the computed authentication code information;
a fifth transmitting unit, for obtaining the public key from the fifth generation unit and sending it to the signer for storage, and for obtaining the computed authentication code information with the written authentication data from the fifth signature unit and sending it to the signer for authentication;
a fifth storage unit, for storing the private key and the authentication code information of the signer.
The signer further stores a legal authentication code used for external authentication, and the signer comprises:
a random number unit, for generating a random number and sending it to the sixth transmitting unit;
a sixth transmitting unit, for obtaining the serial number from the sixth storage unit and the random number from the random number unit, and sending the serial number and the random number to the authorizer;
a sixth key verification unit, for receiving the computed authentication code information with the written authentication data sent by the authorizer, obtaining the public key from the sixth storage unit, and using the public key to verify the authentication data written in the computed authentication code information; if verification succeeds, the computed authentication code information is sent to the inverse operation unit, and if verification fails, authentication is aborted;
an inverse operation unit, for parsing the authentication code information out of the computed authentication code information and sending the authentication code information to the sixth authentication code verification unit;
a sixth authentication code verification unit, for obtaining the authentication code information from the inverse operation unit, obtaining the legal authentication code from the sixth storage unit, and judging whether the authentication code information is consistent with the legal authentication code; if consistent, authentication succeeds, and if inconsistent, authentication is aborted;
a sixth storage unit, for obtaining the public key from the authorizer and storing it, and for storing a serial number identifying the unique characteristic of the signer itself and a legal authentication code used for external authentication.
An identity authentication method, comprising the steps of:
calculating a key pair comprising a public key and a private key that uniquely match each other;
keeping the private key at the authorizer and the public key at the signer;
the authorizer using the private key to calculate authentication data;
the signer receiving the authentication data from the authorizer and using its own stored public key to verify the authentication data; if verification succeeds, authentication passes.
The step in which the signer receives the authentication data from the authorizer and verifies it with its own stored public key further comprises:
the signer sending its own serial number to the authorizer;
the authorizer using the serial number to obtain the corresponding authentication code information;
the authorizer using the private key to calculate authentication data and writing the authentication data into the authentication code information;
the authorizer sending the authentication code information with the written authentication data to the signer;
the signer using its own stored public key to verify the authentication data written in the authentication code information; if verification succeeds, the authentication code information is authenticated, and if verification fails, authentication is aborted;
judging whether the authentication code information is consistent with the legal authentication code kept by the signer; if consistent, authentication succeeds, and if inconsistent, authentication is aborted.
The step in which the signer receives the authentication data from the authorizer and verifies it with its own stored public key further comprises:
the signer sending its own serial number and a random number to the authorizer;
the authorizer using the serial number to obtain the corresponding authentication code information and, with an operation rule set in advance, operating on the random number and the authentication code information to obtain computed authentication code information;
the authorizer using the private key to calculate authentication data, writing the authentication data into the computed authentication code information, and sending the computed authentication code information with the written authentication data to the signer;
the signer using its own stored public key to verify the authentication data written in the computed authentication code information; if verification succeeds, the computed authentication code information is authenticated, and if verification fails, authentication is aborted;
the signer parsing the authentication code information out of the computed authentication code information;
the signer judging whether the authentication code information is consistent with the legal authentication code it keeps; if consistent, authentication succeeds, and if inconsistent, authentication is aborted.
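The challenge-response described in the steps above (and again in the authorization Key / signature Key embodiment of Fig. 3), as an added example in Go that is not the patent's own code. It assumes an RSA-PSS signature as the "authentication data", byte-wise XOR as the unspecified "operation rule set in advance", an in-memory map as the authorizer's storage, and constructed values for the serial number and authentication code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Authorizer (the authorization Key): private key plus codes keyed by signer serial.
type Authorizer struct {
	priv  *rsa.PrivateKey
	codes map[string][]byte
}

// Signer (the signature Key): only the public key, its serial and its legal code.
type Signer struct {
	pub       *rsa.PublicKey
	serial    string
	legalCode []byte
}

// Challenge is the signer's first message; Response is the computed
// authentication code with the signature ("authentication data") written in.
type Challenge struct{ Serial string; Nonce []byte }
type Response struct{ Computed, Signature []byte }

// combine is the "operation rule set in advance". XOR is an assumption: it is
// its own inverse, so the signer's inverse operation unit reuses this function.
func combine(code, nonce []byte) ([]byte, error) {
	if len(code) != len(nonce) {
		return nil, errors.New("authentication code and random number differ in length")
	}
	out := make([]byte, len(code))
	for i := range code {
		out[i] = code[i] ^ nonce[i]
	}
	return out, nil
}

// Bind is the one-time pairing: generate the key pair, keep the private key
// in the authorizer and hand only the public key to the signer.
func Bind(serial string, code []byte) (*Authorizer, *Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	a := &Authorizer{priv: priv, codes: map[string][]byte{serial: code}}
	s := &Signer{pub: &priv.PublicKey, serial: serial, legalCode: code}
	return a, s, nil
}

// NewChallenge is the signer's random number unit plus its transmitting unit.
func (s *Signer) NewChallenge() (Challenge, error) {
	nonce := make([]byte, len(s.legalCode))
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Serial: s.serial, Nonce: nonce}, nil
}

// Respond: recognition unit (serial lookup), arithmetic unit (combine, sign).
func (a *Authorizer) Respond(c Challenge) (Response, error) {
	code, ok := a.codes[c.Serial]
	if !ok {
		return Response{}, errors.New("unknown signer serial number")
	}
	computed, err := combine(code, c.Nonce)
	if err != nil {
		return Response{}, err
	}
	digest := sha256.Sum256(computed)
	sig, err := rsa.SignPSS(rand.Reader, a.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Response{}, err
	}
	return Response{Computed: computed, Signature: sig}, nil
}

// Verify: key verification unit (only the bound private key satisfies the
// stored public key), inverse operation unit, then constant-time code compare.
func (s *Signer) Verify(c Challenge, r Response) error {
	digest := sha256.Sum256(r.Computed)
	if err := rsa.VerifyPSS(s.pub, crypto.SHA256, digest[:], r.Signature, nil); err != nil {
		return errors.New("authentication data rejected by public key")
	}
	code, err := combine(r.Computed, c.Nonce)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(code, s.legalCode) != 1 {
		return errors.New("authentication code does not match legal code")
	}
	return nil
}
```

Because the signer checks the recovered code against its own fresh nonce, a captured response replayed in a later run still passes the signature check but fails the code comparison, which is the anti-hijacking property the random number step provides.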
From the above technical solution it can be seen that the beneficial effect of the present invention is that, through the unique matching between the authorizer and the signer, the system avoids both the high risk of binding through a virtual link and the complicated inconvenience of hardware binding, realizing a secure and concise binding for the identity authentication system. In addition, by adding a random number operation to the authentication code, the computed authentication code information sent in each authentication is different, which avoids the security hazard that would arise from malicious hijacking of the authentication code.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the system of an embodiment of the invention;
Fig. 2 is a schematic diagram of the system of another embodiment of the invention;
Fig. 3 is a schematic diagram of the system of a further embodiment of the invention;
Fig. 4 is a flow diagram of the method of an embodiment of the invention;
Fig. 5 is a flow diagram of the method of another embodiment of the invention;
Fig. 6 is a flow diagram of the method of a further embodiment of the invention.
Embodiment
In the present invention, a pair of uniquely matched keys is generated; the private key of this key pair is kept at the authorizer of the identity authentication system of the invention, and the public key is kept at the signer. This realizes a unique and fixed correspondence between the authorizer and the signer, that is, it completes the binding of the authorizer to the signer. In use, the bound authorizer and signer accomplish identity authentication by calculating authentication data with the private key and verifying that authentication data with the corresponding public key.
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, a specific embodiment of the system of the invention is disclosed. The system comprises an authorizer and a signer, specifically:
an authorizer, for calculating a key pair comprising a public key and a private key that uniquely match each other; the authorizer stores the private key and sends the public key to the signer for storage; the authorizer uses the private key to calculate authentication data and sends the authentication data to the signer for authentication;
a signer, for receiving the public key from the authorizer and storing it, and for using its own stored public key to verify the authentication data obtained from the authorizer; if verification succeeds, authentication passes.
In this embodiment, the authorizer comprises:
a first generation unit, for calculating a key pair comprising a public key and a private key that uniquely match each other;
a first arithmetic unit, for obtaining the private key from the first storage unit and using the private key to calculate authentication data;
a first transmitting unit, for obtaining the public key from the first generation unit and sending it to the signer for storage, and for obtaining the authentication data from the first arithmetic unit and sending it to the signer for authentication;
a first storage unit, for storing the private key;
and the signer comprises:
a second key verification unit, for obtaining the authentication data from the authorizer, obtaining the public key from the second storage unit, and using the public key to verify the authentication data; if verification succeeds, authentication passes;
a second storage unit, for obtaining the public key from the authorizer and storing it.
In the system of this embodiment, the authorizer and the signer respectively keep the private key and the public key of a uniquely matched pair, which realizes a unique corresponding binding between them. During authentication, the authorizer uses the private key to calculate authentication data; only the public key bound to this private key can verify this authentication data, and the signer regards identity authentication as successful when the authentication data is verified successfully.
This embodiment is the basic embodiment of the system of the invention. The authorizer and signer of this embodiment realize a unique and fixed mutual binding relationship by respectively keeping the private key and the public key of a key pair, and complete identity authentication by calculating and verifying authentication data with the private key and public key. In practical application, the signer is generally placed inside a server or personal computer and the authorizer is inserted into that server or personal computer; the user can complete identity authentication on the server or personal computer through these two devices. The beneficial effect of this embodiment is that the binding between the two parts of the identity authentication system of the invention replaces the binding mode of a traditional identity authentication device, which solves the security problem of a traditional device being bound directly to a virtual link of the server or personal computer, and also solves the inconvenience of a traditional device being bound directly to the hardware of the server or personal computer. In addition, when the server or personal computer fails or needs to be replaced, one only needs to take out the built-in signer and place it inside the new server or personal computer; the binding relationship of the identity authentication system does not change, which makes the system of this embodiment more practical.
Further extending the technical solution of the embodiment shown in Fig. 1 yields the embodiment shown in Fig. 2, specifically:
the authorizer further stores the authentication code information of the signer;
the signer further stores a serial number identifying the unique characteristic of the signer itself and a legal authentication code used for external authentication;
the authorizer comprises:
a third generation unit, for calculating a key pair comprising a public key and a private key that uniquely match each other;
a third acquiring unit, for obtaining the signer's serial number from the signer and sending the serial number to the third recognition unit;
a third recognition unit, for recognizing the signer's serial number and, based on it, obtaining the authentication code information corresponding to this serial number from the third storage unit;
a third arithmetic unit, for obtaining the private key from the third storage unit and using the private key to calculate authentication data;
a third signature unit, for obtaining the authentication data from the third arithmetic unit, obtaining the authentication code information from the third recognition unit, and writing the authentication data into the authentication code information;
a third transmitting unit, for obtaining the public key from the third generation unit and sending it to the signer for storage, and for obtaining the authentication code information with the written authentication data from the third signature unit and sending it to the signer for authentication;
a third storage unit, for storing the private key and the authentication code information of the signer;
and the signer comprises:
a fourth transmitting unit, for obtaining the serial number from the fourth storage unit and sending it to the authorizer;
a fourth key verification unit, for receiving the authentication code information with the written authentication data sent by the authorizer, obtaining the public key from the fourth storage unit, and using the public key to verify the authentication data written in the authentication code information; if verification succeeds, the authentication code information is sent to the fourth authentication code verification unit, and if verification fails, authentication is aborted;
a fourth authentication code verification unit, for obtaining the authentication code information from the fourth key verification unit, obtaining the legal authentication code from the fourth storage unit, and judging whether the authentication code information is consistent with the legal authentication code; if consistent, authentication succeeds, and if inconsistent, authentication is aborted;
a fourth storage unit, for obtaining the public key from the authorizer and storing it, and for storing a serial number identifying the unique characteristic of the signer itself and a legal authentication code used for external authentication.
Compared with the embodiment shown in Fig. 1, this embodiment further realizes the function of authenticating the authentication code information, making the technical solution more complete. Authenticating the authentication code is a preferred solution of the invention; with it, this embodiment, besides completing identity authentication by calculating and verifying authentication data with the private key and public key, also verifies whether the authentication code kept by the authorizer is consistent with the legal authentication code of the signer, which further improves the security of the system.
Referring to Fig. 3, another specific embodiment disclosed by the invention is shown. The application scenario chosen in this embodiment is as follows: to interface the online banking system with an enterprise, the bank deploys a front-end server in the enterprise, and the front-end server must pass identity authentication before it can carry out network transactions for the enterprise. In this embodiment the system is actually a kind of USBKey which, unlike a traditional USBKey, comprises two distinct functional entities, namely an authorization Key and a signature Key. In this embodiment the authorizer is the authorization Key and the signer is the signature Key. The signature Key is placed inside the front-end server, and the authorization Key is connected to the front-end server through the USB interface; after the authorization Key is connected to the front-end server, the signature Key authenticates it, and the signature Key allows only the authorization Key uniquely bound to itself to pass authentication. Specifically:
the authorizer further stores the authentication code information of the signer;
the signer further stores a serial number identifying the unique characteristic of the signer itself and a legal authentication code used for external authentication, and generates a random number during the authentication process;
the authorizer comprises:
a fifth generation unit, for calculating a key pair comprising a public key and a private key that uniquely match each other;
a fifth acquiring unit, for obtaining the signer's serial number and the random number from the signer, sending the serial number to the fifth recognition unit and the random number to the fifth arithmetic unit;
a fifth recognition unit, for recognizing the signer's serial number and, based on it, obtaining the authentication code information corresponding to this serial number from the fifth storage unit;
a fifth arithmetic unit, for obtaining the private key from the fifth storage unit and using the private key to calculate authentication data; and for obtaining the authentication code information from the fifth recognition unit and the random number from the fifth acquiring unit and, with an operation rule set in advance, operating on the random number and the authentication code information to obtain computed authentication code information;
a fifth signature unit, for obtaining the authentication data and the computed authentication code information from the fifth arithmetic unit and writing the authentication data into the computed authentication code information;
a fifth transmitting unit, for obtaining the public key from the fifth generation unit and sending it to the signer for storage, and for obtaining the computed authentication code information with the written authentication data from the fifth signature unit and sending it to the signer for authentication;
a fifth storage unit, for storing the private key and the authentication code information of the signer;
and the signer comprises:
a random number unit, for generating a random number and sending it to the sixth transmitting unit;
a sixth transmitting unit, for obtaining the serial number from the sixth storage unit and the random number from the random number unit, and sending the serial number and the random number to the authorizer;
a sixth key verification unit, for receiving the computed authentication code information with the written authentication data sent by the authorizer, obtaining the public key from the sixth storage unit, and using the public key to verify the authentication data written in the computed authentication code information; if verification succeeds, the computed authentication code information is sent to the inverse operation unit, and if verification fails, authentication is aborted;
an inverse operation unit, for parsing the authentication code information out of the computed authentication code information and sending the authentication code information to the sixth authentication code verification unit;
a sixth authentication code verification unit, for obtaining the authentication code information from the inverse operation unit, obtaining the legal authentication code from the sixth storage unit, and judging whether the authentication code information is consistent with the legal authentication code; if consistent, authentication succeeds, and if inconsistent, authentication is aborted;
a sixth storage unit, for obtaining the public key from the authorizer and storing it, and for storing a serial number identifying the unique characteristic of the signer itself and a legal authentication code used for external authentication.
In this embodiment, the generation unit generates a key pair comprising a public key and a private key that uniquely match each other; the signing Key stores the public key and the authorizing Key stores the private key, which realizes the binding between the signing Key and the authorizing Key. The public key can only resolve authentication data produced by operation of the corresponding private key, which is to say that the signing Key allows only the unique authorizing Key bound to itself to pass authentication. The method of calculating the key pair specifically adopts the RSA algorithm; the RSA algorithm is known in the technical field and is not described further here.
In some practical cases of this embodiment, the authorizing Key and the signing Key are obtained by modifying a traditional USB Key, whose identity authentication mode is to authenticate by manual entry of a PIN code. The system of this embodiment authenticates by generating and resolving authentication data with the key pair, combined with authentication code verification, and does not need manual entry of a PIN code. Therefore, in the system of this embodiment, the PIN-code authentication path of the signing Key is closed, to prevent authentication by any means other than the key pair and the authentication code, which improves security.
In this embodiment, the fifth arithmetic unit operates on the random number and the authentication code information by the operation rule; the computed authentication code information can be illustrated by the following case:
The authentication code information is a string of four digits, 0000. In a certain authentication process the generated random number is 2. The computation rule set in advance in this embodiment is: add the random number to each digit of the authentication code information and keep only the last digit of the result. Operating on the authentication code information and the random number according to this rule, the computed authentication code information obtained is the four-digit string 2222.
Correspondingly, an inverse rule matching the above operation rule is set in the inverse operation unit, namely: subtract the random number from each digit of the computed authentication code information, and if the digit is smaller than the random number, add 10 before subtracting. With this inverse rule, the authentication code information 0000 is parsed out of the computed authentication code information 2222.
In this embodiment the USB Key is divided into two: the authorizing Key is bound by the key pair to the signing Key placed inside the front-end server, thereby realizing the binding of the USB Key to the front-end server. This form of binding differs from traditional virtual-link binding or hardware binding, so it avoids the risk of intrusion and modification present in virtual-link binding and also avoids the restrictions of hardware binding, improving both security and convenience.
This embodiment is a preferred version of the invention. Besides the two authentication links of generating and resolving authentication data with the key pair and of verifying the authentication code, it also includes the processes of operating on the random number and the authentication code and of the inverse operation. Thus, besides the beneficial effects of the two embodiments illustrated in Figures 1 and 2, this embodiment has the following beneficial effect:
Through the above operation on the random number and the authentication code information, the random number changes in every authentication, so the computed authentication code information that the authorization end sends to the signature end may differ each time, which prevents the authentication process from being defeated by malicious interception of the authentication code information.
Corresponding to the identity authentication system of the invention, the invention also discloses an embodiment of an identity authentication method; with reference to Figure 4, the specific steps are as follows:
calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other;
storing the private key at the authorization end and the public key at the signature end;
the authorization end calculating authentication data with the private key;
the signature end receiving the authentication data of the authorization end and resolving the authentication data with the public key it stores; if resolving succeeds, authentication passes.
This embodiment is a basic embodiment of the method of the invention. The authorization end and the signature end of this embodiment realize a unique and fixed mutual binding relationship by respectively holding the private key and the public key of one key pair, and complete authentication by calculating and resolving authentication data with the private key and the public key. In concrete applications, the signature end can generally be placed inside a server or personal computer and the authorization end inserted into the server or personal computer, and the user completes authentication on the server or personal computer through these two devices. The beneficial effect of this embodiment is that the binding between the two parts of the identity authentication method of the invention replaces the binding mode of a traditional identity authentication device, solving the security problem that arises when a traditional identity authentication device is bound directly to a server or personal computer by a virtual link, and also the inconvenience of use that arises when it is bound directly to the hardware of the server or personal computer. In addition, when the server or personal computer breaks down or needs to be replaced, it suffices to take out the built-in signature end and place it inside the new server or personal computer; the binding relationship of the identity authentication method does not change, which makes the method of this embodiment more practical.
Further extending the embodiment illustrated in Figure 4 gives another method embodiment, as shown in Figure 5, whose specific steps are as follows:
the signature end sending its own sequence number to the authorization end;
the authorization end obtaining the corresponding authentication code information using the sequence number; the authorization end calculating authentication data with the private key and writing the authentication data into the authentication code information;
the authorization end sending the authentication code information with the authentication data written in to the signature end;
the signature end resolving the authentication data written into the authentication code information with the public key it stores; if resolving succeeds, verifying the authentication code information, and if it fails, interrupting authentication;
judging whether the authentication code information is consistent with the legal authentication code kept by the signature end; if consistent, authentication succeeds, and if inconsistent, authentication is interrupted.
Compared with the embodiment illustrated in Figure 4, this embodiment further realizes the function of verifying the authentication code information, making the technical solution more complete. The link of verifying the authentication code is a preferred version of the invention; through it, when this embodiment completes authentication by calculating and resolving authentication data with the private key and the public key, it additionally verifies whether the authentication code kept by the authorization end is consistent with the legal authentication code of the signature end, which further improves the security of the system.
Corresponding to the system embodiment shown in Figure 3, the invention discloses another method embodiment; with reference to Figure 6, the specific steps are:
calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other;
storing the private key at the authorization end and the public key at the signature end;
the signature end sending its own sequence number and a random number to the authorization end;
the authorization end obtaining the corresponding authentication code information using the sequence number and, with an operation rule set in advance, operating on the random number and the authentication code information to obtain computed authentication code information;
the authorization end calculating authentication data with the private key, writing the authentication data into the computed authentication code information, and sending the computed authentication code information with the authentication data written in to the signature end;
the signature end resolving the authentication data written into the computed authentication code information with the public key it stores; if resolving succeeds, verifying the computed authentication code information, and if it fails, interrupting authentication;
the signature end parsing the authentication code information out of the computed authentication code information;
the signature end judging whether the authentication code information is consistent with the legal authentication code it keeps; if consistent, authentication succeeds, and if inconsistent, authentication is interrupted.
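The Figure 6 method and the operation rule above (authentication code 0000, random number 2, computed code 2222), worked through end to end as an added example in Go; this is not code from the patent. The type names, the sequence number SN-0001, the choice of RSA PKCS#1 v1.5 over SHA-256 for the authentication data, and binding the sequence number and random number into the signed digest are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// AuthorizerKey models the authorizing Key: the private key plus, per signature-end sequence number, its authentication code.
type AuthorizerKey struct {
	priv  *rsa.PrivateKey
	codes map[string]string // constructed sample table
}

// SignerKey models the signing Key inside the front-end server: public key, own sequence number, legal authentication code.
type SignerKey struct {
	pub       *rsa.PublicKey
	serial    string
	legalCode string
}

// ApplyRule is the page's operation rule: add the random number to each digit and keep only the last digit of each sum.
func ApplyRule(code string, r int) string {
	out := make([]byte, 0, len(code))
	for _, c := range code {
		out = append(out, byte('0'+(int(c-'0')+r)%10))
	}
	return string(out)
}

// InverseRule is the page's inverse rule: subtract the random number from each digit, adding 10 first when the digit is smaller. Wire input is validated.
func InverseRule(computed string, r int) (string, error) {
	out := make([]byte, 0, len(computed))
	for _, c := range computed {
		if c < '0' || c > '9' {
			return "", fmt.Errorf("computed authentication code must be decimal digits, got %q", c)
		}
		d := int(c - '0')
		if d < r {
			d += 10
		}
		out = append(out, byte('0'+d-r))
	}
	return string(out), nil
}

// NewPair is the key-pair calculation step: the private key stays with the authorization end, the public key goes to the signature end.
func NewPair(serial, code string, bits int) (*AuthorizerKey, *SignerKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return &AuthorizerKey{priv: priv, codes: map[string]string{serial: code}}, &SignerKey{pub: &priv.PublicKey, serial: serial, legalCode: code}, nil
}

// digest is what the authentication data signs; binding the sequence number and the random number into it is this example's assumption.
func digest(serial string, r int, computed string) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", serial, r, computed)))
}

// Challenge: the signature end sends its sequence number and a fresh random number (one decimal digit, as in the page's case).
func (s *SignerKey) Challenge() (string, int, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(10))
	if err != nil {
		return "", 0, err
	}
	return s.serial, int(n.Int64()), nil
}

// Respond: the authorization end looks up the code for the sequence number, applies the rule, and writes the authentication data (signature) in.
func (a *AuthorizerKey) Respond(serial string, r int) (computed string, authData []byte, err error) {
	code, ok := a.codes[serial]
	if !ok {
		return "", nil, fmt.Errorf("unknown sequence number %q", serial)
	}
	computed = ApplyRule(code, r)
	d := digest(serial, r, computed)
	authData, err = rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.SHA256, d[:])
	return computed, authData, err
}

// Verify: the signature end resolves the authentication data with its public key, then applies the inverse rule and compares with the legal code.
func (s *SignerKey) Verify(computed string, authData []byte, r int) error {
	d := digest(s.serial, r, computed)
	if err := rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, d[:], authData); err != nil {
		return fmt.Errorf("authentication interrupted: public key cannot resolve the authentication data")
	}
	code, err := InverseRule(computed, r)
	if err != nil {
		return fmt.Errorf("authentication interrupted: %w", err)
	}
	if code != s.legalCode {
		return fmt.Errorf("authentication interrupted: authentication code does not match the legal code")
	}
	return nil
}
```

Because the random number is part of the signed digest, a captured response is rejected under any other random number, which is the replay property the page attributes to the random number step; an authorizing Key holding a different private key is rejected at the public-key step, which is the binding property.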
This embodiment is a preferred version of the invention. Besides the two authentication links of generating and resolving authentication data with the key pair and of verifying the authentication code, it also includes the processes of operating on the random number and the authentication code and of the inverse operation. Thus, besides the beneficial effects of the two embodiments shown in Figures 4 and 5, this embodiment has the following beneficial effect:
Through the above operation on the random number and the authentication code information, the random number changes in every authentication, so the computed authentication code information that the authorization end sends to the signature end may differ each time, which prevents the authentication process from being defeated by malicious interception of the authentication code information.
The above is only a preferred implementation of the invention. It should be pointed out that those skilled in the art can make several improvements and refinements without departing from the principle of the invention, and these improvements and refinements should also be regarded as falling within the protection scope of the invention.

Claims (10)

1. An identity authentication system, characterized in that the system comprises:
an authorization end, for calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other; the authorization end stores the private key and sends the public key to a signature end for storage; the authorization end calculates authentication data with the private key and sends the authentication data to the signature end for authentication;
a signature end, for receiving the public key from the authorization end and storing it, and for resolving the authentication data obtained from the authorization end with the public key it stores; if resolving succeeds, authentication passes.
2. The system according to claim 1, characterized in that the authorization end comprises:
a first generation unit, for calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other;
a first arithmetic unit, for obtaining the private key from the first memory unit and calculating authentication data with the private key;
a first transmitting unit, for obtaining the public key from the first generation unit and sending it to the signature end for storage; and for obtaining the authentication data from the first arithmetic unit and sending it to the signature end for authentication;
a first memory unit, for storing the private key.
3. The system according to claim 2, characterized in that the signature end comprises:
a second key authentication unit, for obtaining the authentication data from the authorization end, obtaining the public key from the second memory unit, and resolving the authentication data with the public key; if resolving succeeds, authentication passes;
a second memory unit, for obtaining the public key from the authorization end and storing it.
4. The system according to claim 1, characterized in that the authorization end also stores the authentication code information of the signature end, the signature end also stores a sequence number identifying its own unique characteristics, and the authorization end comprises:
a third generation unit, for calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other;
a third acquiring unit, for obtaining the sequence number of the signature end from the signature end and sending the sequence number to the third recognition unit;
a third recognition unit, for recognizing the sequence number of the signature end and, on that basis, obtaining the authentication code information corresponding to this sequence number from the third memory unit;
a third arithmetic unit, for obtaining the private key from the third memory unit and calculating authentication data with the private key;
a third signature unit, for obtaining the authentication data from the third arithmetic unit, obtaining the authentication code information from the third recognition unit, and writing the authentication data into the authentication code information;
a third transmitting unit, for obtaining the public key from the third generation unit and sending it to the signature end for storage; and for obtaining from the third signature unit the authentication code information with the authentication data written in and sending it to the signature end for authentication;
a third memory unit, for storing the private key and the authentication code information of the signature end.
5. The system according to claim 4, characterized in that the signature end also stores a legal authentication code used for external authentication, and the signature end comprises:
a fourth transmitting unit, for obtaining the sequence number from the fourth memory unit and sending it to the authorization end;
a fourth key authentication unit, for receiving the authentication code information with the authentication data written in, sent by the authorization end, obtaining the public key from the fourth memory unit, and resolving with the public key the authentication data written into the authentication code information; if resolving succeeds, the authentication code information is sent to the fourth authentication code verification unit, and if it fails, authentication is interrupted;
a fourth authentication code verification unit, for obtaining the authentication code information from the fourth key authentication unit, obtaining the legal authentication code from the fourth memory unit, and judging whether the authentication code information is consistent with the legal authentication code; if consistent, authentication succeeds, and if inconsistent, authentication is interrupted;
a fourth memory unit, for obtaining the public key from the authorization end and storing it, and for storing a sequence number identifying the signature end's own unique characteristics and a legal authentication code used for external authentication.
6. The system according to claim 1, characterized in that the authorization end also stores the authentication code information of the signature end, the signature end also stores a sequence number identifying its own unique characteristics and generates a random number during the authentication process, and the authorization end comprises:
a fifth generation unit, for calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other;
a fifth acquiring unit, for obtaining the sequence number and the random number of the signature end from the signature end, sending the sequence number to the fifth recognition unit and the random number to the fifth arithmetic unit;
a fifth recognition unit, for recognizing the sequence number of the signature end and, on that basis, obtaining the authentication code information corresponding to this sequence number from the fifth memory unit;
a fifth arithmetic unit, for obtaining the private key from the fifth memory unit and calculating authentication data with the private key; and for obtaining the authentication code information from the fifth recognition unit and the random number from the fifth acquiring unit and, with an operation rule set in advance, operating on the random number and the authentication code information to obtain computed authentication code information;
a fifth signature unit, for obtaining the authentication data and the computed authentication code information from the fifth arithmetic unit and writing the authentication data into the computed authentication code information;
a fifth transmitting unit, for obtaining the public key from the fifth generation unit and sending it to the signature end for storage; and for obtaining from the fifth signature unit the computed authentication code information with the authentication data written in and sending it to the signature end for authentication;
a fifth memory unit, for storing the private key and the authentication code information of the signature end.
7. The system according to claim 6, characterized in that the signature end also stores a legal authentication code used for external authentication, and the signature end comprises:
a random number unit, for generating a random number and sending it to the sixth transmitting unit;
a sixth transmitting unit, for obtaining the sequence number from the sixth memory unit and the random number from the random number unit, and sending the sequence number and the random number to the authorization end;
a sixth key authentication unit, for receiving the computed authentication code information with the authentication data written in, sent by the authorization end, obtaining the public key from the sixth memory unit, and resolving with the public key the authentication data written into the computed authentication code information; if resolving succeeds, the computed authentication code information is sent to the inverse operation unit, and if it fails, authentication is interrupted;
an inverse operation unit, for parsing the authentication code information out of the computed authentication code information and sending the authentication code information to the sixth authentication code verification unit;
a sixth authentication code verification unit, for obtaining the authentication code information from the inverse operation unit, obtaining the legal authentication code from the sixth memory unit, and judging whether the authentication code information is consistent with the legal authentication code; if consistent, authentication succeeds, and if inconsistent, authentication is interrupted;
a sixth memory unit, for obtaining the public key from the authorization end and storing it, and for storing a sequence number identifying the signature end's own unique characteristics and a legal authentication code used for external authentication.
8. An identity authentication method, characterized in that the method comprises the steps of:
calculating a key pair, the key pair comprising a public key and a private key that uniquely match each other;
storing the private key at the authorization end and the public key at the signature end;
the authorization end calculating authentication data with the private key;
the signature end receiving the authentication data of the authorization end and resolving the authentication data with the public key it stores; if resolving succeeds, authentication passes.
9. The method according to claim 8, characterized in that the signature end receiving the authentication data of the authorization end and resolving the authentication data with the public key it stores further comprises:
the signature end sending its own sequence number to the authorization end;
the authorization end obtaining the corresponding authentication code information using the sequence number;
the authorization end calculating authentication data with the private key and writing the authentication data into the authentication code information;
the authorization end sending the authentication code information with the authentication data written in to the signature end;
the signature end resolving the authentication data written into the authentication code information with the public key it stores; if resolving succeeds, verifying the authentication code information, and if it fails, interrupting authentication;
judging whether the authentication code information is consistent with the legal authentication code kept by the signature end; if consistent, authentication succeeds, and if inconsistent, authentication is interrupted.
10. The method according to claim 8, characterized in that the signature end receiving the authentication data of the authorization end and resolving the authentication data with the public key it stores further comprises:
the signature end sending its own sequence number and a random number to the authorization end;
the authorization end obtaining the corresponding authentication code information using the sequence number and, with an operation rule set in advance, operating on the random number and the authentication code information to obtain computed authentication code information;
the authorization end calculating authentication data with the private key, writing the authentication data into the computed authentication code information, and sending the computed authentication code information with the authentication data written in to the signature end;
the signature end resolving the authentication data written into the computed authentication code information with the public key it stores; if resolving succeeds, verifying the computed authentication code information, and if it fails, interrupting authentication;
the signature end parsing the authentication code information out of the computed authentication code information;
the signature end judging whether the authentication code information is consistent with the legal authentication code it keeps; if consistent, authentication succeeds, and if inconsistent, authentication is interrupted.
CN2012100786299A 2012-03-22 2012-03-22 Identity authentication system and method Pending CN102594843A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120718