CN105939196A - Identity authentication method and system - Google Patents


Info

Publication number
CN105939196A
Authority
CN
China
Prior art keywords
information
user
safety device
identity card
user identity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610146855.4A
Other languages
Chinese (zh)
Other versions
CN105939196B (en)
Inventor
李东声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tendyron Corp
Tendyron Technology Co Ltd
Original Assignee
Tendyron Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tendyron Technology Co Ltd filed Critical Tendyron Technology Co Ltd
Priority to CN201610146855.4A priority Critical patent/CN105939196B/en
Publication of CN105939196A publication Critical patent/CN105939196A/en
Application granted granted Critical
Publication of CN105939196B publication Critical patent/CN105939196B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16 Human faces, e.g. facial parts, sketches or expressions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention provides an identity authentication method and system. The identity authentication method comprises the following steps: an authentication server stores identification information of an information security device in association with user identity card information; the information security device prompts a user to input a personal identification code and verifies whether the personal identification code input by the user is correct; an application program receives login information input by the user; an application server receives the login information and judges whether the login information is correct; a terminal generates an identity authentication request and sends the identity authentication request to the authentication server; the authentication server receives the identity authentication request and authenticates the user identity card information; the authentication server generates to-be-authenticated information; the information security device obtains the to-be-authenticated information and generates an identification image from it; the terminal obtains a group photo image and sends the group photo image to the authentication server; and the authentication server receives the group photo image and authenticates the identification image and the face image in the group photo image.

Description

Identity authentication method and system
Technical field
The present invention relates to the field of identity authentication, and in particular to an identity authentication method and system for use in remote account opening.
Background
Traditionally, to open an account a person has to go to a business office and complete the account-opening procedure there. For example, when opening a securities account, the securities company requires the user to complete the procedure on site at the securities company so that it can verify the account holder's identity; when applying for a bank card, the bank requires the user to complete the procedure at the bank counter so that it can verify the account holder's identity.
With the development of electronic technology, remote account opening has begun to enter people's lives, and people have begun trying to open accounts remotely over the network. However, how to authenticate the user's identity during remote account opening is a technical problem that urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least one of the above problems.
One object of the present invention is to provide an identity authentication method;
Another object of the present invention is to provide an identity authentication system.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides an identity authentication method, including: the authentication server stores the identification information of the information security device in association with the user identity card information, where the user identity card information includes the resident identity card number, name, date of birth, address, card validity period and/or the face image of the user; the information security device is connected to the terminal, powers on, and establishes a communication connection with the terminal; the information security device prompts the user to enter a PIN; the information security device receives the PIN entered by the user and verifies whether it is correct, and if it is incorrect, prompts the user to re-enter the PIN; after the user opens the application program used for identity authentication, the terminal prompts the user to enter login information; the application program receives the login information entered by the user and sends the received login information to the application server; the application server receives the login information and judges whether it is correct; if it is correct, the terminal allows the user to log in to the application program, and if it is incorrect, the terminal prompts the user to re-enter the login information; the terminal generates an identity authentication request through the application program and sends the identity authentication request to the authentication server, where the identity authentication request carries user identity information, and the user identity information includes the user identity card information and the identification information of the information security device; the authentication server receives the identity authentication request and authenticates the user identity card information; after the user identity card information passes authentication, the authentication server applies a preset algorithm to the user identity information to compute the to-be-authenticated information; the information security device obtains the to-be-authenticated information and, using it as an input parameter, generates an identification image according to a preset identification image generation strategy; the information security device displays the identification image on its display screen; after the information security device generates the identification image, the terminal prompts the user to upload a group photo image containing the user's face image and the identification image; the terminal obtains the group photo image and sends it to the authentication server; the authentication server receives the group photo image and authenticates the identification image and the face image in the group photo image.
In addition, before the terminal generates the identity authentication request through the application program, the method further includes: an identity card reading module reads the user identity card information from the user's resident identity card; the information security device obtains the user identity card information, encrypts it with a first encryption key to generate encrypted user identity card information, and sends the user identity information to the terminal, where the user identity information includes the encrypted user identity card information and the identification information of the information security device. After the authentication server receives the identity authentication request and before it authenticates the user identity card information, the method further includes: the authentication server decrypts the received encrypted user identity card information with a first decryption key to obtain the user identity card information.
In addition, after the information security device generates the encrypted user identity card information and before it sends the user identity information to the terminal, the method further includes: the information security device uses a hash algorithm to compute hash data of the encrypted user identity card information, and encrypts the hash data with the private key it stores to generate first data; the user identity information further includes the first data. Before the authentication server decrypts the received encrypted user identity card information with the first decryption key, the method further includes: the authentication server decrypts the received first data with the public key of the information security device to obtain hash data, uses the hash algorithm to compute hash data of the received encrypted user identity card information, and then compares whether the hash data obtained by public-key decryption is identical to the hash data it computed.
In addition, the authentication server authenticating the user identity card information includes: the authentication server obtains, according to the identification information of the information security device, the pre-stored user identity card information corresponding to that identification information; the authentication server compares the user identity card information it obtained with the user identity card information obtained by decryption; if they match, the user identity card information passes authentication, and otherwise identity authentication is terminated.
In addition, authenticating the identification image and the face image in the group photo image includes: the authentication server recognizes the to-be-authenticated information from the identification image in the group photo image according to a preset identification image recognition strategy, and compares the recognized to-be-authenticated information with the to-be-authenticated information it generated itself; if they are identical, the identification image passes authentication. If the identification image passes authentication, the authentication server compares whether the face image in the pre-stored user identity card information matches the face image in the received group photo image; if they match, identity authentication passes.
Another aspect of the present invention provides an identity authentication system, characterized in that the system includes an information security device, a terminal, an authentication server and an application server, where: the authentication server is configured to store the identification information of the information security device in association with the user identity card information, where the user identity card information includes the resident identity card number, name, date of birth, address, card validity period and/or the face image of the user; the information security device is configured to connect to the terminal and establish a communication connection with the terminal, and is further configured to prompt the user to enter a PIN, receive the PIN entered by the user, verify whether the PIN entered by the user is correct and, if it is incorrect, prompt the user to re-enter the PIN; the terminal is configured to prompt the user to enter login information after the user opens the application program used for identity authentication; the application server is configured to receive the login information sent by the application program, where the login information is obtained by the application program receiving the login information entered by the user; the application server is further configured to judge whether the login information is correct; if it is correct, the terminal is further configured to allow the user to log in to the application program, and if it is incorrect, the terminal is further configured to prompt the user to re-enter the login information; the terminal is further configured to generate an identity authentication request through the application program and send the identity authentication request to the authentication server, where the identity authentication request carries user identity information, and the user identity information includes the user identity card information and the identification information of the information security device; the authentication server is further configured to receive the identity authentication request and authenticate the user identity card information, and, after the user identity card information passes authentication, to apply a preset algorithm to the user identity information to compute the to-be-authenticated information; the information security device is further configured to obtain the to-be-authenticated information, generate an identification image from it as an input parameter according to a preset identification image generation strategy, and display the identification image on its display screen; the terminal is further configured to prompt the user, after the information security device generates the identification image, to upload a group photo image containing the user's face image and the identification image, and to obtain the group photo image and send it to the authentication server; the authentication server is further configured to receive the group photo image and authenticate the identification image and the face image in the group photo image.
In addition, the system further includes an identity card reading module. The identity card reading module is configured to read the user identity card information from the resident identity card; the information security device is further configured to obtain the user identity card information, encrypt it with a first encryption key to generate encrypted user identity card information, and send the user identity information to the terminal, where the user identity information includes the encrypted user identity card information and the identification information of the information security device; the authentication server is configured to decrypt the received encrypted user identity card information with a first decryption key to obtain the user identity card information.
In addition, the information security device is further configured to use a hash algorithm to compute hash data of the encrypted user identity card information, and to encrypt the hash data with the private key it stores to generate first data; the authentication server is further configured to decrypt the received first data with the public key of the information security device to obtain hash data, use the hash algorithm to compute hash data of the received encrypted user identity card information, and then compare whether the hash data obtained by public-key decryption is identical to the hash data it computed.
In addition, the authentication server is further configured to obtain, according to the identification information of the information security device, the pre-stored user identity card information corresponding to that identification information, and to compare the user identity card information it obtained with the user identity card information obtained by decryption; if they match, the user identity card information passes authentication, and otherwise identity authentication is terminated.
In addition, the authentication server is further configured to recognize the to-be-authenticated information from the identification image in the group photo image according to a preset identification image recognition strategy, and to compare the recognized to-be-authenticated information with the to-be-authenticated information it generated itself; if they are identical, the identification image passes authentication. The authentication server is further configured, if the identification image passes authentication, to compare whether the face image in the pre-stored user identity card information matches the face image in the received group photo image; if they match, identity authentication passes.
As can be seen from the technical solution provided above, the present invention provides an identity authentication method and system. With this identity authentication method, the authentication server stores the identification information of the information security device in association with the user identity card information and uses that association to authenticate the user identity card information, which prevents an impostor from opening an account when the information security device or the identity card has been lost. In addition, the information security device generates an identification image from the to-be-authenticated information and the authentication server authenticates the identification image in the group photo image, which authenticates the information security device. Furthermore, the authentication server authenticates the user's face image in the group photo image, which prevents an impostor from opening an account even when both the identity card and the information security device have been lost.
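The association check, the to-be-authenticated information and the identification image comparison described above, as an added illustration that is not part of the patent text. The patent leaves the preset algorithm and the image generation strategy unspecified, so HMAC-SHA-256 over the identity information plus a fresh nonce, the 8 x 8 cell layout, single-use challenges and every name below are assumptions; recognizing the image in a photo and face matching are not shown.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

GRID = 8  # assumed image layout: 8 x 8 black/white cells carrying 64 bits


def encode_image(challenge: bytes) -> List[List[int]]:
    """Device side: turn the to-be-authenticated information into a cell matrix."""
    if len(challenge) * 8 != GRID * GRID:
        raise ValueError("challenge must be exactly 64 bits")
    bits = [(byte >> (7 - i)) & 1 for byte in challenge for i in range(8)]
    return [bits[r * GRID:(r + 1) * GRID] for r in range(GRID)]


def decode_image(grid: List[List[int]]) -> bytes:
    """Server side: rebuild the bytes from the cells recognized in the group photo."""
    if len(grid) != GRID or any(len(row) != GRID for row in grid):
        raise ValueError("unexpected image geometry")
    bits = [cell for row in grid for cell in row]
    if any(bit not in (0, 1) for bit in bits):
        raise ValueError("cell value is not a bit")
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[n:n + 8]))
        for n in range(0, len(bits), 8)
    )


class AuthServer:
    """Hypothetical authentication server; key handling and storage are simplified."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: Dict[str, dict] = {}   # device id -> stored identity card info
        self._pending: Dict[str, bytes] = {}  # device id -> outstanding challenge

    def enroll(self, device_id: str, id_info: dict) -> None:
        # Associated storage, done when the device is issued to the user.
        self._records[device_id] = dict(id_info)

    def authenticate_id_info(self, device_id: str, id_info: dict) -> bool:
        # Look the record up by device id, then compare with what was submitted.
        stored = self._records.get(device_id)
        return stored is not None and stored == id_info

    def issue_challenge(self, device_id: str, id_info: dict) -> Optional[bytes]:
        # Only generate to-be-authenticated information after the card info passes.
        if not self.authenticate_id_info(device_id, id_info):
            return None
        nonce = secrets.token_bytes(16)  # assumption: makes every challenge unique
        message = json.dumps([device_id, id_info], sort_keys=True).encode() + nonce
        digest = hmac.new(self._key, message, hashlib.sha256).digest()
        challenge = digest[:GRID * GRID // 8]
        self._pending[device_id] = challenge
        return challenge

    def verify_image(self, device_id: str, grid: List[List[int]]) -> bool:
        # pop() makes the challenge single use, so a resubmitted photo fails.
        expected = self._pending.pop(device_id, None)
        if expected is None:
            return False
        try:
            recovered = decode_image(grid)
        except (ValueError, TypeError):
            return False
        return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    server = AuthServer(secrets.token_bytes(32))
    info = {"id_number": "CONSTRUCTED-0001", "name": "Test User"}  # constructed sample
    server.enroll("DEVICE-SN-1", info)
    image = encode_image(server.issue_challenge("DEVICE-SN-1", info))
    print("first submission:", server.verify_image("DEVICE-SN-1", image))
    print("replayed submission:", server.verify_image("DEVICE-SN-1", image))
```

Because the server keeps the value it generated and discards it after one comparison, a photo captured in an earlier session cannot satisfy a later one.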
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of an identity authentication method provided by Embodiment 1 of the present invention;
Fig. 2 is a system block diagram of an identity authentication system provided by Embodiment 3 of the present invention;
Fig. 3 is a system block diagram of another identity authentication system provided by Embodiment 3 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that orientation or position terms such as "center", "longitudinal", "lateral", "up", "down", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientations or positions shown in the drawings. They are used only to make the description easier and simpler, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, so they are not to be understood as limiting the present invention. In addition, the terms "first" and "second" are used for description only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise clearly specified and limited, the terms "install", "connected" and "connect" are to be interpreted broadly. For example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct or indirect through an intermediary; and it may be a connection inside two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific situation.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
Fig. 1 is a flow chart of an identity authentication method provided by this embodiment. As shown in Fig. 1, the identity authentication method provided by this embodiment includes the following steps:
Step 101: the authentication server stores the identification information of the information security device in association with the user identity card information, where the user identity card information includes the resident identity card number, name, date of birth, address, card validity period and/or the face image of the user;
In this embodiment, the identification information of the information security device may be the digital certificate of the information security device or the serial number of the information security device. This embodiment does not impose a specific limit: any identification information that uniquely identifies the information security device falls within the protection scope of the present invention.
In this embodiment, the user identity card information includes the resident identity card number, name, date of birth, address, card validity period and/or the face image of the user. The user's identity card information may of course also include fingerprint information or other information. Preferably, the user identity card information includes at least the face image of the user, so that the face image in the group photo image can be authenticated later.
In this embodiment, the authentication server is a server that stores user information or authenticates received user information, and it stores the identification information of the information security device in association with the user identity card information. For example, before opening an account remotely, the user needs to obtain from the bank an information security device dedicated to account opening (such as a U-shield). When this information security device is issued, the authentication server stores the serial number or digital certificate of the information security device in association with the identity card information of the identity card provided by the user. Once the device has been issued, the user can use it to open accounts remotely. After the authentication server has stored the identification information of the information security device in association with the user identity card information, the user can use the information security device repeatedly to have their identity authenticated for remote account opening, without going to the bank or the securities company each time.
In this embodiment, the information security device may be a device with identity authentication and digital signature functions, such as a USB key (for example the ICBC U-shield or the Agricultural Bank of China K-Bao), an audio key, or a smart card with an electronic signature function; it may of course also be an electronic token or dynamic password card.
Step 102: the information safety device is connected to the terminal, powers on, and sets up a communication connection with the terminal;
In the present embodiment, the terminal can be a computer, a mobile phone or the like. The information safety device can be connected to the terminal in a wired manner, for example through a USB interface or an audio interface. It can of course also be connected wirelessly, for example through Bluetooth, infrared, NFC near-field communication or visible light communication. Once connected, the information safety device sets up a communication connection with the terminal, which allows data to be transmitted between the information safety device and the terminal.
Step 103: the information safety device prompts the user to input a PIN;
In the present embodiment, the PIN is the power-on PIN code of the information safety device. Specifically, after powering on, the information safety device enters the start-up interface and prompts the user to input the PIN. Prompting for the PIN confirms the identity of the user and ensures that the information safety device is used safely: if the user loses the information safety device, an unauthorized person cannot use the lost device to open an account remotely.
Step 104: the information safety device receives the PIN input by the user and verifies whether it is correct; if it is incorrect, the device prompts the user to re-enter the PIN;
In the present embodiment, after the information safety device prompts the user to input the PIN, the user can input the PIN on the information safety device itself; alternatively, the user can input the PIN on the terminal connected to the information safety device, and the terminal then sends the PIN input by the user to the information safety device.
In the present embodiment, after receiving the PIN input by the user, the information safety device compares the received PIN with the PIN stored in the information safety device. If they differ, the PIN input by the user is incorrect, and the user is prompted to re-enter the PIN. If they are identical, the PIN input by the user is correct; the function privileges of the information safety device are then opened, and the user can open an account remotely with this information safety device.
Step 105: after the user opens the application program for identity authentication, the terminal prompts the user to input login information;
In the present embodiment, the application program is a computer program used for opening an account that can interact with the user through an interface. The login information can be the user's password for logging in to the application program; it can also be the login account information and the login password of the application program.
In the present embodiment, after the PIN input by the user has been verified as correct, the user opens the application program for identity authentication; once the terminal recognizes that the user has opened this application program, it prompts the user to input login information. The terminal can automatically identify and display the user's login account information according to the connected information safety device and prompt the user to input login information; for example, the terminal obtains the login account information from the certificate server over the network according to the serial number of the connected information safety device and prompts the user to input login information, in which case the login information is the login password. If the terminal cannot automatically identify the user's login account information according to the connected information safety device, the login information the user is prompted to input includes the login account information and the login password.
Step 106: the application program receives the login information input by the user and sends the received login information to the application server;
In the present embodiment, the application server is a server that stores login account information and login passwords. As an optional implementation, the login account information and login password can also be stored in the certificate server; in that case, after receiving the login information input by the user, the application program sends the received login information to the certificate server.
Step 107: the application server receives the login information and judges whether it is correct; if it is correct, the terminal allows the user to log in to the application program; if it is incorrect, the terminal prompts the user to re-enter the login information;
In the present embodiment, after receiving the login information, the application server judges whether the received login information is identical to the login information it stores. If it is identical, the application server judges the login information to be correct and sends the terminal a response signal indicating that the login information is correct; after receiving this response signal, the terminal allows the user to log in to the application program. If it differs, the application server judges the login information to be incorrect and sends the terminal a response signal indicating that the login information is incorrect; after receiving this response signal, the terminal prompts the user to re-enter the login information.
Step 108: the terminal generates an identity authentication request through the application program and sends the identity authentication request to the certificate server, wherein the identity authentication request carries user identity information, and the user identity information includes the user identity card information and the identification information of the information safety device;
In the present embodiment, the user identity card information includes the resident identification card number, name, date of birth, address, period of validity of the card and/or the face image of the user. The ID card information of the user can of course also include fingerprint information or other information. Preferably, the user identity card information includes at least the face image of the user, to facilitate the subsequent authentication of the face image in the group photo image.
As an optional implementation of the present embodiment, before the terminal generates the identity authentication request through the application program, an identity card read module reads the user identity card information from the user's resident identity card; the information safety device obtains the user identity card information, encrypts it with a first encryption key to generate encrypted user identity card information, and sends the user identity information to the terminal, wherein the user identity information includes the encrypted user identity card information and the identification information of the information safety device. Specifically, the identity card read module can be arranged on the information safety device or on the terminal. If it is arranged on the information safety device, the information safety device obtains the user identity card information through the identity card read module; if it is arranged on the terminal, the terminal reads the user identity card information through the identity card read module and sends it to the information safety device. The identity card read module can of course also be arranged on another device; after reading the user identity card information, that device can send it directly to the information safety device, or send it to the terminal, which then forwards it to the information safety device. In each case, after obtaining the user identity card information, the information safety device encrypts it with the first encryption key to generate the encrypted user identity card information, and sends the encrypted user identity card information and the identification information of the information safety device to the terminal as the user identity information.
The first encryption key can be an asymmetric key, for example the public key of the certificate server; it can also be a symmetric key. The present embodiment does not specifically limit this: any key with which the ID card information can be encrypted falls within the protection scope of the present invention. Because the identity card read module can only read legitimate identity cards, reading the user identity card information through the identity card read module allows the certificate server to verify the authenticity of the user identity card. In addition, because the information safety device encrypts the user identity card information before it is sent to the certificate server, the security of the user identity card information in transmission is ensured.
As an optional implementation of the present embodiment, after the information safety device generates the encrypted user identity card information and before it sends the user identity information to the terminal, the method further includes: the information safety device uses a hashing algorithm to calculate the hash data of the encrypted user identity card information, and encrypts the hash data with the private key it stores to generate first data; the user identity information then also includes the first data. Specifically, after generating the encrypted ID card information, the information safety device uses a hashing algorithm (for example, a HASH algorithm) to calculate the hash data (for example, a digest) of the encrypted ID card information, encrypts the hash data with the private key it stores to generate the first data (for example, signature data), and sends the first data, the encrypted ID card information and the identification information of the information safety device to the terminal as the user identity information. Calculating the hash data of the encrypted user identity card information and transmitting the first data generated from it prevents an unauthorized person from tampering with the encrypted user identity card information.
In the present embodiment, after the terminal obtains the user identity information, the terminal generates the identity authentication request through the application program, carries the obtained user identity information in the identity authentication request, and sends it to the certificate server.
Step 109: the certificate server receives the identity authentication request and authenticates the user identity card information;
In the present embodiment, the certificate server authenticates the user identity card information as follows: the certificate server obtains, according to the identification information of the information safety device, the pre-stored user identity card information corresponding to that identification information; the certificate server compares the obtained user identity card information with the user identity card information obtained by decryption; if they match, the authentication of the user identity card information passes; otherwise, identity authentication ends. In a specific application, when the user identity information carried in the identity authentication request includes the ID card information and the identification information of the information safety device, the certificate server obtains, according to the identification information of the information safety device, the ID card information stored in association with that identification information, and compares whether the user identity card information carried in the identity authentication request is identical to the user identity card information stored in association. If they differ, authentication of the user's identity card fails and the identity authentication flow ends; if they are identical, the authentication of the user identity card information passes. Authenticating the user identity card information prevents another person from using a lost identity card or electronic cipher device to open an account: an account can be opened only when the electronic cipher device used matches the identity card.
As an optional implementation of the present embodiment, after the certificate server receives the identity authentication request and before it authenticates the user identity card information, the method further includes: the certificate server decrypts the received encrypted user identity card information with a first decryption key to obtain the user identity card information. In a specific application, when the user identity information carried in the identity authentication request includes the encrypted ID card information and the identification information of the information safety device, the certificate server decrypts the received encrypted ID card information with the first decryption key corresponding to the first encryption key to obtain the user identity card information, and then authenticates the user identity card information. The detailed process by which the certificate server authenticates the user identity card information is not repeated here.
As an optional implementation of the present embodiment, when the certificate server decrypts the received encrypted user identity card information with the first decryption key, the method further includes: the certificate server decrypts the received first data with the public key of the information safety device to obtain hash data, uses the hashing algorithm to calculate the hash data of the received encrypted user identity card information, and compares whether the hash data obtained by public-key decryption is identical to the hash data obtained by calculation. In a specific application, when the user identity information carried in the identity authentication request includes the first data, the encrypted ID card information and the identification information of the information safety device, the certificate server, after receiving the identity authentication request, decrypts the received first data with the public key of the information safety device to obtain hash data, uses the hashing algorithm to calculate the hash data of the received encrypted ID card information, and compares the two. If they are identical, the certificate server decrypts the received encrypted ID card information with the first decryption key to obtain the ID card information of the user, and authenticates the ID card information of the user. The detailed process by which the certificate server authenticates the user identity card information is not repeated here.
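The device-side encrypt, hash and sign sequence and the server-side checks of step 109 can be followed in the sketch below, an added example that is not part of the patent text. It assumes RSA-OAEP for the first encryption key and RSA-PSS over SHA-256 for the "first data" (the patent names no specific algorithms); all type and function names and the sample record are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// UserIdentityInfo is what the device hands to the terminal for step 108.
type UserIdentityInfo struct {
	DeviceID    string // identification information of the device (serial number)
	EncryptedID []byte // ID card information encrypted with the first encryption key
	FirstData   []byte // "first data": signature over the hash of EncryptedID
}

// Enrollment is the association the server stored when the device was issued.
type Enrollment struct {
	DevicePub *rsa.PublicKey
	IDCard    []byte
}

// ErrAuth is returned for every failure so the caller learns no detail.
var ErrAuth = errors.New("identity authentication failed")

// NewKey generates an RSA key pair (2048 bits is an assumption of this example).
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// DeviceBuild runs on the information safety device: encrypt, hash, sign.
// RSA-OAEP only fits a short record; a face image would need hybrid encryption.
func DeviceBuild(deviceID string, idCard []byte, serverPub *rsa.PublicKey,
	devicePriv *rsa.PrivateKey) (UserIdentityInfo, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, idCard, nil)
	if err != nil {
		return UserIdentityInfo{}, err
	}
	digest := sha256.Sum256(ct) // hash data of the encrypted ID card information
	sig, err := rsa.SignPSS(rand.Reader, devicePriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return UserIdentityInfo{}, err
	}
	return UserIdentityInfo{DeviceID: deviceID, EncryptedID: ct, FirstData: sig}, nil
}

// ServerAuthenticate runs on the certificate server: look up the enrollment,
// verify the first data, decrypt, then compare with the stored ID card record.
func ServerAuthenticate(req UserIdentityInfo, enrolled map[string]Enrollment,
	serverPriv *rsa.PrivateKey) error {
	rec, ok := enrolled[req.DeviceID]
	if !ok {
		return ErrAuth // unknown device identifier
	}
	digest := sha256.Sum256(req.EncryptedID)
	if rsa.VerifyPSS(rec.DevicePub, crypto.SHA256, digest[:], req.FirstData, nil) != nil {
		return ErrAuth // ciphertext altered or signed by another device
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, req.EncryptedID, nil)
	if err != nil {
		return ErrAuth
	}
	if subtle.ConstantTimeCompare(plain, rec.IDCard) != 1 {
		return ErrAuth // ID card does not match the one bound to this device
	}
	return nil
}

func main() {
	serverKey, err := NewKey()
	if err != nil {
		panic(err)
	}
	deviceKey, err := NewKey()
	if err != nil {
		panic(err)
	}
	idCard := []byte("110101199001010011|Zhang San") // constructed sample record
	enrolled := map[string]Enrollment{
		"SN-0001": {DevicePub: &deviceKey.PublicKey, IDCard: idCard},
	}
	req, err := DeviceBuild("SN-0001", idCard, &serverKey.PublicKey, deviceKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request accepted:", ServerAuthenticate(req, enrolled, serverKey) == nil)
	req.EncryptedID[0] ^= 0x01 // flip one bit of the ciphertext
	fmt.Println("tampered request accepted:", ServerAuthenticate(req, enrolled, serverKey) == nil)
}
```

The server verifies the signature before it decrypts, which is the order given in the specific application above, so an altered ciphertext is rejected without ever reaching the decryption step.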
Step 110: after the authentication of the user identity card information passes, the certificate server uses a preset algorithm to calculate over the user identity information and generate information to be certified;
In the present embodiment, the preset algorithm can be any one of the following: (1) an encryption algorithm: DES, 3DES or AES; (2) a symmetric MAC algorithm: DES-CBC, 3DES-CBC, AES-CBC; (3) a HASH algorithm: MD5, SHA1; (4) an HMAC algorithm: HMAC-MD5, HMAC-SHA1.
In the present embodiment, the certificate server can send the generated information to be certified directly to the information safety device. As an optional implementation, the certificate server can also first send the generated information to be certified to the terminal, which then sends it to the information safety device.
As an optional implementation of the present embodiment, after the authentication of the user identity card information passes, the certificate server generates the information to be certified and encrypts it before transmitting it to the information safety device; the certificate server can of course also encrypt and sign the information to be certified before transmitting it to the information safety device, which the present embodiment does not specifically limit. Encrypting and signing the information to be certified before transmission ensures the security of the information to be certified in transmission on the one hand, and prevents an unauthorized person from tampering with it on the other.
Step 111: the information safety device obtains the information to be certified and, taking the information to be certified as the input parameter, generates an identification image according to a preset identification image generation strategy;
In the present embodiment, the identification image can be a two-dimensional code (QR code) image or a bar code image; it can of course be another kind of image, which the present embodiment does not specifically limit: any image that can represent the information to be certified falls within the protection scope of the present invention. Generating an identification image from the information to be certified makes it easy for the certificate server to recognize the information to be certified later.
In the present embodiment, the preset identification image generation strategy is an algorithm that calculates over the information to be certified and generates the identification image. For example, the certificate server calculates over the information to be certified to generate a two-dimensional code image; or the certificate server calculates over the information to be certified to generate a bar code image.
In the present embodiment, the information safety device obtains the information to be certified as follows: the certificate server sends the information to be certified to the information safety device, which receives it. As one optional implementation, after generating the information to be certified, the certificate server sends it to the terminal or to another terminal device (such as a mobile phone), and the user then inputs the information to be certified displayed by the terminal or the other terminal device into the information safety device. As another optional implementation, after the authentication of the user identity card information passes, the certificate server sends a response signal to the information safety device; after the information safety device receives the response signal, the certificate server and the information safety device each generate the information to be certified based on the same basic dynamic parameter (such as a time parameter or a transaction count parameter).
Step 112: the information safety device displays the identification image on its display screen;
Step 113: after the information safety device generates the identification image, the terminal prompts the user to upload a group photo image containing the face image of the user and the identification image;
In the present embodiment, the group photo image can be a photo that includes the face image of the user and the identification image; it can of course also be a video that includes the face image of the user and the identification image, which the present embodiment does not limit.
In the present embodiment, after generating the identification image, the information safety device can send the terminal a response signal indicating that the identification image has been generated; after receiving the response signal, the terminal prompts the user to upload the group photo image containing the face image of the user and the identification image.
Step 114: the terminal obtains the group photo image and sends it to the certificate server;
In the present embodiment, the terminal photographs or records on video the face of the user together with the identification image displayed on the information safety device to obtain the group photo image. Alternatively, another external device can photograph or record on video the face of the user together with the identification image displayed on the information safety device to generate the group photo image, and then send the group photo image to the terminal, which thereby obtains the group photo image.
Step 115: the certificate server receives the group photo image and authenticates the identification image and the face image in the group photo image.
In the present embodiment, the certificate server authenticates the identification image and the face image in the group photo image as follows: the certificate server recognizes the information to be certified from the identification image in the group photo image according to a preset identification image recognition strategy, and compares the recognized information to be certified with the information to be certified that it generated itself; if they are identical, the authentication of the identification image passes. In a specific application, the identification image recognition strategy preset in the certificate server corresponds to the identification image generation strategy preset in the information safety device; the certificate server recognizes the information to be certified from the identification image in the group photo image according to the preset identification image recognition strategy and compares it with the information to be certified that it generated itself; if they are identical, the authentication of the identification image passes; if they differ, the authentication of the identification image fails and identity authentication ends. Authenticating the identification image authenticates the information safety device.
In the present embodiment, when the authentication of the identification image passes, the certificate server compares whether the face image in the pre-stored user identity card information matches the face image in the received group photo image; if they match, identity authentication passes. In a specific application, when the authentication of the identification image passes, the certificate server obtains, according to the identification information of the information safety device, the user identity card information stored in correspondence with that identification information, and compares the face image in the user identity card information with the face image in the received group photo image; if they match, the authentication of the face image passes and identity authentication passes; if they do not match, identity authentication ends. Authenticating the face image confirms whether the information safety device belongs to the real account holder, and prevents an unauthorized person from opening an account by impersonation when the identity card and the information safety device are lost at the same time.
The certificate server can of course also authenticate the face image in the group photo image first and, when that authentication passes, authenticate the identification image in the group photo image. When both the identification image and the face image in the group photo image pass authentication, the identity authentication of the user passes.
With the above identity authentication method, the certificate server stores the identification information of the information safety device in association with the user identity card information and thereby authenticates the user identity card information, which prevents an unauthorized person from opening an account by impersonation when the information safety device or the identity card is lost. In addition, the information safety device generates the identification image from the information to be certified, and the certificate server authenticates the identification image in the group photo image, which authenticates the information safety device. Furthermore, the certificate server authenticates the face image of the user in the group photo image, which prevents an unauthorized person from opening an account by impersonation even when both the identity card and the information safety device are lost.
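The generation of the information to be certified in step 110 and its comparison in step 115 are sketched below for the variant in which the server and the device derive the value from a shared time parameter; this is an added example, not part of the patent text. It uses HMAC-SHA256 in place of the HMAC-MD5 and HMAC-SHA1 options listed above, and the per-device shared key, the 60-second window, the single-use check and all names are assumptions of the example; rendering and decoding the QR code are left out, so the payload string stands for the content of the identification image.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	timeStep     = 60 // seconds per window of the time parameter (assumed value)
	allowedDrift = 1  // also accept the previous window, to leave time for the photo
)

// Record is the server-side data bound to one device serial number.
type Record struct {
	IDNumber string // resident identification card number
	Key      []byte // key shared with the device (assumption of this example)
}

// Server holds the enrollments and the windows already accepted.
type Server struct {
	Enrolled map[string]Record
	used     map[string]bool
}

func NewServer(enrolled map[string]Record) *Server {
	return &Server{Enrolled: enrolled, used: make(map[string]bool)}
}

// field length-prefixes a value so that adjacent fields cannot run together.
func field(s string) []byte {
	b := make([]byte, 2, 2+len(s))
	binary.BigEndian.PutUint16(b, uint16(len(s)))
	return append(b, s...)
}

// InfoToBeCertified is a keyed MAC over the time counter and the user identity
// information, truncated to 20 hex characters (80 bits) to keep the image small.
func InfoToBeCertified(key []byte, serial, idNumber string, counter int64) string {
	mac := hmac.New(sha256.New, key)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], uint64(counter))
	mac.Write(c[:])
	mac.Write(field(serial))
	mac.Write(field(idNumber))
	return hex.EncodeToString(mac.Sum(nil))[:20]
}

// DevicePayload is the string the device would render as its identification image.
func DevicePayload(key []byte, serial, idNumber string, now int64) string {
	return InfoToBeCertified(key, serial, idNumber, now/timeStep)
}

// VerifyPayload compares the value decoded from the group photo image with the
// value the server computes itself, for the current and the previous window.
func (s *Server) VerifyPayload(serial, payload string, now int64) bool {
	rec, ok := s.Enrolled[serial]
	if !ok {
		return false
	}
	current := now / timeStep
	for counter := current - allowedDrift; counter <= current; counter++ {
		expected := InfoToBeCertified(rec.Key, serial, rec.IDNumber, counter)
		if hmac.Equal([]byte(expected), []byte(payload)) {
			tag := fmt.Sprintf("%s/%d", serial, counter)
			if s.used[tag] {
				return false // the same image was already presented once
			}
			s.used[tag] = true
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-shared-key-0001") // constructed sample key
	srv := NewServer(map[string]Record{
		"SN-0001": {IDNumber: "110101199001010011", Key: key},
	})
	payload := DevicePayload(key, "SN-0001", "110101199001010011", 1000)
	fmt.Println("payload shown by the device:", payload)
	fmt.Println("photo uploaded 30 s later accepted:", srv.VerifyPayload("SN-0001", payload, 1030))
	fmt.Println("same photo uploaded again accepted:", srv.VerifyPayload("SN-0001", payload, 1030))
}
```

Because the time counter is part of the MAC input, a group photo taken in an earlier session shows a value the server no longer computes, and the single-use check refuses a second upload within the same window.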
Embodiment 2
The present embodiment provides a remote account opening method, which uses the identity authentication method of Embodiment 1 above to authenticate the identity of the user; once identity authentication passes, the account is opened remotely. The user can open an account remotely over the network, which is a convenient way of opening an account; in addition, an unauthorized person is prevented from opening an account by impersonation.
It should be noted that, after identity authentication passes, the certificate server can open the account remotely by itself, or a staff member can control the certificate server to open the account remotely.
Embodiment 3
Fig. 2 shows the identity authentication system provided by the present embodiment. As shown in Fig. 2, the identity authentication system includes an information safety device 201, a terminal 202, a certificate server 203 and an application server 204. The certificate server 203 is configured to store the identification information of the information safety device 201 in association with the user identity card information, wherein the user identity card information includes the resident identification card number, name, date of birth, address, period of validity of the card and/or the face image of the user. The information safety device 201 is configured to be connected to the terminal 202 and to set up a communication connection with the terminal 202; it is further configured to prompt the user to input a PIN, to receive the PIN input by the user and to verify whether the PIN input by the user is correct, and, if it is incorrect, to prompt the user to re-enter the PIN. The terminal 202 is configured to prompt the user to input login information after the user opens the application program for identity authentication. The application server 204 is configured to receive the login information sent by the application program, wherein the login information is obtained by the application program receiving the login information input by the user; the application server 204 is further configured to judge whether the login information is correct; if it is correct, the terminal 202 is further configured to allow the user to log in to the application program, and if it is incorrect, the terminal 202 is further configured to prompt the user to re-enter the login information. The terminal 202 is further configured to generate an identity authentication request through the application program and to send the identity authentication request to the certificate server 203, wherein the identity authentication request carries user identity information, and the user identity information includes the user identity card information and the identification information of the information safety device 201. The certificate server 203 is further configured to receive the identity authentication request and to authenticate the user identity card information; it is further configured, after the authentication of the user identity card information passes, to use a preset algorithm to calculate over the user identity information and generate information to be certified. The information safety device 201 is further configured to obtain the information to be certified and, taking the information to be certified as the input parameter, to generate an identification image according to a preset identification image generation strategy and to display the identification image on its display screen. The terminal 202 is further configured, after the information safety device 201 generates the identification image, to prompt the user to upload a group photo image containing the face image of the user and the identification image; it is further configured to obtain the group photo image and to send the group photo image to the certificate server 203. The certificate server 203 is further configured to receive the group photo image and to authenticate the identification image and the face image in the group photo image.
In the present embodiment, the identification information of information safety device 201 can be the digital certificate, also of information safety device 201 It can be the serial number of information safety device 201.The present embodiment is not specifically limited, as long as this identification information can be unique Represent that information safety device 201 is i.e. within protection scope of the present invention.
In this embodiment, the user ID card information includes the resident identity card number, name, date of birth, address, validity period of the card and/or the face image of the user. Of course, the user's ID card information may also include fingerprint information or other information. Preferably, the user ID card information includes at least the face image of the user, so that the face image in the group photo image can be authenticated later.
In this embodiment, the authentication server 203 is a server that stores user information or authenticates received user information. The authentication server 203 stores the identification information of the information security device 201 in association with the user ID card information. For example, before opening an account remotely, the user needs to obtain from the bank an information security device 201 dedicated to account opening (for example, a U-shield). When this information security device 201 is issued, the authentication server 203 stores the serial number or digital certificate of the information security device 201 in association with the ID card information of the identity card the user provides. Once the information security device 201 has been issued, the user can use it to open an account remotely. After the authentication server 203 has stored the identification information of the information security device 201 in association with the user ID card information, the user can use the information security device 201 for identity authentication and open accounts remotely any number of times, without going to the bank or securities company for each remote account opening.
In this embodiment, the information security device 201 may be a device with identity authentication and digital signature functions, such as a USB key (for example, the Industrial and Commercial Bank of China U-shield or the Agricultural Bank of China K-Bao), an audio key, or a smart card with an electronic signature function; of course, it may also be an e-token dynamic password card.
In this embodiment, the terminal 202 may be a computer, a mobile phone or the like. The information security device 201 may connect to the terminal 202 in a wired manner, for example through a USB interface or an audio interface. Of course, the information security device 201 may also connect to the terminal 202 wirelessly, for example through Bluetooth, infrared, NFC (near-field communication) or visible light communication. Once connected, the information security device 201 establishes a communication connection with the terminal 202, so that data can be transmitted between the information security device 201 and the terminal 202.
In this embodiment, the personal identification code (PIN) is the power-on PIN of the information security device 201. Specifically, after the information security device 201 is powered on, it enters the start-up interface and prompts the user to input the PIN. Prompting the user to input the PIN confirms the identity of the user and ensures that the information security device 201 is used securely, so that if the user loses the information security device 201, an unauthorized person cannot use the lost device to open an account remotely.
In this embodiment, after the information security device 201 prompts the user to input the PIN, the user may input the PIN on the information security device 201 itself. Of course, the user may also input the PIN on the terminal 202 connected to the information security device 201, and the terminal 202 then sends the PIN input by the user to the information security device 201.
In this embodiment, after the information security device 201 receives the PIN input by the user, it compares the received PIN with the PIN stored in the information security device 201. If they differ, the PIN input by the user is incorrect, and the user is prompted to re-enter the PIN. If they are the same, the PIN input by the user is correct, the functions of the information security device 201 are unlocked, and the user can open an account remotely with this information security device 201.
In this embodiment, the application program is a computer program used for account opening that can interact with the user through an interface. The login information may be the user's password for logging in to the application program; of course, it may also be the account information and the login password for logging in to the application program.
In this embodiment, after the PIN input by the user has been verified as correct, the user opens the application program used for identity authentication. When the terminal 202 detects that the user has opened this application program, it prompts the user to input login information. The terminal 202 may automatically identify and display the user's login account information according to the connected information security device 201 and prompt the user to input the login information; for example, the terminal 202 obtains the login account information from the authentication server 203 over the network according to the serial number of the connected information security device 201 and prompts the user to input the login information, in which case the login information is the login password. Of course, when the terminal 202 cannot automatically identify the user's login account information according to the connected information security device 201, the login information the user is prompted to input includes the login account information and the login password.
In this embodiment, the application server 204 is a server that stores the login account information and the login password. As an optional implementation, the login account information and the login password may also be stored in the authentication server 203; in that case, after receiving the login information input by the user, the application program sends the received login information to the authentication server 203.
In this embodiment, after receiving the login information, the application server 204 checks whether the received login information is the same as the login information it stores. If it is the same, the application server 204 determines that the login information is correct and sends the terminal 202 a response signal indicating that the login information is correct; after receiving this response signal, the terminal 202 allows the user to log in to the application program. If it differs, the application server 204 determines that the login information is incorrect and sends the terminal 202 a response signal indicating that the login information is incorrect; after receiving this response signal, the terminal 202 prompts the user to re-enter the login information.
In this embodiment, the user ID card information includes the resident identity card number, name, date of birth, address, validity period of the card and/or the face image of the user. Of course, the user's ID card information may also include fingerprint information or other information. Preferably, the user ID card information includes at least the face image of the user, so that the face image in the group photo image can be authenticated later.
As an optional implementation of this embodiment, as shown in Fig. 3, the identity authentication system further includes an identity card reading module 205. Before the terminal 202 generates the identity authentication request through the application program, the identity card reading module 205 is configured to read the user ID card information from the user's resident identity card; the information security device 201 is further configured to obtain the user ID card information, encrypt it with a first encryption key to generate encrypted user ID card information, and send user identity information to the terminal 202, where the user identity information includes the encrypted user ID card information and the identification information of the information security device 201. Specifically, before the terminal 202 generates the identity authentication request through the application program, the identity card reading module 205 reads the user ID card information from the user's resident identity card. The identity card reading module 205 may be provided on the information security device 201 or, of course, on the terminal 202. If it is provided on the information security device 201, the information security device 201 obtains the user ID card information through the identity card reading module 205. If it is provided on the terminal 202, the terminal 202 reads the user ID card information through the identity card reading module 205 and sends it to the information security device 201, which thereby obtains the user ID card information. After obtaining the user ID card information, the information security device 201 encrypts it with the first encryption key to generate the encrypted user ID card information, and sends the encrypted user ID card information and the identification information of the information security device 201 to the terminal 202 as the user identity information. Of course, the identity card reading module 205 may also be provided on another device. After reading the user ID card information, the other device may send it directly to the information security device 201, or it may send it to the terminal 202, which then forwards it to the information security device 201. In either case, after obtaining the user ID card information, the information security device 201 encrypts it with the first encryption key to generate the encrypted user ID card information, and sends the encrypted user ID card information and the identification information of the information security device 201 to the terminal 202 as the user identity information. The first encryption key may be an asymmetric key, for example the public key of the authentication server 203; of course, it may also be a symmetric key. This embodiment places no specific limitation on it: any key with which the ID card information can be encrypted falls within the protection scope of the present invention. Because only a legitimate identity card can be read by the identity card reading module 205, reading the user ID card information through the identity card reading module 205 allows the authentication server 203 to verify whether the user's identity card is genuine. In addition, the information security device 201 encrypts the user ID card information before it is sent to the authentication server 203, which ensures the security of the user ID card information in transmission.
As an optional implementation of this embodiment, after generating the encrypted user ID card information and before sending the user identity information to the terminal 202, the information security device 201 is further configured to compute hash data of the encrypted user ID card information with a hash algorithm and to encrypt the hash data with the private key it stores, generating first data; the user identity information then also includes the first data. Specifically, after generating the encrypted ID card information, the information security device 201 uses a hash algorithm (for example, a HASH algorithm) to compute the hash data (for example, a digest) of the encrypted ID card information, encrypts the hash data with its stored private key to generate the first data (for example, signature data), and sends the first data, the encrypted ID card information and the identification information of the information security device 201 to the terminal 202 as the user identity information. Computing the hash data of the encrypted user ID card information and sending the resulting first data prevents an unauthorized person from tampering with the encrypted user ID card information.
In this embodiment, after the terminal 202 obtains the user identity information, it generates an identity authentication request through the application program, carries the obtained user identity information in the identity authentication request, and sends the request to the authentication server 203.
In this embodiment, when the authentication server 203 authenticates the user ID card information, the authentication server 203 is further configured to obtain, according to the identification information of the information security device 201, the pre-stored user ID card information corresponding to that identification information, and to compare the obtained user ID card information with the user ID card information obtained by decryption; if they match, the user ID card information passes authentication, otherwise the identity authentication is terminated. In a specific application, when the user identity information carried in the identity authentication request includes the ID card information and the identification information of the information security device 201, the authentication server 203 obtains, according to the identification information of the information security device 201, the ID card information stored in association with that identification information, and checks whether the user ID card information carried in the identity authentication request is the same as the stored user ID card information. If it differs, authentication of the user's identity card fails and the identity authentication flow ends; if it is the same, the user ID card information passes authentication. Authenticating the user ID card information prevents another person from fraudulently opening an account with a lost identity card or a lost electronic cipher device: an account can be opened only when the electronic cipher device matches the identity card.
As an optional implementation of this embodiment, after receiving the identity authentication request and before authenticating the user ID card information, the authentication server 203 is further configured to decrypt the received encrypted user ID card information with a first decryption key to obtain the user ID card information. In a specific application, when the user identity information carried in the identity authentication request includes the encrypted ID card information and the identification information of the information security device 201, the authentication server 203 decrypts the received encrypted ID card information with the first decryption key corresponding to the first encryption key to obtain the user ID card information, and then authenticates the user ID card information. The detailed process by which the authentication server 203 authenticates the user ID card information is not repeated here.
As an optional implementation of this embodiment, the authentication server 203 is further configured to decrypt the received first data with the public key of the information security device 201 to obtain the hash data, to compute the hash data of the received encrypted user ID card information with the hash algorithm, and then to check whether the hash data obtained by decryption is the same as the hash data obtained by the hash computation. In a specific application, when the user identity information carried in the identity authentication request includes the first data, the encrypted ID card information and the identification information of the information security device 201, the authentication server 203, after receiving the identity authentication request, decrypts the received first data with the public key of the information security device 201 to obtain the hash data, computes the hash data of the received encrypted ID card information with the hash algorithm, and checks whether the hash data obtained by public key decryption is the same as the hash data obtained by the hash computation. If they are the same, it decrypts the received encrypted ID card information with the first decryption key to obtain the user's ID card information, and authenticates the user's ID card information. The detailed process by which the authentication server 203 authenticates the user ID card information is not repeated here.
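The device-side packaging (encrypt, then sign the ciphertext) and the server-side order of checks described in the optional implementations above look as follows in code. This is an added example, not code from the patent: the class and field names are hypothetical, the first encryption key is taken to be a symmetric AES-GCM key, RSA-PSS with SHA-256 stands in for "encrypt the hash data with the private key", the sample card values are constructed, and the third-party `cryptography` package is assumed to be installed.

```python
"""Added illustration: encrypted, signed ID card information (device 201 -> server 203)."""
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: RSA-PSS over SHA-256 plays the role of "hash, then encrypt the hash
# with the device private key"; sign() and verify() do the hashing internally.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


class Device:
    """Stands in for information security device 201 (hypothetical class)."""

    def __init__(self, device_id, first_key):
        self.device_id = device_id
        self._first_key = first_key  # first encryption key, symmetric variant
        self._private_key = rsa.generate_private_key(public_exponent=65537,
                                                     key_size=2048)
        self.public_key = self._private_key.public_key()

    def build_identity_info(self, id_card_info):
        plaintext = json.dumps(id_card_info, sort_keys=True).encode()
        nonce = os.urandom(12)
        encrypted = nonce + AESGCM(self._first_key).encrypt(nonce, plaintext, None)
        # "First data": signature over the encrypted ID card information.
        first_data = self._private_key.sign(encrypted, PSS, hashes.SHA256())
        return {"device_id": self.device_id,
                "encrypted_id_info": encrypted,
                "first_data": first_data}


class AuthServer:
    """Stands in for authentication server 203 (hypothetical class)."""

    def __init__(self):
        self._records = {}  # device_id -> (public key, first key, stored card info)

    def enroll(self, device, first_key, id_card_info):
        # Association made when the device is issued to the user.
        self._records[device.device_id] = (device.public_key, first_key, id_card_info)

    def authenticate(self, identity_info):
        record = self._records.get(identity_info["device_id"])
        if record is None:
            return "unknown device"
        public_key, first_key, stored = record
        encrypted = identity_info["encrypted_id_info"]
        # 1. Check the first data against the ciphertext before decrypting anything.
        try:
            public_key.verify(identity_info["first_data"], encrypted, PSS,
                              hashes.SHA256())
        except InvalidSignature:
            return "signature mismatch"
        # 2. Decrypt with the first decryption key.
        plaintext = AESGCM(first_key).decrypt(encrypted[:12], encrypted[12:], None)
        # 3. Compare with the card information stored for this device.
        if json.loads(plaintext) != stored:
            return "id card mismatch"
        return "id card info authenticated"


def demo():
    first_key = AESGCM.generate_key(bit_length=256)
    card = {"id_number": "CONSTRUCTED-0001", "name": "Test User"}  # constructed
    device = Device("SN-0001", first_key)
    server = AuthServer()
    server.enroll(device, first_key, card)

    good = device.build_identity_info(card)
    blob = good["encrypted_id_info"]
    tampered = dict(good, encrypted_id_info=blob[:-1] + bytes([blob[-1] ^ 1]))
    other_card = device.build_identity_info(
        {"id_number": "CONSTRUCTED-0002", "name": "Other User"})
    return [server.authenticate(m) for m in (good, tampered, other_card)]


if __name__ == "__main__":
    print(demo())
```

The third case is the one the association storage exists for: a correctly signed request from the right device is still rejected when the card it carries is not the card enrolled with that device.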
In this embodiment, the preset algorithm may be any one of the following: (1) an encryption algorithm: DES, 3DES or AES; (2) a symmetric MAC algorithm: DES-CBC, 3DES-CBC or AES-CBC; (3) a HASH algorithm: MD5 or SHA1; (4) an HMAC algorithm: HMAC-MD5 or HMAC-SHA1.
In this embodiment, the authentication server 203 may send the generated information to be authenticated directly to the information security device 201. Of course, as an optional implementation, the authentication server 203 may also first send the generated information to be authenticated to the terminal 202, and the terminal 202 then sends it to the information security device 201.
As an optional implementation of this embodiment, after the user ID card information passes authentication, the authentication server 203 generates the information to be authenticated, encrypts it, and then transmits it to the information security device 201. Of course, the authentication server 203 may also encrypt and sign the information to be authenticated before transmitting it to the information security device 201; this embodiment places no specific limitation on this. Encrypting and signing the information to be authenticated before transmitting it to the information security device 201 ensures the security of the information to be authenticated in transmission on the one hand, and prevents an unauthorized person from tampering with it on the other.
In this embodiment, the identification image may be a two-dimensional code (QR code) image or a barcode image; of course, it may also be another kind of image. This embodiment places no specific limitation on it: any image that can represent the information to be authenticated falls within the protection scope of the present invention. Generating an identification image from the information to be authenticated makes it easy for the authentication server 203 to recognize the information to be authenticated later.
In this embodiment, the preset identification image generation strategy is an algorithm that computes an identification image from the information to be authenticated. For example, the information to be authenticated is computed into a two-dimensional code image, or the information to be authenticated is computed into a barcode image.
In this embodiment, the information security device 201 obtains the information to be authenticated as follows: the authentication server 203 sends the information to be authenticated to the information security device 201, and the information security device 201 receives it. As an optional implementation, after generating the information to be authenticated, the authentication server 203 sends it to the terminal 202 or to another terminal device (for example, a mobile phone), and the user then inputs the information to be authenticated displayed by the terminal 202 or the other terminal device into the information security device 201. As another optional implementation, after the user ID card information passes authentication, the authentication server 203 sends a response signal to the information security device 201; after the information security device 201 receives the response signal, the authentication server 203 and the information security device 201 each generate the information to be authenticated based on the same basic dynamic parameter (for example, a time parameter or a transaction count parameter).
In this embodiment, the group photo image may be a photo that includes the face image of the user and the identification image; of course, it may also be a video that includes the face image of the user and the identification image. This embodiment places no limitation on this.
In this embodiment, after generating the identification image, the information security device 201 may send the terminal 202 a response signal indicating that the identification image has been generated; after receiving the response signal, the terminal 202 prompts the user to upload a group photo image containing the face image of the user and the identification image.
In this embodiment, the terminal 202 photographs or records on video the face of the user together with the identification image displayed on the information security device 201 to obtain the group photo image. Of course, another external device may also photograph or record on video the face of the user together with the identification image displayed on the information security device 201 to generate the group photo image and then send the group photo image to the terminal 202, which thereby obtains the group photo image.
In this embodiment, when the authentication server 203 authenticates the identification image and the face image in the group photo image, the authentication server 203 is further configured to recognize the information to be authenticated from the identification image in the group photo image according to a preset identification image recognition strategy, and to compare the recognized information to be authenticated with the information to be authenticated that it generated itself; if they are the same, the identification image passes authentication. In a specific application, the identification image recognition strategy preset in the authentication server 203 corresponds to the identification image generation strategy preset in the information security device 201. The authentication server 203 recognizes the information to be authenticated from the identification image in the group photo image according to the preset identification image recognition strategy and compares it with the information to be authenticated that it generated itself; if they are the same, the identification image passes authentication, and if they differ, authentication of the identification image fails and the identity authentication is terminated. Authenticating the identification image in this way authenticates the information security device 201.
In this embodiment, the authentication server 203 is further configured, once the identification image has passed authentication, to check whether the face image in the pre-stored ID card information of the user matches the face image in the received group photo image; if it matches, the identity authentication passes. In a specific application, once the identification image has passed authentication, the authentication server 203 obtains, according to the identification information of the information security device 201, the user ID card information stored in association with that identification information, and compares the face image in the user ID card information with the face image in the received group photo image. If they match, the face image passes authentication and the identity authentication passes; if they do not match, the identity authentication is terminated. Authenticating the face image confirms whether the information security device 201 belongs to the true account holder, and prevents an unauthorized person from opening an account by impersonation when the identity card and the information security device 201 are lost at the same time.
Of course, the authentication server 203 may also authenticate the face image in the group photo image first and, once the face image in the group photo image has passed authentication, authenticate the identification image in the group photo image. The identity authentication of the user passes when both the identification image and the face image in the group photo image have passed authentication.
With the above identity authentication system, the authentication server 203 stores the identification information of the information security device 201 in association with the user ID card information, which makes it possible to authenticate the user ID card information and prevents an unauthorized person from opening an account by impersonation when the information security device 201 or the identity card is lost. In addition, the information security device 201 generates an identification image from the information to be authenticated, and the authentication server 203 authenticates the identification image in the group photo image, which authenticates the information security device 201. Furthermore, the authentication server 203 authenticates the face image of the user in the group photo image, which prevents an unauthorized person from opening an account by impersonation when both the identity card and the information security device 201 are lost.
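How the information to be authenticated ties a group photo to one authentication session can be seen in code for the variant in which the authentication server 203 and the information security device 201 each derive it from the same dynamic parameter (here a transaction counter). This is an added example, not code from the patent: the shared seed, HMAC-SHA256 (used in place of the listed HMAC-SHA1), the truncation to 10 bytes, the `IDIMG1:` payload format and all names are assumptions; the payload string stands for the text a two-dimensional code would carry, and face comparison is reduced to a boolean input.

```python
"""Added illustration: deriving and checking the information to be authenticated."""
import base64
import hashlib
import hmac

PREFIX = "IDIMG1:"  # hypothetical tag for the identification image payload


def information_to_be_authenticated(seed, identity_info, counter):
    """HMAC over the user identity information and a transaction counter."""
    msg = (len(identity_info).to_bytes(4, "big") + identity_info
           + counter.to_bytes(8, "big"))
    return hmac.new(seed, msg, hashlib.sha256).digest()[:10]


def identification_image_payload(info):
    """Generation strategy: the text a QR code or barcode encoder would be given."""
    return PREFIX + base64.b32encode(info).decode()


def recognise_payload(payload):
    """Recognition strategy: recover the information from a decoded image, or None."""
    if not payload.startswith(PREFIX):
        return None
    try:
        return base64.b32decode(payload[len(PREFIX):])
    except ValueError:  # binascii.Error is a ValueError
        return None


class Device:
    """Stands in for information security device 201 (hypothetical class)."""

    def __init__(self, seed):
        self._seed, self._counter = seed, 0

    def show_identification_image(self, identity_info):
        self._counter += 1
        info = information_to_be_authenticated(self._seed, identity_info,
                                               self._counter)
        return identification_image_payload(info)


class AuthServer:
    """Stands in for authentication server 203 (hypothetical class)."""

    def __init__(self):
        self._devices = {}  # device_id -> [seed, counter]
        self._pending = {}  # device_id -> expected information to be authenticated

    def enroll(self, device_id, seed):
        self._devices[device_id] = [seed, 0]

    def start_image_step(self, device_id, identity_info):
        """Called once the ID card information has passed authentication."""
        entry = self._devices[device_id]
        entry[1] += 1
        self._pending[device_id] = information_to_be_authenticated(
            entry[0], identity_info, entry[1])

    def check_group_photo(self, device_id, decoded_payload, face_matches):
        expected = self._pending.pop(device_id, None)  # one attempt per session
        if expected is None:
            return "no pending authentication"
        seen = recognise_payload(decoded_payload)
        if seen is None or not hmac.compare_digest(seen, expected):
            return "identification image rejected"
        if not face_matches:
            return "face image rejected"
        return "identity authenticated"


def demo():
    seed = b"constructed-demo-seed-0123456789"  # constructed sample value
    identity = b"SN-0001|CONSTRUCTED-ID-0001"   # constructed sample value
    server, device = AuthServer(), Device(seed)
    server.enroll("SN-0001", seed)
    results = []

    server.start_image_step("SN-0001", identity)
    first = device.show_identification_image(identity)
    results.append(server.check_group_photo("SN-0001", first, True))

    # Second session: the group photo from the first session is submitted again.
    server.start_image_step("SN-0001", identity)
    device.show_identification_image(identity)
    results.append(server.check_group_photo("SN-0001", first, True))

    # Third session: fresh identification image, but the face does not match.
    server.start_image_step("SN-0001", identity)
    third = device.show_identification_image(identity)
    results.append(server.check_group_photo("SN-0001", third, False))
    return results


if __name__ == "__main__":
    print(demo())
```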
Embodiment 4
This embodiment provides a remote account opening system that uses the identity authentication system of Embodiment 3 above to authenticate the identity of the user; after the identity authentication of the user passes, the authentication server 203 opens the account remotely. The user can open an account remotely over the network, which is a convenient way of opening an account. In addition, an unauthorized person can be prevented from opening an account by impersonation.
It should be noted that, after the identity authentication passes, the authentication server 203 may open the account remotely by itself, or a staff member may control the authentication server 203 to open the account remotely.
Any process or method description in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques known in the art may be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those skilled in the art will understand that all or some of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software function module. If the integrated module is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that the specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention. Those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the present invention without departing from its principle and purpose. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (10)

1. An identity authentication method, characterized in that it comprises:
an authentication server stores the identification information of an information security device in association with user ID card information, wherein the user ID card information includes the resident identity card number, name, date of birth, address, validity period of the card and/or the face image of the user;
the information security device connects to a terminal, is powered on, and establishes a communication connection with the terminal;
the information security device prompts the user to input a personal identification code (PIN);
the information security device receives the PIN input by the user and verifies whether the PIN input by the user is correct; if it is incorrect, the user is prompted to re-enter the PIN;
after the user opens an application program for identity authentication, the terminal prompts the user to input login information;
the application program receives the login information input by the user and sends the received login information to an application server;
the application server receives the login information and determines whether the login information is correct; if it is correct, the terminal allows the user to log in to the application program; if it is incorrect, the terminal prompts the user to re-enter the login information;
the terminal generates an identity authentication request through the application program and sends the identity authentication request to the authentication server, wherein the identity authentication request carries user identity information, and the user identity information includes the user ID card information and the identification information of the information security device;
the authentication server receives the identity authentication request and authenticates the user ID card information;
after the user ID card information passes authentication, the authentication server uses a preset algorithm to perform a computation on the user identity information and generate information to be authenticated;
the information security device obtains the information to be authenticated and, taking the information to be authenticated as an input parameter, generates an identification image according to a preset identification image generation strategy;
the information security device displays the identification image on a display screen;
after the information security device generates the identification image, the terminal prompts the user to upload a group photo image containing the face image of the user and the identification image;
the terminal obtains the group photo image and sends the group photo image to the authentication server;
the authentication server receives the group photo image and authenticates the identification image and the face image in the group photo image.
2. The method according to claim 1, characterized in that:
Before the terminal generates the identity authentication request through the application program, the method further includes: an identity card read module reads the user identity card information from the user's resident identification card; the information safety device obtains the user identity card information, encrypts the user identity card information with a first encryption key to generate encrypted user identity card information, and sends subscriber identity information to the terminal, wherein the subscriber identity information includes: the encrypted user identity card information and the identification information of the information safety device;
After the certificate server receives the identity authentication request and before it authenticates the user identity card information, the method further includes: the certificate server decrypts the received encrypted user identity card information with a first decryption key to obtain the user identity card information.
3. The method according to claim 2, characterized in that, after the information safety device generates the encrypted user identity card information and before it sends the subscriber identity information to the terminal, the method further includes: the information safety device uses a hashing algorithm to calculate hash data of the encrypted user identity card information, and performs an encryption calculation on the hash data with the private key it stores, generating first data;
The subscriber identity information further includes: the first data;
Before the certificate server decrypts the received encrypted user identity card information with the first decryption key, the method further includes: the certificate server decrypts the received first data with the public key of the information safety device to obtain the hash data, uses the hashing algorithm to calculate hash data of the received encrypted user identity card information, and then compares whether the hash data obtained by public-key decryption is identical to the hash data obtained by the hash calculation.
4. The method according to any one of claims 1 to 3, characterized in that the certificate server authenticating the user identity card information includes:
The certificate server obtains, according to the identification information of the information safety device, the prestored user identity card information corresponding to the identification information;
The certificate server compares the obtained user identity card information with the user identity card information obtained by decryption; if they match, the authentication of the user identity card information passes; otherwise the identity authentication is terminated.
5. The method according to any one of claims 1 to 4, characterized in that authenticating the identification image and the face image in the group photo image includes:
The certificate server identifies the information to be certified from the identification image in the group photo image according to a preset identification image recognition strategy, and compares the identified information to be certified with the information to be certified that it generated itself; if they are identical, the authentication of the identification image passes;
When the authentication of the identification image passes, the certificate server compares whether the face image in the prestored user identity card information matches the face image in the received group photo image; if they match, the identity authentication passes.
6. An identity authentication system, characterized in that the system includes: an information safety device, a terminal, a certificate server and an application server; wherein,
The certificate server is configured to store the identification information of the information safety device in association with user identity card information, wherein the user identity card information includes a resident identification card number, name, date of birth, address, card service life and/or a face image of the user;
The information safety device is configured to connect to the terminal and establish a communication connection with the terminal; it is further configured to prompt the user to enter a PIN, receive the PIN entered by the user, and verify whether the PIN entered by the user is correct, and, if it is incorrect, to prompt the user to re-enter the PIN;
The terminal is configured to, after opening the application program used for authenticating the user's identity, prompt the user to enter a log-on message;
The application server is configured to receive the log-on message sent by the application program, wherein the log-on message is obtained by the application program by receiving the log-on message entered by the user;
The application server is further configured to judge whether the log-on message is correct; if it is correct, the terminal is further configured to allow the user to log in to the application program; if it is incorrect, the terminal is further configured to prompt the user to re-enter the log-on message;
The terminal is further configured to generate an identity authentication request through the application program and send the identity authentication request to the certificate server, wherein the identity authentication request carries subscriber identity information, and the subscriber identity information includes: user identity card information and the identification information of the information safety device;
The certificate server is further configured to receive the identity authentication request and authenticate the user identity card information; it is further configured to, after the user identity card information passes authentication, use a preset algorithm to perform a calculation on the subscriber identity information and generate information to be certified;
The information safety device is further configured to obtain the information to be certified and, using the information to be certified as an input parameter, generate an identification image according to a preset identification image generation strategy, and show the identification image on a display screen;
The terminal is further configured to, after the information safety device generates the identification image, prompt the user to upload a group photo image containing the user's face image and the identification image; it is further configured to obtain the group photo image and send the group photo image to the certificate server;
The certificate server is further configured to receive the group photo image and authenticate the identification image and the face image in the group photo image.
7. The system according to claim 6, characterized in that the system further includes an identity card read module;
The identity card read module is configured to read user identity card information from a resident identification card;
The information safety device is further configured to obtain the user identity card information, encrypt the user identity card information with a first encryption key to generate encrypted user identity card information, and send subscriber identity information to the terminal, wherein the subscriber identity information includes: the encrypted user identity card information and the identification information of the information safety device;
The certificate server is configured to decrypt the received encrypted user identity card information with a first decryption key to obtain the user identity card information.
8. The system according to claim 7, characterized in that:
The information safety device is further configured to use a hashing algorithm to calculate hash data of the encrypted user identity card information, and to perform an encryption calculation on the hash data with the private key it stores, generating first data;
The certificate server is further configured to decrypt the received first data with the public key of the information safety device to obtain the hash data, use the hashing algorithm to calculate hash data of the received encrypted user identity card information, and then compare whether the hash data obtained by public-key decryption is identical to the hash data obtained by the hash calculation.
9. The system according to any one of claims 6 to 8, characterized in that:
The certificate server is further configured to obtain, according to the identification information of the information safety device, the prestored user identity card information corresponding to the identification information; it is further configured to compare the obtained user identity card information with the user identity card information obtained by decryption; if they match, the authentication of the user identity card information passes; otherwise the identity authentication is terminated.
10. The system according to any one of claims 6 to 9, characterized in that:
The certificate server is further configured to identify the information to be certified from the identification image in the group photo image according to a preset identification image recognition strategy, and to compare the identified information to be certified with the information to be certified that it generated itself; if they are identical, the authentication of the identification image passes;
The certificate server is further configured to, when the authentication of the identification image passes, compare whether the face image in the prestored user identity card information matches the face image in the received group photo image; if they match, the identity authentication passes.
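The integrity check of claims 3 and 8, as an added example that is not code from the patent: the device signs a hash of the encrypted identity card information, and the server verifies that "first data" before any decryption is attempted. Assumptions: SHA-256 as the hashing algorithm, unpadded RSA to mirror the claim's wording, a constructed demo key, and hypothetical names and device identifier throughout.

```python
import hashlib

# Constructed demo key (assumption): two Mersenne primes give a valid RSA
# modulus, but they are publicly known, so this key is for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stored only on the device

def hash_data(encrypted_id_info: bytes) -> int:
    """Hash data of the encrypted user identity card information."""
    return int.from_bytes(hashlib.sha256(encrypted_id_info).digest(), "big")

def device_build_identity_info(device_id: str, encrypted_id_info: bytes) -> dict:
    """Device side: 'encrypt' the hash with the private key to get first data.

    Unpadded RSA follows the claim literally; a deployed device would use a
    padded signature scheme such as RSASSA-PSS.
    """
    first_data = pow(hash_data(encrypted_id_info), D, N)
    return {"device_id": device_id,
            "encrypted_id_info": encrypted_id_info,
            "first_data": first_data}

# Assumption: the server keeps each device's public key under the same
# identification information it uses to look up the prestored ID card record.
DEVICE_PUBLIC_KEYS = {"DEV-0001": (N, E)}

def server_check_first_data(info: dict) -> bool:
    """Server side: run this check before decrypting the identity card data."""
    key = DEVICE_PUBLIC_KEYS.get(info.get("device_id"))
    if key is None:                      # unknown device: nothing to verify against
        return False
    n, e = key
    first_data = info.get("first_data")
    if not isinstance(first_data, int) or not 0 < first_data < n:
        return False                     # malformed or out-of-range value
    recovered = pow(first_data, e, n)    # "decrypt" first data with the public key
    return recovered == hash_data(info["encrypted_id_info"])

if __name__ == "__main__":
    msg = device_build_identity_info("DEV-0001", b"constructed ciphertext bytes")
    print("genuine message accepted:", server_check_first_data(msg))
    msg["encrypted_id_info"] = b"constructed ciphertext byteZ"
    print("modified ciphertext accepted:", server_check_first_data(msg))
```

Because the check runs on the ciphertext, a request altered in transit or bound to an unregistered device is rejected before the first decryption key is ever used.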
CN201610146855.4A 2016-03-15 2016-03-15 Identity identifying method and system Active CN105939196B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610146855.4A CN105939196B (en) 2016-03-15 2016-03-15 Identity identifying method and system

Publications (2)

Publication Number Publication Date
CN105939196A true CN105939196A (en) 2016-09-14
CN105939196B CN105939196B (en) 2019-02-12

Family

ID=57151284

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2065798A1 (en) * 2007-11-26 2009-06-03 BIOMETRY.com AG Method for performing secure online transactions with a mobile station and a mobile station
CN104504321A (en) * 2015-01-05 2015-04-08 湖北微模式科技发展有限公司 Method and system for authenticating remote user based on camera
CN104935553A (en) * 2014-03-19 2015-09-23 北京安讯奔科技有限责任公司 Unified identity authentication platform and authentication method
CN105245340A (en) * 2015-09-07 2016-01-13 天地融科技股份有限公司 Identity authentication method based on remote account opening and system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453341B (en) * 2016-10-21 2019-11-15 腾讯科技(北京)有限公司 Information processing method and device
CN106453341A (en) * 2016-10-21 2017-02-22 腾讯科技(北京)有限公司 Information processing method and device
CN106528669A (en) * 2016-10-31 2017-03-22 青岛海信电器股份有限公司 Identification information processing method for terminal device, and device and system
CN106528669B (en) * 2016-10-31 2019-09-17 青岛海信电器股份有限公司 The identification information processing method of terminal device, apparatus and system
EP3646247B1 (en) 2017-06-30 2023-09-13 Cryptomathic Ltd User authentication based on rfid-enabled identity document and gesture challenge-response protocol
CN109388447A (en) * 2017-08-08 2019-02-26 深圳市腾讯计算机系统有限公司 A kind of interface is drawn and image processing method, device, terminal and server
CN109951423B (en) * 2017-12-20 2021-09-10 金联汇通信息技术有限公司 System, method and device for identity authentication and server
CN109951423A (en) * 2017-12-20 2019-06-28 金联汇通信息技术有限公司 System, method, apparatus and the server of authentication
CN108985409A (en) * 2018-07-18 2018-12-11 金联汇通信息技术有限公司 ID card information read method, device and electronic equipment
CN108985409B (en) * 2018-07-18 2022-04-26 金联汇通信息技术有限公司 Identity card information reading method and device and electronic equipment
CN111586023B (en) * 2020-04-30 2022-05-31 广州市百果园信息技术有限公司 Authentication method, authentication equipment and storage medium
CN111586023A (en) * 2020-04-30 2020-08-25 广州市百果园信息技术有限公司 Authentication method, authentication equipment and storage medium
CN111818028A (en) * 2020-06-28 2020-10-23 北京思特奇信息技术股份有限公司 Identity authentication method and system
CN111818028B (en) * 2020-06-28 2022-09-02 北京思特奇信息技术股份有限公司 Identity authentication method and system
CN112969182A (en) * 2021-02-26 2021-06-15 北京小米移动软件有限公司 PIN code setting method and device and terminal equipment
CN112969182B (en) * 2021-02-26 2023-09-26 北京小米移动软件有限公司 PIN code setting method, PIN code setting device and terminal equipment
TWI775460B (en) * 2021-06-01 2022-08-21 重量科技股份有限公司 Risk information exchange system and method with privacy protection

Also Published As

Publication number Publication date
CN105939196B (en) 2019-02-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant