CN106034023A - User equipment, authentication server, identity authentication method and identity authentication system - Google Patents


Info

Publication number
CN106034023A
Authority
CN
China
Prior art keywords
key
subscriber equipment
certificate server
authentication information
server
Legal status
Granted
Application number
CN201510102034.6A
Other languages
Chinese (zh)
Other versions
CN106034023B (en)
Inventor
熊楚渝
Current Assignee
CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Original Assignee
CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Application filed by CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Priority to CN201510102034.6A
Publication of CN106034023A
Application granted
Publication of CN106034023B
Legal status: Active

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses user equipment, an authentication server, an identity authentication method and an identity authentication system. The identity authentication method comprises the steps of: the user equipment reading a first key from a first storage area, where the user equipment comprises a plurality of data areas for storing authentication keys and a data area for storing a device key, the first storage area is one selected from the plurality of data areas for storing authentication keys, and each of those data areas stores one authentication key; the user equipment transmitting a first authentication request to a first authentication server; the first authentication server performing authentication by means of the first key and returning a first authentication result to the user equipment; and the user equipment receiving the first authentication result returned by the first authentication server. The user equipment, the authentication server, the identity authentication method and the identity authentication system solve the prior-art problem that authenticating to a plurality of authentication servers is inconvenient for the user, and achieve the effect that the user can authenticate to the plurality of authentication servers with a single set of user equipment.

Description

User equipment, authentication server, identity authentication method and system
Technical field
The present invention relates to the field of computers, and in particular to user equipment, an authentication server, and an identity authentication method and system.
Background technology
Existing identity authentication techniques usually require the user to hold multiple devices in order to authenticate to multiple authentication servers. The inventor found that, because of this defect in existing techniques, a user who authenticates to several different authentication servers has to carry several devices, which is inconvenient for the user.
No effective solution to this prior-art problem of inconvenient authentication to multiple authentication servers has yet been proposed.
Summary of the invention
The invention provides user equipment, an authentication server, and an identity authentication method and system, so as to solve the prior-art problem that authenticating to multiple authentication servers is inconvenient for the user.
To achieve these goals, according to one aspect of the invention, an identity authentication method is provided. The identity authentication method according to the invention includes: the user equipment reads a first key from a first storage area, where the first key is an authentication key that the user equipment obtained by registering with a first authentication server using a device key, with the assistance of a device server; the device key is a key that the user equipment obtained by registering with the device server; the user equipment includes a plurality of data areas for storing authentication keys and a data area for storing the device key; the first storage area is one of the plurality of data areas for storing authentication keys, and each of those data areas stores one authentication key. The user equipment sends a first authentication request to the first authentication server, where the first authentication request carries one-time information derived from the first key, and the first authentication server authenticates the user equipment using the first key and returns a first authentication result to the user equipment. The user equipment then receives the first authentication result returned by the first authentication server.
Further, before the user equipment reads the first key from the first storage area, the method also includes: the user equipment registers with the device server; and a symmetric key is established between the user equipment and the device server, the copy of the symmetric key held by the user equipment serving as the device key.
Further, before the user equipment reads the first key from the first storage area, the method also includes: the user equipment sends a registration request to the first authentication server, the registration request carrying a public name that identifies the user equipment and first authentication information computed from the device key and the user equipment's own secret information. After receiving the registration request, the first authentication server computes second authentication information from the first authentication information and its own selected first secret information, and sends the public name and the second authentication information to the device server. The device server extracts from local storage the key corresponding to the public name, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the first authentication server. The first authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and its own selected second secret information; computes fourth authentication information from the first authentication information, the third authentication information and the second secret information; and returns the fourth authentication information to the user equipment. The user equipment receives the fourth authentication information, computes the first key from the fourth authentication information, and stores the first key in the first storage area.
Further, the user equipment either has a single public name that corresponds to multiple authentication servers, or has multiple public names that correspond one-to-one with multiple authentication servers.
Further, the method also includes: the user equipment reads a second key from a second storage area, where the second key is an authentication key that the user equipment obtained by registering with a second authentication server using the device key, with the assistance of the device server, and the second storage area is one of the plurality of data areas for storing device keys in the user equipment; the user equipment sends a second authentication request to the second authentication server, where the second authentication request carries one-time information derived from the second key, the second authentication server is an authentication server independent of the first authentication server, and the second authentication server authenticates the user equipment using the second key and returns a second authentication result to the user equipment; and the user equipment receives the second authentication result returned by the second authentication server.
To achieve these goals, according to a further aspect of the invention, another identity authentication method is provided. The identity authentication method according to the invention includes: the authentication server receives a first authentication request sent by the user equipment, where the first authentication request carries one-time information derived from a first key; the first key is an authentication key that the user equipment obtained by registering with the first authentication server using a device key, with the assistance of a device server; the device key is a key that the user equipment obtained by registering with the device server; the user equipment includes a plurality of data areas for storing authentication keys and a data area for storing the device key, each of the plurality of data areas storing one authentication key. The authentication server authenticates the user equipment using the first key and obtains an authentication result, and the authentication server sends the authentication result to the user equipment.
Further, before the authentication server receives the first authentication request sent by the user equipment, the method also includes: the authentication server receives a registration request sent by the user equipment, where the registration request carries a public name that identifies the user equipment and first authentication information computed from the device key and the user equipment's own secret information. After receiving the registration request, the authentication server computes second authentication information from the first authentication information and its own selected first secret information. The authentication server sends the public name and the second authentication information to the device server, where the device server extracts from local storage the key corresponding to the public name, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the authentication server. The authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and the selected second secret information of the first authentication server itself. The authentication server computes fourth authentication information from the first authentication information, the third authentication information and the selected second secret information of the first authentication server itself. The authentication server sends the fourth authentication information to the user equipment, where the user equipment computes the first key from the fourth authentication information and stores the first key in a first storage area.
To achieve these goals, according to a further aspect of the invention, user equipment is provided. The user equipment according to the invention includes: a first reading unit, which causes the user equipment to read a first key from a first storage area, where the first key is an authentication key that the user equipment obtained by registering with a first authentication server using a device key, with the assistance of a device server; the device key is a key that the user equipment obtained by registering with the device server; the user equipment includes a plurality of data areas for storing authentication keys and a data area for storing the device key; the first storage area is one of the plurality of data areas for storing authentication keys, and each of those data areas stores one authentication key. A first sending unit causes the user equipment to send a first authentication request to the first authentication server, where the first authentication request carries one-time information derived from the first key, and the first authentication server authenticates the user equipment using the first key and returns a first authentication result to the user equipment. A first receiving unit causes the user equipment to receive the first authentication result returned by the first authentication server.
Further, the user equipment also includes: a second sending unit, which, before the user equipment reads the first key from the first storage area, causes the user equipment to send a registration request to the first authentication server, the registration request carrying a public name that identifies the user equipment and first authentication information computed from the device key and the user equipment's own secret information. After receiving the registration request, the first authentication server computes second authentication information from the first authentication information and its own selected first secret information, and sends the public name and the second authentication information to the device server. The device server extracts from local storage the key corresponding to the public name, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the first authentication server. The first authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and its own selected second secret information; computes fourth authentication information from the first authentication information, the third authentication information and the second secret information; and returns the fourth authentication information to the user equipment. A second receiving unit causes the user equipment to receive the fourth authentication information; a computing unit causes the user equipment to compute the first key from the fourth authentication information; and a storage unit causes the user equipment to store the first key in the first storage area.
Further, the user equipment also includes: a second reading unit, which causes the user equipment to read a second key from a second storage area, where the second key is an authentication key that the user equipment obtained by registering with a second authentication server using the device key, with the assistance of the device server, and the second storage area is one of the plurality of data areas for storing device keys in the user equipment; a third sending unit, which causes the user equipment to send a second authentication request to the second authentication server, where the second authentication request carries one-time information derived from the second key, the second authentication server is an authentication server independent of the first authentication server, and the second authentication server authenticates the user equipment using the second key and returns a second authentication result to the user equipment; and a third receiving unit, which causes the user equipment to receive the second authentication result returned by the second authentication server.
To achieve these goals, according to a further aspect of the invention, an authentication server is provided. The authentication server according to the invention includes: a first receiving unit, which causes the authentication server to receive a first authentication request sent by the user equipment, where the first authentication request carries one-time information derived from a first key; the first key is an authentication key that the user equipment obtained by registering with the first authentication server using a device key, with the assistance of a device server; the device key is a key that the user equipment obtained by registering with the device server; the user equipment includes a plurality of data areas for storing authentication keys and a data area for storing the device key, each of the plurality of data areas storing one authentication key. An authentication unit causes the authentication server to authenticate the user equipment using the first key and obtain an authentication result, and a first sending unit causes the authentication server to send the authentication result to the user equipment.
Further, the authentication server also includes: a second receiving unit, which, before the authentication server receives the first authentication request sent by the user equipment, causes the authentication server to receive a registration request sent by the user equipment, where the registration request carries a public name that identifies the user equipment and first authentication information computed from the device key and the user equipment's own secret information; a first computing unit, which, after the authentication server receives the registration request, computes second authentication information from the first authentication information and the authentication server's own selected first secret information; a second sending unit, which causes the authentication server to send the public name and the second authentication information to the device server, where the device server extracts from local storage the key corresponding to the public name, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the authentication server; a second computing unit, which causes the authentication server to compute the first key from the first authentication information, the second authentication information, the third authentication information and the selected second secret information of the first authentication server itself; a third computing unit, which causes the authentication server to compute fourth authentication information from the first authentication information, the third authentication information and the selected second secret information of the first authentication server itself; and a third sending unit, which causes the authentication server to send the fourth authentication information to the user equipment, where the user equipment computes the first key from the fourth authentication information and stores the first key in a first storage area.
To achieve these goals, according to a further aspect of the invention, an identity authentication system is provided. The identity authentication system according to the invention includes: user equipment, which includes a plurality of data areas for storing authentication keys and a data area for storing a device key, each of the plurality of data areas storing one authentication key, and which sends an authentication request to an authentication server, the authentication request carrying one-time information derived from an authentication key, where the authentication key is the device key that the user equipment obtained by registering with the first authentication server using the device key with the assistance of a device server, and the device key is a key that the user equipment obtained by registering with the device server; the authentication server, which receives the authentication request sent by the user equipment; and the device server, which registers the user equipment and the authentication server.
In the embodiments of the invention, because the user equipment includes a plurality of data areas for storing authentication keys and a data area for storing the device key, the user equipment can read, for each different authentication server, the corresponding key from a different area and use that key to send an authentication request to that server. A single user equipment can thus authenticate to multiple authentication servers, which solves the prior-art problem that authenticating to multiple authentication servers is inconvenient and makes it easy for the user to authenticate to multiple authentication servers with a single user equipment.
Accompanying drawing explanation
The accompanying drawings, which form part of this application, provide a further understanding of the invention; the illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of the identity authentication method according to a first embodiment of the invention;
Fig. 2 is a flowchart of the identity authentication method according to a second embodiment of the invention;
Fig. 3 is a schematic diagram of the user equipment according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the authentication server according to an embodiment of the invention; and
Fig. 5 is a schematic diagram of the identity authentication system according to an embodiment of the invention.
Detailed description of the invention
It should be noted that, where no conflict arises, the embodiments in this application and the features of those embodiments may be combined with one another. The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
To help those skilled in the art better understand the solution of the invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings of those embodiments. Clearly, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings are used to distinguish similar objects and do not describe a specific order or sequence. It should be understood that data so labelled may be interchanged where appropriate, so that the embodiments of the invention described here can be practised in orders other than those illustrated. Furthermore, the terms "include" and "have", and any variants of them, are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Embodiments of the invention provide an identity authentication method.
Fig. 1 is a flowchart of the identity authentication method according to a first embodiment of the invention. As shown in Fig. 1, the identity authentication method comprises the following steps:
Step S102: the user equipment reads a first key from a first storage area. The first key is an authentication key that the user equipment obtained by registering with a first authentication server using a device key, with the assistance of a device server; the device key is a key that the user equipment obtained by registering with the device server; the user equipment includes a plurality of data areas for storing authentication keys and a data area for storing the device key; the first storage area is one of the plurality of data areas for storing authentication keys, and each of those data areas stores one authentication key.
The user equipment may be implemented in software, in hardware, or in a combination of software and hardware. A hardware user equipment may be, for example, a card or an authentication token, while a software user equipment may be implemented as a software application. The user equipment has a plurality of data areas for storing authentication keys and a data area for storing the device key; the data areas for authentication keys are isolated from the data area for the device key, and the data areas storing different authentication keys are isolated from one another. Before the user equipment can be used for authentication, it must register with the device server and with the authentication server; only after registration can authentication take place.
Step S104, subscriber equipment sends the first certification request, wherein, the first certification request to the first certificate server Carrying the disposable information obtained according to the first key, the first certificate server utilizes the first double secret key subscriber equipment to enter Row certification also returns the first authentication result to subscriber equipment.
Subscriber equipment, after reading the first key, utilizes the first cipher key calculation to produce disposable information, and this is disposable Information is only effective when when secondary certification, expired invalid.Specifically, this disposable information can be to utilize the first key meter Obtain, it is also possible to be to utilize the first key to be calculated together with other information (bio information such as such as fingerprint) 's.After subscriber equipment produces above-mentioned disposable information, ask to be sent to the first certification by the certification carrying this information Server, is used for asking it to be authenticated.First certificate server self storage has and the first key in subscriber equipment Corresponding symmetric key, that is to say that in the first certificate server, also storage has the first key.Therefore, the first authentication service Device can utilize this first double secret key subscriber equipment to be authenticated, and obtains the first authentication result, and is sent to subscriber equipment.
Step S106, subscriber equipment receives the first authentication result that the first certificate server returns.
After subscriber equipment receives the first authentication result, it is determined whether certification is passed through.
In the embodiment of the present invention, owing to subscriber equipment including for multiple data areas of authentication storage key and use In the data area of storage device key, so, corresponding to different certificate servers, subscriber equipment can be from difference Region read corresponding key, and utilize this key to send certification request to certificate server, such that it is able to utilize single Multiple certificate servers are authenticated by one subscriber equipment, solve user in prior art and recognize multiple certificate servers The problem that card is inconvenient, has reached to be easy to the effect that user uses sole user's equipment to be authenticated multiple certificate servers Really.
Preferably, before the user equipment reads the first key from the first storage region, the method further includes: the user equipment registers with the device server; and a symmetric key is established in the user equipment and the device server, the copy of the symmetric key held in the user equipment serving as the device key.
Before the user equipment can be authenticated, the equipment and the device server must first register with each other. Registration can take one of the following forms: 1) the equipment is registered with the device server when it is manufactured; 2) the equipment is not registered with the device server at manufacture, and registration is done later. This registration precedes all other activity. Specifically, registration establishes a symmetric key in the device-server key region of the equipment and in the device server, that is, the device key is stored in both the user equipment and the device server.
Preferably, before the user equipment reads the first key from the first storage region, the method further includes: the user equipment sends a registration request to the first authentication server, the registration request carrying an open name representing the user equipment and first authentication information computed from the device key and confidential information chosen by the user equipment itself. After receiving the registration request, the first authentication server computes second authentication information from the first authentication information and first confidential information chosen by the first authentication server itself, and sends the open name and the second authentication information to the device server. Based on the open name, the device server extracts the key corresponding to the open name from its local store, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification succeeds, and returns the third authentication information to the first authentication server. The first authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and second confidential information chosen by the first authentication server itself, computes fourth authentication information from the first authentication information, the third authentication information and the second confidential information, and returns the fourth authentication information to the user equipment. The user equipment receives the fourth authentication information, computes the first key from it, and stores the first key in the first storage region.
Before identity authentication can take place, the user equipment must also register with the first authentication server. Registration with the first authentication server comprises the following steps:
A) The equipment submits a registration request to the first authentication server. The registration request carries the open name representing the user equipment and the first authentication information. The first authentication information may be computed by the user equipment from the device key and confidential information that the equipment itself has chosen; this confidential information is information the user equipment can recognise, and it may be generated randomly or according to a preset rule.
B) The first authentication server obtains the first authentication information and itself chooses some confidential information (not yet a key, but later a component of the key), namely the first confidential information. The first confidential information is information that the first authentication server can recognise; it may be generated randomly or according to some rule. The server computes over the first confidential information and the first authentication information to produce a piece of information, the second authentication information, and then submits the open name and the second authentication information to the device server.
C) After obtaining the open name, the device server looks up the correspondence between open names and device keys that it stores and extracts the device key corresponding to the open name (this device key is identical to the key in the user equipment). It then verifies the second authentication information with this key. If verification fails, the device server notifies the first authentication server. If verification succeeds, it computes over the second authentication information to obtain the third authentication information and submits the third authentication information to the first authentication server.
D) The first authentication server again chooses different confidential information, namely the second confidential information, which is of the same type as the first confidential information. It then computes over the first authentication information and the third authentication information to produce the first key and the fourth authentication information.
E) The first authentication server submits the fourth authentication information to the user equipment.
F) Using its own symmetric key, that is the device key, the user equipment computes over the fourth authentication information and obtains the first key. This first key is identical to the first key held by the first authentication server.
G) The user equipment and the first authentication server each store the first key, and may also store other confidential information.
H) The user equipment and the first authentication server then exchange registration-success messages to confirm that registration succeeded.
I) The device server also keeps a record of this transaction.
Generation of the first authentication information: the user equipment chooses confidential information (typically a random number) and, combining it with the open name and with other shared confidential information, possibly also including biometric information, performs a cryptographic computation with the device key shared with the device server to produce the first authentication information.
Generation of the second authentication information: the authentication server chooses confidential information and then performs a cryptographic computation over it together with the first authentication information; a key previously agreed between the authentication server and the device server may also be used (though in most cases this is unnecessary). The result is the second authentication information.
Generation of the third authentication information: the device server first obtains the second authentication information and performs a cryptographic computation to recover part of the first authentication information; it then verifies that part of the first authentication information with the device key. If verification passes, it computes the third authentication information. This computation uses the device key, the first authentication information and the second authentication information.
Generation of the fourth authentication information: the authentication server chooses confidential information again and performs a cryptographic computation combining it with the third authentication information, the first authentication information and the second authentication information to produce the fourth authentication information.
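The registration exchange of steps A) to I) and the four pieces of authentication information, as an added worked example that is not code from the patent. The patent does not fix the primitives, so the "cryptographic calculation" is instantiated here as HMAC-SHA256 (an assumption), the device's confidential information is a random value masked under the device key, and the first key is wrapped for the device under a value only the device key holder and the device server can compute; all names, message layouts and values are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts. Stands in for the patent's
    unspecified 'cryptographic calculation' (an assumption of this example)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class DeviceServer:
    def __init__(self):
        self.table = {}   # open name -> device key (from device registration)
        self.log = []     # step I: record of registration transactions

    def register_device(self, name, kd):
        self.table[name] = kd

    def handle_m2(self, name, m2):
        """Step C: look up the device key by open name, check that M1 was made
        with it, recover the device's secret and answer with M3 (or refuse)."""
        n_d, c1, t1, n_s = m2
        kd = self.table.get(name)
        if kd is None or not hmac.compare_digest(t1, prf(kd, b"m1", name, n_d, c1)):
            return None   # unknown name, or M1 not bound to this device key
        r_d = xor(c1, prf(kd, b"mask", name, n_d))   # unmask the device's secret
        self.log.append((name, n_d))
        return prf(kd, b"m3", name, r_d, n_s)

class AuthServer:
    def __init__(self, ds):
        self.ds = ds      # the auth server never learns the device key
        self.keys = {}    # open name -> first key

    def register(self, name, m1):
        n_d, c1, t1 = m1
        n_s = secrets.token_bytes(32)              # step B: first confidential info
        m3 = self.ds.handle_m2(name, (n_d, c1, t1, n_s))  # M2 = M1 plus n_s
        if m3 is None:
            return None
        r_s2 = secrets.token_bytes(32)             # step D: second confidential info
        k1 = prf(m3, b"k1", r_s2)                  # first key: needs r_d (via M3) and r_s2
        e4 = xor(k1, prf(m3, b"wrap", n_s))        # M4 carries K1 wrapped under M3
        t4 = prf(m3, b"m4", n_s, e4)
        self.keys[name] = k1
        return (n_s, e4, t4)                       # step E

class UserEquipment:
    def __init__(self, name, kd):
        self.name, self.kd = name, kd
        self.slots = {}   # one isolated region per authentication server
        self._pending = None

    def start_registration(self):
        """Step A: M1 = (nonce, masked secret, tag), all bound to the device key."""
        r_d, n_d = secrets.token_bytes(32), secrets.token_bytes(16)
        c1 = xor(r_d, prf(self.kd, b"mask", self.name, n_d))
        t1 = prf(self.kd, b"m1", self.name, n_d, c1)
        self._pending = (r_d, n_d)
        return (n_d, c1, t1)

    def finish_registration(self, server_id, m4):
        """Step F: recompute M3 with the device key, check M4, unwrap and store K1."""
        r_d, _ = self._pending
        n_s, e4, t4 = m4
        m3 = prf(self.kd, b"m3", self.name, r_d, n_s)
        if not hmac.compare_digest(t4, prf(m3, b"m4", n_s, e4)):
            return False
        self.slots[server_id] = xor(e4, prf(m3, b"wrap", n_s))
        return True

def register_with(ue, auth, server_id):
    """Steps A-H end to end; True only when both ends hold the same first key."""
    m4 = auth.register(ue.name, ue.start_registration())
    if m4 is None or not ue.finish_registration(server_id, m4):
        return False
    return hmac.compare_digest(ue.slots[server_id], auth.keys[ue.name])

def registration_demo():
    ds = DeviceServer()
    kd = secrets.token_bytes(32)                   # constructed device key
    ue = UserEquipment(b"dev-001", kd)
    ds.register_device(b"dev-001", kd)             # device/device-server registration
    s1, s2 = AuthServer(ds), AuthServer(ds)        # two independent auth servers
    impostor = UserEquipment(b"dev-001", secrets.token_bytes(32))  # right name, no kd
    return {
        "server1": register_with(ue, s1, "server1"),
        "server2": register_with(ue, s2, "server2"),
        "keys_differ": ue.slots["server1"] != ue.slots["server2"],
        "impostor": register_with(impostor, s1, "server1"),
        "records": len(ds.log),
    }
```

Every value on the wire (M1 to M4) is public in this model, yet neither the authentication server nor an observer can obtain the device key, and a device the device server does not recognise is refused at step C.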
This embodiment of the invention achieves the following effects:
A) The security of the authentication server is ensured: only the holder of the equipment can apply for, and therefore possibly complete, registration.
B) The symmetric key (device key) is kept completely secret. Generation of the authentication key depends on confidential data chosen by the equipment and also on confidential data chosen by the authentication server; that is, the generation of the authentication key fully reflects the will of both parties.
C) The security of the device server is ensured and its traffic is reduced, because the device server exchanges messages only with authentication servers.
D) Throughout the process, all transmitted data (the authentication information) can be completely public without any harm to security, even though this information in fact contains confidential information: obtaining and processing that confidential information requires the device key.
E) A trust mechanism of their own is established between the authentication server and the equipment, which now share an authentication key. Moreover, the authentication server can be sure that the equipment is not an impostor and must be equipment recognised by the device server. This is the first level of security; establishing the authentication key is the second level.
Further, the user equipment may have a single open name that corresponds to multiple authentication servers, or it may have multiple open names in one-to-one correspondence with multiple authentication servers.
Explanation of the open name: every piece of equipment has a distinctive name that distinguishes it from any other equipment. This name can be announced publicly and reveals no information. Usually the open name is a numeric string, a string of letters, a group of words, or the like. The device server holds a table of open names and their device keys, so it can find the corresponding device key from an open name.
Preferably, the method further includes: the user equipment reads a second key from a second storage region, where the second key is an authentication key that the user equipment obtained by registering with a second authentication server using the device key, with the assistance of the device server, and the second storage region is one of the multiple key-storage data regions in the user equipment; the user equipment sends a second authentication request to the second authentication server, where the second authentication request carries disposable information obtained from the second key, the second authentication server is an authentication server independent of the first authentication server, and the second authentication server authenticates the user equipment with the second key and returns a second authentication result to the user equipment; and the user equipment receives the second authentication result returned by the second authentication server.
The second authentication server is a different authentication server from the first. In the user equipment, the data region storing the second key is completely isolated from the data region storing the first key. The process by which the user equipment authenticates to the second authentication server is similar to its authentication to the first authentication server, and its registration with the second authentication server is similar to its registration with the first authentication server; these are not repeated here.
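The authentication step itself and the per-server isolation of key regions, as an added illustration that is not code from the patent. The patent leaves the construction of the disposable information open; here it is assumed to be an HMAC over a fresh server challenge, which makes it valid for exactly one authentication, and the optional biometric input is represented by an extra byte string. Server names and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY_REGION = "device"   # region holding the device key; never used in auth requests

def disposable_info(auth_key, challenge, extra=b""):
    """One-time authentication value: MAC over the server's fresh challenge,
    optionally mixed with other data (e.g. a hash of a fingerprint template)."""
    return hmac.new(auth_key, challenge + extra, hashlib.sha256).digest()

class AuthServer:
    def __init__(self, server_id):
        self.server_id = server_id
        self.auth_keys = {}       # open name -> authentication key (set at registration)
        self.outstanding = {}     # open name -> challenge awaiting an answer

    def challenge(self, name):
        c = secrets.token_bytes(16)
        self.outstanding[name] = c
        return c

    def authenticate(self, name, info):
        c = self.outstanding.pop(name, None)   # challenge consumed: a replay finds none
        key = self.auth_keys.get(name)
        if c is None or key is None:
            return False
        return hmac.compare_digest(info, disposable_info(key, c))

class UserEquipment:
    def __init__(self, name):
        self.name = name
        self.regions = {DEVICE_KEY_REGION: secrets.token_bytes(32)}

    def store_auth_key(self, server_id, key):
        if server_id == DEVICE_KEY_REGION:
            raise ValueError("authentication keys live in their own isolated regions")
        self.regions[server_id] = key          # one region per authentication server

    def read_key(self, region):
        return self.regions[region]

    def authenticate_to(self, server, region=None):
        """Read the key for this server's region, answer its challenge, return the
        disposable info sent and whether the server accepted it."""
        key = self.read_key(region or server.server_id)
        c = server.challenge(self.name)
        info = disposable_info(key, c)
        return info, server.authenticate(self.name, info)

def authentication_demo():
    ue = UserEquipment("dev-001")
    s1, s2 = AuthServer("server1"), AuthServer("server2")
    for s in (s1, s2):   # stands in for the registration exchange: both ends hold the key
        k = secrets.token_bytes(32)
        s.auth_keys[ue.name] = k
        ue.store_auth_key(s.server_id, k)
    info1, ok1 = ue.authenticate_to(s1)
    _, ok2 = ue.authenticate_to(s2)
    replay = s1.authenticate(ue.name, info1)              # same disposable info again
    _, cross = ue.authenticate_to(s2, region="server1")   # key from the wrong region
    return {"server1": ok1, "server2": ok2, "replay": replay, "cross_region": cross}
```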
The embodiment of the invention also provides another identity authentication method.
Fig. 2 is a flow chart of the identity authentication method according to a second embodiment of the invention. As shown in Fig. 2, the identity authentication method comprises the following steps:
Step S202: the authentication server receives a first authentication request sent by the user equipment. The first authentication request carries disposable information obtained from a first key; the first key is an authentication key that the user equipment obtained by registering with the first authentication server using the device key, with the assistance of the device server; the device key is a key the user equipment obtained by registering with the device server; the user equipment includes multiple data regions for storing authentication keys and a data region for storing the device key, each of the multiple data regions storing one authentication key.
Step S204: the authentication server authenticates the user equipment with the first key and obtains an authentication result.
Step S206: the authentication server sends the authentication result to the user equipment.
The user equipment may be implemented in software, in hardware, or in a combination of both. Specifically, a hardware user equipment may be a card, an authentication token or a similar device, while a software user equipment may be realised as a software application. The user equipment has multiple data regions for storing authentication keys and a data region for storing the device key; the regions for authentication keys are isolated from the region for the device key, and the regions storing different authentication keys are also isolated from each other. Before the user equipment can be used for authentication, it must register with the device server and with the authentication server; only after registration can authentication take place.
Preferably, before the authentication server receives the first authentication request sent by the user equipment, the method further includes: the authentication server receives a registration request sent by the user equipment, the registration request carrying an open name representing the user equipment and first authentication information computed from the device key and confidential information chosen by the user equipment itself; after receiving the registration request, the authentication server computes second authentication information from the first authentication information and first confidential information chosen by the authentication server itself; the authentication server sends the open name and the second authentication information to the device server, which, based on the open name, extracts the key corresponding to the open name from its local store, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification succeeds, and returns the third authentication information to the authentication server; the authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and second confidential information chosen by the authentication server itself; the authentication server computes fourth authentication information from the first authentication information, the third authentication information and the second confidential information; and the authentication server sends the fourth authentication information to the user equipment, which computes the first key from it and stores the first key in the first storage region.
Before identity authentication can take place, the user equipment must also register with the first authentication server. The registration steps, the generation of the first to fourth authentication information and the effects achieved are the same as described for the first embodiment above and are not repeated here.
The embodiment of the invention also provides a user equipment.
Fig. 3 is a schematic diagram of the user equipment according to an embodiment of the invention. As shown in Fig. 3, the user equipment includes a first reading unit 301, a first sending unit 302 and a first receiving unit 303.
The first reading unit 301 is used to make the user equipment read a first key from a first storage region, where the first key is an authentication key that the user equipment obtained by registering with the first authentication server using the device key, with the assistance of the device server; the device key is a key the user equipment obtained by registering with the device server; the user equipment includes multiple data regions for storing authentication keys and a data region for storing the device key; the first storage region is one of the multiple data regions for storing authentication keys; and each of the multiple data regions stores one authentication key.
The first sending unit 302 is used to make the user equipment send a first authentication request to the first authentication server, where the first authentication request carries disposable information obtained from the first key, and the first authentication server authenticates the user equipment with the first key and returns a first authentication result to the user equipment.
The first receiving unit 303 is used to make the user equipment receive the first authentication result returned by the first authentication server.
Preferably, the user equipment further includes: a second sending unit, used to make the user equipment send a registration request to the first authentication server before the user equipment reads the first key from the first storage region, the registration request carrying an open name representing the user equipment and first authentication information computed from the device key and confidential information chosen by the user equipment itself, where, after receiving the registration request, the first authentication server computes second authentication information from the first authentication information and first confidential information chosen by the first authentication server itself and sends the open name and the second authentication information to the device server; the device server, based on the open name, extracts the key corresponding to the open name from its local store, verifies the second authentication information with that key, computes third authentication information from the second authentication information once verification succeeds, and returns the third authentication information to the first authentication server; the first authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and second confidential information chosen by the first authentication server itself, computes fourth authentication information from the first authentication information, the third authentication information and the second confidential information, and returns the fourth authentication information to the user equipment; a second receiving unit, used to make the user equipment receive the fourth authentication information; a computing unit, used to make the user equipment compute the first key from the fourth authentication information; and a storage unit, used to make the user equipment store the first key in the first storage region.
For the content of this section, refer to the identity authentication method of the first embodiment of the invention; it is not repeated here.
Preferably, the user equipment further includes: a second reading unit, used to make the user equipment read a second key from a second storage region, where the second key is an authentication key that the user equipment obtained by registering with a second authentication server using the device key, with the assistance of the device server, and the second storage region is one of the multiple key-storage data regions in the user equipment; a third sending unit, used to make the user equipment send a second authentication request to the second authentication server, where the second authentication request carries disposable information obtained from the second key, the second authentication server is an authentication server independent of the first authentication server, and the second authentication server authenticates the user equipment with the second key and returns a second authentication result to the user equipment; and a third receiving unit, used to make the user equipment receive the second authentication result returned by the second authentication server.
The second authentication server is a different authentication server from the first. In the user equipment, the data region storing the second key is completely isolated from the data region storing the first key. The process by which the user equipment authenticates to the second authentication server is similar to its authentication to the first authentication server, and its registration with the second authentication server is similar to its registration with the first authentication server; these are not repeated here.
An embodiment of the present invention further provides an authentication server. Fig. 4 is a schematic diagram of an authentication server according to an embodiment of the present invention. As shown in Fig. 4, the authentication server includes: a first receiving unit 401, an authentication unit 402 and a first sending unit 403.
The first receiving unit 401 is used to cause the authentication server to receive a first authentication request sent by the user equipment, where the first authentication request carries one-time information obtained from a first key; the first key is the authentication key obtained by the user equipment, using the device key and with the assistance of the device server, after registering with the first authentication server; the device key is the key obtained by the user equipment after registering with the device server; the user equipment includes multiple data areas for storing authentication keys and a data area for storing the device key; and each of the multiple data areas stores one authentication key.
The authentication unit 402 is used to cause the authentication server to authenticate the user equipment using the first key and obtain an authentication result.
The first sending unit 403 is used to cause the authentication server to send the authentication result to the user equipment.
The user equipment may be implemented in software, in hardware, or in a combination of software and hardware. Specifically, a hardware user equipment may be a card, an authentication token or similar apparatus, while a software user equipment may be implemented as a software application. The user equipment has multiple data areas for storing authentication keys and a data area for storing the device key; the data areas for authentication keys are isolated from the device key area, and the data areas storing different authentication keys are also isolated from one another. Before the user equipment can be used for authentication, it must register with the device server and with the authentication server; only after registration can it authenticate.
After reading the first key, the user equipment computes one-time information from the first key. This one-time information is valid only for the current authentication and becomes invalid afterwards. Specifically, the one-time information may be computed from the first key alone, or from the first key together with other information (for example biometric information such as a fingerprint). After producing the one-time information, the user equipment sends an authentication request carrying it to the first authentication server, asking to be authenticated. The first authentication server itself stores a symmetric key corresponding to the first key in the user equipment, that is, the first key is also stored in the first authentication server. The first authentication server can therefore authenticate the user equipment using this first key, obtain a first authentication result and send it to the user equipment.
In the embodiment of the present invention, because the user equipment includes multiple data areas for storing authentication keys and a data area for storing the device key, the user equipment can read the corresponding key from a different area for each authentication server and use that key to send an authentication request to that server. A single user equipment can thus authenticate to multiple authentication servers, which solves the problem in the prior art that authenticating a user to multiple authentication servers is inconvenient, and makes it easy for the user to authenticate to multiple authentication servers with a single user equipment.
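The authentication phase just described, as an added illustration written for this page (not code from the patent or its assignee): one user equipment keeps an isolated key area per authentication server and derives one-time information from the key of the server it is talking to. The page does not say how the one-time information is computed; the server-issued challenge and HMAC-SHA256 response used here, the class and method names, and the sample names are assumptions. The example also goes slightly beyond the text by checking the two properties a practitioner would want to see: a replayed one-time value is rejected, and the key for one server is useless at another.

```python
"""Authentication phase: per-server isolated key areas and one-time info.
Added example, not the patent's construction; challenge-response with
HMAC-SHA256 is an assumption (the page leaves the computation open)."""
import hmac
import hashlib
import secrets


class UserEquipment:
    """Device key in its own area, plus one isolated area per server."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key          # kept apart, never used here
        self._areas = {}                       # server_id -> authentication key

    def store_authentication_key(self, server_id: str, key: bytes) -> None:
        self._areas[server_id] = key

    def one_time_info(self, server_id: str, challenge: bytes,
                      biometric: bytes = b"") -> bytes:
        """Read only this server's area; bind its key to a fresh challenge
        and, optionally, biometric data as the text allows."""
        key = self._areas[server_id]
        return hmac.new(key, b"auth|" + challenge + b"|" + biometric,
                        hashlib.sha256).digest()


class AuthenticationServer:
    """Holds its own copy of each user equipment's authentication key."""

    def __init__(self, server_id: str):
        self.server_id = server_id
        self._keys = {}        # public name -> authentication key
        self._pending = {}     # public name -> outstanding challenge

    def register_key(self, public_name: str, key: bytes) -> None:
        self._keys[public_name] = key

    def issue_challenge(self, public_name: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[public_name] = challenge
        return challenge

    def verify(self, public_name: str, response: bytes,
               biometric: bytes = b"") -> bool:
        """Consume the challenge so the same one-time info cannot be replayed."""
        challenge = self._pending.pop(public_name, None)
        key = self._keys.get(public_name)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, b"auth|" + challenge + b"|" + biometric,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """One user equipment, two independent servers, one key area each."""
    ue = UserEquipment(device_key=secrets.token_bytes(32))
    servers = {sid: AuthenticationServer(sid) for sid in ("AS-1", "AS-2")}
    name = "ue-0001"                      # constructed public name
    for sid, server in servers.items():   # keys would come from registration
        key = secrets.token_bytes(32)
        ue.store_authentication_key(sid, key)
        server.register_key(name, key)

    results = {}
    for sid, server in servers.items():
        c = server.issue_challenge(name)
        results[sid] = server.verify(name, ue.one_time_info(sid, c))

    # Replay: the challenge was consumed, so the same info is rejected.
    c = servers["AS-1"].issue_challenge(name)
    info = ue.one_time_info("AS-1", c)
    first = servers["AS-1"].verify(name, info)
    replay = servers["AS-1"].verify(name, info)
    results["replay_rejected"] = first and not replay

    # Isolation: the key area for AS-1 does not authenticate to AS-2.
    c = servers["AS-2"].issue_challenge(name)
    results["cross_server_rejected"] = not servers["AS-2"].verify(
        name, ue.one_time_info("AS-1", c))
    return results
```

`demo()` returns a dictionary of outcomes rather than printing, so the isolation and replay checks can be asserted on. The device key is stored but deliberately never touched in this phase, mirroring the text's separation between the device key area and the authentication key areas.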
Preferably, the authentication server further includes: a second receiving unit, for causing the authentication server, before it receives the first authentication request sent by the user equipment, to receive a registration request sent by the user equipment, where the registration request carries a public name representing the user equipment and first authentication information computed from the device key and secret information of the user equipment itself; a first computing unit, for causing the authentication server, after receiving the registration request, to compute second authentication information from the first authentication information and first secret information chosen by the authentication server itself; a second sending unit, for causing the authentication server to send the public name and the second authentication information to the device server, where the device server extracts locally, based on the public name, the key corresponding to the public name, verifies the second authentication information using that key, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the authentication server; a second computing unit, for causing the authentication server to compute the first key from the first authentication information, the second authentication information, the third authentication information and second secret information chosen by the first authentication server itself; a third computing unit, for causing the authentication server to compute fourth authentication information from the first authentication information, the third authentication information and the second secret information chosen by the first authentication server itself; and a third sending unit, for causing the authentication server to send the fourth authentication information to the user equipment, where the user equipment computes the first key from the fourth authentication information and stores the first key in the first storage area.
Before authentication can take place, the user equipment must also register with the first authentication server. Specifically, registration with the first authentication server includes the following:
A) The user equipment submits a registration request to the first authentication server. The registration request carries the public name representing the user equipment and first authentication information. The first authentication information may be computed by the user equipment from the device key and secret information chosen by the user equipment itself; this secret information is information the user equipment can recognise, and it may be generated at random or according to a preset rule.
B) The first authentication server obtains the first authentication information and itself chooses some secret information (not yet a key, but later a component from which the key is produced), namely the first secret information. The first secret information may be information recognisable by the first authentication server, generated at random or according to some rule. Computing with the first secret information and the first authentication information produces a piece of information, the second authentication information, and the first authentication server then submits the public name and the second authentication information to the device server.
C) After the device server obtains the public name, it extracts the device key corresponding to that public name from the correspondence between public names and device keys that it stores (the extracted key agrees with the device key in the user equipment), and uses this key to verify the second authentication information. If verification fails, the first authentication server can be notified; if it passes, the second authentication information is processed to obtain the third authentication information, which is then submitted to the first authentication server.
D) The first authentication server chooses further, different secret information, the second secret information, which has the same type of attributes as the first secret information, and then computes with the first authentication information and the third authentication information to produce the first key and the fourth authentication information.
E) The first authentication server submits the fourth authentication information to the user equipment.
F) The user equipment uses its own symmetric key, the device key, to process the fourth authentication information and obtain the first key; this first key agrees with the first key in the first authentication server.
G) The user equipment and the first authentication server each store the first key, and possibly other secret information.
H) The user equipment and the first authentication server then exchange registration-success messages to confirm that registration succeeded.
I) The device server should also keep a record of this transaction.
Generation of the first authentication information: the user equipment chooses secret information (typically a random number), combines it with the public name and with other shared secret information (possibly including biometric information), and performs a cryptographic computation with the device key shared with the device server to produce the first authentication information.
Generation of the second authentication information: the authentication server chooses secret information and performs a cryptographic computation with the first authentication information (a key previously agreed between the authentication server and the device server may also be used, though in most cases this is unnecessary) to produce the second authentication information.
Generation of the third authentication information: the device server first obtains the second authentication information, then performs a cryptographic computation to recover part of the first authentication information, and uses the device key to verify that part. If verification passes, the third authentication information is computed; this computation uses the device key, the first authentication information and the second authentication information.
Generation of the fourth authentication information: the authentication server again chooses secret information and performs a cryptographic computation combining the third authentication information, the first authentication information and the second authentication information to produce the fourth authentication information.
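The registration steps A) to I) above and the four pieces of authentication information, as an added worked example written for this page (not the patent's own construction and not code from its assignee). The page never specifies the cryptographic computations, so every HMAC-SHA256 and XOR-masking construction here, together with the class, method and field names, is an assumption chosen so that the flow has the properties the text claims: the device server checks the request with the device key it looks up by public name, both ends arrive at the same first key, and the two legs that touch the user equipment carry only values that need the device key to interpret. It additionally assumes the authentication-server to device-server leg is a protected server-to-server channel (the text mentions a key the two servers may have agreed beforehand), since the value returned as third authentication information is what lets the authentication server, which holds no device key, mask its own secret for the user equipment.

```python
"""Three-party registration (user equipment / authentication server / device
server).  Added example; all constructions are assumptions, see lead-in."""
import hmac
import hashlib
import secrets
from typing import Optional


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed primitive)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UserEquipment:
    def __init__(self, public_name: bytes, device_key: bytes):
        self.name, self._dk = public_name, device_key
        self.areas = {}          # server_id -> first key, one isolated area each

    def registration_request(self) -> dict:
        """Step A: choose secret s_u, mask it under the device key, tag it.
        The dict returned is the first authentication information (AI1)."""
        self._s_u, self._r = secrets.token_bytes(32), secrets.token_bytes(16)
        e1 = xor(self._s_u, prf(self._dk, b"enc1", self.name, self._r))
        self._t1 = prf(self._dk, b"tag1", self.name, self._r, e1)
        return {"name": self.name, "r": self._r, "e1": e1, "t1": self._t1}

    def finish(self, server_id: str, ai4: dict) -> Optional[bytes]:
        """Steps F/G: unmask s2 with a device-key pad, derive the first key,
        check the server's confirmation, store the key in this server's area."""
        pad = prf(self._dk, b"pad", self.name, self._r, ai4["s1"])
        kdf = prf(self._dk, b"kdf", self.name, self._r, ai4["s1"], self._s_u)
        s2 = xor(ai4["c"], pad)
        key = prf(kdf, b"key", s2, self._t1)
        if not hmac.compare_digest(ai4["mac"], prf(key, b"confirm", ai4["s1"], ai4["c"])):
            return None                                   # step H would fail
        self.areas[server_id] = key
        return key


class DeviceServer:
    def __init__(self):
        self._keys = {}          # public name -> device key (from device registration)

    def enrol(self, name: bytes, dk: bytes) -> None:
        self._keys[name] = dk

    def third_info(self, name: bytes, ai2: dict) -> Optional[dict]:
        """Step C: look up the device key by public name, verify the part of
        AI1 carried inside AI2, then derive values only the device key yields."""
        dk, ai1 = self._keys.get(name), ai2["ai1"]
        if dk is None:
            return None
        if not hmac.compare_digest(ai1["t1"], prf(dk, b"tag1", name, ai1["r"], ai1["e1"])):
            return None                                   # verification failed
        s_u = xor(ai1["e1"], prf(dk, b"enc1", name, ai1["r"]))
        return {"pad": prf(dk, b"pad", name, ai1["r"], ai2["s1"]),
                "kdf": prf(dk, b"kdf", name, ai1["r"], ai2["s1"], s_u)}


class AuthenticationServer:
    def __init__(self, device_server: DeviceServer):
        self._ds, self.keys = device_server, {}

    def register(self, ai1: dict) -> Optional[dict]:
        """Steps B, D, E: choose s1 (AI2), obtain AI3, choose s2, derive the
        first key and build AI4 so only the device-key holder recovers s2."""
        s1 = secrets.token_bytes(16)
        ai2 = {"ai1": ai1, "s1": s1}
        ai3 = self._ds.third_info(ai1["name"], ai2)
        if ai3 is None:
            return None
        s2 = secrets.token_bytes(32)
        key = prf(ai3["kdf"], b"key", s2, ai1["t1"])
        c = xor(s2, ai3["pad"])
        self.keys[ai1["name"]] = key
        return {"s1": s1, "c": c, "mac": prf(key, b"confirm", s1, c)}


def run_registration(tamper: bool = False) -> tuple:
    """Returns (key stored by UE, key stored by AS); tamper=True forges AI1."""
    name, dk = b"ue-0001", secrets.token_bytes(32)          # constructed values
    ds, ue = DeviceServer(), UserEquipment(name, dk)
    ds.enrol(name, dk)
    as1 = AuthenticationServer(ds)
    ai1 = ue.registration_request()
    if tamper:
        ai1 = dict(ai1, e1=secrets.token_bytes(32))         # forged without dk
    ai4 = as1.register(ai1)
    ue_key = ue.finish("AS-1", ai4) if ai4 else None
    return ue_key, as1.keys.get(name)
```

`run_registration()` yields identical keys on both sides; with `tamper=True` the forged first authentication information fails the device server's tag check in step C, no third authentication information is produced, and neither side stores a key. The confirmation MAC in AI4 plays the role of the success exchange in step H: the user equipment only stores the key after proving that the server derived the same one.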
The effects A) to E) listed above for the user equipment embodiment apply equally here.
An embodiment of the present invention further provides an identity authentication system. Fig. 5 shows an identity authentication system according to an embodiment of the present invention. As shown in Fig. 5, the identity authentication system includes: a user equipment 501, an authentication server 502 and a device server 503.
The user equipment 501 includes multiple data areas for storing authentication keys and a data area for storing the device key; each of the multiple data areas stores one authentication key. The user equipment sends an authentication request to the authentication server, the request carrying one-time information obtained from the authentication key, where the authentication key is the key obtained by the user equipment, using the device key and with the assistance of the device server, after registering with the authentication server, and the device key is the key obtained by the user equipment after registering with the device server.
The authentication server 502 is used to receive the authentication request sent by the user equipment.
The device server 503 is used to register the user equipment and the authentication server.
For a description of the identity authentication system, refer to the part of the embodiments of the present invention concerning the identity authentication method; it is not repeated here.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatus or units, and may be electrical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a mobile terminal, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a portable hard drive, a magnetic disk, an optical disc, or any other medium that can store program code.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within the scope of the present invention.

Claims (13)

1. An identity authentication method, characterised by comprising:
a user equipment reading a first key from a first storage area, wherein the first key is an authentication key obtained by the user equipment, using a device key and with the assistance of a device server, after registering with a first authentication server; the device key is a key obtained by the user equipment after registering with the device server; the user equipment includes multiple data areas for storing authentication keys and a data area for storing the device key; the first storage area is one data area among the multiple data areas for storing authentication keys; and each of the multiple data areas stores one authentication key;
the user equipment sending a first authentication request to the first authentication server, wherein the first authentication request carries one-time information obtained from the first key, and the first authentication server authenticates the user equipment using the first key and returns a first authentication result to the user equipment; and
the user equipment receiving the first authentication result returned by the first authentication server.
2. The identity authentication method according to claim 1, characterised in that, before the user equipment reads the first key from the first storage area, the method further comprises:
the user equipment registering with the device server; and
the user equipment and the device server establishing a symmetric key, the user equipment using the symmetric key as the device key.
3. The identity authentication method according to claim 1, characterised in that, before the user equipment reads the first key from the first storage area, the method further comprises:
the user equipment sending a registration request to the first authentication server, the registration request carrying a public name representing the user equipment and first authentication information computed from the device key and secret information of the user equipment itself, wherein, after receiving the registration request, the first authentication server computes second authentication information from the first authentication information and first secret information chosen by the first authentication server itself, and sends the public name and the second authentication information to the device server; the device server extracts locally, based on the public name, the key corresponding to the public name, verifies the second authentication information using the key corresponding to the public name, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the first authentication server; the first authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and second secret information chosen by the first authentication server itself, computes fourth authentication information from the first authentication information, the third authentication information and the second secret information chosen by the first authentication server itself, and returns the fourth authentication information to the user equipment;
the user equipment receiving the fourth authentication information;
the user equipment computing the first key using the fourth authentication information; and
the user equipment storing the first key in the first storage area.
4. The identity authentication method according to claim 3, characterised in that the user equipment has a unique public name, the public name corresponding to multiple authentication servers; or the user equipment has multiple public names, the multiple public names corresponding one-to-one to multiple authentication servers.
5. The identity authentication method according to claim 1, characterised in that the method further comprises:
the user equipment reading a second key from a second storage area, wherein the second key is an authentication key obtained by the user equipment, using the device key and with the assistance of the device server, after registering with a second authentication server, and the second storage area is one data area among the multiple key-storage data areas in the user equipment;
the user equipment sending a second authentication request to the second authentication server, wherein the second authentication request carries one-time information obtained from the second key, the second authentication server is an authentication server independent of the first authentication server, and the second authentication server authenticates the user equipment using the second key and returns a second authentication result to the user equipment; and
the user equipment receiving the second authentication result returned by the second authentication server.
6. An identity authentication method, characterised by comprising:
an authentication server receiving a first authentication request sent by a user equipment, wherein the first authentication request carries one-time information obtained from a first key; the first key is an authentication key obtained by the user equipment, using a device key and with the assistance of a device server, after registering with a first authentication server; the device key is a key obtained by the user equipment after registering with the device server; the user equipment includes multiple data areas for storing authentication keys and a data area for storing the device key; and each of the multiple data areas stores one authentication key;
the authentication server authenticating the user equipment using the first key and obtaining an authentication result; and
the authentication server sending the authentication result to the user equipment.
7. The identity authentication method according to claim 6, characterised in that, before the authentication server receives the first authentication request sent by the user equipment, the method further comprises:
the authentication server receiving a registration request sent by the user equipment, wherein the registration request carries a public name representing the user equipment and first authentication information computed from the device key and secret information of the user equipment itself;
the authentication server, after receiving the registration request, computing second authentication information from the first authentication information and first secret information chosen by the authentication server itself;
the authentication server sending the public name and the second authentication information to the device server, wherein the device server extracts locally, based on the public name, the key corresponding to the public name, verifies the second authentication information using the key corresponding to the public name, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the authentication server;
the authentication server computing the first key from the first authentication information, the second authentication information, the third authentication information and second secret information chosen by the first authentication server itself;
the authentication server computing fourth authentication information from the first authentication information, the third authentication information and the second secret information chosen by the first authentication server itself; and
the authentication server sending the fourth authentication information to the user equipment, wherein the user equipment computes the first key using the fourth authentication information and stores the first key in a first storage area.
8. A user equipment, characterised by comprising:
a first reading unit, for causing the user equipment to read a first key from a first storage area, wherein the first key is an authentication key obtained by the user equipment, using a device key and with the assistance of a device server, after registering with a first authentication server; the device key is a key obtained by the user equipment after registering with the device server; the user equipment includes multiple data areas for storing authentication keys and a data area for storing the device key; the first storage area is one data area among the multiple data areas for storing authentication keys; and each of the multiple data areas stores one authentication key;
a first sending unit, for causing the user equipment to send a first authentication request to the first authentication server, wherein the first authentication request carries one-time information obtained from the first key, and the first authentication server authenticates the user equipment using the first key and returns a first authentication result to the user equipment; and
a first receiving unit, for causing the user equipment to receive the first authentication result returned by the first authentication server.
9. The user equipment according to claim 8, characterised in that the user equipment further comprises:
a second sending unit, for causing the user equipment, before it reads the first key from the first storage area, to send a registration request to the first authentication server, the registration request carrying a public name representing the user equipment and first authentication information computed from the device key and secret information of the user equipment itself, wherein, after receiving the registration request, the first authentication server computes second authentication information from the first authentication information and first secret information chosen by the first authentication server itself, and sends the public name and the second authentication information to the device server; the device server extracts locally, based on the public name, the key corresponding to the public name, verifies the second authentication information using the key corresponding to the public name, computes third authentication information from the second authentication information once verification passes, and returns the third authentication information to the first authentication server; the first authentication server computes the first key from the first authentication information, the second authentication information, the third authentication information and second secret information chosen by the first authentication server itself, computes fourth authentication information from the first authentication information, the third authentication information and the second secret information chosen by the first authentication server itself, and returns the fourth authentication information to the user equipment;
a second receiving unit, for causing the user equipment to receive the fourth authentication information;
a computing unit, for causing the user equipment to compute the first key using the fourth authentication information; and
a storage unit, for causing the user equipment to store the first key in the first storage area.
10. The user equipment according to claim 8, characterised in that the user equipment further comprises:
a second reading unit, for causing the user equipment to read a second key from a second storage area, wherein the second key is an authentication key obtained by the user equipment, using the device key and with the assistance of the device server, after registering with a second authentication server, and the second storage area is one data area among the multiple key-storage data areas in the user equipment;
a third sending unit, for causing the user equipment to send a second authentication request to the second authentication server, wherein the second authentication request carries one-time information obtained from the second key, the second authentication server is an authentication server independent of the first authentication server, and the second authentication server authenticates the user equipment using the second key and returns a second authentication result to the user equipment; and
a third receiving unit, for causing the user equipment to receive the second authentication result returned by the second authentication server.
11. An authentication server, comprising:
a first receiving unit, configured to cause the authentication server to receive a first authentication request sent by a user equipment, wherein the first authentication request carries one-time information obtained from a first key, the first key is an authentication key obtained by the user equipment after registering with the first authentication server, using a device key and with the assistance of a device server, the device key is a key obtained by the user equipment after registering with the device server, the user equipment comprises a plurality of data areas for storing authentication keys and a data area for storing the device key, and each of the plurality of data areas stores one authentication key;
an authentication unit, configured to cause the authentication server to authenticate the user equipment using the first key and obtain an authentication result; and
a first sending unit, configured to cause the authentication server to send the authentication result to the user equipment.
12. The authentication server according to claim 11, wherein the authentication server further comprises:
a second receiving unit, configured to cause the authentication server, before it receives the first authentication request sent by the user equipment, to receive a registration request sent by the user equipment, wherein the registration request carries a public name that represents the user equipment and first authentication information computed from the device key and the user equipment's own secret information;
a first computing unit, configured to cause the authentication server, after receiving the registration request, to compute second authentication information from the first authentication information and a first secret value chosen by the authentication server itself;
a second sending unit, configured to cause the authentication server to send the public name and the second authentication information to the device server, wherein the device server retrieves from local storage the key corresponding to the public name, verifies the second authentication information using that key, computes third authentication information from the second authentication information once verification succeeds, and returns the third authentication information to the authentication server;
a second computing unit, configured to cause the authentication server to compute the first key from the first authentication information, the second authentication information, the third authentication information and a second secret value chosen by the first authentication server itself;
a third computing unit, configured to cause the authentication server to compute fourth authentication information from the first authentication information, the third authentication information and the second secret value chosen by the first authentication server itself; and
a third sending unit, configured to cause the authentication server to send the fourth authentication information to the user equipment, wherein the user equipment computes the first key from the fourth authentication information and stores the first key in a first storage area.
13. An identity authentication system, comprising:
a user equipment comprising a plurality of data areas for storing authentication keys and a data area for storing a device key, each of the plurality of data areas storing one authentication key, the user equipment being configured to send an authentication request to an authentication server, the authentication request carrying one-time information obtained from an authentication key, wherein the authentication key is the key obtained by the user equipment after registering with the first authentication server, using the device key and with the assistance of a device server, and the device key is a key obtained by the user equipment after registering with the device server;
the authentication server, configured to receive the authentication request sent by the user equipment; and
the device server, configured to register the user equipment and the authentication server.
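The three-party registration exchange described in the claims above (first through fourth authentication information, with the device server verifying the request before the authentication server derives the first key) and the later per-server authentication with a one-time value, simulated end to end as an added example; this is not the patent's code, and every concrete derivation (HMAC-SHA256 tags, random nonces standing in for the servers' chosen secrets, a counter-based one-time value, the slot layout) is an assumption, since the claims fix only the message flow.

```python
# Added illustration, not the patent's implementation: the claims specify who computes what from
# which inputs, so every primitive below (HMAC-SHA256, nonces, counters) is an assumed choice.
import hmac, hashlib, secrets

def H(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the joined parts: the assumed derivation primitive."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class DeviceServer:
    """Holds the device key issued at device registration, indexed by public name."""
    def __init__(self):
        self.keys = {}
    def register_device(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]
    def check(self, name: str, a2: dict) -> bytes:
        k_dev = self.keys[name]                         # key corresponding to the public name
        if not hmac.compare_digest(a2["tag"], H(k_dev, a2["n_u"])):
            raise ValueError("device server: second authentication information rejected")
        return H(k_dev, a2["n_u"], a2["n_s"])           # third authentication information

class AuthServer:
    def __init__(self, ds: DeviceServer):
        self.ds, self.keys = ds, {}
    def register(self, name: str, a1: dict) -> dict:
        n_s = secrets.token_bytes(16)                   # first secret chosen by the server
        a3 = self.ds.check(name, {**a1, "n_s": n_s})    # A2 = A1 plus the first secret
        a2_secret = secrets.token_bytes(16)             # second secret chosen by the server
        self.keys[name] = H(a3, a2_secret)              # first key, server side
        return {"n_s": n_s, "a2": a2_secret}            # fourth authentication information
    def authenticate(self, name: str, counter: int, otp: bytes) -> bool:
        k1 = self.keys.get(name)
        return k1 is not None and hmac.compare_digest(otp, H(k1, counter.to_bytes(8, "big")))

class UserEquipment:
    def __init__(self, name: str, ds: DeviceServer, slots: int = 4):
        self.name, self.k_dev = name, ds.register_device(name)   # device key data area
        self.slots = [None] * slots                               # one authentication key per area
    def register(self, server: AuthServer, slot: int) -> None:
        n_u = secrets.token_bytes(16)                             # the UE's own secret information
        a1 = {"n_u": n_u, "tag": H(self.k_dev, n_u)}              # first authentication information
        a4 = server.register(self.name, a1)
        a3 = H(self.k_dev, n_u, a4["n_s"])                        # recomputed using the device key
        self.slots[slot] = H(a3, a4["a2"])                        # first key, stored in its area
    def one_time_info(self, slot: int, counter: int) -> bytes:
        return H(self.slots[slot], counter.to_bytes(8, "big"))   # one-time info for a request
```

Registering the same device with two independent authentication servers fills two separate slots, and a one-time value derived from one slot is rejected by the other server, which is the isolation the separate data areas are meant to provide.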

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510102034.6A CN106034023B (en) 2015-03-09 2015-03-09 User equipment, certificate server and identity identifying method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510102034.6A CN106034023B (en) 2015-03-09 2015-03-09 User equipment, certificate server and identity identifying method and system

Publications (2)

Publication Number Publication Date
CN106034023A true CN106034023A (en) 2016-10-19
CN106034023B CN106034023B (en) 2019-06-21

Family

ID=57150348

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510102034.6A Active CN106034023B (en) 2015-03-09 2015-03-09 User equipment, certificate server and identity identifying method and system

Country Status (1)

Country Link
CN (1) CN106034023B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789015A (en) * 2016-12-22 2017-05-31 贵州电网有限责任公司电力科学研究院 A kind of intelligent distribution network communication security system
CN109274653A (en) * 2018-08-31 2019-01-25 江苏满运软件科技有限公司 Data management-control method, system, equipment and storage medium based on user right

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004280844A (en) * 2004-04-06 2004-10-07 Katsuyoshi Nagashima Rental storage area provision service device and its method
CN1833284A (en) * 2003-08-08 2006-09-13 皇家飞利浦电子股份有限公司 Reproducing encrypted content using region keys
CN101841418A (en) * 2009-03-17 2010-09-22 熊楚渝 Handheld multiple role electronic authenticator and service system thereof
CN102238135A (en) * 2010-04-26 2011-11-09 许丰 Security authentication server
CN103647645A (en) * 2013-11-05 2014-03-19 北京宏基恒信科技有限责任公司 Method, system and equipment for dynamic password authentication of multiple authentication servers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
彭双和: "Research on the Authentication Architecture of Information Systems and Related Technologies", CNKI *

Also Published As

Publication number Publication date
CN106034023B (en) 2019-06-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant