CN107070667A - Identity identifying method, user equipment and server - Google Patents
- Publication number: CN107070667A (application CN201710421767.5A)
- Authority: CN (China)
- Prior art keywords: user, authentication, public key, certificate, server
- Legal status: Granted (Google's note: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All entries fall under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268: as H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L63/0823: Network architectures or network communication protocols for network security, for authentication of entities, using certificates
- H04L9/3249: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses an identity authentication method. On the user equipment side, the method includes: signing the user authentication public key with the device attestation private key, then sending the signed data together with the device attestation public key certificate to the identity authentication server, so that the identity authentication server verifies the device attestation public key using the device manufacturer's root public key certificate, verifies the signed data using the device attestation public key, and then sends the user information together with the user authentication public key to the certificate authority server, so that the certificate authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the identity authentication server for storage. The method improves the security of identity authentication through the endorsement of the certificate authority. The invention also provides a user equipment and servers based on this method.
Description
Technical field
The present invention relates to the field of identity authentication technology, and in particular to an identity authentication method that introduces an authentication center, and to a user equipment and server for it.
Background technology
The Fast Identity Online standard (hereinafter the FIDO standard) is an open standard protocol for online authentication proposed by the FIDO Alliance; it aims to provide an online identity authentication technology framework with high security, cross-platform compatibility, excellent user experience and user privacy protection. The FIDO standard completes user identity verification by combining two main technologies, biometric identification and asymmetric encryption, and is intended to end the long-standing burden of users having to remember and use large numbers of complex passwords.
However, the FIDO system architecture still carries some security risks. In the FIDO UAF framework, the user authentication key is generated by the authenticator embedded in the client device; the user private key is stored in the authenticator, and the user public key is signed with the authenticator's attestation private key and sent to the server side. After the server side verifies it using the authenticator attestation root certificate, the user public key is stored in the server-side database, which completes the user registration flow. In this flow, the FIDO server relies on the original user authentication means (such as a password or an SMS verification code) to verify the user, and on the authenticator attestation mechanism to verify the device. Because the authenticator's attestation key is not unique to every device, security risks may exist, such as an attacker impersonating a user in order to register.
Summary of the invention
The object of the invention is to solve the security risk to which a user is exposed during registration under the existing FIDO authentication standard, by providing an identity authentication method, and a user equipment and servers based on this method.
In a first aspect, the invention provides an identity authentication method which, on the user equipment side, includes:
signing the user authentication public key with the device attestation private key, then sending the signed data together with the device attestation public key certificate to the identity authentication server, so that the identity authentication server verifies the device attestation public key using the device manufacturer's root public key certificate, verifies the signed data using the device attestation public key, and then sends the user information together with the user authentication public key to the certificate authority server, so that the certificate authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the identity authentication server for storage.
Optionally, the device attestation private key and device attestation public key are pre-provisioned in the user equipment, and the device attestation public key is certified by the device manufacturer's root private key.
Optionally, before the user authentication public key is signed with the device attestation private key, the method further includes:
generating the user authentication key pair at user registration and keeping the user authentication private key in the user equipment.
Optionally, at least one of the public key, the private key and the user certificate is stored in the secure storage area of the corresponding device.
Optionally, the method includes a deregistration procedure, which comprises:
after the user has completed identity authentication, sending a deregistration request to the identity authentication server, so that the identity authentication server deletes the user's user authentication public key certificate and sends the certificate's identification code to the certificate authority server, so that the certificate authority server revokes the certificate and returns the result;
once the result is received, deleting the user authentication private key.
In a second aspect, the invention provides an identity authentication method which, on the identity authentication server side, includes:
after receiving the signed data and the device attestation public key certificate sent by the user equipment, verifying the device attestation public key using the device manufacturer's root public key certificate, then verifying the signed data using the device attestation public key, and then sending the user information together with the user authentication public key to the certificate authority server, so that the certificate authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the identity authentication server for storage; wherein the signed data is obtained by signing the user authentication public key with the device attestation private key.
Optionally, the device attestation private key and device attestation public key are pre-provisioned in the user equipment, and the device attestation public key is certified by the device manufacturer's root private key.
Optionally, before the user authentication public key is signed with the device attestation private key, the method further includes the following step:
generating the user authentication key pair at user registration and keeping the user authentication private key in the user equipment.
Optionally, at least one of the public key, the private key and the user certificate is stored in the secure storage area of the corresponding device.
Optionally, the method includes a deregistration procedure, which comprises:
revoking the certificate according to the identification code sent by the identity authentication server after it deletes the user authentication public key certificate, and returning the result so that the user equipment deletes the user authentication private key.
In a third aspect, the invention provides an identity authentication method implemented with a user equipment, an identity authentication server and a certificate authority server; on the certificate authority server side, the method includes: generating a user certificate from the user information and the user authentication public key sent by the identity authentication server, and returning the user certificate to the identity authentication server for storage; wherein:
before being sent to the certificate authority server, the user authentication public key has undergone the following processing: on the user equipment side it is signed with the device attestation private key and sent together with the device attestation public key to the identity authentication server; the identity authentication server then verifies the device attestation public key using the device manufacturer's root public key certificate and verifies the signed data using the device attestation public key.
Optionally, the device attestation private key and device attestation public key are pre-provisioned in the user equipment, and the device attestation public key is certified by the device manufacturer's root private key.
Optionally, before the user authentication public key is signed with the device attestation private key, the method further includes the following step:
generating the user authentication key pair at user registration and keeping the user authentication private key in the user equipment.
Optionally, at least one of the public key, the private key and the user certificate is stored in the secure storage area of the corresponding device.
Optionally, the method includes a deregistration procedure, which comprises: after receiving the deregistration request of the user equipment, deleting the user authentication public key certificate and sending the certificate's identification code to the certificate authority server, so that the certificate authority server revokes the certificate according to the identification code and returns the result, whereupon the user equipment deletes the user authentication private key.
In a fourth aspect, the invention provides a user equipment comprising a storage medium and a computer program stored in the storage medium, the program being operable to carry out the following steps:
signing the user authentication public key with the device attestation private key, then sending the signed data together with the device attestation public key certificate to the identity authentication server, so that the identity authentication server verifies the device attestation public key using the device manufacturer's root public key certificate, verifies the signed data using the device attestation public key, and then sends the user information together with the user authentication public key to the certificate authority server, so that the certificate authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the identity authentication server for storage.
Optionally, the device attestation private key and device attestation public key are pre-provisioned in the user equipment, and the device attestation public key is certified by the device manufacturer's root private key.
Optionally, before the user authentication public key is signed with the device attestation private key, the program is further operable to carry out the following step:
generating the user authentication key pair at user registration and keeping the user authentication private key in the user equipment.
Optionally, at least one of the public key, the private key and the user certificate is stored in the secure storage area of the corresponding device.
Optionally, the program is further operable to carry out the following steps:
after the user has completed identity authentication, sending a deregistration request to the identity authentication server, so that the identity authentication server deletes the user's user authentication public key certificate and sends the certificate's identification code to the certificate authority server, so that the certificate authority server revokes the certificate and returns the result;
once the result is received, deleting the user authentication private key.
In a fifth aspect, an embodiment of the invention provides an identity authentication server comprising a storage medium and a computer program stored in the storage medium, the program being operable to carry out the following steps:
after receiving the signed data and the device attestation public key certificate sent by the user equipment, verifying the device attestation public key using the device manufacturer's root public key certificate, then verifying the signed data using the device attestation public key, and then sending the user information together with the user authentication public key to the certificate authority server, so that the certificate authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the identity authentication server for storage; wherein the signed data is obtained by signing the user authentication public key with the device attestation private key.
Optionally, the device attestation private key and device attestation public key are pre-provisioned in the user equipment, and the device attestation public key is certified by the device manufacturer's root private key.
Optionally, before the user authentication public key is signed with the device attestation private key, the following step is also carried out:
generating the user authentication key pair at user registration and keeping the user authentication private key in the user equipment.
Optionally, at least one of the public key, the private key and the user certificate is stored in the secure storage area of the corresponding device.
Optionally, the program is further operable to carry out the following step:
revoking the certificate according to the identification code sent by the identity authentication server after it deletes the user authentication public key certificate, and returning the result so that the user equipment deletes the user authentication private key.
In a sixth aspect, the invention provides a certificate authority server comprising a storage medium and a computer program stored in the storage medium, the program being operable to carry out the following steps: generating a user certificate from the user information and the user authentication public key sent by the identity authentication server, and returning the user certificate to the identity authentication server for storage; wherein:
before being sent to the certificate authority server, the user authentication public key has undergone the following processing: on the user equipment side it is signed with the device attestation private key and sent together with the device attestation public key to the identity authentication server; the identity authentication server then verifies the device attestation public key using the device manufacturer's root public key certificate and verifies the signed data using the device attestation public key.
Optionally, the device attestation private key and device attestation public key are pre-provisioned in the user equipment, and the device attestation public key is certified by the device manufacturer's root private key.
Optionally, before the user authentication public key is signed with the device attestation private key, the following step is also carried out:
generating the user authentication key pair at user registration and keeping the user authentication private key in the user equipment.
Optionally, at least one of the public key, the private key and the user certificate is stored in the secure storage area of the corresponding device.
Optionally, the program is further operable to carry out the following steps: after receiving the deregistration request of the user equipment, deleting the user authentication public key certificate and sending the certificate's identification code to the certificate authority server, so that the certificate authority server revokes the certificate according to the identification code and returns the result, whereupon the user equipment deletes the user authentication private key.
The identity authentication method provided by the invention, and the user equipment and servers based on it, introduce a certificate authority server into the system architecture of the existing FIDO standard. During user registration, the user authentication public key is first signed with the device attestation private key and that signature is verified with the device attestation public key; the key is then sent together with the user information to the certificate authority server, which generates the user certificate that serves as the basis for user authentication. Because the certificate authority is an authoritative, trusted third party, its endorsement of the user authentication public key improves the security of user registration and authentication.
Brief description of the drawings
Fig. 1 is a flow chart of the identity authentication method provided by an embodiment of the invention, on the user equipment side;
Fig. 2 is a flow chart of certificate revocation on the user equipment side in the identity authentication method provided by an embodiment of the invention;
Fig. 3 is a flow chart of the identity authentication method provided by an embodiment of the invention, on the identity authentication server side;
Fig. 4 is a flow chart of certificate revocation on the identity authentication server side in the identity authentication method provided by an embodiment of the invention;
Fig. 5 is a flow chart of the identity authentication method provided by an embodiment of the invention, on the certificate authority server side;
Fig. 6 is a flow chart of certificate revocation on the certificate authority server side in the identity authentication method provided by an embodiment of the invention;
Fig. 7 is a flow chart of DAK generation in the identity authentication method provided by an embodiment of the invention;
Fig. 8 is a flow chart of UAK generation in the identity authentication method provided by an embodiment of the invention;
Fig. 9 is a flow chart of user authentication in the identity authentication method provided by an embodiment of the invention;
Fig. 10 is a flow chart of certificate revocation in the identity authentication method provided by an embodiment of the invention;
Fig. 11 is a schematic structural diagram of the user equipment provided by an embodiment of the invention;
Fig. 12 is a schematic structural diagram of the identity authentication server provided by an embodiment of the invention;
Fig. 13 is a schematic structural diagram of the certificate authority server provided by an embodiment of the invention;
Fig. 14 is the overall architecture diagram of the identity authentication method provided by an embodiment of the invention.
Embodiment
To help those skilled in the art better understand the solution of the invention, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. The technical solutions in the embodiments of the invention are described clearly and completely below in conjunction with the drawings; the described embodiments are obviously only some, not all, of the embodiments of the invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
An embodiment of the invention provides an identity authentication method whose basic idea is to introduce, on top of the system architecture of the existing FIDO standard, a certificate authority server (the CA/RA server shown in Fig. 14 in this embodiment) that endorses the user authentication public key, thereby improving the security of user registration and authentication.
Unless the context indicates otherwise, the following words and phrases used in this specification generally have the following meanings:
The term "device attestation key", in full Device Attestation Key, is abbreviated DAK.
A "device attestation key" is an asymmetric key pair consisting of a public key and a private key. The key pair is generated by the identity authentication client when the device leaves the factory and is pre-provisioned in the device's secure storage area. The DAK of every device is unique.
A "service verification key" is an asymmetric key pair consisting of a public key and a private key. The key pair is generated by the identity authentication client when it is activated for the first time, and is delivered to the identity authentication server after being signed with the DAK private key.
The term "user authentication key", in full User Authentication Key, is abbreviated UAK.
The term "universal authentication framework", in full Universal Authentication Framework, is abbreviated UAF. The universal authentication framework is an identity authentication protocol proposed by the international FIDO Alliance; it uses the authentication capability provided by the user equipment and completes user authentication on the basis of a public/private key system.
A "user authentication key" is an asymmetric key pair consisting of a public key and a private key. The key pair is generated by the user equipment when the user registers, and is used to authenticate the identity of the end user.
Below, with reference to Figs. 1 to 10, the identity authentication method of the embodiment of the invention is described from the user equipment side, the identity authentication server side and the device authentication server side respectively.
On the user equipment side, the identity authentication method provided by the embodiment of the invention comprises the following steps:
S101: generate the user authentication key pair at user registration and store the user authentication private key in the user equipment.
Under the FIDO standard, taking the universal authentication framework (UAF) as an example, the user authentication key pair can be generated through the following flow:
The user equipment submits the user name and other required user data to the application provider through the app, and the application starts the UAF registration procedure. On receiving the user's request, the application provider's server sends a registration request to the UAF client in the smart device. After receiving the registration request, the UAF client calls the UAF authenticator through the application interface and presents the local confirmation methods supported by this device for the user to choose and confirm; after the user confirms, the UAF authenticator generates a new public/private key pair. The UAF authenticator here can be any biometric identification device, including but not limited to known fingerprint recognition devices, facial recognition modules, iris recognition modules and voice recognition devices.
It should be understood that, after obtaining a smart terminal (such as a mobile phone) that supports the UAF protocol, the user must first, as in everyday use, enrol biometric identification information on the device to complete local authentication: for example, collecting the user's fingerprint with a fingerprint recognition module, the user's voice with a microphone, or the user's face or iris with a camera. The collected authentication information between the user and the device is stored in the secure element of the device.
S102: sign the user authentication public key with the device attestation private key and send it together with the device attestation public key certificate to the identity authentication server, so that the identity authentication server verifies the device attestation public key using the device manufacturer's root public key certificate, verifies the signed data using the device attestation public key, and then sends the user information together with the user authentication public key to the certificate authority server, so that the certificate authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the identity authentication server for storage. The user certificate is preferably kept in a secure storage area, such as an encrypted database, a trusted execution environment or a security chip; this avoids leakage and improves the security of the authentication process.
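The registration flow of S101 and S102, together with the factory provisioning of the DAK described later in this section (the manufacturer's root certifying a per-device attestation key), as an added Go example. This is not code from the patent or from any FIDO implementation: the names (NewCert, NewKey, CA, Device, AuthServer, Setup), the use of ECDSA P-256 keys and SHA-256 over the DER-encoded UAK public key, the certificate names and the user identifier alice@example.com are all constructed assumptions. The identity authentication server forwards a key to the CA only after the DAK certificate chains to the manufacturer root and the signature over the UAK public key verifies under that attested DAK public key, so a device whose attestation certificate was not issued by the manufacturer is rejected before any user certificate exists.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCert issues a certificate for pub signed by signer; parent == nil yields a self-signed CA.
func NewCert(cn string, serial int64, pub any, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // a root or CA must also be allowed to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// CA is the certificate authority that endorses a user authentication public key with a user certificate.
type CA struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// IssueUserCert binds the user info to the UAK public key forwarded by the identity authentication server.
func (c *CA) IssueUserCert(userInfo string, uakPubDER []byte) (*x509.Certificate, error) {
	pub, err := x509.ParsePKIXPublicKey(uakPubDER)
	if _, ok := pub.(*ecdsa.PublicKey); err != nil || !ok {
		return nil, fmt.Errorf("user authentication public key rejected: %v", err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // doubles as the certificate's identification code
	return NewCert(userInfo, serial.Int64(), pub, c.Cert, c.key), nil
}

// Device holds the factory-provisioned DAK and, after S101, the UAK private key.
type Device struct {
	dakKey, UAKKey *ecdsa.PrivateKey
	dakCert        *x509.Certificate
}

// Register generates the UAK pair (S101) and builds the S102 message: the UAK public key (DER), its ECDSA/SHA-256 signature under the DAK private key, and the DAK certificate.
func (d *Device) Register() (uakPubDER, sig, dakCertDER []byte) {
	d.UAKKey = NewKey()
	uakPubDER, _ = x509.MarshalPKIXPublicKey(&d.UAKKey.PublicKey)
	h := sha256.Sum256(uakPubDER)
	sig, _ = ecdsa.SignASN1(rand.Reader, d.dakKey, h[:])
	return uakPubDER, sig, d.dakCert.Raw
}

// AuthServer is the identity authentication server: it checks the attestation and keeps user certificates.
type AuthServer struct {
	mfrRoots  *x509.CertPool
	CA        *CA
	UserCerts map[string]*x509.Certificate // keyed by user info
}

func (s *AuthServer) Register(userInfo string, uakPubDER, sig, dakCertDER []byte) (*x509.Certificate, error) {
	dakCert, err := x509.ParseCertificate(dakCertDER)
	if err == nil { // 1. the DAK certificate must chain to the manufacturer's root public key certificate
		_, err = dakCert.Verify(x509.VerifyOptions{Roots: s.mfrRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return nil, fmt.Errorf("device attestation rejected: %w", err)
	}
	h := sha256.Sum256(uakPubDER) // 2. the signature over the UAK public key must verify under the attested DAK public key
	if pub, ok := dakCert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, fmt.Errorf("signature over the user authentication public key is invalid")
	}
	cert, err := s.CA.IssueUserCert(userInfo, uakPubDER) // 3. the CA endorses the key; keep the certificate it returns
	if err == nil {
		s.UserCerts[userInfo] = cert
	}
	return cert, err
}

// Setup builds the constructed PKI: the manufacturer root certifies one device's DAK (the factory provisioning steps) and a separate CA issues user certificates.
func Setup() (*Device, *AuthServer) {
	rootKey, dakKey, caKey := NewKey(), NewKey(), NewKey()
	rootCert := NewCert("Example Device Manufacturer Root", 1, &rootKey.PublicKey, nil, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	dev := &Device{dakKey: dakKey, dakCert: NewCert("device-0001", 2, &dakKey.PublicKey, rootCert, rootKey)}
	ca := &CA{key: caKey, Cert: NewCert("Example CA", 1, &caKey.PublicKey, nil, caKey)}
	return dev, &AuthServer{mfrRoots: roots, CA: ca, UserCerts: map[string]*x509.Certificate{}}
}
```

Usage: `dev, srv := Setup(); pub, sig, dak := dev.Register(); cert, err := srv.Register("alice@example.com", pub, sig, dak)`. One caveat the patent text leaves open and this example reproduces: the signed data covers only the UAK public key, so a captured registration message would verify again if replayed; a deployment would normally include a server-issued challenge in the data the DAK signs.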
A certificate authority is an authoritative, trusted third party responsible for managing digital certificates, which includes but is not limited to the registration application, issuance and revocation of digital certificates. A certificate authority, also called an authentication center, can be divided by function into a CA (Certification Authority) and a supporting RA (Registration Authority) system. The CA center issues a digital certificate to each user who uses public-key cryptography; the purpose of the digital certificate is to certify that the user name listed in the certificate corresponds to the public key listed in it. The CA center's digital signature prevents an attacker from forging or tampering with certificates. The RA system is an extension of the CA's certificate issuance and management: it is responsible for data entry, review and certificate issuance for certificate applicants, and performs the corresponding management functions for the certificates it issues. Issued digital certificates can be stored on media such as IC cards, hard disks or floppy disks. Besides registration applications, the CA also allows an administrator to revoke issued digital certificates, adding new entries to the certificate revocation list (CRL) and periodically publishing this digitally signed CRL.
The device authentication private key and device authentication public key can be obtained by the following flow:
In the first step, the device manufacturer (for example, a smartphone manufacturer) obtains from the certificate management authority a root public key certificate and a root private key certificate that represent its own identity. The root public key certificate and root private key certificate are the ultimately traceable certificates of the whole public/private key authentication system and have a high degree of security and reliability.
In the second step, the device manufacturer generates a new public/private key pair, namely the device authentication public key and the device authentication private key, and issues a certificate for the device authentication public key with the root private key.
In the third step, the device authentication public key and device authentication private key are preset in the secure storage region of the user equipment when it leaves the factory.
In step S102, the user authentication public key is first signed with the device authentication private key and that signature is verified with the device authentication public key. Because the device authentication key is preset in the user equipment it has a high level of security, and because the device authentication public key is itself issued under the root certificate its security is higher still. The user authentication public key therefore passes a first, high-security signature verification stage as soon as it is sent to the authentication server. The user authentication public key is then sent, together with the user information, to the certificate management authority server, and after the authoritative and trusted certificate management authority server endorses it, the final user authentication certificate is generated, raising security by a further level.
The user authentication process may be implemented with reference to the existing FIDO standard. For example, Fig. 9 is a flowchart of one user authentication process. In the authentication process, the authentication client (i.e. the user equipment) first sends an authentication initialization request to the identity authentication server; the server generates a random challenge value and returns it to the client; the client passes the biometric identification check (fingerprint, iris recognition or the like), unlocks the UAK private key and signs the challenge value, then sends the random challenge value and the signature to the server; the server verifies the signature with the above user public key certificate and returns the verification result. If verification succeeds, the corresponding electronic transaction operation is performed.
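The challenge-response exchange of Fig. 9, as an added example in Go; it is not code from the patent or from the FIDO specifications. The server holds the user public key registered earlier, which in the patent it would take from the user certificate. The 32-byte challenge, the two-minute lifetime, ECDSA P-256 and the `localUnlock` stand-in for the biometric check are all constructed assumptions. Beyond the text, it also shows the two checks the server must make on its own side: the challenge it verifies must be one it issued and still valid, and each challenge is consumed on first use so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Server holds the registered user public key (in the patent it comes from the user certificate)
// and the challenges it has issued but not yet consumed. ECDSA P-256, a 32-byte challenge and a
// two-minute lifetime are constructed choices; the patent text fixes none of them.
type Server struct {
	userPub    *ecdsa.PublicKey
	challenges map[string]time.Time // hex(challenge) -> expiry
	now        func() time.Time
}

func NewServer(userPub *ecdsa.PublicKey) *Server {
	return &Server{userPub: userPub, challenges: map[string]time.Time{}, now: time.Now}
}

// Challenge answers the client's initialization request with a fresh random value.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = s.now().Add(2 * time.Minute)
	return c, nil
}

// Verify accepts only a challenge the server issued, still valid and not yet used, whose
// signature verifies under the registered key. The challenge is consumed on every attempt.
func (s *Server) Verify(challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	exp, ok := s.challenges[key]
	delete(s.challenges, key) // single use: replaying the same signed challenge fails here
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if s.now().After(exp) {
		return errors.New("challenge expired")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(s.userPub, h[:], sig) {
		return errors.New("signature does not verify under the registered user key")
	}
	return nil
}

// Client holds the user authentication private key; localUnlock stands in for the
// biometric check (fingerprint, iris, ...) that must pass before the key may be used.
type Client struct {
	userKey     *ecdsa.PrivateKey
	localUnlock func() bool
}

// Sign answers the challenge only after the local biometric check passes.
func (c *Client) Sign(challenge []byte) ([]byte, error) {
	if !c.localUnlock() {
		return nil, errors.New("local biometric verification failed; key stays locked")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.userKey, h[:])
}

// Exchange runs one authentication round and then replays it, reporting whether the
// first attempt was accepted and the replay rejected.
func Exchange(biometricOK bool) (accepted, replayRejected bool, err error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	server := NewServer(&userKey.PublicKey) // key registered earlier (S101/S102)
	client := &Client{userKey: userKey, localUnlock: func() bool { return biometricOK }}
	challenge, err := server.Challenge()
	if err != nil {
		return false, false, err
	}
	sig, err := client.Sign(challenge)
	if err != nil {
		return false, false, err
	}
	accepted = server.Verify(challenge, sig) == nil
	replayRejected = server.Verify(challenge, sig) != nil
	return accepted, replayRejected, nil
}

func main() { fmt.Println(Exchange(true)) }
```

`Exchange(true)` yields an accepted first attempt and a rejected replay; `Exchange(false)` returns an error because the key is never unlocked and nothing reaches the server. Keying the pending-challenge table by the challenge itself is what makes the random value meaningful: a signature over a value the server did not generate, or generated for an earlier session, is refused before any cryptography runs.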
As a further improvement, the user identity authentication method of the embodiment of the present invention also includes a process of revoking the registration certificate. This process specifically includes the following steps:
S103: After the user's identity authentication is completed, a de-registration request is sent to the authentication server, so that the authentication server deletes the user's user authentication public key certificate and sends the identification code of that certificate to the certificate management authority server, so that the certificate management authority server revokes the certificate and returns the result.
The identification code in step S103 may be a string serial number used to identify the user authentication certificate. After receiving the identification code, the certificate management authority server finds the corresponding certificate in its database, deletes it, and updates the certificate revocation list (CRL). The returned result may first be returned to the authentication server and then further returned to the user equipment to notify the user.
Through step S103, the user's de-registration also goes through the endorsement of the certificate management authority, which prevents an impersonator from illegitimately de-registering the user.
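The registration chain of S102 (with the manufacturer key flow above it), its server and CA counterparts S201 and S301, and the revocation of S103, as one added end-to-end example in Go; it is not code from the patent or from any product. It assumes ECDSA P-256 keys and X.509 certificates and CRLs from Go's standard library, none of which the patent specifies, and every name in it (Example Manufacturer Root, Example Certificate Authority, device-authentication-key, user-0001, the serial numbers 1, 2 and 1001) is constructed. The authentication server accepts the user public key only after the device certificate chains to the manufacturer root and the device signature over that key verifies; the certificate authority then binds the user information to the key, and on de-registration publishes a signed CRL that the server verifies before trusting the revocation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert issues an X.509 certificate for pub signed by parentKey (nil parent: self-signed).
// ECDSA P-256 over X.509 is a constructed choice; the patent text fixes no algorithm or format.
func issueCert(serial int64, cn string, isCA bool, pub any, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// serverVerify is the server side of S201: the device certificate must chain to the manufacturer
// root and its key must have signed userPubDER; only then is the user public key parsed and returned.
func serverVerify(userPubDER, sig, devCertDER []byte, mfrRoot *x509.Certificate) (any, error) {
	devCert, err := x509.ParseCertificate(devCertDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(mfrRoot)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, fmt.Errorf("device certificate rejected: %w", err)
	}
	if err := devCert.CheckSignature(x509.ECDSAWithSHA256, userPubDER, sig); err != nil {
		return nil, fmt.Errorf("device signature over user public key invalid: %w", err)
	}
	return x509.ParsePKIXPublicKey(userPubDER)
}

// caRevoke is the CA side of S302: sign a CRL that lists the revoked serial.
func caRevoke(serial *big.Int, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// isRevoked trusts the CRL only after checking the CA's signature on it, then looks the serial up.
func isRevoked(crlDER []byte, caCert *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(caCert)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// RunFlow runs registration (S101, S102, S201, S301) and then revocation (S103, S202, S302) end to end.
func RunFlow() (userCertCN string, tamperRejected, revoked bool) {
	newKey := func() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err); return k }
	mfrKey, devKey, caKey, userKey := newKey(), newKey(), newKey(), newKey() // userKey is the S101 pair
	mfrRoot, err := issueCert(1, "Example Manufacturer Root", true, &mfrKey.PublicKey, nil, mfrKey)
	must(err)
	devCert, err := issueCert(2, "device-authentication-key", false, &devKey.PublicKey, mfrRoot, mfrKey) // preset at the factory
	must(err)
	caCert, err := issueCert(1, "Example Certificate Authority", true, &caKey.PublicKey, nil, caKey)
	must(err)
	// S102 on the device: sign the encoded user authentication public key with the device authentication private key.
	userPubDER, err := x509.MarshalPKIXPublicKey(&userKey.PublicKey)
	must(err)
	h := sha256.Sum256(userPubDER)
	sig, err := ecdsa.SignASN1(rand.Reader, devKey, h[:])
	must(err)
	userPub, err := serverVerify(userPubDER, sig, devCert.Raw, mfrRoot) // S201
	must(err)
	userCert, err := issueCert(1001, "user-0001", false, userPub, caCert, caKey) // S301: CA binds user info to the key
	must(err)
	userCertCN = userCert.Subject.CommonName
	// A substituted public key must fail S201: the device signature does not cover it.
	otherDER, err := x509.MarshalPKIXPublicKey(&newKey().PublicKey)
	must(err)
	_, tamperErr := serverVerify(otherDER, sig, devCert.Raw, mfrRoot)
	tamperRejected = tamperErr != nil
	// De-registration: the CA revokes the serial and the server's CRL check now reports it.
	crl, err := caRevoke(userCert.SerialNumber, caCert, caKey)
	must(err)
	revoked, err = isRevoked(crl, caCert, userCert.SerialNumber)
	must(err)
	return
}

func main() { fmt.Println(RunFlow()) }
```

`RunFlow` returns the subject of the issued user certificate, whether a substituted public key was rejected in S201, and whether the revoked serial is found on the CRL. Two design points carry the security of the scheme: the server never parses the user public key before the device chain and signature have been checked, so an unattested key is never forwarded to the CA; and the CRL's signature is verified before its entries are consulted, since an unsigned or forged revocation list could otherwise either hide a real revocation or strip a legitimate user's certificate.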
S104: After the result is received, the user authentication private key is deleted.
As a preferred embodiment, when each of the above devices stores a public key or private key, these keys are preferentially stored in the secure storage region of the corresponding device, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage of the keys and improves the security of the authentication process.
On the authentication server side, the identity authentication method provided by the embodiment of the present invention comprises the following steps:
S201: After the signed data and the device authentication public key certificate sent by the user equipment are received, the device authentication public key is verified with the device manufacturer's root public key certificate, the signed data is then verified with the device authentication public key, and the user information and the user authentication public key are then sent together to the certificate management authority server, so that the certificate management authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the authentication server for storage.
Here, the signed data is obtained by signing the user authentication public key with the device authentication private key.
As in the steps executed on the user side, the above device authentication private key and device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
It should be appreciated that, before the user authentication public key is signed with the device authentication private key, the following step is also included:
A user authentication public/private key pair is generated when the user registers, and the user authentication private key is stored in the user equipment.
As a preferred improvement, the public key, the private key and the user certificate are stored in the secure storage region of the corresponding device, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage of the keys and improves the security of the authentication process.
Further, the embodiment of the present invention also includes a de-registration process, which comprises the following steps:
S202: The certificate is revoked according to the identification code of the certificate that is sent after the authentication server deletes the user authentication public key certificate, and the result is returned so that the user equipment deletes the user authentication private key.
For the specific implementation of the above steps, reference may be made to the corresponding description on the user equipment side, which is not repeated here.
On the certificate management authority server side, the user identity authentication method provided by the embodiment of the present invention comprises the following steps:
S301: A user certificate is generated from the user information and the user authentication public key sent by the authentication server, and the user certificate is returned to the authentication server for storage. Here:
Before being sent to the certificate management authority server, the user authentication public key has undergone the following processing: on the user equipment side it is signed with the device authentication private key and sent, together with the device authentication public key, to the authentication server; the authentication server then verifies the device authentication public key with the device manufacturer's root public key certificate and verifies the signed data with the device authentication public key.
As in the steps executed on the user side, the above device authentication private key and device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
It should be appreciated that, before the user authentication public key is signed with the device authentication private key, the following step is also included:
A user authentication public/private key pair is generated when the user registers, and the user authentication private key is stored in the user equipment.
As a preferred improvement, the public key, the private key and the user certificate are stored in the secure storage region of the corresponding device, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage of the keys and improves the security of the authentication process.
Further, the embodiment of the present invention also includes a de-registration process, which comprises the following steps:
S302: After the de-registration request from the user equipment is received, the user authentication public key certificate is deleted and the identification code of the certificate is sent to the certificate management authority server, so that the certificate management authority server revokes the certificate according to the identification code and returns the result, so that the user equipment deletes the user authentication private key.
Below, according to the identity authentication method provided above and with reference to Figs. 7-9, the relevant devices provided by the embodiments of the present invention for implementing the above method are described.
In one embodiment, the present invention provides a user equipment, which may also be called an authentication client. It is held by the user and may be any known user smart device, including but not limited to a mobile phone, a PAD or a smart watch. The user equipment may be configured with an operating system and application programs that support the FIDO protocol. It may additionally have a biometric identification device, including but not limited to a known fingerprint identification device, iris identification device, face recognition device or speech recognition device.
The user equipment provided by the embodiment of the present invention includes a storage medium 401 and a computer program stored in the storage medium; the program can be executed by a processor 402 and, when run, implements the following steps:
S101: A user authentication public/private key pair is generated when the user registers, and the user authentication private key is stored in the user equipment.
Under the FIDO standard, taking UAF as an example, the user authentication public/private key pair can be generated by the following flow:
The user equipment submits the user name and other necessary user data to the application provider through the APP, and the application starts the UAF registration procedure. After receiving the user's request, the application provider's server sends a registration application to the UAF client in the smart device. After receiving the registration application, the UAF client calls the UAF authenticator through the application interface and presents the local confirmation modes supported by the device to the user for selection and confirmation; after the user confirms, the UAF authenticator generates a new public/private key pair. The UAF authenticator here may be any biometric identification device, including but not limited to a known fingerprint identification device, facial recognition module, iris recognition module or speech recognition device.
It should be appreciated that after the user obtains a smart terminal (such as a mobile phone) that supports the UAF protocol, the user must, as in everyday use, first enroll the user's biometric identification information on the device so that local authentication can be completed. For example, the user's fingerprint is collected with the fingerprint recognition module, the user's voice with the microphone, or the user's face or iris with the camera; the authentication information collected between the user and the device is stored in the secure element of the device.
S102: The user authentication public key is signed with the device authentication private key and sent, together with the device authentication public key certificate, to the authentication server. The authentication server verifies the device authentication public key with the device manufacturer's root public key certificate, then verifies the signature on the signed data with the device authentication public key, and then sends the user information and the user authentication public key together to the certificate management authority server. The certificate management authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the authentication server, which stores it. The user certificate is preferably kept in a secure storage region, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage and improves the security of the authentication process.
A certificate management authority is an authoritative, trusted third-party institution responsible for managing digital certificates; this management includes, but is not limited to, the registration application, issuance and revocation of digital certificates. The certificate management authority, also called a certification center, can be divided by function into a CA (Certification Authority) and a supporting RA (Registration Authority) system. The CA center issues each user a digital certificate based on public-key cryptography; the function of the digital certificate is to certify that the user name listed in the certificate corresponds to the public key listed in it. The digital signature of the CA center prevents an attacker from forging or tampering with certificates. The RA system is an extension of the CA's certificate issuance and management: it is responsible for data entry, review and certificate issuance for certificate applicants, and also performs the corresponding management functions for the certificates it has issued. Issued digital certificates can be stored on media such as IC cards, hard disks or floppy disks. Besides registration applications, the CA also allows an administrator to revoke issued digital certificates by adding new entries to the certificate revocation list (CRL) and periodically publishing this digitally signed CRL.
The device authentication private key and device authentication public key can be obtained by the following flow:
In the first step, the device manufacturer (for example, a smartphone manufacturer) obtains from the certificate management authority a root public key certificate and a root private key certificate that represent its own identity. The root public key certificate and root private key certificate are the ultimately traceable certificates of the whole public/private key authentication system and have a high degree of security and reliability.
In the second step, the device manufacturer generates a new public/private key pair, namely the device authentication public key and the device authentication private key, and issues a certificate for the device authentication public key with the root private key.
In the third step, the device authentication public key and device authentication private key are preset in the secure storage region of the user equipment when it leaves the factory.
In step S102, the user authentication public key is first signed with the device authentication private key and that signature is verified with the device authentication public key. Because the device authentication key is preset in the user equipment it has a high level of security, and because the device authentication public key is itself issued under the root certificate its security is higher still. The user authentication public key therefore passes a first, high-security signature verification stage as soon as it is sent to the authentication server. The user authentication public key is then sent, together with the user information, to the certificate management authority server, and after the authoritative and trusted certificate management authority server endorses it, the final user authentication certificate is generated, raising security by a further level.
The user authentication process may be implemented with reference to the existing FIDO standard. For example, Fig. 9 is a flowchart of one user authentication process. In the authentication process, the authentication client (i.e. the user equipment) first sends an authentication initialization request to the identity authentication server; the server generates a random challenge value and returns it to the client; the client passes the biometric identification check (fingerprint, iris recognition or the like), unlocks the UAK private key and signs the challenge value, then sends the random challenge value and the signature to the server; the server verifies the signature with the above user public key certificate and returns the verification result. If verification succeeds, the corresponding electronic transaction operation is performed.
As a further improvement, the program of the embodiment of the present invention can also, when run, implement a process of revoking the registration certificate. This process specifically includes the following steps:
S103: After the user's identity authentication is completed, a de-registration request is sent to the authentication server, so that the authentication server deletes the user's user authentication public key certificate and sends the identification code of that certificate to the certificate management authority server, so that the certificate management authority server revokes the certificate and returns the result.
The identification code in step S103 may be a string serial number used to identify the user authentication certificate. After receiving the identification code, the certificate management authority server finds the corresponding certificate in its database, deletes it, and updates the certificate revocation list (CRL). The returned result may first be returned to the authentication server and then further returned to the user equipment to notify the user.
Through step S103, the user's de-registration also goes through the endorsement of the certificate management authority, which prevents an impersonator from illegitimately de-registering the user.
S104: After the result is received, the user authentication private key is deleted.
As a preferred embodiment, when each of the above devices stores a public key or private key, these keys are preferentially stored in the secure storage region of the corresponding device, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage of the keys and improves the security of the authentication process.
In another embodiment, the present invention provides an authentication server, including a storage medium 501 and a computer program stored in the storage medium; the program can be executed by a processor 502 and, when run, implements the following steps:
S201: After the signed data and the device authentication public key certificate sent by the user equipment are received, the device authentication public key is verified with the device manufacturer's root public key certificate, the signed data is then verified with the device authentication public key, and the user information and the user authentication public key are then sent together to the certificate management authority server, so that the certificate management authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the authentication server for storage.
Here, the signed data is obtained by signing the user authentication public key with the device authentication private key.
As in the steps executed on the user side, the above device authentication private key and device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
It should be appreciated that, before the user authentication public key is signed with the device authentication private key, the following step is also included:
A user authentication public/private key pair is generated when the user registers, and the user authentication private key is stored in the user equipment.
As a preferred improvement, the public key, the private key and the user certificate are stored in the secure storage region of the corresponding device, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage of the keys and improves the security of the authentication process.
Further, the program of the embodiment of the present invention can also, when run, implement a de-registration process, which comprises the following steps:
S202: The certificate is revoked according to the identification code of the certificate that is sent after the authentication server deletes the user authentication public key certificate, and the result is returned so that the user equipment deletes the user authentication private key.
For the specific implementation of the above steps, reference may be made to the corresponding description on the user equipment side, which is not repeated here.
In another embodiment, the present invention provides a certificate management authority server, including a storage medium 601 and a computer program stored in the storage medium; the program can be executed by a processor 602 and, when run, implements the following steps:
S301: A user certificate is generated from the user information and the user authentication public key sent by the authentication server, and the user certificate is returned to the authentication server for storage. Here:
Before being sent to the certificate management authority server, the user authentication public key has undergone the following processing: on the user equipment side it is signed with the device authentication private key and sent, together with the device authentication public key, to the authentication server; the authentication server then verifies the device authentication public key with the device manufacturer's root public key certificate and verifies the signed data with the device authentication public key.
As in the steps executed on the user side, the above device authentication private key and device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
It should be appreciated that, before the user authentication public key is signed with the device authentication private key, the following step is also included:
A user authentication public/private key pair is generated when the user registers, and the user authentication private key is stored in the user equipment.
As a preferred improvement, the public key, the private key and the user certificate are stored in the secure storage region of the corresponding device, such as an encrypted database, a trusted execution environment or a secure chip; this avoids leakage of the keys and improves the security of the authentication process.
Further, the program of the embodiment of the present invention, when run, also includes a de-registration process, which comprises the following steps:
S302: After the de-registration request from the user equipment is received, the user authentication public key certificate is deleted and the identification code of the certificate is sent to the certificate management authority server, so that the certificate management authority server revokes the certificate according to the identification code and returns the result, so that the user equipment deletes the user authentication private key.
The description of the present invention has been presented for purposes of illustration and description and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles and practical application of the invention, and to enable others of ordinary skill in the art to understand the invention and to design various embodiments with various modifications suited to a particular use.
Claims (30)
1. An identity authentication method, characterized in that, on the user equipment side, the method includes:
signing the user authentication public key with the device authentication private key and then sending it, together with the device authentication public key certificate, to the authentication server, so that the authentication server verifies the device authentication public key with the device manufacturer's root public key certificate, then verifies the signed data with the device authentication public key, and then sends the user information together with the user authentication public key to the certificate management authority server, so that the certificate management authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the authentication server for storage.
2. The identity authentication method according to claim 1, characterized in that the device authentication private key and the device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
3. The identity authentication method according to claim 1, characterized in that, before signing the user authentication public key with the device authentication private key, the method further includes:
generating a user authentication public/private key pair when the user registers, and storing the user authentication private key in the user equipment.
4. The identity authentication method according to any one of claims 1-3, characterized in that at least one of the public key, the private key and the user certificate information is stored in the secure storage region of the corresponding device.
5. The identity authentication method according to any one of claims 1-3, characterized in that it further includes a de-registration process, the de-registration process including:
after the user's identity authentication is completed, sending a de-registration request to the authentication server, so that the authentication server deletes the user's user authentication public key certificate and sends the identification code of the certificate to the certificate management authority server, so that the certificate management authority server revokes the certificate and returns the result;
after the result is received, deleting the user authentication private key.
6. An identity authentication method, characterized in that, on the authentication server side, the method includes: after receiving the signed data and the device authentication public key certificate sent by the user equipment, verifying the device authentication public key with the device manufacturer's root public key certificate, then verifying the signed data with the device authentication public key, and then sending the user information together with the user authentication public key to the certificate management authority server, so that the certificate management authority server generates a user certificate from the user information and the user authentication public key and returns the user certificate to the authentication server for storage; wherein the signed data is obtained by signing the user authentication public key with the device authentication private key.
7. The identity authentication method according to claim 6, characterized in that the device authentication private key and the device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
8. The identity authentication method according to claim 6, characterized in that, before signing the user authentication public key with the device authentication private key, the method further includes the following step:
generating a user authentication public/private key pair when the user registers, and storing the user authentication private key in the user equipment.
9. The identity authentication method according to any one of claims 6-8, characterized in that at least one of the public key, the private key and the user certificate information is stored in the secure storage region of the corresponding device.
10. The identity authentication method according to any one of claims 6-8, characterized in that it further includes a de-registration process, the de-registration process including:
revoking the certificate according to the identification code of the certificate that is sent after the authentication server deletes the user authentication public key certificate, and returning the result so that the user equipment deletes the user authentication private key.
11. An identity authentication method, implemented on the basis of a user equipment, an authentication server and a certificate management authority server, characterized in that, on the certificate management authority server side, the method includes: generating a user certificate from the user information and the user authentication public key sent by the authentication server, and returning the user certificate to the authentication server for storage; wherein:
before being sent to the certificate management authority server, the user authentication public key has undergone the following processing: on the user equipment side it is signed with the device authentication private key and sent, together with the device authentication public key, to the authentication server; the authentication server then verifies the device authentication public key with the device manufacturer's root public key certificate, and then verifies the signed data with the device authentication public key.
12. The identity authentication method according to claim 11, characterized in that the device authentication private key and the device authentication public key are preset in the user equipment, and the device authentication public key is also issued under the root private key of the device manufacturer.
13. The identity authentication method according to claim 11, characterized in that, before signing the user authentication public key with the device authentication private key, the method further includes the following step:
generating a user authentication public/private key pair when the user registers, and storing the user authentication private key in the user equipment.
14. The identity authentication method according to any one of claims 11-13, characterized in that at least one of the public key, the private key and the user certificate information is stored in the secure storage region of the corresponding device.
15. The identity authentication method according to any one of claims 11-13, characterized in that it further includes a de-registration process, the de-registration process including: after receiving the de-registration request from the user equipment, deleting the user authentication public key certificate and sending the identification code of the certificate to the certificate management authority server, so that the certificate management authority server revokes the certificate according to the identification code and returns the result, so that the user equipment deletes the user authentication private key.
16. user equipment, including storage medium and the computer program that is stored in storage medium, it is characterised in that the journey
Sequence can operationally realize following steps:
After being signed using device authentication private key to user authentication public key, body is together sent to together with device authentication public key certificate
Part certificate server, so that authentication server is tested device authentication public key using equipment manufacturers' root public key certificate
Card, then carries out sign test, then user profile is sent together with user authentication public key using device authentication public key to signed data
Certificate management authority server is given, so that certificate management authority server generates user according to user profile and user authentication public key
Certificate, and user certificate is returned into authentication server preservation.
17. user equipment according to claim 16, it is characterised in that the device authentication private key and device authentication public key
It is preset in a user device, the device authentication public key is also signed and issued by the root private key of equipment manufacturers.
18. user equipment according to claim 16, it is characterised in that recognize in the use device authentication private key user
Before card public key is signed, described program operationally can also realize following steps:
User authentication public private key pair is generated in user's registration, and user authentication private key is preserved in a user device.
19. according to any described user equipmenies of claim 16-18, it is characterised in that the public key, private key and user certificate
At least one of information be stored in the secure storage section of corresponding device.
20. according to any described user equipmenies of claim 16-18, it is characterised in that described program operationally can also be real
Existing following steps:
After the authentication for completing user, de-registration request is initiated to authentication server, to cause authentication server to delete
Certificate management authority server is sent to except the user authentication public key certificate of the user, and by the identification code of the certificate, to provide evidence
Book authority server revokes the certificate, and returns to result;
After the result is received, user authentication private key is deleted.
21. authentication server, including storage medium and the computer program that is stored in storage medium, it is characterised in that
Described program can operationally realize following steps:
After the signed data and device authentication public key certificate of user equipment transmission is received, equipment manufacturers' root public key certificate is used
Device authentication public key is verified, then using device authentication public key to signed data carry out sign test, then by user profile with
User authentication public key sends jointly to certificate management authority server, for certificate management authority server according to user profile and
User authentication public key generates user certificate, and user certificate is returned into authentication server preservation;Wherein, the number of signature
User authentication public key is signed according to using device authentication private key.
22. authentication server according to claim 21, it is characterised in that the device authentication private key and equipment are tested
Card public key is preset in a user device, and the device authentication public key is also signed and issued by the root private key of equipment manufacturers.
23. authentication server according to claim 21, it is characterised in that in the use device authentication private key pair
Before user authentication public key is signed, also comprise the following steps:
User authentication public private key pair is generated in user's registration, and user authentication private key is preserved in a user device.
24. according to any described authentication servers of claim 21-23, it is characterised in that the public key, private key and use
At least one of family certificate information is stored in the secure storage section of corresponding device.
25. according to any described authentication servers of claim 21-23, it is characterised in that described program is operationally
Following steps can also be realized:
The certificate is revoked according to the identification code that authentication server deletes the certificate sent after user authentication public key certificate, returned
Result is returned, so that user equipment deletes user authentication private key.
26. certificate management authority server, including storage medium and the computer program that is stored in storage medium, its feature exists
In described program can operationally realize following steps:The user profile and user authentication sent according to authentication server
Public key generates user certificate, and user certificate is returned into authentication server preservation;Wherein:
The user authentication public key is before certificate management authority server is sent to, by following processing:Set in user
Standby side is sent jointly to identity together with device authentication public key after being signed using device authentication private key to user authentication public key and recognized
Server is demonstrate,proved, then device authentication public key is verified using equipment manufacturers' root public key certificate by authentication server,
Then sign test is carried out to signed data using device authentication public key.
27. certificate management authority server according to claim 26, it is characterised in that the device authentication private key and set
Standby verification public key is preset in a user device, and the device authentication public key is also signed and issued by the root private key of equipment manufacturers.
28. certificate management authority server according to claim 26, it is characterised in that private in the use device authentication
Before key is signed to user authentication public key, also comprise the following steps:
User authentication public private key pair is generated in user's registration, and user authentication private key is preserved in a user device.
29. according to any described certificate management authority servers of claim 26-28, it is characterised in that the public key, private key
It is stored in at least one of user certificate information in the secure storage section of corresponding device.
30. according to any described certificate management authority servers of claim 26-28, it is characterised in that described program is in fortune
Following steps can be realized during row:After the de-registration request of user equipment is received, user authentication public key certificate is deleted, and by the certificate
Identification code be sent to certificate management authority server, so that certificate management authority server revokes the card according to the identification code
Book, and result is returned, so that user equipment deletes user authentication private key.
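The enrollment flow that claims 11-13, 16, 21 and 26 describe, written out as an added example in Go. This is not code from the patent or its applicant: it assumes P-256 ECDSA keys, X.509 certificates for the manufacturer root, the device authentication key and the user certificate, a user ID string standing in for the user information, and local function calls where the patent has network messages; the role names (Device, AuthServer, CA), the helper names and the serial numbers are all assumptions. The server performs the two checks of claim 21 in the claimed order, the manufacturer chain first and the device signature over the user public key second, and only a request that passes both reaches the certificate authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not the patent's own code; role names and message layout are assumptions.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// issue signs an X.509 certificate for pub with parentKey; parent == nil means a self-signed root CA.
func issue(serial int64, cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, t.IsCA, t.KeyUsage = t, true, t.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Device is the user equipment: devKey/devCert are manufacturer-preset (claim 12), userKey is generated at registration (claim 13) and never leaves the device (claim 14).
type Device struct{ devKey, userKey *ecdsa.PrivateKey; devCert *x509.Certificate }

// Enroll builds the claim 16 message: user information, user authentication public key (PKIX DER), the device's signature over it, and the device certificate.
func (d *Device) Enroll(userID string) (string, []byte, []byte, []byte) {
	d.userKey = newKey()
	pubDER, _ := x509.MarshalPKIXPublicKey(&d.userKey.PublicKey)
	h := sha256.Sum256(pubDER)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.devKey, h[:])
	return userID, pubDER, sig, d.devCert.Raw
}

// CA is the certificate management authority server; next is the serial number of the next certificate it issues.
type CA struct{ key *ecdsa.PrivateKey; cert *x509.Certificate; next int64 }

// IssueUserCert is claim 26: the user certificate is built from the user information and the public key.
func (ca *CA) IssueUserCert(userID string, pubDER []byte) (*x509.Certificate, error) {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if ecPub, ok := pub.(*ecdsa.PublicKey); ok && err == nil {
		ca.next++
		return issue(ca.next, userID, ecPub, ca.cert, ca.key), nil
	}
	return nil, fmt.Errorf("user authentication public key is not a valid ECDSA key")
}

// AuthServer is the identity authentication server: it trusts manufacturer roots and stores the user certificates the CA returns.
type AuthServer struct{ roots *x509.CertPool; ca *CA; certs map[string]*x509.Certificate }

// Register is claim 21: chain the device certificate to a manufacturer root, check the device's signature over the user public key, and only then involve the CA.
func (s *AuthServer) Register(userID string, pubDER, sig, devCertDER []byte) error {
	devCert, err := x509.ParseCertificate(devCertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // attestation credential, not the TLS server cert Verify assumes by default
	if _, err = devCert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted device certificate: %w", err)
	}
	h := sha256.Sum256(pubDER)
	devPub, ok := devCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(devPub, h[:], sig) {
		return fmt.Errorf("signature over user authentication public key does not verify")
	}
	c, err := s.ca.IssueUserCert(userID, pubDER)
	if err != nil {
		return err
	}
	s.certs[userID] = c
	return nil
}

// Setup is a constructed fixture: a manufacturer root, one device provisioned from it, a CA and a server.
func Setup() (*Device, *AuthServer) {
	rootKey, devKey, caKey := newKey(), newKey(), newKey()
	rootCert := issue(1, "Manufacturer Root", &rootKey.PublicKey, nil, rootKey)
	dev := &Device{devKey: devKey, devCert: issue(2, "device-0001", &devKey.PublicKey, rootCert, rootKey)}
	ca := &CA{key: caKey, cert: issue(1, "User CA", &caKey.PublicKey, nil, caKey), next: 100}
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	return dev, &AuthServer{roots: roots, ca: ca, certs: map[string]*x509.Certificate{}}
}

func main() {
	dev, srv := Setup()
	fmt.Println("register alice:", srv.Register(dev.Enroll("alice")), "stored certificates:", len(srv.certs))
}
```

`go run` prints a nil error for the honest device and one stored certificate. Two failure modes matter for a verifier of this scheme and are the ones worth testing: a user public key that was altered after the device signed it fails the second check, and a device whose certificate does not chain to a manufacturer root in the server's pool fails the first, so neither reaches the CA. The `ExtKeyUsageAny` option is needed because Go's `Verify` otherwise requires the server-authentication extended key usage, which an attestation certificate would not carry. The deregistration flow of claims 15, 20 and 30 is not shown; in this model it amounts to removing the entry from `certs` and handing the certificate's serial number to the CA as the identification code.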
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710421767.5A CN107070667B (en) | 2017-06-07 | 2017-06-07 | Identity authentication method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107070667A true CN107070667A (en) | 2017-08-18 |
CN107070667B CN107070667B (en) | 2020-08-04 |
Family
ID=59615756
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710421767.5A Active CN107070667B (en) | 2017-06-07 | 2017-06-07 | Identity authentication method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107070667B (en) |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107634834A (en) * | 2017-09-05 | 2018-01-26 | 四川中电启明星信息技术有限公司 | A kind of trusted identity authentication method based on the more scenes in multiple terminals |
CN107919962A (en) * | 2017-12-22 | 2018-04-17 | 国民认证科技(北京)有限公司 | A kind of internet of things equipment registration and authentication method |
CN108234509A (en) * | 2018-01-16 | 2018-06-29 | 国民认证科技(北京)有限公司 | FIDO authenticators, Verification System and method based on TEE and PKI certificates |
CN108366063A (en) * | 2018-02-11 | 2018-08-03 | 广东美的厨房电器制造有限公司 | Data communications method, device and its equipment of smart machine |
CN109379371A (en) * | 2018-11-20 | 2019-02-22 | 多点生活(成都)科技有限公司 | Certification authentication method, apparatus and system |
CN109428725A (en) * | 2017-09-01 | 2019-03-05 | 佳能株式会社 | Information processing equipment, control method and storage medium |
CN109510711A (en) * | 2019-01-08 | 2019-03-22 | 深圳市网心科技有限公司 | A kind of network communication method, server, client and system |
WO2019127278A1 (en) * | 2017-12-28 | 2019-07-04 | 深圳达闼科技控股有限公司 | Safe access blockchain method, apparatus, system, storage medium, and electronic device |
CN110324290A (en) * | 2018-03-30 | 2019-10-11 | 贵州白山云科技股份有限公司 | Method, network element device, medium and the computer equipment of network equipment certification |
CN110417776A (en) * | 2019-07-29 | 2019-11-05 | 大唐高鸿信安(浙江)信息科技有限公司 | A kind of identity identifying method and device |
CN110493237A (en) * | 2019-08-26 | 2019-11-22 | 深圳前海环融联易信息科技服务有限公司 | Identity management method, device, computer equipment and storage medium |
CN110690966A (en) * | 2019-11-08 | 2020-01-14 | 北京金茂绿建科技有限公司 | Method, system, equipment and storage medium for connecting terminal and service server |
CN111106929A (en) * | 2019-12-09 | 2020-05-05 | 上海创能国瑞数据系统有限公司 | Hash-based approval method |
CN111222879A (en) * | 2019-12-31 | 2020-06-02 | 航天信息股份有限公司 | Certificateless authentication method and certificateless authentication system suitable for alliance chain |
CN112035813A (en) * | 2020-07-21 | 2020-12-04 | 杜晓楠 | Method and computer readable medium for hierarchical generation of distributed identities based on fingerprint identification in blockchains |
CN112037054A (en) * | 2020-07-21 | 2020-12-04 | 杜晓楠 | Method and computer readable medium for hiding a user's quota of assets in a decentralized identity system |
CN112565294A (en) * | 2020-12-23 | 2021-03-26 | 杭州天谷信息科技有限公司 | Identity authentication method based on block chain electronic signature |
CN112913269A (en) * | 2018-12-28 | 2021-06-04 | 苹果公司 | Providing authenticated user identity claims |
CN113190816A (en) * | 2021-05-08 | 2021-07-30 | 国民认证科技(北京)有限公司 | Man-machine interaction verification method and system using system biological characteristics |
CN114553444A (en) * | 2022-04-27 | 2022-05-27 | 北京时代亿信科技股份有限公司 | Identity authentication method, identity authentication device and storage medium |
CN115208698A (en) * | 2022-09-15 | 2022-10-18 | 中国信息通信研究院 | Block chain-based Internet of things identity authentication method and device |
CN116866093A (en) * | 2023-09-05 | 2023-10-10 | 鼎铉商用密码测评技术(深圳)有限公司 | Identity authentication method, identity authentication device, and readable storage medium |
CN118018207A (en) * | 2024-01-19 | 2024-05-10 | 中国华能集团有限公司北京招标分公司 | Digital certificate issuing method and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009079916A1 (en) * | 2007-12-03 | 2009-07-02 | Beijing Senselock Software Technology Co., Ltd | A method for generating a key pair and transmitting a public key or a certificate application document securely |
CN101729493A (en) * | 2008-10-28 | 2010-06-09 | 中兴通讯股份有限公司 | Method and system for distributing key |
CN101771541A (en) * | 2008-12-26 | 2010-07-07 | 中兴通讯股份有限公司 | Secret key certificate generating method and system for home gateway |
CN102523095A (en) * | 2012-01-12 | 2012-06-27 | 公安部第三研究所 | User digital certificate remote update method with intelligent card protection function |
CN202696901U (en) * | 2011-06-17 | 2013-01-23 | 深圳一卡通新技术有限公司 | Mobile terminal identity authentication system based on digital certificate |
CN103490881A (en) * | 2013-09-06 | 2014-01-01 | 广东数字证书认证中心有限公司 | Authentication service system, user authentication method, and authentication information processing method and system |
Family events (1)
- 2017-06-07: CN CN201710421767.5A, patent CN107070667B (en), status: Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009079916A1 (en) * | 2007-12-03 | 2009-07-02 | Beijing Senselock Software Technology Co., Ltd | A method for generating a key pair and transmitting a public key or a certificate application document securely |
CN101729493A (en) * | 2008-10-28 | 2010-06-09 | 中兴通讯股份有限公司 | Method and system for distributing key |
CN101771541A (en) * | 2008-12-26 | 2010-07-07 | 中兴通讯股份有限公司 | Secret key certificate generating method and system for home gateway |
CN202696901U (en) * | 2011-06-17 | 2013-01-23 | 深圳一卡通新技术有限公司 | Mobile terminal identity authentication system based on digital certificate |
CN102523095A (en) * | 2012-01-12 | 2012-06-27 | 公安部第三研究所 | User digital certificate remote update method with intelligent card protection function |
CN103490881A (en) * | 2013-09-06 | 2014-01-01 | 广东数字证书认证中心有限公司 | Authentication service system, user authentication method, and authentication information processing method and system |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109428725A (en) * | 2017-09-01 | 2019-03-05 | 佳能株式会社 | Information processing equipment, control method and storage medium |
CN109428725B (en) * | 2017-09-01 | 2022-03-29 | 佳能株式会社 | Information processing apparatus, control method, and storage medium |
CN107634834A (en) * | 2017-09-05 | 2018-01-26 | 四川中电启明星信息技术有限公司 | A kind of trusted identity authentication method based on the more scenes in multiple terminals |
CN107919962A (en) * | 2017-12-22 | 2018-04-17 | 国民认证科技(北京)有限公司 | A kind of internet of things equipment registration and authentication method |
WO2019127278A1 (en) * | 2017-12-28 | 2019-07-04 | 深圳达闼科技控股有限公司 | Safe access blockchain method, apparatus, system, storage medium, and electronic device |
CN108234509A (en) * | 2018-01-16 | 2018-06-29 | 国民认证科技(北京)有限公司 | FIDO authenticators, Verification System and method based on TEE and PKI certificates |
CN108366063A (en) * | 2018-02-11 | 2018-08-03 | 广东美的厨房电器制造有限公司 | Data communications method, device and its equipment of smart machine |
CN108366063B (en) * | 2018-02-11 | 2021-06-18 | 广东美的厨房电器制造有限公司 | Data communication method and device of intelligent equipment and equipment thereof |
CN110324290A (en) * | 2018-03-30 | 2019-10-11 | 贵州白山云科技股份有限公司 | Method, network element device, medium and the computer equipment of network equipment certification |
CN109379371A (en) * | 2018-11-20 | 2019-02-22 | 多点生活(成都)科技有限公司 | Certification authentication method, apparatus and system |
CN109379371B (en) * | 2018-11-20 | 2021-11-23 | 多点生活(成都)科技有限公司 | Certificate verification method, device and system |
CN112913269A (en) * | 2018-12-28 | 2021-06-04 | 苹果公司 | Providing authenticated user identity claims |
CN109510711A (en) * | 2019-01-08 | 2019-03-22 | 深圳市网心科技有限公司 | A kind of network communication method, server, client and system |
CN109510711B (en) * | 2019-01-08 | 2022-04-01 | 深圳市网心科技有限公司 | Network communication method, server, client and system |
CN110417776A (en) * | 2019-07-29 | 2019-11-05 | 大唐高鸿信安(浙江)信息科技有限公司 | A kind of identity identifying method and device |
CN110417776B (en) * | 2019-07-29 | 2022-03-25 | 大唐高鸿信安(浙江)信息科技有限公司 | Identity authentication method and device |
CN110493237A (en) * | 2019-08-26 | 2019-11-22 | 深圳前海环融联易信息科技服务有限公司 | Identity management method, device, computer equipment and storage medium |
CN110690966A (en) * | 2019-11-08 | 2020-01-14 | 北京金茂绿建科技有限公司 | Method, system, equipment and storage medium for connecting terminal and service server |
CN111106929A (en) * | 2019-12-09 | 2020-05-05 | 上海创能国瑞数据系统有限公司 | Hash-based approval method |
CN111106929B (en) * | 2019-12-09 | 2023-04-18 | 上海创能国瑞数据系统有限公司 | Hash-based approval method |
CN111222879A (en) * | 2019-12-31 | 2020-06-02 | 航天信息股份有限公司 | Certificateless authentication method and certificateless authentication system suitable for alliance chain |
CN112035813A (en) * | 2020-07-21 | 2020-12-04 | 杜晓楠 | Method and computer readable medium for hierarchical generation of distributed identities based on fingerprint identification in blockchains |
CN112037054A (en) * | 2020-07-21 | 2020-12-04 | 杜晓楠 | Method and computer readable medium for hiding a user's quota of assets in a decentralized identity system |
CN112035813B (en) * | 2020-07-21 | 2023-12-08 | 杜晓楠 | Method and computer readable medium for generating distributed identities based on fingerprint identification layering in blockchain |
CN112037054B (en) * | 2020-07-21 | 2023-10-03 | 杜晓楠 | Method and computer readable medium for hiding user's asset line in a decentralized identity system |
CN112565294A (en) * | 2020-12-23 | 2021-03-26 | 杭州天谷信息科技有限公司 | Identity authentication method based on block chain electronic signature |
CN112565294B (en) * | 2020-12-23 | 2023-04-07 | 杭州天谷信息科技有限公司 | Identity authentication method based on block chain electronic signature |
CN113190816A (en) * | 2021-05-08 | 2021-07-30 | 国民认证科技(北京)有限公司 | Man-machine interaction verification method and system using system biological characteristics |
CN114553444A (en) * | 2022-04-27 | 2022-05-27 | 北京时代亿信科技股份有限公司 | Identity authentication method, identity authentication device and storage medium |
CN115208698A (en) * | 2022-09-15 | 2022-10-18 | 中国信息通信研究院 | Block chain-based Internet of things identity authentication method and device |
CN116866093A (en) * | 2023-09-05 | 2023-10-10 | 鼎铉商用密码测评技术(深圳)有限公司 | Identity authentication method, identity authentication device, and readable storage medium |
CN116866093B (en) * | 2023-09-05 | 2024-01-05 | 鼎铉商用密码测评技术(深圳)有限公司 | Identity authentication method, identity authentication device, and readable storage medium |
CN118018207A (en) * | 2024-01-19 | 2024-05-10 | 中国华能集团有限公司北京招标分公司 | Digital certificate issuing method and system |
Also Published As
Publication number | Publication date |
---|---|
CN107070667B (en) | 2020-08-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107070667A (en) | Identity identifying method, user equipment and server | |
US10075437B1 (en) | Secure authentication of a user of a device during a session with a connected server | |
CN108989278A (en) | Identification service system and method | |
CN105306490B (en) | Payment verifying system, method and device | |
US11394712B2 (en) | Secure account access | |
CN108959933A (en) | Risk analysis device and method for the certification based on risk | |
CN106452772B (en) | Terminal authentication method and device | |
US10050791B2 (en) | Method for verifying the identity of a user of a communicating terminal and associated system | |
CN101765108B (en) | Safety certification service platform system, device and method based on mobile terminal | |
JP2018532301A (en) | User authentication method and apparatus | |
CN107196922A (en) | Identity identifying method, user equipment and server | |
US9124571B1 (en) | Network authentication method for secure user identity verification | |
CN112953970A (en) | Identity authentication method and identity authentication system | |
CN109150547A (en) | A kind of system and method for the digital asset real name registration based on block chain | |
US11777942B2 (en) | Transfer of trust between authentication devices | |
CN107634834A (en) | A kind of trusted identity authentication method based on the more scenes in multiple terminals | |
Laka et al. | User perspective and security of a new mobile authentication method | |
CN103401686A (en) | User Internet identity authentication system and application method thereof | |
TW201328280A (en) | Instant communication identity authentication system and method | |
CN108833105A (en) | Electric endorsement method and device | |
CN108512832A (en) | A kind of safe Enhancement Method for OpenStack authentications | |
CN116112242B (en) | Unified safety authentication method and system for power regulation and control system | |
CN109460647B (en) | Multi-device secure login method | |
CN104918245A (en) | Identity authentication method, device, server and client | |
EP2916509B1 (en) | Network authentication method for secure user identity verification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | | Address after: Part 4-5, No. 789 Jingwei Avenue, Shiyou Road Street, Yuzhong District, Chongqing 400042; Patentee after: National Certification Technology (Chongqing) Co.,Ltd.; Address before: 100085 room A606, 6th floor, building 1, 6 Shangdi West Road, Haidian District, Beijing; Patentee before: GUOMIN AUTHENTICATION TECHNOLOGY (BEIJING) CO.,LTD. |
CP03 | Change of name, title or address | | |