CN107455003A - A kind of method for authenticating user identity and server - Google Patents


Info

Publication number: CN107455003A
Application number: CN201680003623.1A
Authority: CN (China)
Prior art keywords: data, server, user, client, user password
Legal status: Granted; currently active (Google's listed status and dates are assumptions, not legal conclusions)
Other languages: Chinese (zh)
Other versions: CN107455003B (en)
Inventor: 方习文
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; published as CN107455003A; granted and published as CN107455003B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/40 Support for services or applications

Abstract

The embodiments of the invention disclose a user identity authentication method and a server, which remove the security risk present in prior-art user identity authentication and effectively improve the security of the user's personal privacy. The method includes: when a first server receives a user account and a first user password, sent by a client, with which the client is logging in, the first server generates first data from the first user password; the first server obtains, according to the user account, N second data corresponding to the user account from at least one second server and generates third data from the N second data, where N is an integer greater than 1; when the first data matches the third data, the first server determines that the user identity authentication passes.

Description

User identity authentication method and server
Technical Field
The invention relates to the field of communication, in particular to a user identity authentication method and a server.
Background
When a client registers for a service, the server corresponding to that service stores the user account and user password; when the client later logs in to the service, the server obtains the submitted user account and user password and compares them with the stored ones, thereby verifying the password and the validity of the user identity. If the server is insecure while verifying the password, or the stored password itself is at risk, the user password is leaked.
At present, a server stores a one-way hash value generated from the user password and a random salt value SALT, and verifies the user password against it. The method comprises a registration stage and a verification stage:
Registration stage: as shown in fig. 1, the client sends the user account and user password being registered over a Transport Layer Security (TLS) channel; the server generates a random salt value SALT, computes the one-way hash value H from the user password and the salt, that is, H = PBKDF2(password, SALT), and saves the triple <username, H, SALT> in the database.
Verification stage: as shown in fig. 2, the client sends the user account and user password over the TLS channel; the server computes H' = PBKDF2(password, SALT) from the stored salt and the submitted password, compares H' with the H stored in the database, and if H' = H the authentication passes.
However, the server holds <username, H, SALT>, where H is a one-way hash generated from the user password and the random salt. A one-way hash is a public function: given an input, anyone can compute the corresponding hash value. If the server's data is leaked, an attacker who obtains the stored records can mount an offline exhaustive attack: enumerate candidate passwords, compute the one-way hash of each candidate with the obtained salt, and compare it with the H stored in the database. A match means the correct user password has been found, and the resulting password leak can seriously damage the user's personal privacy.
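The offline exhaustive attack described above, as an added Python example that is not part of the patent: a server that keeps <username, H, SALT> with H = PBKDF2(password, SALT) in the manner of figs. 1 and 2, and an attacker who has obtained one such row. The wordlist and the low iteration count are constructed for the demo; the salt is drawn with os.urandom as a real server would.

```python
import hashlib
import hmac
import os

# Iteration count kept low so the demo runs instantly; real deployments use far
# more, which makes each guess cost more but does not stop the attack below.
ITERATIONS = 1000


def pbkdf2(password, salt, iterations=ITERATIONS):
    """H = PBKDF2-HMAC-SHA256(password, SALT): a public function anyone can evaluate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(username, password):
    """Server side of fig. 1: draw a random SALT, compute H, store <username, H, SALT>."""
    salt = os.urandom(16)
    return (username, pbkdf2(password, salt), salt)


def verify(record, attempt):
    """Server side of fig. 2: recompute H' from the stored SALT and compare with H."""
    _, h, salt = record
    return hmac.compare_digest(pbkdf2(attempt, salt), h)


def offline_crack(record, wordlist):
    """Attacker side: with a leaked triple, guesses are checked without contacting
    the server, so rate limits and lockouts never apply."""
    _, h, salt = record
    for guess in wordlist:
        if pbkdf2(guess, salt) == h:
            return guess
    return None


# Constructed wordlist standing in for a real password dictionary.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]

if __name__ == "__main__":
    leaked = register("alice", "hunter2")      # imagine this row was dumped from the DB
    print(offline_crack(leaked, WORDLIST))     # hunter2
```

The salt defeats precomputed tables and forces one PBKDF2 run per guess per user, but nothing in the stored triple is secret from the attacker who holds it, which is the gap the patent's split storage targets.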
Disclosure of Invention
The invention aims to provide a user identity authentication method and a server that remove the security risk present in prior-art user identity authentication and effectively improve the security of the user's personal privacy.
A first aspect provides a user identity authentication method, including: when a first server receives a user account and a first user password which are sent by a client and are logged in the client, the first server generates first data by using the first user password; the first server acquires N second data corresponding to the user account from at least one second server according to the user account, and generates third data from the N second data, wherein N is an integer greater than 1; when the first data is matched with the third data, the first server determines that the user identity authentication is passed.
Unlike the prior art, the first server does not need to store data derived from the user password that matches the user account, so exposure of the user's personal privacy is avoided even after the password-related data held by the first server is lost or cracked by an attacker. Instead, N second data corresponding to the user account are stored in a distributed manner by at least one second server, and the third data generated from the N second data are the data corresponding to the user password matching the user account. Therefore, when the first server receives a user account and a first user password with which the client is logging in, it generates first data from the first user password and judges whether the first data matches the third data to determine whether the user identity authentication passes, that is: when the first data equals the third data, or the first data and the third data satisfy a certain functional relationship, the authentication is determined to pass; otherwise it is determined to fail. Because the N second data are stored in a distributed manner by at least one second server and the third data generated from them are used for authentication, the security risk of authenticating only against password-derived data stored by the first server is avoided, and the security of the user's personal privacy is effectively improved.
With reference to the first aspect, in some possible implementations, before the first server receives a user account and a first user password, which are sent by a client and logged in to the client, the method further includes: when the first server receives a user account and a second user password which are sent by the client and registered on the client, the first server generates the third data by using the second user password; the first server generates the N second data from the third data and sends the N second data to the at least one second server.
It can be seen that, before a user account and first user password are used to log in on the client, when the user account and a second user password registered on the client are received, third data are generated from the second user password, the third data are split into N second data, and the N second data are stored in a distributed manner on at least one second server. This avoids the security risk of storing the password-related data only on a single first server, for example exposure of the user's personal privacy after that data is lost or cracked by an attacker. In addition, because the second data are stored on at least one second server, the difficulty of stealing the user password is increased and the security of the user's personal privacy is effectively improved.
In other possible implementations, the generating the N second data into the third data includes: the first server merges the N second data through a merging function to generate the third data; or generating the third data from the N second data in a user-defined mode.
In practical applications, the N second data may be combined by a merging function to generate the third data. The merging function may take various forms, for example $H(x_1, x_2, \dots, x_N) = y$ with $N \geq 2$, where $(x_1, x_2, \dots, x_N)$ are the N second data and $y$ is the third data; other merging functions may also be used and are not specifically limited here. Alternatively, the N second data may be combined into the third data in a user-defined manner so as to improve user experience; there are various such user-defined manners, for example: the third data are split into N second data in advance in a user-defined manner, and conversely the third data are regenerated from the N second data in the same user-defined manner, which is not specifically limited here.
In other possible implementations, the generating, by the first server, the N second data from the third data includes: the first server disperses the third data through a dispersion function to generate the N pieces of second data, wherein the dispersion function is matched with the merging function; or the third data are scattered to generate the N second data in a user-defined mode.
In practical applications, the third data may be split by a dispersion function to generate the N second data, where the dispersion function is matched with the merging function so that the user password can be verified, for example: the dispersion function is $H'(y) = (x_1, x_2, \dots, x_N)$, where $(x_1, x_2, \dots, x_N)$ are the N second data and $y$ is the third data, and the corresponding merging function is $H(x_1, x_2, \dots, x_N) = y$.
In addition, the N second data may be generated by dispersing the third data in a user-defined manner, and further, the user-defined manner is locally stored, which is convenient for subsequent verification of the user password, for example: and generating the N second data in a dispersing way by the third data in a user-defined way, and acquiring the N second data to generate the third data in a user-defined way subsequently. Therefore, a plurality of user-defined modes are provided, and the user experience is effectively increased.
A second aspect provides a server for user identity authentication, comprising: the receiving module is used for receiving a user account and a first user password which are sent by a client and are logged on the client; the processing module is used for generating first data by utilizing a first user password when the receiving module receives the user account and the first user password which are sent by the client and are logged on the client; the processing module is further configured to obtain, according to the user account, N second data corresponding to the user account from at least one second server, and generate third data from the N second data, where N is an integer greater than 1; the processing module is further configured to determine that the user identity authentication is passed when the first data matches the third data.
Unlike the prior art, the first server does not need to store data derived from the user password that matches the user account, so exposure of the user's personal privacy is avoided even after the password-related data held by the first server is lost or cracked by an attacker. Instead, N second data corresponding to the user account are stored in a distributed manner by at least one second server, and the third data generated from the N second data are the data corresponding to the user password matching the user account. Therefore, when the receiving module of the first server receives a user account and a first user password with which the client is logging in, the processing module generates first data from the first user password and judges whether the first data matches the third data to determine whether the user identity authentication passes, that is: if the first data equals the third data the authentication passes, otherwise it fails. Because the N second data are stored in a distributed manner by at least one second server and the third data generated from them are used for authentication, the security risk of authenticating only against password-derived data stored by the first server is avoided, and the security of the user's personal privacy is effectively improved.
With reference to the second aspect, in some possible implementations, the processing module is further configured to, before the receiving module receives a user account and a first user password with which the client is logging in, generate the third data from the second user password when the receiving module receives the user account and a second user password registered on the client, and to generate the N second data from the third data; and the server further includes a sending module configured to send the N second data to the at least one second server.
It can be seen that, before a user account and first user password are used to log in on the client, when the receiving module receives the user account and a second user password registered on the client, the processing module generates third data from the second user password and splits the third data into N second data, and the sending module sends the N second data to at least one second server for distributed storage. This avoids the security risk of storing the password-related data only on a single first server, for example exposure of the user's personal privacy after that data is lost or cracked by an attacker. In addition, because the second data are stored on at least one second server, the difficulty of stealing the user password is increased and the security of the user's personal privacy is effectively improved.
A third aspect provides a server comprising: one or more processors, a memory, a bus system, and a transceiver, the one or more processors, the memory, and the transceiver being connected by the bus system; wherein the memory stores one or more programs comprising instructions which, when executed by the server, cause the server to perform the method of the first aspect or any of its possible implementations.
Unlike the prior art, the first server does not need to store data derived from the user password that matches the user account, so exposure of the user's personal privacy is avoided even after the password-related data held by the first server is lost or cracked by an attacker. Instead, N second data corresponding to the user account are stored in a distributed manner by at least one second server, and the third data generated from the N second data are the data corresponding to the user password matching the user account. Therefore, when the first server receives a user account and a first user password with which the client is logging in, it generates first data from the first user password and judges whether the first data matches the third data to determine whether the user identity authentication passes, that is: if the first data equals the third data the authentication passes, otherwise it fails. Because the N second data are stored in a distributed manner by at least one second server and the third data generated from them are used for authentication, the security risk of authenticating only against password-derived data stored by the first server is avoided, and the security of the user's personal privacy is effectively improved.
Drawings
FIG. 1 is a diagram of one embodiment of a prior art user identity registration;
FIG. 2 is a diagram illustrating one embodiment of user authentication in the prior art;
FIG. 3 is a schematic diagram of a server according to an embodiment of the present invention;
FIG. 4 is a diagram of an embodiment of a user identity authentication application scenario in an embodiment of the present invention;
FIG. 5 is a diagram of an embodiment of a method for authenticating a user according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another structure of a server according to an embodiment of the present invention;
fig. 7 is another schematic structural diagram of a server in the embodiment of the present invention.
Detailed Description
The embodiment of the invention discloses a user identity authentication method and a server, which are used for solving the potential safety hazard existing in the prior art during user identity authentication and effectively improving the safety of personal privacy of a user.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
As shown in fig. 3, the server 300 according to the present invention includes a communication unit 301, an input unit 302, an output unit 303, a processor 304, a storage unit 305, and a peripheral interface 306, which are connected by one or more buses. The communication unit 301 is configured to establish a communication channel, so that the server performs voice communication, text communication, data communication, and the like with the client through the communication channel, where the client is not limited to a mobile phone, a mobile computer, a tablet computer, a Personal Digital Assistant (abbreviated as PDA), a media player, a smart television, a wearable device (e.g., a smart watch or smart glasses, and the like), and a combination of two or more of the foregoing items; the input unit 302 is used for realizing the interaction between the client and the server and/or inputting information into the server; the processor 304 is a control center of the server, connects various parts of the entire server by using various interfaces and lines, and executes various functions of the server and/or processes data by operating or executing software programs and/or modules stored in the storage unit and calling data stored in the storage unit; the output unit 303 is used for outputting data of the processor; the storage unit 305 may be used to store software programs and modules; the peripheral interface 306 is used to connect clients.
The client, also called the user end, is the counterpart of the server and runs the local service applications. Apart from some applications that run purely locally, the applications generally installed on an ordinary client need the client and a server to cooperate. With the development of the internet, the most common clients include web browsers, e-mail clients and dedicated client software; these applications require a corresponding server or service program in the network to provide the corresponding service, for example a database service or an e-mail service. A specific communication connection therefore has to be established between the client and the server for the application to operate normally.
Before the embodiment is introduced, the scenario in which the technical solution applies is described with reference to fig. 4: a user account and user password are entered to log in on a client; a first server (e.g. a central server) receives the user account and user password sent by the client and obtains the random salt value SALT it stored in advance, where the salt is random data generated when the client first registered the user account and password; the first server computes the one-way hash value H from the salt and the user password, further obtains the distributed values stored by the plurality of second servers (e.g. sub-servers) and computes H' from them, and determines that the user identity authentication passes when H and H' match; otherwise the authentication fails.
Referring to fig. 5, an embodiment of a user identity authentication method according to an embodiment of the present invention is schematically illustrated, and a specific process is as follows:
step 501, when the first server receives a user account and a second user password which are sent by a client and registered on the client, the first server generates third data by using the second user password.
In some possible implementation manners, when the first server receives a user account and a second user password which are sent by the client and registered at the client, the first server allocates fourth data for generating the third data, and locally stores the fourth data; the first server generates the third data using the fourth data and the second user password.
In practical application, when a user account and a second user password are registered on the client, the first server receives the user account and the second user password, stores them locally, and subsequently performs login verification against them. The second user password is the user password matching the user account and is unique; it may be set by the user or be a client default, which is not specifically limited here. To increase the security of the user password, when the first server receives the user account and the second user password registered on the client, it allocates fourth data for generating the third data, where the fourth data is random data, for example a random salt value SALT: the first server generates the one-way hash value H from the random salt value SALT and the second user password, that is, $H = \mathrm{PBKDF2}(\text{password}, \mathrm{SALT})$, and saves the triple <username, H, SALT> locally.
Step 502, the first server generates the N second data from the third data, and sends the N second data to at least one second server, where N is an integer greater than 1.
In some possible implementations, the first server disperses the third data by a dispersion function to generate the N second data, where the dispersion function is matched with the merge function; or the third data are scattered to generate the N second data in a user-defined mode.
In practical application, given the third data (for example, H) as input and the number N of pieces to generate, H is split into N second data by a dispersion function, and after the N second data are combined by the merging function, reference data of H can be recovered, where the reference data may be H itself or may stand in a mapping relationship with H, which is not specifically limited here. It should be noted that any combination of fewer than N of the N second data cannot reveal the relevant data of H. Specifically, the dispersion function is applied as follows: let $p$ be the system global modulus, $g$ the system global generator and $x$ the second-data sequence number, and let $f(x) = H + a_1 x + a_2 x^2 + \dots + a_{N-1} x^{N-1} \bmod p$, where $a_1, \dots, a_{N-1}$ are the coefficients of the dispersion function. The first server disperses H into N second data, with $I_i$ ($1 \leq i \leq N$) the second-data value, namely $I_1 = g^{f(1)} \bmod p$, $I_2 = g^{f(2)} \bmod p$, ..., $I_N = g^{f(N)} \bmod p$, and sends the N second data to at least one second server; preferably the N second data are sent to N second servers in a distributed manner, that is, each second server stores one second data.
In addition, the N second data may be generated by splitting the third data in a user-defined manner, for example: in the user-defined manner each second server stores one second data, and the second data stored by all the second servers are collected to restore the third data.
Step 503, when the first server receives the user account and the first user password, which are sent by the client and logged on the client, the first server generates first data by using the first user password.
In some possible implementations, the first server obtains the fourth data;
the first server generates the first data using the fourth data and the first user password.
In practical applications, the first server obtains the fourth data locally, that is, the random salt value SALT, and generates the first data from the salt and the first user password in the same manner as the third data was generated.
Step 504, the first server obtains N second data corresponding to the user account from at least one second server according to the user account, and generates third data from the N second data.
In some possible implementations, the first server merges the N second data by a merge function to generate the third data; or generating the third data from the N second data in a user-defined mode.
In practical application, the N second data are input to generate the third data (e.g. H'). Let $x_i$ ($1 \leq i \leq N$) and $x_j$ ($1 \leq j \leq N$) denote second-data sequence numbers and $I_i$ ($1 \leq i \leq N$) the second-data values. The merging function corresponding to the dispersion function of the previous step is applied to the pairs $(x_i, I_i)$ to obtain H'.
In practical application, H' is judged to satisfy $H' = g^{H} \bmod p$ in order to verify that H' matches H.
In addition, the N second data may be combined into the third data in a user-defined manner so as to improve user experience; there are various such user-defined manners, for example: the third data are split into N second data in advance in a user-defined manner, and conversely the third data are regenerated from the N second data in the same user-defined manner, which is not specifically limited here.
Step 505, determining whether the first data and the third data are matched, if yes, executing step 506.
Step 506, when the first data matches the third data, the first server determines that the user identity authentication is passed.
When the first server judges that the first data is matched with the third data, it is determined that the user identity authentication is passed, otherwise, it is determined that the user identity authentication is not passed, wherein the matching of the first data and the third data means that the first data and the third data are equal or that the first data and the third data satisfy a certain functional relationship, and the method is not particularly limited herein.
Therefore, the first server does not need to store data derived from the user password that matches the user account, so exposure of the user's personal privacy is avoided even after the password-related data held by the first server is lost or cracked by an attacker; instead, N second data corresponding to the user account are stored in a distributed manner by at least one second server, and the third data generated from the N second data are the data corresponding to the user password matching the user account. When the first server receives a user account and a first user password with which the client is logging in, it generates first data from the first user password and judges whether the first data matches the third data to determine whether the user identity authentication passes, that is: if the first data equals the third data the authentication passes, otherwise it fails. Because the N second data are stored in a distributed manner by at least one second server and the third data generated from them are used for authentication, the security risk of authenticating only against password-derived data stored by the first server is avoided, and the security of the user's personal privacy is effectively improved.
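The registration flow of steps 501 and 502 and the login flow of steps 503 to 506, together with the dispersion and merging functions of the first aspect, as an added Python example that is not the patent's own code. The dispersion function follows the page's $f(x)$ and $I_i = g^{f(i)} \bmod p$. The merging function, which the page does not spell out, is assumed here to be Lagrange interpolation in the exponent, $H' = \prod_i I_i^{\lambda_i} \bmod p$ with $\lambda_i = \prod_{j \neq i} x_j/(x_j - x_i)$, which yields $g^{f(0)} = g^{H} \bmod p$ and so satisfies the page's check $H' = g^{H} \bmod p$. Two further assumptions go beyond the page: the polynomial is reduced modulo the order $q$ of $g$ rather than modulo $p$ as the page writes, because otherwise the interpolation in the exponent is not exact, so a safe prime $p = 2q + 1$ and an order-$q$ generator are generated at start-up at a toy 128-bit size; and the first server keeps only <username, SALT> locally, in line with the statement that it need not hold password-derived data. The names, the FirstServer class and the in-memory dicts standing in for second servers are illustrative.

```python
import hashlib
import os
import random

# Constructed toy group, NOT production sizes. The patent reduces f(x) mod p; for
# interpolation in the exponent to be exact, f must be reduced modulo the order of
# g, so here p = 2q + 1 is a safe prime, g generates the order-q subgroup and the
# polynomial lives in Z_q.
BITS = 128

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with rng-chosen bases (adequate for a demo, not for production)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(seed=1):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(BITS - 1) | (1 << (BITS - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)   # a non-trivial square has order q
        if g != 1:
            return p, q, g

def pbkdf2_hash(password, salt, iterations=50_000):
    """The one-way hash H = PBKDF2(password, SALT), as an integer."""
    return int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), "big")

def disperse(H, n, p, q, g, rng=None):
    """Dispersion function: {x_i: I_i = g^f(i) mod p} with f(0) = H mod q and
    deg f = n - 1, so any n - 1 shares reveal nothing about H."""
    rng = rng or random.SystemRandom()
    coeffs = [H % q] + [rng.randrange(q) for _ in range(n - 1)]
    return {x: pow(g, sum(c * pow(x, k, q) for k, c in enumerate(coeffs)) % q, p)
            for x in range(1, n + 1)}

def merge(shares, p, q):
    """Merging function (assumed): H' = prod_i I_i^lambda_i mod p with Lagrange
    weights lambda_i = prod_{j != i} x_j / (x_j - x_i) mod q, i.e. g^f(0) mod p."""
    Hp = 1
    for xi, Ii in shares.items():
        lam = 1
        for xj in shares:
            if xj != xi:
                lam = lam * xj * pow((xj - xi) % q, -1, q) % q
        Hp = Hp * pow(Ii, lam, p) % p
    return Hp

class FirstServer:
    """Keeps only <username, SALT>; password-derived data exists only as shares."""

    def __init__(self, second_servers, group):
        self.second_servers = second_servers   # one dict (account -> share) each
        self.p, self.q, self.g = group
        self.salts = {}

    def register(self, username, password):
        salt = os.urandom(16)                  # the "fourth data", kept locally
        self.salts[username] = salt
        shares = disperse(pbkdf2_hash(password, salt), len(self.second_servers),
                          self.p, self.q, self.g)
        for x, I in shares.items():
            self.second_servers[x - 1][username] = (x, I)

    def login(self, username, attempt):
        salt = self.salts.get(username)
        if salt is None:
            return False
        shares = dict(s[username] for s in self.second_servers if username in s)
        if len(shares) != len(self.second_servers):
            return False                       # all N shares are needed to rebuild H'
        first = pow(self.g, pbkdf2_hash(attempt, salt) % self.q, self.p)
        return first == merge(shares, self.p, self.q)
```

To try it, build `FirstServer([{}, {}, {}], make_group())`, call `register("alice", pw)` and then `login("alice", pw)`, which returns True only for the registered password and only when all three share dicts answer. Two properties are worth checking against the threat model: any N-1 shares, even with the salt, carry no information about H (merging two of the three shares yields an unrelated group element), but an attacker who obtains all N shares plus the salt can again run the offline attack of the background section, because $g^{\mathrm{PBKDF2}(\text{guess}, \mathrm{SALT})} \bmod p$ is just as public a function as PBKDF2 itself. The first server also still sees the plaintext password at login, and every login now depends on all N second servers being reachable, so the scheme moves the at-rest risk rather than removing run-time exposure.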
To facilitate a better understanding of the above-described related methods of embodiments of the present invention, the following also provides related apparatus for cooperating with the above-described methods.
Fig. 6 is a schematic structural diagram of a server 600 according to an embodiment of the present invention. The server is used for user identity authentication and includes a receiving module 601, a processing module 602 and a sending module 603.
The receiving module 601 is configured to receive a user account and a first user password that are sent by a client and logged in at the client;
the processing module 602 is configured to, when the receiving module 601 receives the user account and the first user password sent by the client and logged in at the client, generate first data by using the first user password;
in some possible implementations, the first server obtains the fourth data and generates the first data using the fourth data and the first user password.
The processing module 602 is further configured to obtain, according to the user account, N second data corresponding to the user account from at least one second server, and to generate third data from the N second data, where N is an integer greater than 1;
in some possible implementations, the first server merges the N second data by a merge function to generate the third data, or generates the third data from the N second data in a user-defined manner.
The processing module 602 is further configured to determine that the user identity authentication has passed when the first data matches the third data.
The processing module 602 is further configured to, before the receiving module 601 receives the user account and the first user password sent by the client and logged in at the client, generate the third data by using a second user password when the receiving module 601 receives the user account and the second user password sent by the client and registered at the client, and to generate the N second data from the third data;
in some possible implementations, the processing module 602 is further configured to, when the receiving module 601 receives the user account and the second user password sent by the client and registered at the client, allocate fourth data used for generating the third data, and to store the fourth data locally;
the processing module 602 is specifically configured to generate the third data by using the fourth data and the second user password.
In some possible implementations, the processing module 602 is specifically configured to disperse the third data by a dispersion function to generate the N second data, where the dispersion function is matched with the merge function; or to generate the N second data by dispersing the third data in a user-defined manner.
The sending module 603 is configured to send the N second data to the at least one second server.
Different from the prior art, the first server does not need to store related data of the user password matched with the user account, so exposure of the user's personal privacy can be avoided after the related data corresponding to the user password stored by the first server is lost, or after that related data is cracked by unlawful actors. Instead, the N second data corresponding to the user account are stored in a dispersed manner by the at least one second server, where the third data generated from the N second data is the data corresponding to the user password matched with the user account. Therefore, when the receiving module of the first server receives the user account and the first user password logged in at the client, the processing module of the first server generates first data from the first user password and determines whether the first data is the same as the third data, so as to determine whether the user identity authentication passes: if the first data is the same as the third data, the user identity authentication is determined to have passed; otherwise it has not passed. Because the N second data are stored in a dispersed manner by the at least one second server and the third data generated from them is used for user identity authentication, the potential safety hazard that exists when user identity authentication is performed only through data corresponding to the user password that is matched with the user account and stored by the first server is avoided, and the security of the user's personal privacy is effectively improved.
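The registration and login procedure described for the modules above, written out as an added example in Python; this is not code from the patent or from Huawei. It assumes PBKDF2-HMAC-SHA256 as the function that turns the fourth data (a per-account random salt that the first server keeps locally) and a password into the first or third data, an XOR secret-splitting scheme as the matched dispersion and merge functions, one second data per second server, and in-memory dictionaries standing in for the servers' storage. All of these choices are assumptions; the patent leaves the concrete functions open.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Assumption: the "fourth data" is a 16-byte random salt held only by the first server.
SALT_LEN = 16
# Assumption: PBKDF2 iteration count; the patent does not specify a derivation function.
PBKDF2_ROUNDS = 100_000


def derive(fourth_data: bytes, password: str) -> bytes:
    """Generate the patent's first data (at login) or third data (at registration)
    from the locally held fourth data and a password. PBKDF2-HMAC-SHA256 is an
    assumed choice; output is 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), fourth_data, PBKDF2_ROUNDS)


def disperse(third_data: bytes, n: int) -> List[bytes]:
    """Dispersion function: split third_data into N shares (the N second data).
    N-1 shares are uniformly random; the last is the XOR of third_data with all of
    them, so every share is needed to recover third_data and any N-1 shares alone
    carry no information about it."""
    if n < 2:
        raise ValueError("N must be an integer greater than 1")
    shares = [secrets.token_bytes(len(third_data)) for _ in range(n - 1)]
    last = bytes(third_data)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def merge(shares: List[bytes]) -> bytes:
    """Merge function matched with disperse(): XOR of all N shares."""
    out = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("share length mismatch")
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


class SecondServer:
    """One of the at least one second servers: holds one share per account."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def put(self, account: str, share: bytes) -> None:
        self.store[account] = share

    def get(self, account: str) -> bytes:
        return self.store[account]


class FirstServer:
    """The first server: keeps only the fourth data (salt) per account, never the
    third data or anything else derived from the password."""

    def __init__(self, second_servers: List[SecondServer]) -> None:
        self.second_servers = second_servers
        self.fourth_data: Dict[str, bytes] = {}

    def register(self, account: str, second_password: str) -> None:
        fourth = secrets.token_bytes(SALT_LEN)
        self.fourth_data[account] = fourth          # stored locally
        third = derive(fourth, second_password)     # third data
        shares = disperse(third, len(self.second_servers))
        for server, share in zip(self.second_servers, shares):
            server.put(account, share)              # N second data sent out
        # `third` is dropped here; the first server retains no copy.

    def authenticate(self, account: str, first_password: str) -> bool:
        fourth = self.fourth_data.get(account)
        if fourth is None:
            return False
        first = derive(fourth, first_password)      # first data
        try:
            shares = [server.get(account) for server in self.second_servers]
        except KeyError:
            return False                            # a second server lacks its share
        third = merge(shares)                       # third data rebuilt from N shares
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(first, third)


if __name__ == "__main__":
    first_server = FirstServer([SecondServer() for _ in range(3)])
    first_server.register("alice", "correct horse battery staple")
    print(first_server.authenticate("alice", "correct horse battery staple"))
    print(first_server.authenticate("alice", "wrong password"))
```

Two properties of this arrangement are worth keeping in view. Because the XOR split is an N-of-N scheme, compromise of fewer than all N second servers yields nothing about the third data, which is the privacy benefit the description claims; the flip side is that the loss or unavailability of any single share makes every login for that account fail, so availability of the second servers becomes part of the authentication path. The locally held fourth data is equally necessary: without the salt neither the first data nor a fresh third data can be recomputed, so it must be backed up with the same care as the shares.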
The embodiment shown in fig. 6 describes the structure of the server from the perspective of functional modules; the following describes the structure of the server from the perspective of hardware in conjunction with the embodiment of fig. 7. A server 700 comprises one or more processors 701, a memory 702, a bus system 703 and a transceiver 704, the one or more processors 701, the memory 702 and the transceiver 704 being connected by the bus system 703;
wherein the memory 702 stores one or more programs 705, the one or more programs 705 comprising instructions that, when executed by the server, cause the server to perform the method shown in fig. 5.
In the embodiment of the invention, the first server does not need to store related data of the user password matched with the user account, so exposure of the user's personal privacy can be avoided after the related data corresponding to the user password stored by the first server is lost, or after that related data is cracked by unlawful actors. Instead, the N second data corresponding to the user account are stored in a dispersed manner by the at least one second server, where the third data generated from the N second data is the data corresponding to the user password matched with the user account. Therefore, when the first server receives a user account and a first user password logged in at the client, it generates first data from the first user password, judges whether the first data is the same as the third data, and thereby determines whether the user identity authentication passes: if the first data is the same as the third data, the user identity authentication is determined to have passed; otherwise it has not passed. Because the N second data are stored in a dispersed manner by the at least one second server and the third data generated from them is used for user identity authentication, the potential safety hazard that exists when user identity authentication is performed only through data corresponding to the user password that is matched with the user account and stored by the first server is avoided, and the security of the user's personal privacy is effectively improved.
It should be noted that the function of the server in the present invention can be specifically implemented according to the method in the embodiment shown in fig. 5, and the specific implementation process thereof can refer to the related description in the embodiment of the method shown in fig. 5, which is not described herein again, and the server executes the method in the embodiment shown in fig. 5 to obtain the technical effect obtained by the embodiment of the method.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The user identity authentication method and the server provided by the invention are described in detail, a specific example is applied in the text to explain the principle and the implementation mode of the invention, and the description of the embodiment is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (13)

  1. A user identity authentication method is characterized by comprising the following steps:
    when a first server receives a user account and a first user password which are sent by a client and are logged in the client, the first server generates first data by using the first user password;
    the first server acquires N second data corresponding to the user account from at least one second server according to the user account, and generates third data from the N second data, wherein N is an integer greater than 1;
    and when the first data is matched with the third data, the first server determines that the user identity authentication is passed.
  2. The method of claim 1, wherein before the first server receives the user account and the first user password which are sent by the client and logged on the client, the method further comprises:
    when the first server receives a user account and a second user password which are sent by the client and registered on the client, the first server generates the third data by using the second user password;
    the first server generates the N second data from the third data, and sends the N second data to the at least one second server.
  3. The method of claim 2, wherein when the first server receives the user account and the second user password which are sent by the client and registered at the client, the method further comprises:
    the first server distributes fourth data used for generating the third data and locally stores the fourth data;
    the first server generating the third data using the second user password comprises:
    the first server generates the third data using the fourth data and the second user password.
  4. The method of claim 3, wherein the first server generating first data using the first user password comprises:
    the first server acquires the fourth data;
    the first server generates the first data using the fourth data and the first user password.
  5. The method of claim 1, wherein generating the third data from the N second data comprises:
    the first server merges the N second data through a merge function to generate the third data;
    or generating the third data from the N second data in a user-defined mode.
  6. The method of claim 5, wherein the first server generating the N second data from the third data comprises:
    the first server disperses the third data through a dispersion function to generate the N second data, wherein the dispersion function is matched with the merge function;
    or the first server disperses the third data in a user-defined manner to generate the N second data.
  7. A server for user authentication, the server comprising:
    the receiving module is used for receiving a user account and a first user password which are sent by a client and are logged on the client;
    the processing module is used for generating first data by utilizing a first user password when a receiving module receives the user account and the first user password which are sent by a client and are logged on the client;
    the processing module is further configured to acquire N second data corresponding to the user account from at least one second server according to the user account, and generate third data from the N second data, where N is an integer greater than 1;
    and the processing module is further used for determining that the user identity authentication is passed when the first data is matched with the third data.
  8. The server of claim 7, further comprising:
    the processing module is further configured to, before the receiving module receives a user account and a first user password which are sent by a client and logged in the client, generate, by using the second user password, the third data when the receiving module receives the user account and the second user password which are sent by the client and registered on the client, and generate the N second data from the third data;
    a sending module, configured to send the N second data to the at least one second server.
  9. The server according to claim 8, comprising:
    the processing module is further configured to, when the receiving module receives a user account and a second user password, which are sent by the client and registered at the client, allocate fourth data for generating the third data, and locally store the fourth data;
    the processing module is specifically configured to generate the third data by using the fourth data and the second user password.
  10. The server according to claim 9,
    the processing module is specifically configured to obtain the fourth data; generating the first data using the fourth data and the first user password.
  11. The server according to claim 7, wherein the processing module is specifically configured to merge the N second data by a merge function to generate the third data, or to generate the third data from the N second data in a user-defined manner.
  12. The server according to claim 11, wherein the processing module is specifically configured to disperse the third data by a dispersion function to generate the N second data, or to generate the N second data by dispersing the third data in a user-defined manner, wherein the dispersion function is matched with the merge function.
  13. A server, comprising: one or more processors, a memory, a bus system, and a transceiver, the one or more processors, the memory, and the transceiver being connected by the bus system;
    wherein the memory stores one or more programs therein, the one or more programs comprising instructions, which when executed by the server, cause the server to perform the method of any of claims 1-6.
CN201680003623.1A 2016-01-26 2016-01-26 User identity authentication method and server Active CN107455003B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/072182 WO2017128044A1 (en) 2016-01-26 2016-01-26 User identity authentication method and server

Publications (2)

Publication Number Publication Date
CN107455003A true CN107455003A (en) 2017-12-08
CN107455003B CN107455003B (en) 2020-09-18

Family

ID=59397021

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680003623.1A Active CN107455003B (en) 2016-01-26 2016-01-26 User identity authentication method and server

Country Status (2)

Country Link
CN (1) CN107455003B (en)
WO (1) WO2017128044A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109960915A (en) * 2017-12-22 2019-07-02 苏州迈瑞微电子有限公司 A kind of identity authentication method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997504A (en) * 2014-06-13 2014-08-20 谭知微 Identity authentication system and method
CN104468580A (en) * 2014-12-10 2015-03-25 北京众享比特科技有限公司 Authentication method suitable for distributed storage
CN104468579A (en) * 2014-12-10 2015-03-25 北京众享比特科技有限公司 Authentication system suitable for distributed storage
CN104486314A (en) * 2014-12-05 2015-04-01 北京众享比特科技有限公司 Identity authentication system and identity authentication method based on peer-to-peer network
CN104683301A (en) * 2013-11-28 2015-06-03 腾讯科技(深圳)有限公司 Password saving method and password saving device


Also Published As

Publication number Publication date
CN107455003B (en) 2020-09-18
WO2017128044A1 (en) 2017-08-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant