CN108063748A - A kind of user authentication method, apparatus and system - Google Patents


Info

Publication number
CN108063748A
Authority
CN
China
Prior art keywords
user
information
authentication
identity
server
Legal status
Granted
Application number
CN201610987445.2A
Other languages
Chinese (zh)
Other versions
CN108063748B (en)
Inventor
程宇
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a user authentication method, apparatus and system. The system comprises an application server and at least two authentication servers. The at least two authentication servers receive authentication information broadcast by a user and, according to the user identity information carried in that authentication information, judge whether check information for the user is stored locally; if so, they authenticate the user according to the check information and the authentication information, and if authentication passes they send authentication confirmation information to the application server. The application server receives the authentication confirmation information sent by the at least two authentication servers and judges, for the user, whether the number of authentication servers that sent authentication confirmation information reaches a set number threshold; if so, it determines that the user has passed authentication and provides the corresponding service to the user. This solves the processing-bottleneck problem of a centralized authentication server when the volume of concurrent user access is too large.

Description

User authentication method, device and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a user authentication method, device, and system.
Background
As shown in fig. 1, in the prior art, user authentication proceeds as follows: after the authentication server receives the identity authentication information of a user, it sends a user information query to an account management server; according to the user information query result returned by the account management server, the authentication server determines that the user exists and that the identity authentication passes, and sends user authentication confirmation information to an authorization server.
As shown in fig. 1, in the prior-art user authentication system, when the authentication server receives identity authentication information sent by a user, it sends a user information query to the account management server and authenticates the user according to the query result returned by the account management node. All authentication functions are therefore concentrated in the account management server and the authentication server, and when the concurrent access volume of users is too large, the efficiency of the entire user authentication system is limited by these two servers, so that user access efficiency is greatly affected by their processing bottlenecks.
Disclosure of Invention
The embodiment of the invention provides a user authentication method, device and system, which are used for solving the problem that, in existing systems, user access efficiency is greatly affected by the bottleneck of the account management server and the authentication server.
In order to solve the above problems, the present invention provides a user authentication system, including: an application server and at least two authentication servers; wherein,
the at least two authentication servers are used for receiving identity authentication information broadcasted by the mobile terminal, judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information, if so, authenticating the user according to the verification information and the identity authentication information, and if the authentication is passed, sending authentication confirmation information to the application server;
the application server is used for receiving authentication confirmation information sent by the authentication server, judging whether the number of the authentication servers sending the authentication confirmation information for the user reaches a set number threshold value, and if so, determining that the user passes authentication and providing corresponding services for the user.
Further, the at least two authentication servers are specifically configured to receive identity authentication information encrypted by a private key broadcast by the mobile terminal, determine whether the identity authentication information encrypted by the private key of the user is locally stored, if yes, decrypt the locally stored identity authentication information encrypted by the private key of the user and the received identity authentication information encrypted by the private key by using a public key stored for the user, determine whether the decrypted identity authentication information is consistent, and if yes, confirm that the user authentication passes.
Further, the system further comprises:
the digital certificate server is used for receiving registration identity information sent by the mobile terminal, wherein the registration identity information carries identification information of a user, generating a public key and a private key according to the registration identity information, and sending the information of the public key and the private key to the mobile terminal;
the at least two authentication servers are further configured to receive a public key sent by the mobile terminal and registration identity information encrypted by the private key, store the registration identity information as identity authentication information, and store the public key for the identity authentication information.
Further, the at least two authentication servers are further configured to send an inquiry request for inquiring the validity period of the public key to the digital certificate server if it is determined that the verification information of the user is locally stored, where the inquiry request carries the identification information of the user; receiving the information of the validity period of the public key of the user returned by the digital certificate server, and if the public key is valid, decrypting the received identity authentication information encrypted by the private key and the identity authentication information encrypted by the locally stored private key by using the public key; judging whether the decrypted identity authentication information is consistent;
the digital certificate server is also used for receiving an inquiry request for inquiring the validity period of the public key sent by the authentication server and returning the information of the validity period of the inquired public key to the authentication server.
Further, the digital certificate server is further configured to receive key update information sent by the mobile terminal, where the key update information carries identification information of the user, update the public key and the private key of the user according to the key update information, and send the updated information of the public key and the private key to the mobile terminal.
Further, the application server is further configured to, if it is determined that the user authentication passes, search the authority of the user according to the stored authorization list, and provide corresponding services to the user according to the authority of the user.
Further, the application server is further configured to broadcast the access record of the user to an authentication server;
the at least two authentication servers are used for receiving the access records of the users broadcasted by the application server, judging whether verification information of the users is stored locally or not according to the identification information of the users contained in the access records, and if so, storing the access records aiming at the users.
The invention provides a user authentication method, which is applied to an authentication server in a user authentication system, wherein the user authentication system comprises at least two authentication servers, and the method comprises the following steps:
receiving identity authentication information broadcast by a mobile terminal;
judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information;
if so, authenticating the user according to the verification information and the identity authentication information; and if the authentication is passed, sending authentication confirmation information to an application server, so that the application server, for that user, determines that the user passes authentication if the number of authentication servers that sent authentication confirmation information reaches a set number threshold, and provides corresponding services for the user.
Furthermore, the identity authentication information broadcast by the mobile terminal is the identity authentication information encrypted by the private key, and each identity authentication information encrypted by the private key is locally stored in the authentication server;
the authenticating the user according to the verification information and the identity authentication information comprises:
identifying a public key in the verification information, and decrypting the identity authentication information encrypted by the private key in the locally stored verification information and the received identity authentication information encrypted by the private key by using the public key;
and judging whether the decrypted identity authentication information is consistent.
Further, the process of pre-storing the identity authentication information encrypted by the private key includes:
receiving and storing the public key sent by the mobile terminal and the registration identity information encrypted by the private key, wherein the registration identity information encrypted by the private key is obtained as follows: the mobile terminal sends registration identity information to the digital certificate server, receives the public key and the private key returned by the digital certificate server, encrypts the registration identity information with the private key, and sends the result.
Further, the authenticating the user according to the verification information and the identity authentication information includes:
sending an inquiry request for inquiring the validity period of a public key to the digital certificate server, wherein the inquiry request carries the identification information of the user;
receiving the information of the validity period of the public key of the user returned by the digital certificate server;
if the public key is valid, decrypting the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key;
and judging whether the decrypted identity authentication information is consistent.
Further, the method further comprises:
receiving an access record of a user broadcasted by the application server;
judging whether verification information of the user is stored locally or not according to the identification information of the user contained in the access record;
if so, saving the access record for the user.
The invention provides a user authentication method, which is applied to an application server in a user authentication system and comprises the following steps:
receiving authentication confirmation information sent by at least two authentication servers, wherein the authentication confirmation information is sent by each of the at least two authentication servers after it receives identity authentication information broadcast by a mobile terminal, judges according to the identification information of the user carried in the identity authentication information that verification information of the user is stored locally, and determines according to the verification information and the identity authentication information that the user passes authentication;
judging, for the user, whether the number of authentication servers that sent authentication confirmation information reaches a set number threshold;
if so, determining that the user passes the authentication, and providing corresponding service for the user.
Further, the providing the corresponding service to the user includes:
searching the authority of the user according to the stored authorization list;
and providing corresponding service for the user according to the user authority.
Further, the method further comprises:
broadcasting the access record of the user to an authentication server.
The present invention provides a user authentication apparatus, the apparatus comprising:
the receiving module is used for receiving the identity authentication information broadcasted by the mobile terminal;
the judging module is used for judging whether verification information of the user is stored locally or not according to the identification information of the user carried in the identity authentication information; if yes, triggering an authentication module;
the authentication module is used for authenticating the user according to the verification information and the identity authentication information; if the authentication is passed, triggering a sending module;
and the sending module is used for sending authentication confirmation information to an application server, so that the application server judges, for the user, whether the number of authentication servers that sent authentication confirmation information reaches a set number threshold, and if so determines that the user passes authentication and provides corresponding services for the user.
Further, the authentication module includes:
the decryption unit is used for identifying a public key in the verification information and decrypting the identity authentication information encrypted by the private key in the locally stored verification information and the received identity authentication information encrypted by the private key by adopting the public key;
and the judging unit is used for judging whether the decrypted identity authentication information is consistent.
Further, the apparatus further comprises:
and the storage module is used for receiving and storing the public key sent by the mobile terminal and the registration identity information encrypted by the private key, wherein the registration identity information encrypted by the private key is obtained as follows: the mobile terminal sends registration identity information to the digital certificate server, receives the public key and the private key returned by the digital certificate server, encrypts the registration identity information with the private key, and sends the result.
Further, the authentication module further comprises:
a sending unit, configured to send, to the digital certificate server, an inquiry request for inquiring a validity period of a public key, where the inquiry request carries identification information of the user;
a receiving unit, configured to receive information of a validity period of a public key of the user returned by the digital certificate server;
the decryption unit is further configured to decrypt, if the public key is valid, the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key;
the judging unit is further configured to judge whether the decrypted identity authentication information is consistent.
Further, the receiving module is further configured to receive an access record of the user broadcasted by the application server;
the judging module is further configured to judge whether verification information of the user is stored locally according to the identification information of the user included in the access record, and if yes, trigger the storing module;
the saving module is further configured to save the access record for the user.
The present invention provides a user authentication apparatus, the apparatus comprising:
the receiving module is used for receiving authentication confirmation information sent by at least two authentication servers, wherein the authentication confirmation information is sent by each of the at least two authentication servers after it receives identity authentication information broadcast by the mobile terminal, judges according to the identification information of the user carried in the identity authentication information that verification information of the user is stored locally, and determines according to the verification information and the identity authentication information that the user passes authentication;
the judging module is used for judging, for the user, whether the number of authentication servers that sent authentication confirmation information reaches a set number threshold; if yes, triggering a service providing module;
and the service providing module is used for determining that the user passes the authentication and providing corresponding services for the user.
Further, the service providing module includes:
the searching unit is used for searching the authority of the user according to the stored authorization list;
and the service providing unit is used for providing corresponding services for the user according to the user authority.
Further, the apparatus further comprises:
and the sending module is used for broadcasting the access record of the user to the authentication server.
The invention provides a user authentication method, a device and a system, wherein the system comprises: an application server and at least two authentication servers; the at least two authentication servers are used for receiving identity authentication information broadcast by the mobile terminal, judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information, if so, authenticating the user according to the verification information and the identity authentication information, and if the authentication is passed, sending authentication confirmation information to the application server; the application server is used for receiving authentication confirmation information sent by the authentication server, judging whether the number of the authentication servers sending the authentication confirmation information for the user reaches a set number threshold value, and if so, determining that the user passes authentication and providing corresponding services for the user. The user authentication system comprises at least two authentication servers, each authentication server stores corresponding user verification information, and each authentication server authenticates a corresponding user, so that the load of each authentication server is effectively reduced, and the problem of bottleneck in processing of the authentication servers is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a user authentication system provided in the prior art;
fig. 2 is a schematic diagram illustrating an authentication process of a user authentication system according to embodiment 1 of the present invention;
fig. 3 is a schematic diagram of a user registration process of the user authentication system according to embodiment 3 of the present invention;
fig. 4 is a schematic diagram illustrating an authentication flow of the user authentication system according to embodiment 4 of the present invention;
fig. 5 is a schematic diagram illustrating an authorization flow of the user authentication system according to embodiment 7 of the present invention;
fig. 6 is a schematic diagram of a user authentication method applied to an authentication server according to embodiment 8 of the present invention;
fig. 7 is a schematic diagram of a user authentication method applied to an application server according to embodiment 13 of the present invention;
fig. 8 is a structural diagram of a user authentication apparatus according to an embodiment of the present invention;
fig. 9 is a structural diagram of a user authentication device according to an embodiment of the present invention.
Detailed Description
In order to improve the access efficiency of a user and solve the authentication bottleneck problem of an authentication server, the embodiment of the invention provides a user authentication method, device and system.
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
the embodiment of the invention provides a user authentication system, which comprises: an application server and at least two authentication servers; wherein,
the system comprises at least two authentication servers, a user terminal and an application server, wherein the authentication servers are used for receiving identity authentication information broadcasted by the mobile terminal, judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information, authenticating the user according to the verification information and the identity authentication information if the verification information and the identity authentication information are stored locally, and sending authentication confirmation information to the application server if the verification is passed;
the application server is used for receiving authentication confirmation information sent by the authentication server, judging whether the number of the authentication servers sending the authentication confirmation information for the user reaches a set number threshold value, and if so, determining that the user passes authentication and providing corresponding services for the user.
In order to improve the access efficiency of users and solve the problem of authentication bottleneck of authentication servers, at least two authentication servers are deployed in the system, for example, the number of the authentication servers may be 2, 3, 5, and the like, each authentication server stores the verification information of a user, and the verification information is stored for each user, where the verification information of a user may be the registered identity information of the user, or the identity information which is generated or encrypted according to an algorithm and contains user identification information, and the like.
The verification information of the users stored in each authentication server may be completely the same, may be completely different, or may be partially the same, for example, there are 5 users, which are respectively user a, user B, user C, user D, and user E, and there are 3 authentication servers, which are respectively authentication server 1, authentication server 2, and authentication server 3, where the verification information of user a, user B, user C, and user D is stored in authentication server 1, the verification information of user a, user B, user C, and user E is stored in authentication server 2, and the verification information of user B, user C, user D, and user E is stored in authentication server 3.
Because at least two authentication servers are deployed in the user authentication system, the mobile terminal broadcasts the identity authentication information of the user in a broadcast manner in order to send the identity authentication information to each authentication server, wherein the identity authentication information carries the identification information of the user, and the identification information of the user can be the login account number of the user or the information of the user, such as the mobile phone number of the user, which uniquely identifies the user.
Fig. 2 is a schematic diagram of an authentication process of a user authentication system according to an embodiment of the present invention, and as shown in fig. 2, the user authentication system includes: authentication server a, authentication server B, authentication server C and application server.
The user broadcasts identity authentication information to an authentication server A, an authentication server B and an authentication server C in the user authentication system through the mobile terminal, wherein the identity authentication information carries identification information of the user, and the identity authentication information can be identity authentication information of a plaintext or identity authentication information encrypted by an algorithm. The authentication server A, the authentication server B and the authentication server C can all receive the identity authentication information broadcast by the mobile terminal. Each authentication server judges whether the verification information of the user is stored locally according to the identification information of the user carried in the identity authentication information, wherein the verification information of the user can be the verification information of a plaintext or the identity authentication information encrypted by an algorithm.
And the authentication server B judges that the verification information of the user is not stored locally, and discards the received identity authentication information broadcasted by the mobile terminal.
Authentication server A and authentication server C determine that the verification information of the user is stored locally and authenticate the user according to the identity authentication information and the locally stored verification information; as shown in fig. 4, when the user passes authentication, authentication server A and authentication server C send authentication confirmation information to the application server.
And the application server judges that the number of the authentication servers sending the authentication confirmation information for the user reaches a set number threshold value, determines that the user passes the authentication and provides corresponding services for the user.
The number threshold value stored by the application server for different users may be the same or different, and may be set manually according to the number of authentication servers deployed in the user authentication system and the user's authority, and if the user's authority is higher, the number threshold value may be larger, and if the number of authentication servers deployed in the user authentication system is larger, the number threshold value may also be larger.
The user authentication system provided by the embodiment of the invention comprises at least two authentication servers, each authentication server stores corresponding user verification information, and each authentication server authenticates a corresponding user, so that the load of each authentication server is effectively reduced, and the problem of bottleneck in processing of the authentication server is solved.
Example 2:
In the prior art, the authentication information of all users is stored in the account management node in plaintext form; if the account management node is compromised, the authentication information of every user in the user authentication system is leaked, which greatly reduces the security of the user authentication information. On the basis of the above embodiments, in the embodiments of the present invention,
the at least two authentication servers are used for receiving the identity authentication information which is broadcasted by the mobile terminal and encrypted by the private key, judging whether the identity authentication information which is encrypted by the private key of the user is locally stored or not, if so, decrypting the locally stored identity authentication information which is encrypted by the private key of the user and the received identity authentication information which is encrypted by the private key by adopting a public key which is stored aiming at the user, judging whether the decrypted identity authentication information is consistent or not, and if so, confirming that the user authentication passes.
In the embodiment of the invention, each authentication server stores a large amount of user verification information, and each piece of verification information comprises the identification information of the user, the identity authentication information encrypted by a private key, and the corresponding public key. The user verification information stored in each authentication server may be the same or different.
Further, as in the example above, there are 5 users, namely user A, user B, user C, user D and user E, and 3 authentication servers, namely authentication server 1, authentication server 2 and authentication server 3, where authentication server 1 stores the verification information of user A, user B, user C and user D, authentication server 2 stores the verification information of user A, user B, user C and user E, and authentication server 3 stores the verification information of user B, user C, user D and user E; the verification information consists of the identity authentication information encrypted by the private key together with the public key corresponding to it.
If user A broadcasts, through the mobile terminal, the identity authentication information encrypted with the private key, then authentication server 1, authentication server 2 and authentication server 3 all receive it. The encrypted identity authentication information carries the identification information of user A, which is unencrypted. Each of the three authentication servers checks the verification information it stores locally, and authentication server 1 and authentication server 2 determine that the verification information of user A is locally stored. Authentication server 1 and authentication server 2 identify the public key in the verification information stored locally for user A, use that public key to decrypt both the received identity authentication information broadcast by the mobile terminal and the locally stored identity authentication information encrypted by the private key, and judge whether the two decrypted results are consistent. Authentication server 1 and authentication server 2 find them consistent, confirm that the user authentication passes, and send authentication confirmation information to the application server.
The process of decrypting the identity authentication information encrypted by the private key by using the public key belongs to the prior art, and details of the process are not repeated in the embodiment of the invention.
In the embodiment of the invention, the identity authentication information is respectively stored in a plurality of different authentication servers, and the identity authentication information stored in the authentication servers is the identity authentication information encrypted by the private key, so that the identity authentication information stored in the authentication server cannot be acquired even if a certain authentication server is cracked, the identity authentication information of all users in the user authentication system cannot be acquired even if the identity authentication information stored in the authentication server is acquired, and the safety of the user authentication information is ensured to a certain extent.
Example 3:
In order to improve the security of the user authentication information, on the basis of the above embodiments, in an embodiment of the present invention, the user authentication system further includes:
the digital certificate server is used for receiving registration identity information sent by the mobile terminal, wherein the registration identity information carries identification information of a user, generating a public key and a private key according to the registration identity information, and sending the information of the public key and the private key to the mobile terminal;
the at least two authentication servers are further configured to receive a public key sent by the mobile terminal and registration identity information encrypted by the private key, store the registration identity information as identity authentication information, and store the public key for the identity authentication information.
In order to improve the security of user authentication information, a private key and a public key are adopted in the system to encrypt and decrypt the user information. Wherein the public key and private key information are generated by a digital certificate server.
The following describes the above registration and authentication process of the present invention in detail by using a specific embodiment, and fig. 3 is a schematic diagram of a user registration process of a user authentication system provided in the embodiment of the present invention, as shown in fig. 3, the user authentication system includes: a digital certificate server, an authentication server A, an authentication server B, an authentication server C and an application server.
The method comprises the steps that a user sends registration identity information to a digital certificate server through a mobile terminal, wherein the registration identity information carries identification information and login password information of the user, the digital certificate server generates a public key and a private key according to the registration identity information, and the information of the public key and the private key is sent to the mobile terminal. The registration identity information may be plaintext registration identity information or may be registration identity information generated according to a preset algorithm, where the preset algorithm may be a hash algorithm, and the public key and the private key generated by the digital certificate server are different for the registration identity information of different users.
The process of generating the public key and the private key by the digital certificate server according to the registration identity information belongs to the prior art, and the process is not described in detail in the embodiment of the invention.
The mobile terminal receives the information of the public key and the private key sent by the digital certificate server, and broadcasts the public key and the registration identity information encrypted by the private key to the authentication servers.
In fig. 3, authentication server A, authentication server B and authentication server C all receive the public key broadcast by the mobile terminal and the registration identity information encrypted with the private key. Authentication server A and authentication server C store the verification information of the user, where the verification information includes the identification information of the user, the registration identity information encrypted with the private key, and the public key; that is, authentication server A and authentication server C store the registration identity information encrypted with the private key as the identity authentication information encrypted with the private key.
Specifically, each authentication server receives the public key broadcasted by the mobile terminal and the registration identity information encrypted by the private key, and whether the authentication server stores the public key and the registration identity information encrypted by the private key is judged according to a preset rule stored by the authentication server. And if the authentication server judges that the public key and the registration identity information encrypted by the private key meet the preset rule stored by the authentication server, storing the public key and the registration identity information encrypted by the private key. The preset rules stored in each authentication server may be different or the same.
When each authentication server judges, according to its stored preset rule, whether to store the public key and the registration identity information encrypted by the private key, the rule may be any of the following: judging whether the time at which the public key broadcast by the mobile terminal and the registration identity information encrypted by the private key are received falls within a set time period; judging, after receiving them, whether the number of pieces of currently stored user verification information has reached a set number threshold; identifying the address of the broadcasting mobile terminal after receiving them and judging whether that address lies within a permitted address range; and the like. The stored preset rule may be a single preset rule or a superposition of a plurality of preset rules.
For example, if the set time period is from 0:00 to 12:00 and the public key broadcast by the mobile terminal and the registration identity information encrypted by the private key are received at 8:00, the set time period is satisfied and the authentication server may store them; if the set number threshold is 10000 and the authentication server currently stores 5000 pieces of user verification information, the authentication server can store them; and if the permitted address range is the IP (Internet Protocol) addresses 127.16.0.0 to 172.31.255.255 and the address identified for the broadcasting mobile terminal is 127.16.1.100, the permitted address range is satisfied and the server may store the public key and the registration identity information encrypted with the private key.
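The preset storage rule of Example 3, written out as an added example (not the patent's code). The time period, number threshold and address range are the values given above; `should_store` is the superposition case, in which every rule must hold, and the time period is taken as start-inclusive, end-exclusive (an assumption).

```python
"""Preset storage rule an authentication server applies to a broadcast registration.
Constructed example; the parameter defaults are the values the page gives."""
from datetime import time
import ipaddress


class StorageRule:
    def __init__(self, window=(time(0, 0), time(12, 0)), max_records=10000,
                 allowed_range=("127.16.0.0", "172.31.255.255")):
        self.window = window                    # set time period, [start, end)
        self.max_records = max_records          # set number threshold of stored records
        self.low, self.high = (ipaddress.ip_address(a) for a in allowed_range)

    def in_time_period(self, received_at: time) -> bool:
        """Rule 1: the broadcast was received inside the set time period."""
        return self.window[0] <= received_at < self.window[1]

    def below_threshold(self, stored_count: int) -> bool:
        """Rule 2: the number of stored pieces has not reached the threshold."""
        return stored_count < self.max_records

    def in_address_range(self, sender: str) -> bool:
        """Rule 3: the broadcasting terminal's address lies in the permitted range."""
        return self.low <= ipaddress.ip_address(sender) <= self.high

    def should_store(self, received_at: time, stored_count: int, sender: str) -> bool:
        """Superposition of the three rules: store only when all of them hold."""
        return (self.in_time_period(received_at)
                and self.below_threshold(stored_count)
                and self.in_address_range(sender))
```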
In the embodiment of the invention, the identity authentication information is respectively stored in a plurality of different authentication servers, and the identity authentication information stored in the authentication servers is the identity authentication information encrypted by the private key, so that the identity authentication information stored in the authentication server cannot be acquired even if a certain authentication server is cracked, the identity authentication information of all users in the user authentication system cannot be acquired even if the identity authentication information stored in the authentication server is acquired, and the safety of the user authentication information is ensured to a certain extent.
Example 4:
In order to further improve the security of the user identity authentication information, on the basis of the above embodiments, in the embodiments of the present invention, the at least two authentication servers are further configured to send, to the digital certificate server, an inquiry request for inquiring the validity period of the public key if it is determined that the verification information of the user is locally stored, where the inquiry request carries the identification information of the user; receiving the information of the validity period of the public key of the user returned by the digital certificate server, and if the public key is valid, decrypting the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key; judging whether the decrypted identity authentication information is consistent;
the digital certificate server is also used for receiving an inquiry request for inquiring the validity period of the public key sent by the authentication server and returning the information of the validity period of the inquired public key to the authentication server.
Generally, a public key is used for decrypting the identity authentication information encrypted by a private key, and if the state of the public key exceeds the validity period or is not activated, the identity authentication information cannot be decrypted normally or the identity authentication information is leaked, so that before the identity authentication information is decrypted, whether the public key stored in the authentication server is valid needs to be judged, and if the public key is valid, the authentication server decrypts the identity authentication information.
On the basis of the above embodiment, the user authentication system shown in fig. 4 includes, in addition to the authentication server a, the authentication server B, the authentication server C, and the application server: a digital certificate server.
Specifically, after judging that the verification information of the user is locally stored, the authentication server A and the authentication server C send an inquiry request for inquiring the validity period of the public key to the digital certificate server, wherein the inquiry request carries the identification information of the user; the digital certificate server returns the inquiry result of the validity period of the public key to the authentication server A and the authentication server C, the authentication server A and the authentication server C judge that the public key is valid according to the inquiry result returned by the digital certificate server, the authentication server A and the authentication server C decrypt the received identity authentication information encrypted by the private key and the identity authentication information encrypted by the locally stored private key by adopting the public key, judge whether the decrypted identity authentication information is consistent, and if so, confirm that the user authentication is passed and send authentication confirmation information to the application server.
The at least two authentication servers judge whether the locally stored public key is valid, and if the public key is valid, the public key is adopted to decrypt the received identity authentication information encrypted by the private key and the identity authentication information encrypted by the locally stored private key, so that the security of the user identity authentication information is ensured, and the security of the user identity authentication information is further improved.
Example 5:
On the basis of the foregoing embodiments, in an embodiment of the present invention, the digital certificate server is further configured to receive key update information sent by a mobile terminal, where the key update information carries identification information of a user, update the public key and private key information of the mobile terminal according to the key update information, and send the updated public key and private key information to the mobile terminal.
Generally, the public key is used for decrypting the identity authentication information encrypted by the private key, and if the state of the public key exceeds the validity period or is not activated, the identity authentication information cannot be decrypted normally or the identity authentication information is leaked, so the public key stored in the authentication server should be the public key in the validity period. In order to ensure that the public key in the authentication server is valid, in the embodiment of the invention, the user can send the key updating information to the digital certificate server through the mobile terminal.
The updating of the key by the digital certificate server specifically comprises: and if the digital certificate server receives the key updating information sent by the mobile terminal, regenerating the public key and the private key according to the identification information of the user carried in the key updating information, and sending the regenerated information of the public key and the private key to the mobile terminal. And after receiving the public key and the private key sent by the digital certificate server, the mobile terminal rebroadcasts the updated registration identity information encrypted by the private key and the updated information of the public key to all authentication servers of the identity authentication system.
The authentication server receives the updated registration identity information encrypted by the private key and the updated public key information broadcast by the mobile terminal, judges whether the verification information of the user is stored locally, and if so, updates the identity authentication information and the public key encrypted by the private key in the verification information of the user stored locally by adopting the updated registration identity information encrypted by the private key and the updated public key information.
The digital certificate server in the embodiment of the invention can update the information of the public key and the private key of the user, thereby improving the flexibility of the user identity authentication system.
Example 6:
The user authentication system in the prior art comprises an authorization node, wherein the authorization node determines the authority of a user passing authentication and informs an application server of the authority, and the application server provides corresponding services for the user according to the received authority. Therefore, in the existing user authentication system an authorization node needs to be deployed separately, yet the authorization node only determines the user right, which wastes hardware resources and increases operation expenses.
In order to save hardware resources, on the basis of the above embodiments, in the user authentication system provided by the embodiments of the present invention,
the application server is also used for searching the authority of the user according to the stored authorization list and providing corresponding service for the user according to the authority of the user if the user is determined to pass the authentication.
After receiving authentication confirmation information sent by an authentication server, an application server judges that the user passes authentication if the number of the authentication servers sending the authentication confirmation information reaches a set number threshold value aiming at the user, searches the authority of the user according to an authorization list stored in advance locally, and provides corresponding service for the user according to the searched authority of the user. The number threshold value saved by the application server for different users may be the same or different, and may be set manually according to the permission requirement of the user, and if the permission of the user is higher, the number threshold value may be larger. The application server provides corresponding services to the user according to different user permissions, and if the user permission is higher, more services can be provided to the user.
In the embodiment of the invention, the authorization function is combined into the application server, so that the application server directly provides corresponding services for the user after authorizing the user, the interaction time between an authorization node and the application server is saved, the access speed of the user is improved, and the hardware cost and the operation expense are reduced.
Example 7:
For convenience of later information query by users and managers, on the basis of the embodiments of the present invention, in the user authentication system provided in the embodiment of the present invention:
the application server is also used for broadcasting the access record of the user to an authentication server;
the at least two authentication servers are used for receiving the access records of the users broadcasted by the application server, judging whether verification information of the users is stored locally or not according to the user identification information contained in the access records, and if so, storing the access records aiming at the users.
Fig. 5 is a schematic diagram illustrating an authorization process of the user authentication system according to an embodiment of the present invention, as shown in fig. 5,
the application server receives authentication confirmation information of the user sent by the authentication server A and the authentication server C, the number of the authentication servers sending the authentication confirmation information for the user is 2, and when the number reaches a set number threshold value of 2, the application server determines that the user passes the authentication, and provides corresponding services for the user according to an authorization list stored locally and the authority of the user. The user accesses according to the service provided by the application server.
The application server records the access record of the user, broadcasts the access record of the user to the authentication server A, the authentication server B and the authentication server C, and after the three authentication servers receive the access record of the user broadcasted by the application server, judges whether the verification information of the user is stored locally or not according to the user identification information contained in the access record. The application server can send the access record of the user while the user accesses the application server, and can also send the access record of the user after the user completes all accesses, and the specific sending time of the access record can be flexibly set according to needs.
Authentication server B judges, according to the user identification information contained in the access record, that the verification information of the user is not stored locally, and discards the access record.
Authentication server A and authentication server C judge, according to the user identification information contained in the access record, that the verification information of the user is locally stored, and store the access record for the user.
In the embodiment of the invention, the access record of the user is stored in the authentication server, so that later information query by the user and an administrator is facilitated. Since at least two authentication servers store the access records of the user according to the identification information of the user, even if a certain authentication server is cracked and the access records of the user on that server are tampered with, the access records of the user on every authentication server cannot all be tampered with; this ensures the privacy and safety of the user and raises the difficulty of tampering with the access records to a certain extent.
Example 8:
An embodiment of the present invention provides a user authentication method applied to any one of the authentication servers in the foregoing embodiments, and fig. 6 is a schematic diagram illustrating that the user authentication method provided in the embodiment of the present invention is applied to an authentication server, where the method includes the following steps:
S601: receiving the identity authentication information broadcast by the mobile terminal.
The user authentication method provided by the embodiment of the invention is applied to the authentication servers in the user authentication system, and the user authentication system comprises at least two authentication servers.
Because at least two authentication servers are deployed in the user authentication system, the mobile terminal broadcasts the identity authentication information of the user in a broadcast manner in order to send the identity authentication information to each authentication server, wherein the identity authentication information carries the identification information of the user, and the identification information of the user can be a login account of the user, and can be the information of the user, such as a mobile phone number of the user, which uniquely identifies the user.
S602: judging whether verification information of the user is stored locally according to the identification information of the user carried in the identity authentication information.
at least two authentication servers are deployed in the user authentication system, for example, the number of the authentication servers may be 2, 3, 5, and the like, each authentication server stores verification information of a user, and the verification information is stored for each user, where the verification information of a user may be registration identity information of the user, or identity information that is generated or encrypted according to an algorithm and includes user identification information, and the like.
The user verification information stored in each authentication server may be completely the same, may be completely different, or may be partially the same.
S603: if so, authenticating the user according to the verification information and the identity authentication information; and if the authentication is passed, sending authentication confirmation information to an application server, so that the application server determines whether the number of the authentication servers sending the authentication confirmation information reaches a set number threshold value aiming at the user, and if so, determining that the user passes the authentication and providing corresponding services for the user.
The verification information of the users stored in each authentication server may be completely the same, may be completely different, or may be partially the same, for example, there are 5 users, which are respectively user a, user B, user C, user D, and user E, and there are 3 authentication servers, which are respectively authentication server 1, authentication server 2, and authentication server 3, where the verification information of user a, user B, user C, and user D is stored in authentication server 1, the verification information of user a, user B, user C, and user E is stored in authentication server 2, and the verification information of user B, user C, user D, and user E is stored in authentication server 3.
Specifically, the authentication server stores the verification information of the user for each user, the identification information of the user and the identity authentication information of the user are stored in the verification information, when the authentication server receives the identity authentication information broadcasted by the mobile terminal, whether the verification information of the user is locally stored is judged according to the identification information of the user carried in the identity authentication information, if yes, whether the identity authentication information is consistent with the verification information of the locally stored user is judged, and if yes, the authentication server determines that the user passes the authentication.
The verification information and the identity authentication information may be plaintext information, or both may be encrypted by the same algorithm. The number threshold value stored by the application server for different users may be the same or different, and may be set manually according to the number of authentication servers deployed in the user authentication system and the user's authority: if the user's authority is higher, the number threshold value may be larger, and if the number of authentication servers deployed in the user authentication system is larger, the number threshold value may also be larger.
The user authentication system provided by the embodiment of the invention comprises at least two authentication servers, each authentication server stores corresponding user verification information, and each authentication server authenticates a corresponding user, so that the load of each authentication server is effectively reduced, and the problem of bottleneck in processing of the authentication server is solved.
Example 9:
In the prior art, the authentication information of all users is stored in the account management node in plaintext form; if the account management node is cracked, all the user authentication information in the user authentication system is revealed, which greatly reduces the safety of the user authentication information. On the basis of the above embodiments, in the embodiments of the present invention,
the identity authentication information broadcasted by the mobile terminal is the identity authentication information encrypted by the private key, and each identity authentication information encrypted by the private key is locally stored in the authentication server;
the authenticating the user according to the verification information and the identity authentication information comprises:
identifying a public key in the verification information, and decrypting the identity authentication information encrypted by the private key in the locally stored verification information and the received identity authentication information encrypted by the private key by using the public key;
judging whether the decrypted identity authentication information is consistent.
In the embodiment of the invention, each authentication server stores a large amount of user verification information, and each piece of verification information comprises the identification information of the user, the identity authentication information encrypted by a private key, and the corresponding public key. The user verification information stored in each authentication server may be the same or different.
Further, as in the example above, there are 5 users, namely user A, user B, user C, user D and user E, and 3 authentication servers, namely authentication server 1, authentication server 2 and authentication server 3, where authentication server 1 stores the verification information of user A, user B, user C and user D, authentication server 2 stores the verification information of user A, user B, user C and user E, and authentication server 3 stores the verification information of user B, user C, user D and user E; the verification information consists of the identity authentication information encrypted by the private key together with the public key corresponding to it.
If user A broadcasts, through the mobile terminal, the identity authentication information encrypted with the private key, then authentication server 1, authentication server 2 and authentication server 3 all receive it. The encrypted identity authentication information carries the identification information of user A, which is unencrypted. Each of the three authentication servers checks the verification information it stores locally, and authentication server 1 and authentication server 2 determine that the verification information of user A is locally stored. Authentication server 1 and authentication server 2 identify the public key in the verification information stored locally for user A, use that public key to decrypt both the received identity authentication information broadcast by the mobile terminal and the locally stored identity authentication information encrypted by the private key, and judge whether the two decrypted results are consistent. Authentication server 1 and authentication server 2 find them consistent, confirm that the user authentication passes, and send authentication confirmation information to the application server.
Decrypting information encrypted by a private key with the corresponding public key belongs to the prior art and is not described again in this embodiment. In standard cryptographic terms, this "encrypt with the private key, decrypt with the public key" step is the generation and verification of a digital signature over the identity authentication information.
In this embodiment, the identity authentication information is stored on a plurality of different authentication servers, and what each authentication server stores is the identity authentication information encrypted by the private key rather than the plaintext. Even if one authentication server is cracked, the identity authentication information it stores is not exposed in plaintext, and even if the information stored on that server is obtained, it covers only the users assigned to that server rather than all users of the user authentication system, which ensures the security of the user authentication information to a certain extent.
Example 10:
In order to improve the security of the user authentication information, on the basis of the above embodiments, in this embodiment of the invention the process of pre-storing the identity authentication information encrypted by the private key includes:
receiving and storing the public key and the private-key-encrypted registration identity information sent by the mobile terminal, where the mobile terminal first sends the registration identity information to the digital certificate server, receives the public key and the private key issued by the digital certificate server, and then encrypts the registration identity information with the private key before sending it.
In order to improve the security of the user authentication information, the user authentication system uses a private key and a public key to encrypt and decrypt user information; the public key and the private key are generated by a digital certificate server.
The registration process is as follows. The user sends registration identity information to the digital certificate server through the mobile terminal; the registration identity information carries the user's identification information and login password information. The digital certificate server generates a public key and a private key according to the registration identity information and sends them to the mobile terminal. The registration identity information may be sent in plaintext or may be generated from the plaintext by a preset algorithm, for example a hash algorithm; the public key and private key generated by the digital certificate server differ for the registration identity information of different users.
The process of generating the public key and the private key by the digital certificate server according to the registration identity information belongs to the prior art, and the process is not described in detail in the embodiment of the invention.
The mobile terminal receives the public key and private key sent by the digital certificate server and broadcasts the public key, together with the registration identity information encrypted by the private key, to the authentication servers.
Specifically, each authentication server receives the public key and the private-key-encrypted registration identity information broadcast by the mobile terminal and judges, according to a preset rule it stores, whether to store them. If the received public key and encrypted registration identity information satisfy the authentication server's preset rule, the authentication server stores them. The preset rules stored by the individual authentication servers may be the same or different.
The preset rule by which an authentication server decides whether to store the public key and the private-key-encrypted registration identity information may be of several kinds: it may judge whether the time at which the broadcast was received falls within a set time period; it may judge, after receiving the broadcast, whether the number of pieces of user verification information it currently stores has reached a set number threshold; or it may identify the address of the broadcasting mobile terminal and judge whether that address lies within an allowed address range. The stored preset rule may be a single rule or a combination of several such rules.
For example, if the set time period is from 0:00 to 12:00 and the public key and encrypted registration identity information are received at 08:00, the time period is satisfied and the authentication server may store them. If the set number threshold is 10000 and the authentication server currently stores 5000 pieces of user verification information, the threshold has not been reached and the authentication server may store them. If the allowed address range is the IP (Internet Protocol) address range 172.16.0.0 to 172.31.255.255 (the 172.16.0.0/12 private range) and the address of the broadcasting mobile terminal is identified as 172.16.1.100, the allowed address range is satisfied and the authentication server may store them.
The security benefit is as described for the preceding embodiment: each authentication server stores only the private-key-encrypted identity authentication information of its own subset of users, so cracking one authentication server does not expose the identity authentication information of all users of the user authentication system.
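The registration flow and the preset storage rules of this embodiment, as an added worked example in Python (this is not code from the patent): a stand-in digital certificate server issues a distinct textbook RSA key pair per registration from a small constructed prime table, the mobile terminal hashes the registration identity information, encrypts it with the private key and broadcasts it with the public key, and each authentication server applies one of the three rule types (time period, record count, address range) before storing. The prime table, the assignment of one rule to each of three servers, the hour-granularity time check and the use of tiny unpadded RSA are assumptions made for illustration only.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed prime table so the stand-in certificate server can build tiny
# textbook RSA pairs; each registration consumes two primes.  Illustration only.
PRIME_POOL = [1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061]
PUBLIC_EXPONENT = 65537   # prime and larger than every p-1, q-1 here, so always invertible mod phi


class DigitalCertificateServer:
    """Stand-in for the digital certificate server: one fresh key pair per registration."""

    def __init__(self):
        self.issued = 0

    def generate_key_pair(self, registration_info: bytes):
        # registration_info is accepted for parity with the text; the toy pair does not depend on it
        if 2 * self.issued + 1 >= len(PRIME_POOL):
            raise RuntimeError("constructed prime table exhausted")
        p, q = PRIME_POOL[2 * self.issued], PRIME_POOL[2 * self.issued + 1]
        self.issued += 1
        n, phi = p * q, (p - 1) * (q - 1)
        d = pow(PUBLIC_EXPONENT, -1, phi)          # modular inverse, Python 3.8+
        return (n, PUBLIC_EXPONENT), (n, d)        # (public key, private key)


def encrypt_with_private_key(info: bytes, private_key) -> int:
    """'Registration identity information encrypted by the private key': raw RSA on info mod n."""
    n, d = private_key
    return pow(int.from_bytes(info, "big") % n, d, n)


@dataclass
class PresetRule:
    """Storage rule of one server; a field left as None is not applied, so rules can be superposed."""
    time_period: Optional[tuple] = None        # (start_hour, end_hour), e.g. (0, 12)
    max_records: Optional[int] = None          # e.g. 10000
    address_range: Optional[tuple] = None      # (first, last) IPv4 addresses, inclusive

    def allows(self, hour: int, stored_count: int, source_ip: str) -> bool:
        if self.time_period is not None and not (self.time_period[0] <= hour < self.time_period[1]):
            return False
        if self.max_records is not None and stored_count >= self.max_records:
            return False
        if self.address_range is not None:
            first, last = (ipaddress.IPv4Address(a) for a in self.address_range)
            if not first <= ipaddress.IPv4Address(source_ip) <= last:
                return False
        return True


@dataclass
class AuthenticationServer:
    name: str
    rule: PresetRule
    store: dict = field(default_factory=dict)   # user id -> (public key, encrypted registration info)

    def on_registration_broadcast(self, user_id, public_key, enc_info, hour, source_ip) -> bool:
        """Store the broadcast verification information only if the preset rule allows it."""
        if not self.rule.allows(hour, len(self.store), source_ip):
            return False
        self.store[user_id] = (public_key, enc_info)
        return True


def build_servers():
    """Three servers, each carrying one of the example rule values (assumed assignment)."""
    return [
        AuthenticationServer("1", PresetRule(time_period=(0, 12))),
        AuthenticationServer("2", PresetRule(max_records=10000)),
        AuthenticationServer("3", PresetRule(address_range=("172.16.0.0", "172.31.255.255"))),
    ]


def register_user(user_id, password, cert_server, servers, hour, source_ip):
    """Mobile terminal side of registration; returns the names of the servers that stored the user."""
    # registration identity information produced by the 'preset algorithm' (a hash) from id + password
    registration_info = hashlib.sha256(f"{user_id}:{password}".encode()).digest()
    public_key, private_key = cert_server.generate_key_pair(registration_info)
    enc_info = encrypt_with_private_key(registration_info, private_key)
    return [s.name for s in servers
            if s.on_registration_broadcast(user_id, public_key, enc_info, hour, source_ip)]


def stored_info_matches(server, user_id, password) -> bool:
    """Check a practitioner would run after registration: the stored blob, decrypted with the
    stored public key, must equal the hash of the user's id and password."""
    (n, e), enc_info = server.store[user_id]
    expected = int.from_bytes(hashlib.sha256(f"{user_id}:{password}".encode()).digest(), "big") % n
    return pow(enc_info, e, n) == expected


if __name__ == "__main__":
    cert, servers = DigitalCertificateServer(), build_servers()
    print(register_user("A", "pw-a", cert, servers, hour=8, source_ip="172.16.1.100"))   # ['1', '2', '3']
    print(register_user("B", "pw-b", cert, servers, hour=20, source_ip="10.0.0.5"))      # ['2']
```

A registration at 08:00 from 172.16.1.100 satisfies all three servers' rules; one at 20:00 from an address outside the range is kept only by the server whose rule is the record-count threshold. Superposing rules is a matter of setting more than one field on a single `PresetRule`.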
Example 11:
In order to further improve the security of the user identity authentication information, on the basis of the foregoing embodiments, in this embodiment of the present invention the authenticating of the user according to the verification information and the identity authentication information includes:
sending an inquiry request for inquiring the validity period of a public key to the digital certificate server, wherein the inquiry request carries the identification information of the user;
receiving the information of the validity period of the public key of the user returned by the digital certificate server;
if the public key is valid, decrypting the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key;
and judging whether the decrypted identity authentication information is consistent with the identity authentication information.
In general, the public key is used to decrypt the identity authentication information encrypted by the private key. If the public key has passed its validity period or has not been activated, the identity authentication information cannot be decrypted normally, or the identity authentication information may be leaked. Therefore, before the identity authentication information is decrypted, the authentication server first determines whether the public key it stores for the user is valid, and decrypts only if it is. Decrypting the received and the locally stored private-key-encrypted identity authentication information with the public key belongs to the prior art and is not described again in this embodiment.
Each of the at least two authentication servers judges whether the locally stored public key is valid and, only if it is, uses the public key to decrypt the received and the locally stored private-key-encrypted identity authentication information, which further improves the security of the user identity authentication information.
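The authentication-server side of the five-user, three-server example above, extended with the validity-period check of this embodiment, as an added worked example in Python (not code from the patent): each server ignores users it does not store, asks a stand-in digital certificate server whether the user's public key is within its validity period, decrypts both the received blob and the stored blob with the public key, and confirms only if the two decrypted values agree. The two toy RSA key pairs (p=61, q=53 and p=47, q=59), their assignment to users, the integer validity timestamps and the composition of the identity authentication information are assumptions for illustration; real deployments use a proper signature scheme with full-size keys.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed toy RSA key pairs (textbook RSA, tiny primes, no padding), only so that
# "encrypt with the private key / decrypt with the public key" is executable.
# Pair k1: p=61, q=53 -> n=3233, e=17, d=2753.   Pair k2: p=47, q=59 -> n=2773, e=17, d=157.
TOY_KEYS = {"k1": (3233, 17, 2753), "k2": (2773, 17, 157)}      # key id -> (n, e, d)
# Assumed assignment of key pairs to users (the text only says each user's pair differs).
USER_KEY = {"A": "k1", "B": "k2", "C": "k1", "D": "k2", "E": "k1"}


def digest_mod_n(message: bytes, n: int) -> int:
    """Map the identity information into Z_n via SHA-256 so the toy modulus can carry it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def encrypt_with_private_key(message: bytes, n: int, d: int) -> int:
    """'Identity authentication information encrypted by the private key': raw RSA over its digest."""
    return pow(digest_mod_n(message, n), d, n)


def decrypt_with_public_key(blob: int, n: int, e: int) -> int:
    """Recover the digest from the private-key-encrypted blob using the public key."""
    return pow(blob, e, n)


def identity_info(user_id: str) -> bytes:
    """Constructed identity authentication information: identifier plus login password."""
    return f"{user_id}:password-of-{user_id}".encode()


def private_key_of(user_id: str):
    n, _, d = TOY_KEYS[USER_KEY[user_id]]
    return n, d


@dataclass
class VerificationInfo:
    public_key: tuple          # (n, e)
    enc_identity: int          # registration identity information encrypted by the private key


@dataclass
class DigitalCertificateServer:
    """Answers the public-key validity-period query of this embodiment."""
    validity: dict             # user id -> (valid_from, valid_until), integer timestamps

    def public_key_valid(self, user_id: str, now: int) -> bool:
        valid_from, valid_until = self.validity.get(user_id, (0, -1))
        return valid_from <= now <= valid_until


@dataclass
class AuthenticationServer:
    name: str
    cert_server: DigitalCertificateServer
    store: dict = field(default_factory=dict)        # user id -> VerificationInfo

    def register(self, user_id: str):
        n, e, d = TOY_KEYS[USER_KEY[user_id]]
        self.store[user_id] = VerificationInfo((n, e), encrypt_with_private_key(identity_info(user_id), n, d))

    def on_broadcast(self, user_id: str, enc_identity: int, now: int):
        """Handle one broadcast message; return the authentication confirmation or None."""
        info = self.store.get(user_id)
        if info is None:                                          # not this server's user
            return None
        if not self.cert_server.public_key_valid(user_id, now):   # validity-period check
            return None
        n, e = info.public_key
        received = decrypt_with_public_key(enc_identity, n, e)
        stored = decrypt_with_public_key(info.enc_identity, n, e)
        if received != stored:                                    # decrypted results not consistent
            return None
        return {"server": self.name, "user": user_id, "authenticated": True}


def build_example_system(cert_server):
    """The layout of the example: three servers, each holding four of the five users."""
    layout = {"1": "ABCD", "2": "ABCE", "3": "BCDE"}
    servers = []
    for name, users in layout.items():
        server = AuthenticationServer(name, cert_server)
        for user_id in users:
            server.register(user_id)
        servers.append(server)
    return servers


def broadcast(servers, user_id: str, enc_identity: int, now: int):
    """The mobile terminal's broadcast reaches every server; return the names of those that confirm."""
    return [s.name for s in servers if s.on_broadcast(user_id, enc_identity, now) is not None]


if __name__ == "__main__":
    cert = DigitalCertificateServer({u: (0, 10_000) for u in "ABCDE"})
    servers = build_example_system(cert)
    n, d = private_key_of("A")
    print(broadcast(servers, "A", encrypt_with_private_key(identity_info("A"), n, d), now=500))   # ['1', '2']
```

User A's broadcast is confirmed by servers 1 and 2 only, user E's by servers 2 and 3; a corrupted blob or an expired validity period yields no confirmation at all. Note that the broadcast value is a deterministic function of the registration identity information, so the equality check reproduced here is the one the text describes and does not by itself give each authentication attempt freshness.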
Example 12:
In order to facilitate later information queries by the user and the administrator, on the basis of the above embodiments, the method further includes:
receiving an access record of a user broadcasted by the application server;
judging whether verification information of the user is stored locally or not according to the identification information of the user contained in the access record;
if so, saving the access record for the user.
Fig. 5 is a schematic diagram of the authorization process of the user authentication system according to an embodiment of the present invention. As shown in Fig. 5:
the application server receives authentication confirmation information for the user from authentication server A and authentication server C. The number of authentication servers that sent authentication confirmation information for this user is 2; when this number reaches the set number threshold of 2, the application server determines that the user passes authentication and provides the corresponding service to the user according to the locally stored authorization list and the user's authority. The user then accesses the service provided by the application server.
The application server records the user's access record and broadcasts it to authentication servers A, B and C. After receiving the access record broadcast by the application server, each of the three authentication servers judges, according to the user identification information contained in the access record, whether it stores verification information for the user locally. The application server may send the access record while the user is accessing the application server or after the user has completed all accesses; the time at which the access record is sent can be set flexibly as needed.
And the authentication server B judges that the verification information of the user is not stored locally according to the user identification information contained in the access record, and discards the access record.
And the authentication server A and the authentication server C judge that the verification information of the user is locally stored according to the user identification information contained in the access record, and then store the access record aiming at the user.
In this embodiment, the user's access record is stored on the authentication servers, which facilitates later information queries by the user and the administrator. Because at least two authentication servers, selected according to the user's identification information, store the access record of a user, if one authentication server is cracked and the user's access record on that server is tampered with, the copies of the access record on the other authentication servers are not affected. This protects the user's privacy and security and, to a certain extent, raises the difficulty of tampering with access records.
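The access-record broadcast of this embodiment, as an added worked example in Python (not code from the patent): each authentication server keeps a record only for a user whose verification information it stores and discards the rest, and an administrator-side cross-check compares the copies held by the different servers so that a copy tampered with on one cracked server stands out against the others. The five-user, three-server layout of the earlier example, the record fields and the majority rule of the cross-check are assumptions for illustration.

```python
import hashlib
import json
from collections import Counter


def record_digest(record: dict) -> str:
    """Canonical digest of one access record so copies on different servers can be compared."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuthenticationServer:
    def __init__(self, name: str, users):
        self.name = name
        self.users = set(users)          # users whose verification information this server stores
        self.access_records = {}         # user id -> list of stored access records

    def on_access_record(self, record: dict) -> bool:
        """Keep the record only for a user whose verification information is held locally;
        otherwise discard it, as authentication server B does in the text."""
        user = record["user"]
        if user not in self.users:
            return False
        self.access_records.setdefault(user, []).append(dict(record))   # this server's own copy
        return True


def build_example_servers():
    """The five-user, three-server layout of the earlier example (assumed to apply here too)."""
    return [AuthenticationServer(n, u) for n, u in {"1": "ABCD", "2": "ABCE", "3": "BCDE"}.items()]


def broadcast_access_record(servers, record: dict):
    """Application-server side: broadcast to every server; return the names of those that stored it."""
    return [s.name for s in servers if s.on_access_record(record)]


def cross_check(servers, user: str):
    """Compare the copies of a user's records held by the servers that store that user.
    Returns the names of servers whose copy disagrees with the majority; if there is no strict
    majority, every holder is returned because the honest copy cannot be identified."""
    copies = {s.name: tuple(record_digest(r) for r in s.access_records.get(user, []))
              for s in servers if user in s.users}
    if not copies:
        return []
    majority, count = Counter(copies.values()).most_common(1)[0]
    if 2 * count <= len(copies):
        return sorted(copies)
    return sorted(name for name, copy in copies.items() if copy != majority)


if __name__ == "__main__":
    servers = build_example_servers()
    # constructed access record
    print(broadcast_access_record(servers, {"user": "B", "service": "mail", "time": 1000}))   # ['1', '2', '3']
    servers[1].access_records["B"][0]["service"] = "admin-console"    # tamper with server 2's copy
    print(cross_check(servers, "B"))                                  # ['2']
```

With three holders, one altered copy is identified by majority; with only two holders the check can still detect disagreement but cannot say which copy is genuine, which is why `cross_check` then returns both names.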
Example 13:
An embodiment of the present invention provides a user authentication method applied to any application server of the foregoing embodiments. Fig. 7 is a schematic diagram of the user authentication method provided by this embodiment as applied to an application server, and the method includes the following steps:
S701: receiving authentication confirmation information sent by at least two authentication servers, where each authentication server sends the authentication confirmation information after receiving the identity authentication information broadcast by the mobile terminal, judging from the user identification information carried in the identity authentication information that it stores verification information for the user locally, and authenticating the user successfully according to the verification information and the identity authentication information;
the user authentication method provided by the embodiment of the invention is applied to an application server in a user authentication system, and the user authentication system comprises the application server and at least two authentication servers. Because at least two authentication servers are deployed in the user authentication system, the user broadcasts the identity authentication information of the user in a broadcast manner in order to send the identity authentication information to each authentication server through the mobile terminal, wherein the number of the authentication servers can be 2, 3, 5 and the like.
And the authentication server authenticates the user according to the verification information, the identity authentication information and the locally stored verification information of the user, and if the user passes the authentication, the authentication server sends authentication confirmation information to the application server.
S702: judging whether the number of authentication servers that have sent authentication confirmation information for the user reaches a set number threshold;
The number threshold stored by the application server may be the same or different for different users and may be set manually according to the number of authentication servers deployed in the user authentication system and the user's authority: the higher the user's authority, the larger the number threshold may be, and the more authentication servers deployed, the larger the number threshold may be.
S703: if so, determining that the user passes the authentication, and providing corresponding service for the user.
The application server provides different services according to the user's authority: the higher the authority, the more application services the user can access. Since the mobile terminal broadcasts the identity authentication information to every authentication server and the time each authentication server takes to authenticate does not differ greatly, the application server can start a timer when it receives authentication confirmation information from the first authentication server and judge whether the number of authentication servers whose authentication confirmation information arrives within a set time length reaches the set number threshold. If so, the user passes authentication; otherwise the user does not pass, and the application server deletes the authentication confirmation information collected for that user.
The user authentication system provided by the embodiment of the invention comprises at least two authentication servers, each authentication server stores corresponding user verification information, and each authentication server authenticates a corresponding user, so that the load of each authentication server is effectively reduced, and the problem of bottleneck in processing of the authentication server is solved.
Example 14:
The user authentication system in the prior art comprises an authorization node, which determines the authority of a user who has passed authentication and informs the application server of that authority; the application server then provides the corresponding service according to the received authority. In the existing user authentication system, therefore, an authorization node must be deployed separately even though it only determines the user's authority, which wastes hardware resources and increases operating expense.
In order to save hardware resources, on the basis of the foregoing embodiments, in this embodiment of the present invention the providing of the corresponding service to the user includes:
searching the authority of the user according to the stored authorization list;
and providing corresponding service for the user according to the user authority.
The authority of each user and the services the application server can provide to that user can be set manually; the application server provides different services according to the user's authority, and a user with higher authority can be provided with more services.
After receiving authentication confirmation information from the authentication servers, the application server determines that the user passes authentication if the number of authentication servers that sent authentication confirmation information for the user reaches the set number threshold, looks up the user's authority in the authorization list stored locally in advance, and provides the corresponding service according to that authority. The number threshold stored by the application server may be the same or different for different users and may be set manually according to the user's authority requirement: the higher the user's authority, the larger the threshold may be.
In the embodiment of the invention, the authorization function is combined into the application server, so that the application server directly provides corresponding services for the user after authorizing the user, the interaction time between an authorization node and the application server is saved, the access speed of the user is improved, and the hardware cost and the operation expense are reduced.
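The application-server side of steps S701 to S703 together with the authorization-list lookup of this embodiment, as an added worked example in Python (not code from the patent): confirmations are counted per user as a set of distinct authentication servers so that two messages from the same server count once, a timer started at the first confirmation bounds how long the count is kept, and once the per-user threshold is reached the user's authority is read from the application server's own authorization list. The threshold values, the window length, the use of a caller-supplied clock and the service names are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ApplicationServer:
    thresholds: dict                      # user id -> confirmations required (per-user, as in S702)
    authorization_list: dict              # user id -> set of services the user's authority allows
    default_threshold: int = 2
    window_seconds: float = 5.0           # set time length, counted from the first confirmation
    pending: dict = field(default_factory=dict)   # user id -> (first_seen, set of server names)

    def threshold_for(self, user_id: str) -> int:
        return self.thresholds.get(user_id, self.default_threshold)

    def on_confirmation(self, server_name: str, user_id: str, now: float):
        """S701-S703 for one arriving authentication confirmation.  Returns the services provided
        once enough distinct servers have confirmed within the window, otherwise None."""
        first_seen, servers = self.pending.get(user_id, (now, set()))
        if now - first_seen > self.window_seconds:
            # the set time length elapsed without reaching the threshold: discard what was collected
            first_seen, servers = now, set()
        servers.add(server_name)          # the count is of servers, so repeats from one server count once
        self.pending[user_id] = (first_seen, servers)
        if len(servers) < self.threshold_for(user_id):
            return None
        del self.pending[user_id]         # authentication complete; nothing left to time out
        return self.provide_service(user_id)

    def provide_service(self, user_id: str):
        """Authority comes from the application server's own authorization list, not a separate node."""
        return sorted(self.authorization_list.get(user_id, set()))


if __name__ == "__main__":
    # constructed thresholds and authorization list
    app = ApplicationServer(thresholds={"admin": 3},
                            authorization_list={"A": {"mail", "files"}, "admin": {"mail", "files", "config"}})
    print(app.on_confirmation("1", "A", now=0.0))    # None: one server so far
    print(app.on_confirmation("2", "A", now=0.2))    # ['files', 'mail']: threshold of 2 reached
```

A user with higher authority can be given a higher threshold (here "admin" needs three confirmations), and a confirmation that arrives after the window has elapsed restarts the count rather than completing a stale one.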
Example 15:
For the convenience of later information queries by the user and the administrator, on the basis of the above embodiments of the present invention, the method provided by the invention further includes:
broadcasting the access record of the user to an authentication server.
The flow is the one illustrated in Fig. 5 and described in Example 12. After determining from the authentication confirmation information of authentication server A and authentication server C that the set number threshold of 2 is reached, the application server provides the user with the corresponding service according to the locally stored authorization list and the user's authority, records the user's access, and broadcasts the access record to authentication servers A, B and C, either while the user is accessing the application server or after all accesses are complete, as needed. Each authentication server judges from the user identification information contained in the access record whether it stores verification information for the user: authentication server B, which does not, discards the record, while authentication servers A and C store it for the user.
Storing the access record on at least two authentication servers facilitates later queries by the user and the administrator, and tampering with the copy on one cracked authentication server does not alter the copies on the other authentication servers, which protects the user's privacy and security and raises the difficulty of tampering with access records to a certain extent.
Fig. 8 is a structural diagram of a user authentication device applied to an authentication server according to an embodiment of the present invention. The device is applied to an authentication server in a user authentication system comprising at least two authentication servers, and includes:
a receiving module 81, configured to receive identity authentication information broadcast by the mobile terminal;
a judging module 82, configured to judge whether verification information of the user is stored locally according to user identification information carried in the identity authentication information; if yes, triggering an authentication module;
the authentication module 83 is configured to authenticate the user according to the verification information and the identity authentication information; if the authentication is passed, triggering a sending module;
a sending module 84, configured to send authentication confirmation information to the application server, so that the application server judges whether the number of authentication servers that have sent authentication confirmation information for the user reaches a set number threshold and, if so, determines that the user passes authentication and provides the corresponding service to the user.
The authentication module 83 includes:
a decryption unit 833, configured to identify a public key in the verification information, and decrypt, using the public key, the identity authentication information encrypted by the private key in the locally stored verification information and the received identity authentication information encrypted by the private key;
a judging unit 834, configured to judge whether the decrypted identity authentication information is consistent.
The device further comprises:
a storage module 85, configured to receive and store the public key and the private-key-encrypted registration identity information sent by the mobile terminal, where the mobile terminal first sent the registration identity information to the digital certificate server, received the public key and the private key from the digital certificate server, and then encrypted the registration identity information with the private key before sending it.
The authentication module 83 further includes:
a sending unit 831, configured to send an inquiry request for inquiring the validity period of a public key to the digital certificate server, where the inquiry request carries identification information of the user;
a receiving unit 832, configured to receive the information on the validity period of the user's public key returned by the digital certificate server;
the decrypting unit 833 is further configured to decrypt, if the public key is valid, the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key;
the judging unit 834 is further configured to judge whether the decrypted identity authentication information is consistent.
The receiving module 81 is further configured to receive an access record of the user broadcasted by the application server;
the judging module 82 is further configured to judge whether the verification information of the user is stored locally according to the identification information of the user included in the access record, and if so, trigger the storage module;
the storage module 85 is further configured to save the access record for the user.
Fig. 9 is a structural diagram of a user authentication device applied to an application server according to an embodiment of the present invention, where the device includes:
a receiving module 91, configured to receive authentication confirmation information sent by at least two authentication servers, where each authentication server sends the authentication confirmation information after receiving the identity authentication information broadcast by the mobile terminal, determining from the user identification information carried in the identity authentication information that verification information for the user is stored locally, and authenticating the user successfully according to the verification information and the identity authentication information;
a judging module 92, configured to judge whether the number of authentication servers that send authentication confirmation information reaches a set number threshold for the user; if yes, triggering a service providing module;
and a service providing module 93, configured to determine that the user is authenticated, and provide a corresponding service to the user.
The service providing module 93 includes:
a searching unit 931, configured to search the authority of the user according to the stored authorization list;
a service providing unit 932, configured to provide a corresponding service to the user according to the user's right.
The device further comprises:
a sending module 94, configured to broadcast the access record of the user to the authentication servers.
The invention provides a user authentication method, a device and a system, wherein the system comprises the following steps: an application server and at least two authentication servers; the at least two authentication servers are used for receiving identity authentication information broadcasted by the mobile terminal, judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information, if so, authenticating the user according to the verification information and the identity authentication information, and if the authentication is passed, sending authentication confirmation information to the application server; the application server is used for receiving authentication confirmation information sent by the authentication server, judging whether the number of the authentication servers sending the authentication confirmation information for the user reaches a set number threshold value, and if so, determining that the user passes authentication and providing corresponding services for the user. The user authentication system comprises at least two authentication servers, each authentication server stores corresponding user verification information, and each authentication server authenticates a corresponding user, so that the load of each authentication server is effectively reduced, and the problem of bottleneck in processing of the authentication servers is solved.
For the system/apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (23)

1. A user authentication system, characterized in that the user authentication system comprises: an application server and at least two authentication servers; wherein,
the at least two authentication servers are used for receiving identity authentication information broadcasted by the mobile terminal, judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information, if so, authenticating the user according to the verification information and the identity authentication information, and if the authentication is passed, sending authentication confirmation information to the application server;
the application server is used for receiving authentication confirmation information sent by the authentication server, judging whether the number of the authentication servers sending the authentication confirmation information for the user reaches a set number threshold value, and if so, determining that the user passes authentication and providing corresponding services for the user.
2. The system according to claim 1, wherein the at least two authentication servers are specifically configured to receive identity authentication information encrypted by a private key broadcasted by a mobile terminal, determine whether the identity authentication information encrypted by the private key of the user is locally stored, if so, decrypt the locally stored identity authentication information encrypted by the private key of the user and the received identity authentication information encrypted by the private key by using a public key stored for the user, determine whether the decrypted identity authentication information is consistent, and if so, confirm that the user authentication passes.
3. The system of claim 2, wherein the system further comprises:
the digital certificate server is used for receiving registration identity information sent by the mobile terminal, wherein the registration identity information carries identification information of a user, generating a public key and a private key according to the registration identity information, and sending the information of the public key and the private key to the mobile terminal;
the at least two authentication servers are further configured to receive a public key sent by the mobile terminal and registration identity information encrypted by the private key, store the registration identity information as identity authentication information, and store the public key for the identity authentication information.
4. The system according to claim 3, wherein the at least two authentication servers are further configured to send an inquiry request for inquiring a validity period of a public key to the digital certificate server if it is determined that the verification information of the user is stored locally, where the inquiry request carries the identification information of the user; receiving the information of the validity period of the public key of the user returned by the digital certificate server, and if the public key is valid, decrypting the received identity authentication information encrypted by the private key and the identity authentication information encrypted by the locally stored private key by using the public key; judging whether the decrypted identity authentication information is consistent;
the digital certificate server is also used for receiving an inquiry request for inquiring the validity period of the public key sent by the authentication server and returning the information of the validity period of the inquired public key to the authentication server.
5. The system of claim 3, wherein the digital certificate server is further configured to receive key update information sent by a mobile terminal, where the key update information carries identification information of a user, update the public key and the private key of the user according to the key update information, and send the updated information of the public key and the private key to the mobile terminal.
6. The system of claim 1, wherein the application server is further configured to search the user's right according to the stored authorization list if it is determined that the user is authenticated, and provide a corresponding service to the user according to the user's right.
7. The system of claim 1, wherein the application server is further configured to broadcast the access record of the user to an authentication server;
the at least two authentication servers are used for receiving the access records of the users broadcasted by the application server, judging whether verification information of the users is stored locally or not according to the identification information of the users contained in the access records, and if so, storing the access records aiming at the users.
8. A user authentication method applied to an authentication server in a user authentication system according to any one of claims 1 to 7, the user authentication system including at least two authentication servers, the method comprising:
receiving identity authentication information broadcast by a mobile terminal;
judging whether verification information of the user is stored locally or not according to identification information of the user carried in the identity authentication information;
if so, authenticating the user according to the verification information and the identity authentication information; and if the authentication is passed, sending authentication confirmation information to an application server, so that the application server judges, for the user, whether the number of authentication servers that have sent authentication confirmation information reaches a set number threshold, and if so determines that the user passes authentication and provides corresponding services for the user.
9. The method according to claim 8, wherein the identity authentication information broadcast by the mobile terminal is the identity authentication information encrypted by a private key, and the authentication server locally stores each identity authentication information encrypted by the private key;
the authenticating the user according to the verification information and the identity authentication information comprises:
identifying a public key in the verification information, and decrypting the identity authentication information encrypted by the private key in the locally stored verification information and the received identity authentication information encrypted by the private key by using the public key;
and judging whether the decrypted identity authentication information is consistent.
10. The method of claim 9, wherein pre-saving the identity authentication information encrypted by the private key comprises:
and receiving and storing the public key sent by the mobile terminal and the registration identity information encrypted by the private key, wherein the mobile terminal obtains the registration identity information encrypted by the private key by sending the registration identity information to the digital certificate server, receiving the public key and the private key sent by the digital certificate server, and encrypting the registration identity information with the private key before sending it.
11. The method of claim 10, wherein the authenticating the user based on the verification information and the identity authentication information comprises:
sending an inquiry request for inquiring the validity period of a public key to the digital certificate server, wherein the inquiry request carries the identification information of the user;
receiving the information of the validity period of the public key of the user returned by the digital certificate server;
if the public key is valid, decrypting the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key;
and judging whether the decrypted identity authentication information is consistent.
12. The method of claim 8, wherein the method further comprises:
receiving an access record of a user broadcasted by the application server;
judging whether verification information of the user is stored locally or not according to the identification information of the user contained in the access record;
if so, saving the access record for the user.
13. A user authentication method applied to an application server in the user authentication system according to any one of claims 1 to 7, the method comprising:
receiving authentication confirmation information sent by at least two authentication servers, wherein each of the at least two authentication servers sends the authentication confirmation information after receiving identity authentication information broadcast by a mobile terminal, judging according to identification information of the user carried in the identity authentication information that verification information of the user is stored locally, and authenticating the user successfully according to the verification information and the identity authentication information;
judging, for the user, whether the number of authentication servers that have sent authentication confirmation information reaches a set number threshold;
if so, determining that the user passes the authentication, and providing corresponding service for the user.
14. The method of claim 13, wherein the providing the respective service to the user comprises:
searching the authority of the user according to the stored authorization list;
and providing corresponding service for the user according to the user authority.
15. The method of claim 13, wherein the method further comprises:
broadcasting the access record of the user to an authentication server.
16. A user authentication apparatus, the apparatus comprising:
the receiving module is used for receiving the identity authentication information broadcasted by the mobile terminal;
the judging module is used for judging whether verification information of the user is stored locally or not according to the identification information of the user carried in the identity authentication information; if yes, triggering an authentication module;
the authentication module is used for authenticating the user according to the verification information and the identity authentication information; if the authentication is passed, triggering a sending module;
and the sending module is used for sending authentication confirmation information to an application server, so that the application server judges, for the user, whether the number of authentication servers that have sent authentication confirmation information reaches a set number threshold, and if so determines that the user passes authentication and provides corresponding services for the user.
17. The apparatus of claim 16, wherein the authentication module comprises:
the decryption unit is used for identifying a public key in the verification information and decrypting the identity authentication information encrypted by the private key in the locally stored verification information and the received identity authentication information encrypted by the private key by adopting the public key;
and the judging unit is used for judging whether the decrypted identity authentication information is consistent.
18. The apparatus of claim 17, wherein the apparatus further comprises:
and the storage module is used for receiving and storing the public key sent by the mobile terminal and the registration identity information encrypted by the private key, wherein the mobile terminal obtains the registration identity information encrypted by the private key by sending the registration identity information to the digital certificate server, receiving the public key and the private key sent by the digital certificate server, and encrypting the registration identity information with the private key before sending it.
19. The apparatus of claim 18, wherein the authentication module further comprises:
a sending unit, configured to send, to the digital certificate server, an inquiry request for inquiring a validity period of a public key, where the inquiry request carries identification information of the user;
a receiving unit, configured to receive information of a validity period of a public key of the user returned by the digital certificate server;
the decryption unit is further configured to decrypt, if the public key is valid, the received identity authentication information encrypted by the private key and the locally stored identity authentication information encrypted by the private key by using the public key;
the judging unit is further configured to judge whether the decrypted identity authentication information is consistent.
20. The apparatus of claim 18, wherein the receiving module is further configured to receive an access record of a user broadcast by the application server;
the judging module is further configured to judge whether verification information of the user is stored locally according to the identification information of the user included in the access record, and if yes, trigger the storage module;
the storage module is further configured to store the access record for the user.
21. A user authentication apparatus, the apparatus comprising:
the receiving module is used for receiving authentication confirmation information sent by at least two authentication servers, wherein each of the at least two authentication servers sends the authentication confirmation information after receiving identity authentication information broadcast by the mobile terminal, judging according to identification information of the user carried in the identity authentication information that verification information of the user is stored locally, and authenticating the user successfully according to the verification information and the identity authentication information;
the judging module is used for judging, for the user, whether the number of authentication servers that have sent authentication confirmation information reaches a set number threshold; if yes, triggering a service providing module;
and the service providing module is used for determining that the user passes the authentication and providing corresponding services for the user.
22. The apparatus of claim 21, wherein the service providing module comprises:
the searching unit is used for searching the authority of the user according to the stored authorization list;
and the service providing unit is used for providing corresponding services for the user according to the user authority.
23. The apparatus of claim 21, wherein the apparatus further comprises:
and the sending module is used for broadcasting the access record of the user to the authentication server.
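The claims above describe a threshold authentication protocol; what follows is an added Python model of it, not code from the patent or its assignee. It assumes textbook RSA over small constructed primes in place of the claims' "encrypt with the private key" step (a stand-in for a signature with message recovery), and constructed user ids, validity periods and a confirmation threshold.

```python
"""Toy model of the threshold authentication system of claims 1-15 (added example,
not the patent's code). "Encrypt with the private key / decrypt with the public
key" is modelled as textbook RSA over small constructed primes, a stand-in for a
signature with message recovery; user ids, threshold and keys are constructed."""
import hashlib

E = 17  # constructed public exponent shared by the toy key pairs

def private_encrypt(info, priv):
    """Hash the identity info, reduce below the modulus, apply the private exponent."""
    d, n = priv
    m = int.from_bytes(hashlib.sha256(info.encode()).digest(), "big") % n
    return pow(m, d, n)

def public_decrypt(cipher, pub):
    e, n = pub
    return pow(cipher, e, n)

class CertificateServer:
    """Digital certificate server of claims 3-5: issues keys, answers validity queries."""
    def __init__(self):
        self.primes = [(61, 53), (71, 67), (83, 89)]  # constructed toy primes
        self.valid_until = {}

    def register(self, user_id, valid_until):
        p, q = self.primes.pop()
        n, phi = p * q, (p - 1) * (q - 1)
        self.valid_until[user_id] = valid_until
        return (E, n), (pow(E, -1, phi), n)  # (public key, private key)

    def key_valid(self, user_id, now):
        return now <= self.valid_until.get(user_id, -1)

class AuthServer:
    """One of the >= 2 authentication servers; each holds only some users' data."""
    def __init__(self, cert):
        self.cert, self.store, self.access_log = cert, {}, {}

    def save_registration(self, user_id, pub, reg_cipher):
        self.store[user_id] = (pub, reg_cipher)

    def on_broadcast(self, user_id, auth_cipher, now):
        """True iff this server would send authentication confirmation (claims 1, 2, 4)."""
        if user_id not in self.store or not self.cert.key_valid(user_id, now):
            return False
        pub, reg_cipher = self.store[user_id]
        return public_decrypt(reg_cipher, pub) == public_decrypt(auth_cipher, pub)

    def on_access_record(self, user_id, record):
        if user_id in self.store:  # claim 7: keep records only for known users
            self.access_log.setdefault(user_id, []).append(record)

class AppServer:
    """Counts confirmations against the threshold, then serves by authorization list."""
    def __init__(self, servers, threshold, authorization):
        self.servers, self.threshold, self.authz = servers, threshold, authorization

    def authenticate(self, user_id, auth_cipher, now):
        confirmations = sum(s.on_broadcast(user_id, auth_cipher, now) for s in self.servers)
        if confirmations < self.threshold:
            return None  # claim 1: too few servers confirmed
        service = self.authz.get(user_id, "none")  # claims 6 and 14
        for s in self.servers:  # claims 7 and 15: broadcast the access record
            s.on_access_record(user_id, (now, service))
        return service

def enroll(cert, servers, user_id, info, valid_until):
    """Mobile-terminal side of claim 3; returns the private key the terminal keeps."""
    pub, priv = cert.register(user_id, valid_until)
    for s in servers:
        s.save_registration(user_id, pub, private_encrypt(info, priv))
    return priv
```

A user enrolled on fewer servers than the threshold, an expired key, or a tampered broadcast all leave `authenticate` returning `None`, which is the check the application server performs in claim 1.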

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610987445.2A CN108063748B (en) 2016-11-09 2016-11-09 User authentication method, device and system

Publications (2)

Publication Number Publication Date
CN108063748A true CN108063748A (en) 2018-05-22
CN108063748B CN108063748B (en) 2021-06-29

Family

ID=62137393

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610987445.2A Active CN108063748B (en) 2016-11-09 2016-11-09 User authentication method, device and system

Country Status (1)

Country Link
CN (1) CN108063748B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112242976A (en) * 2019-07-17 2021-01-19 华为技术有限公司 Identity authentication method and device
CN114531295A (en) * 2022-03-01 2022-05-24 中国光大银行股份有限公司 User behavior auditing system, method, equipment and storage medium
CN114826654A (en) * 2022-03-11 2022-07-29 中国互联网络信息中心 Client authentication method and system based on domain name system naming
CN116866034A (en) * 2023-07-11 2023-10-10 吉客印(郑州)数字科技有限公司 Distributed node authentication method, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714996A (en) * 2009-12-31 2010-05-26 中兴通讯股份有限公司 Authentication system and method based on peer-to-peer computing network
CN101771537A (en) * 2008-12-26 2010-07-07 中国移动通信集团公司 Processing method and certificating method for distribution type certificating system and certificates of certification thereof
CN101997825A (en) * 2009-08-28 2011-03-30 中国移动通信集团公司 DSN network authentication information request and storage method, SN-C nodes and system
JP4996489B2 (en) * 2008-01-21 2012-08-08 日本電信電話株式会社 Distributed backup system, distributed backup method, depositor device, administrator device
CN102710419A (en) * 2011-12-21 2012-10-03 大唐软件技术股份有限公司 User authentication method and device
CN104486314A (en) * 2014-12-05 2015-04-01 北京众享比特科技有限公司 Identity authentication system and identity authentication method based on peer-to-peer network
KR20160008837A (en) * 2014-07-15 2016-01-25 경북대학교 산학협력단 Method for authenticating use of device, recording medium and device for performing the method
CN105608588A (en) * 2016-01-04 2016-05-25 布比(北京)网络技术有限公司 Tracing record processing method and apparatus
CN105701372A (en) * 2015-12-18 2016-06-22 布比(北京)网络技术有限公司 Block chain identity construction and verification method

Also Published As

Publication number Publication date
CN108063748B (en) 2021-06-29

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant