CN108737394B - Offline verification system, code scanning device and server - Google Patents


Info

Publication number: CN108737394B
Authority: CN (China)
Prior art keywords: verification, dimensional code, key, server, verified
Legal status: Active
Application number: CN201810433700.8A
Priority application: CN201810433700.8A
Other languages: Chinese (zh)
Other versions: CN108737394A
Inventors: 刘小乐, 余斐, 刘兴帮, 蒋子良, 黄志斌, 王巨宏
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an offline verification system, a code scanning device and a server. It relates to the technical field of encryption and decryption and addresses the shortcoming of the prior art that a two-dimensional code can only be verified online through a server. In the system, the user's information to be verified and the current time are encrypted with a one-time password algorithm to obtain verification data, and the verification data is included in the two-dimensional code sent to the user, so the two-dimensional code itself carries the data needed to verify it. The code scanning device can therefore verify the scanned two-dimensional code on its own, without sending it online to a verification server. In addition, the one-time password algorithm is combined with a public/private key pair: the verification data and the user information are further encrypted with the encryption key, which protects the information in the two-dimensional code. The result is a scheme in which the security of the two-dimensional code information is guaranteed and the code scanning device can verify the two-dimensional code offline.

Description

Offline verification system, code scanning device and server
Technical Field
The application relates to the technical field of encryption and decryption, in particular to an offline verification system, a code scanning device and a server.
Background
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Internet technology has changed how people communicate and how they pay. The information transmitted over the network includes sensitive information such as payment two-dimensional codes and bus codes. Because sensitive information concerns the interests of the user, it needs to be encrypted to keep user information safe.
In the prior art, the reliability of information is mainly determined by verifying encrypted information. In practice, the information to be verified usually has to be sent to a server on the network side for verification. This requires the server to hold a correct copy of the information to be verified; for a two-dimensional code, for example, the verification device that scans the code must send the information to be verified to the server online to complete verification. When the network is interrupted, however, the verification device cannot send the information to the server, and verification may fail.
A new technical solution is therefore needed for the problem that verification cannot be completed offline.
Disclosure of Invention
The embodiments of the application provide an offline verification system, a code scanning device and a server, to solve the problem that verification cannot be completed while the verification device is offline.
In a first aspect, an embodiment of the present application provides an offline verification system comprising a first server, a terminal device and a verification device, where:
the first server generates a private key and a public key for a user group and determines which of them is the encryption key and which the decryption key; after receiving a two-dimensional code acquisition request from a user in the user group, it encrypts the user's information to be verified together with the current time using a time-based one-time password algorithm to generate verification data, encrypts the verification data and the information to be verified with the encryption key to obtain a ciphertext, converts the ciphertext into a two-dimensional code and sends the two-dimensional code to the user's terminal device for display; it also sends the decryption key and the one-time password algorithm to the verification devices of the user group;
the verification device receives and stores the decryption key of the user group and the one-time password algorithm; after scanning the two-dimensional code displayed by the terminal device, it extracts the ciphertext from the two-dimensional code and uses the decryption key to obtain the verification data and the information to be verified from the ciphertext; it then encrypts the information to be verified together with the current time using the one-time password algorithm to obtain check data, and compares whether the check data and the verification data are consistent; if they are consistent the verification passes, otherwise it fails.
Further, the verification device comprises a second server and a code scanning device, where the second server communicates with the first server and the code scanning device communicates with the second server:
the second server receives and stores the decryption key of the user group and the one-time password algorithm sent by the first server;
the code scanning device, after scanning the two-dimensional code displayed by the terminal device, sends the two-dimensional code to the second server for verification.
Further, in another arrangement, the verification device comprises a second server and a code scanning device, where the second server communicates with the first server and the code scanning device communicates with the second server:
the second server receives and stores the decryption key of the user group and the one-time password algorithm sent by the first server, and then forwards the decryption key and the one-time password algorithm to the code scanning device;
the code scanning device, after scanning the two-dimensional code displayed by the terminal device, verifies the two-dimensional code using the decryption key and the one-time password algorithm stored on the code scanning device itself.
Further, the first server is also configured to:
time the public/private key pair of the user group;
when a preset life cycle has elapsed or a key update instruction is received, generate a new public/private key pair;
update the encryption key of the group and the decryption key in the verification device according to the new public key and private key.
Further, the first server is also configured to generate the public key and private key for the next life cycle of the user group and to send the decryption key of the next life cycle to the verification device;
the verification device is also configured, after updating to the decryption key of the current life cycle, to keep the decryption keys of the previous and next life cycles of the user group; when verifying a two-dimensional code, it decrypts the verification data and the information to be verified in the ciphertext with the decryption key of the current life cycle; if that decryption fails, it decrypts them with the decryption key of the previous life cycle and/or the decryption key of the next life cycle.
Further, the first server is specifically configured to:
after receiving a two-dimensional code request from a user, generate a random number, encrypt the user's information to be verified together with the current time using a time-based one-time password algorithm to generate verification data, encrypt the verification data, the information to be verified and the random number with the encryption key to obtain a ciphertext, convert the ciphertext into a two-dimensional code and send it to the user's terminal device for display;
the verification device is specifically configured to use the decryption key to obtain the verification data, the information to be verified and the random number from the ciphertext, and to search for that random number among the random numbers it has already stored; if the random number is not found and the check data is consistent with the verification data, the two-dimensional code passes verification; if the random number is found, the verification fails.
Further, the first server is also configured to:
extract a first preset number of time points within a specified time period;
for each time point: encrypt the user's information to be verified together with that time point using a time-based one-time password algorithm to generate verification data, encrypt the verification data and the information to be verified with the encryption key to obtain a ciphertext, convert the ciphertext into a two-dimensional code, and store the two-dimensional code against the user.
Further, the first server is also configured, after receiving a request from a user for multiple two-dimensional codes, to retrieve a second preset number of the user's two-dimensional codes whose time points lie after the user's current time and send them to the user's terminal device;
the terminal device is also configured to store the two-dimensional codes for the second preset number of time points and, when a request to display a stored two-dimensional code is received, to select one of the stored codes and display it.
Further, the terminal device is also configured, when a first number of refresh requests for the currently displayed two-dimensional code are received within the validity period, to select from the stored codes the two-dimensional code whose time point is after, and closest to, that of the currently displayed code, and display it.
Further, the terminal device is also configured, when a second number of refresh requests for the currently displayed two-dimensional code are received within the validity period, to send a two-dimensional code refresh request to the first server, where the first number is smaller than the second number.
Further, the decryption key is a public key, and the encryption key is a private key.
In a second aspect, an embodiment of the present application further provides a code scanning apparatus comprising a processor, a memory, a two-dimensional code scanner and an interface, where:
the interface receives a decryption key and a one-time password algorithm sent by the second server, the decryption key being whichever of the public key and the private key is used for decryption, and the one-time password algorithm being a time-based one-time password algorithm;
the memory stores the decryption key and the one-time password algorithm;
the two-dimensional code scanner scans the two-dimensional code displayed by the terminal device;
the processor extracts the ciphertext from the two-dimensional code scanned by the scanner, uses the decryption key to obtain the verification data and the information to be verified from the ciphertext, encrypts the information to be verified together with the current time using the one-time password algorithm to obtain check data, and compares whether the check data and the verification data are consistent; if they are consistent the two-dimensional code is determined to pass verification, otherwise it is determined to fail.
An embodiment of the present application further provides a server comprising:
a processor; and
a memory storing computer-readable instructions which, when executed by the processor, cause it to:
generate a private key and a public key for a user group and determine which of them is the encryption key and which the decryption key;
after receiving a two-dimensional code acquisition request from a user of the user group, encrypt the user's information to be verified together with the current time using a time-based one-time password algorithm to generate verification data;
encrypt the verification data and the information to be verified with the encryption key to obtain a ciphertext, convert the ciphertext into a two-dimensional code and send it to the user's terminal device for display; and
send the decryption key and the one-time password algorithm to the verification devices of the user group.
In the offline verification system, code scanning device and server described above, the user's information to be verified and the current time are encrypted with the one-time password algorithm to obtain verification data, and the verification data is included in the two-dimensional code sent to the user, so the two-dimensional code itself carries the data needed to verify it. The code scanning device can therefore verify the scanned two-dimensional code on its own, without sending it to a verification server; this is what lets the code scanning device of this embodiment verify offline. In addition, the one-time password algorithm is combined with a public/private key pair: the verification data and the user information are further encrypted with the encryption key, which protects the information in the two-dimensional code. The result is a scheme in which the security of the two-dimensional code information is guaranteed and the code scanning device can verify the two-dimensional code offline.
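The issue-and-verify exchange summarised above, as an added Go model that is not code from the patent or from Tencent: the first server's "encryption with the private key" is realised as a PKCS #1 v1.5 RSA signature over the payload, the time-based one-time password algorithm as an HMAC over the user information and the 5-minute time step, and the scanner side carries both the random-number replay check and the current/previous/next life-cycle key list. The names qrContent, issue, scanner, verify and scenario, the shared HMAC secret (assumed to be delivered to the scanner together with the algorithm), the 2048-bit key size and the sample user string are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)
// qrContent is what the first server places in the two-dimensional code.
type qrContent struct {
	Info  string `json:"info"`  // information to be verified
	Nonce []byte `json:"nonce"` // random number for replay detection
	Ver   []byte `json:"ver"`   // verification data
	Sig   []byte `json:"sig"`   // private-key signature over the three fields above
}

// digest hashes the signed fields; the signature itself is left out.
func (c qrContent) digest() [32]byte {
	b, _ := json.Marshal(qrContent{Info: c.Info, Nonce: c.Nonce, Ver: c.Ver}) // cannot fail
	return sha256.Sum256(b)
}

// verificationData: TOTP-style HMAC over the info and the 5-minute step t falls into.
func verificationData(secret []byte, info string, t time.Time) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(binary.BigEndian.AppendUint64([]byte(info), uint64(t.Unix()/300)))
	return mac.Sum(nil)
}

// issue plays the first server; secret (the key behind the shared OTP algorithm) is an assumption.
func issue(priv *rsa.PrivateKey, secret []byte, info string, now time.Time) (code []byte, err error) {
	c := qrContent{Info: info, Nonce: make([]byte, 16), Ver: verificationData(secret, info, now)}
	if _, err = rand.Read(c.Nonce); err != nil {
		return nil, err
	}
	h := c.digest() // "encrypting with the encryption key" realised as a PKCS #1 v1.5 signature
	if c.Sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]); err != nil {
		return nil, err
	}
	return json.Marshal(c)
}

// scanner plays the code scanning device; pubs holds the current, then previous/next, life-cycle keys.
type scanner struct {
	pubs   []*rsa.PublicKey
	secret []byte
	seen   map[string]bool // random numbers already accepted
}

// verify checks one scanned code offline and returns the information to be verified.
func (d *scanner) verify(code []byte, now time.Time) (string, error) {
	var c qrContent
	if err := json.Unmarshal(code, &c); err != nil {
		return "", err
	}
	h, valid := c.digest(), false
	for _, pub := range d.pubs { // current key, then previous/next life cycle keys
		valid = valid || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], c.Sig) == nil
	}
	if !valid {
		return "", fmt.Errorf("not produced with any known encryption key")
	}
	// Recompute the check data at the scanner's own clock and compare in constant time.
	if !hmac.Equal(verificationData(d.secret, c.Info, now), c.Ver) {
		return "", fmt.Errorf("check data differs from verification data: stale or forged")
	}
	if d.seen[string(c.Nonce)] {
		return "", fmt.Errorf("random number already used: replayed code")
	}
	d.seen[string(c.Nonce)] = true
	return c.Info, nil
}

// scenario: a fresh scan passes, a repeat scan is a replay, a scan in a later step is stale.
func scenario() (fresh, replay, stale bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	secret := []byte("constructed shared secret for this example")
	dev := &scanner{pubs: []*rsa.PublicKey{&priv.PublicKey}, secret: secret, seen: map[string]bool{}}
	at := time.Date(2018, 1, 2, 9, 1, 0, 0, time.UTC) // 9:01 on 1/2/2018, as in the page
	code, err := issue(priv, secret, "student:20180001", at)
	if err != nil {
		return
	}
	_, e1 := dev.verify(code, at.Add(time.Minute))    // 9:02: same step, passes
	_, e2 := dev.verify(code, at.Add(time.Minute))    // same code again: rejected as replay
	_, e3 := dev.verify(code, at.Add(10*time.Minute)) // 9:11: later step, rejected as stale
	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() { fmt.Println(scenario()) }
```

Because the check data is recomputed at the scanner's own clock, a code issued in one 5-minute step and scanned in the next is rejected exactly as the page's definition implies; any tolerance for step boundaries or clock drift is a deployment decision the page leaves open.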
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of an application scenario in an embodiment of the present application;
fig. 2 is a schematic structural diagram of an offline verification system according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a process of acquiring a decryption key and an encryption algorithm by a local area network device and a verification device according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a code scanning device for obtaining a decryption key and a one-time encryption algorithm according to an embodiment of the present application;
fig. 5 is a schematic flowchart illustrating verification performed by the code scanning device according to the embodiment of the present application;
fig. 6 is a schematic flowchart of authentication performed by using an intranet server as a second server according to an embodiment of the present application;
fig. 7 is a schematic interface diagram of two-dimensional codes obtained at the user's request for a time period the user specifies;
fig. 8 is a schematic flowchart of an encryption method for information to be verified according to an embodiment of the present application;
fig. 9 is a schematic flowchart of a verification method for information to be verified according to an embodiment of the present application;
fig. 10 is a schematic flowchart illustrating an encryption process performed by taking the identity data of a student as an example according to an embodiment of the present application;
fig. 11 is a schematic flowchart of decryption verification performed by taking the identity data of a student as an example according to an embodiment of the present application;
fig. 12a is a schematic structural diagram of a code scanning apparatus according to an embodiment of the present application;
fig. 12b is a schematic interface diagram of a code scanning apparatus according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of an encryption apparatus for information to be authenticated according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of an apparatus for verifying information to be verified according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of a computing device according to an embodiment of the present application.
Detailed Description
To provide a verification scheme in which the verification device side can complete verification offline, the embodiments of the application provide an offline verification system, a code scanning device and a server.
To make the technical solutions of the embodiments easier to follow, some key terms used in them are explained first:
Time-based one-time password algorithm: for any two time points within the same time step, the algorithm produces the same result. For example, with a time step of 5 minutes, the result computed for 9:01 am on 1/2/2018 is the same as the result computed for 9:02 am on 1/2/2018.
Public key and private key: a public key and a private key form a key pair obtained by an algorithm. Typically the public key is the part that is disclosed to others, while the private key is kept secret. A key pair produced by such an algorithm can be guaranteed to be unique worldwide. When the key pair is used, data encrypted with one of the keys can only be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key; otherwise decryption does not succeed.
PKCS #1: PKCS (The Public-Key Cryptography Standards) is a set of public key cryptography standards established by RSA Data Security, Inc. and its partners in the United States, covering certificate application, certificate updating, certificate revocation list issuance, extension of certificate content, digital signatures and the format of digital envelopes. PKCS #1 defines the encryption and signature mechanisms of the RSA public key algorithm and is mainly used for the digital signatures and digital envelopes described in PKCS #7.
The preferred embodiments of the present application are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the present application and are not intended to limit it, and that the embodiments and their features may be combined with each other where they do not conflict.
Fig. 1 is a schematic diagram of a scenario in which two-dimensional code verification is completed by the scheme of this embodiment; in this scenario the code scanning device can verify offline. As shown in fig. 1, the scene includes a terminal device 11 of a user 10, a server 12 and a code scanning device 13. The server 12 and the code scanning device 13 store the same time-based one-time password algorithm and hold a public/private key pair between them: the server stores the encryption key of the pair and the code scanning device stores the corresponding decryption key. During encryption, the server first encrypts the information of user 10 together with the current time using the one-time password algorithm to obtain verification data, and then encrypts the verification data and the information of user 10 with the encryption key to obtain an encrypted two-dimensional code. In this way the two-dimensional code carries verification data with which it can be verified.
User 10 accesses the server 12 through the terminal device 11 to obtain the encrypted two-dimensional code and displays it. After the code scanning device scans the two-dimensional code, it uses the stored decryption key to recover the verification data and the information of user 10, and then encrypts the recovered information of user 10 together with the current time using the same one-time password algorithm to obtain check data. By the property of the one-time password algorithm, the same information encrypted within the same time step yields the same result. In principle, therefore, if the two-dimensional code is genuine and still valid, the check data and the verification data are consistent; otherwise they are not. For the code scanning device, then, the two-dimensional code passes verification if the check data and the verification data are consistent, and fails otherwise.
The code scanning device can thus verify the two-dimensional code using only the stored decryption key and one-time password algorithm, without sending the two-dimensional code online to the server 12 for verification. In this way offline verification by the code scanning device 13 is achieved.
How the network architecture for the offline verification illustrated in fig. 1 is laid out in practice is described below with reference to fig. 2. Before that, note that the terminal device 11 in fig. 1 may be any device capable of displaying a two-dimensional code, such as a mobile phone or a tablet computer. The terminal device 11 may obtain the two-dimensional code through a client installed on it that accesses the server 12, or through a mini program or even a short message within the client; any means of obtaining the two-dimensional code applies to the scenario of fig. 1, and this application does not limit it.
In addition, the terminal device 11 and the server 12 are connected through a network, which may be a local area network, a cellular network, a wide area network and the like.
Of course, the information to be verified is not limited to the two-dimensional code illustrated in fig. 1; it may also be other information to be verified, such as fingerprint authentication or company check-in information, and the embodiments of the present application apply equally.
Next, with reference to fig. 2, the offline verification system provided in an embodiment of the present application is described in detail.
Fig. 2 is a schematic structural diagram of an offline verification system provided in the embodiment of the present application. The system may include a first server 21, a terminal device 22 and a verification device 23, where:
the first server 21 generates a private key and a public key for a user group and determines which of them is the encryption key and which the decryption key; after receiving a two-dimensional code acquisition request from a user in the user group, it encrypts the user's information to be verified together with the current time using a time-based one-time password algorithm to generate verification data, encrypts the verification data and the information to be verified with the encryption key to obtain a ciphertext, converts the ciphertext into a two-dimensional code and sends the two-dimensional code to the user's terminal device 22 for display; it also sends the decryption key and the one-time password algorithm to the verification device 23 of the user group.
Here, a user group is a set of several users, so a group of users can share one public/private key pair; this is described in detail later and not repeated here.
The verification device 23 receives and stores the decryption key of the user group and the one-time password algorithm; after scanning the two-dimensional code displayed by the terminal device, it extracts the ciphertext from the two-dimensional code and uses the decryption key to obtain the verification data and the information to be verified from the ciphertext; it then encrypts the information to be verified together with the current time using the one-time password algorithm to obtain check data and compares whether the check data and the verification data are consistent; if they are consistent the verification passes, otherwise it fails.
In this way the system achieves offline verification of the two-dimensional code based on the public/private key pair, and the services that depend on verifying the two-dimensional code are no longer constrained by network connectivity.
In one embodiment, the authentication device comprises a second server and a code scanning device; the second server communicates with the first server, and the code scanning device communicates with the second server. The decryption key and the one-time password algorithm sent by the first server may be stored in the second server and/or in the code scanning device. Referring to fig. 3, and taking an extranet server as the first server and an intranet server as the second server as an example, the process by which the local area network device and the verification device obtain the decryption key and the one-time password algorithm in this embodiment is as follows, where in fig. 3:
The first server may be an extranet server, i.e. an internet server or another server that can support a wide range of network devices and requires online communication. After receiving a key pair generation request from a user group, it generates the public key and private key of the user group, determines which of them is the encryption key and which the decryption key, stores the encryption key, and sends the decryption key and the one-time password algorithm to the second server of the user group.
The key pair may be generated using, for example, the RSA (Ron Rivest, Adi Shamir, Leonard Adleman) algorithm. To keep the information secure, either the public key is used as the encryption key and the private key as the decryption key, or the private key is used as the encryption key and the public key as the decryption key. The one-time password algorithm, when implemented, may be any one of the following:
HOTP (HMAC-based One-Time Password).
TOTP (Time-based One-Time Password).
HMAC (Hash-based Message Authentication Code, a message authentication code algorithm based on a hash function).
The second server receives and stores the decryption key and the one-time password algorithm.
The second server may be a Local Area Network (LAN) server. A local area network is a computer communication network that connects computers, peripheral devices, databases and so on within a limited geographical area (for example a school, a factory or an institution), typically within a radius of a few kilometres. It can be connected to the remote first server through a data communication network or a dedicated data line to form a wide-area information processing system. A local area network may provide file management, application sharing, printer and scanner sharing, scheduling within workgroups, e-mail and fax services, and the like. Devices within the local area network can still transfer and access data even when the local area network server cannot communicate with the first server.
If the code scanning device is to verify the two-dimensional code itself, the intranet server may issue the decryption key and the one-time password algorithm to the code scanning device (shown by the dotted line in fig. 3).
When the two-dimensional code is verified, one of the following schemes is used depending on where the decryption key and the one-time password algorithm are stored:
In the first scheme, when the decryption key and the one-time password algorithm are stored only in the intranet server, as shown in fig. 4:
The terminal device requests the two-dimensional code from the extranet server and displays it; the intranet server receives and stores the decryption key and the one-time password algorithm of the user group sent by the extranet server.
After scanning the two-dimensional code displayed by the terminal device, the code scanning device sends the scanned information of the two-dimensional code to the intranet server for verification.
In the second scheme, when the decryption key and the one-time password algorithm are stored in the code scanning device, as shown in fig. 5 (the operations of obtaining the two-dimensional code and of storing the decryption key and the one-time password algorithm can be seen in fig. 5 and are not described again here): the second server receives and stores the decryption key and the one-time password algorithm of the user group sent by the first server and then forwards them to the code scanning device; after scanning the two-dimensional code displayed by the terminal device, the code scanning device verifies the two-dimensional code using the decryption key and the one-time password algorithm it stores.
User groups are described further here. A user group is an identity used when interacting with the first server; in particular, the first server may communicate with a client or applet under the identity of a user group. The identity may be registered in advance with the first server. For example, school A or enterprise B registers its own group with the first server under its own identity, and users in a certain area may even federate to apply for a user group identity. Taking school A as an example, the terminal device 11 may apply to the first server for the key pair of school A under the identity of school A. The students of school A then become the users of the user group of school A and share the key pair of school A to encrypt their own information.
To keep the decryption key secure, the decryption key and the one-time password algorithm should be transmitted in a secure manner, such as over HTTPS (HyperText Transfer Protocol over Secure Socket Layer), to avoid the risk of eavesdropping on the transmission path.
Further, to improve information security and avoid the hidden risks caused by key leakage, in this embodiment the key pair of a user group may have a life cycle. Cracking a key maliciously takes time, and if the key pair of the user group is refreshed periodically, even a leaked key becomes invalid when its life cycle ends. An invalidated key loses its effect, so the user information remains secure. The first server is further configured to time the public/private key pair of the user group so that the key pair is updated periodically; when the preset life cycle has elapsed or a key update instruction is received, to generate a new pair of public and private keys; and to update the encryption key corresponding to the group and the decryption key in the verification device according to the new public key and private key.
In particular, to update the key, a key update interface may be deployed in the first server and made accessible to the second server and/or the code scanning device. The decryption key for the next life cycle can also be recorded in that interface so that the second server and/or the code scanning device can obtain it conveniently.
To keep the authentication service running normally, the key should not be refreshed too frequently. For example, when the key refresh period is 24 hours, the second server and the code scanning device can be offline for 24 hours. The refresh frequency can be set according to actual requirements; for example, the key pairs of different user groups can have different life cycles to meet the requirements of different user groups.
A refresh of the key pair may mean that the decryption key in the second server and/or the code scanning device is not updated in time, so that the encrypted two-dimensional code cannot be decrypted. To deal with this, the following scheme can be adopted:
the first server is further configured to generate the public key and private key of the next life cycle of the user group and to send the decryption key of the next life cycle to the second server;
and the second server is further configured, after updating the decryption key to obtain the decryption key of the current life cycle, to also store the decryption key of the previous life cycle and the decryption key of the next life cycle of the user group.
Thus the second server and/or the code scanning device can store the decryption keys of the current, previous and next life cycles. When authenticating a two-dimensional code, the second server or the code scanning device first decrypts the check data and the information to be verified in the ciphertext with the decryption key of the current life cycle; if that decryption fails, it decrypts them with the decryption key of the previous life cycle and/or the decryption key of the next life cycle. In this way the device that authenticates the two-dimensional code (the second server or the code scanning device) can still verify it even when its keys are not synchronised with the first server.
If the decryption keys of several life cycles are stored and the validity period of a decryption key is 24 hours, the verification device can be offline for 24 to 48 hours (depending on when it went offline). The verification device can therefore not only verify offline but also, in the event of an unplanned network outage, leave sufficient time for the network to be repaired without affecting the verification service.
In addition, because the two-dimensional code is encrypted using the current time, a validity period can be set for the two-dimensional code to overcome verification errors or key update failures caused by the clocks of the first server and the verification device not being synchronised. For example, the validity period may be 2 minutes, which is enough to accommodate the clock difference between the two parties.
Further, when the user on the authentication device side finds that the authentication device has been stolen, that the decryption key has leaked, or the like, the administrator of the first server can be notified urgently. The administrator can then send an update instruction in time and update the key pair quickly, so that the loss caused by the information leakage is kept as small as possible.
In specific implementation, if one two-dimensional code could be verified several times, user information could easily leak or the user could easily suffer harm. For example, another user could complete a payment with a stolen two-dimensional code, and the user whose two-dimensional code was stolen would bear the loss. Therefore, in this embodiment, to protect the user's information and interests, a two-dimensional code may be verified only once. To this end, after receiving a two-dimensional code request from a user, the first server generates a random number, encrypts the user's information to be verified together with the current time using the time-based one-time password algorithm to generate check data, encrypts the check data, the information to be verified and the random number with the encryption key to obtain a ciphertext, converts the ciphertext into a two-dimensional code, and sends the two-dimensional code to the user's terminal device for display. When the verification device performs verification, it obtains the check data, the information to be verified and the random number from the ciphertext using the decryption key and searches for the random number from the ciphertext among the pre-stored random numbers; if the random number is not found and the check data is consistent with the verification data, the two-dimensional code passes verification; if the random number is found, the two-dimensional code fails verification.
In this way, even if the same user requests a two-dimensional code several times, the random number and the encryption time differ between requests, so different requests correspond to different two-dimensional codes. The verification device can store the random number of every two-dimensional code it has verified; when a two-dimensional code is verified, if its random number is already among the stored random numbers, the two-dimensional code can be determined to have been used, and its verification can be failed directly.
Of course, in specific implementation only the random numbers within a certain period can be stored, for example the random numbers of the two-dimensional codes of the last two days or the last 24 hours. Expired random numbers can then be deleted to free storage. In addition, the number of stored random numbers determines to some extent how efficiently the random number of a two-dimensional code to be verified can be looked up, so storing only the random numbers within a certain period also improves the efficiency of verification.
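As an added illustration (not code from the patent or from Tencent), the following Go program implements the issue-and-verify flow described above: the first server encrypts a random number, the check data and the information to be verified with the group's encryption key, and the offline verifier tries the current, previous and next life cycle decryption keys in turn, rejects a reused random number, and recomputes the check data for the current time step. The concrete check-data construction (HMAC-SHA256 keyed with the information to be verified over the time-step counter), the 16-byte random number, the payload layout and the names `Issue`, `Verifier` and `NewGroupKey` are assumptions; the page fixes none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	TimeStep  = 5 * time.Minute // one time point per 5-minute step (page example)
	Validity  = 2 * time.Minute // clock skew allowed around a step boundary (page: 2 minutes)
	Retention = 24 * time.Hour  // how long accepted random numbers are kept (page: last 24 hours)
	nonceLen  = 16
	checkLen  = sha256.Size
)
// NewGroupKey generates one user group's RSA key pair (1024 bits, as on the page).
func NewGroupKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	return k
}
// checkData is the TOTP-style check value over (info, time point). Assumed construction:
// HMAC-SHA256 keyed with the info over the time-step counter, recomputable from the decrypted info.
func checkData(info []byte, t time.Time) []byte {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/int64(TimeStep/time.Second)))
	mac := hmac.New(sha256.New, info)
	mac.Write(counter[:])
	return mac.Sum(nil)
}

// Issue is the first server's side: random number || check data || info, encrypted with the
// group's encryption key (RSA PKCS#1 v1.5: at most 117 bytes for 1024 bits, so info is short here).
func Issue(encKey *rsa.PublicKey, info []byte, now time.Time) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append(nonce, checkData(info, now)...), info...)
	return rsa.EncryptPKCS1v15(rand.Reader, encKey, plain)
}

// Verifier is the offline side (second server or code scanning device).
type Verifier struct {
	keys []*rsa.PrivateKey           // tried in order: current, previous, next life cycle
	seen map[[nonceLen]byte]time.Time // accepted random numbers and when they were seen
}

// NewVerifier takes the stored decryption keys, current life cycle first.
func NewVerifier(keys ...*rsa.PrivateKey) *Verifier {
	return &Verifier{keys: keys, seen: map[[nonceLen]byte]time.Time{}}
}

// Verify returns the info when a stored key opens the ciphertext, the random number is unused
// and the check data matches the current time step.
func (v *Verifier) Verify(ct []byte, now time.Time) ([]byte, error) {
	var pt []byte
	for _, k := range v.keys { // current key first, then previous/next (page: key life cycles)
		if p, err := rsa.DecryptPKCS1v15(nil, k, ct); err == nil {
			pt = p
			break
		}
	}
	if len(pt) < nonceLen+checkLen {
		return nil, errors.New("no stored decryption key yields a well-formed payload")
	}
	var nonce [nonceLen]byte
	copy(nonce[:], pt[:nonceLen])
	check, info := pt[nonceLen:nonceLen+checkLen], pt[nonceLen+checkLen:]
	for n, t := range v.seen { // forget random numbers older than the retention window
		if now.Sub(t) > Retention {
			delete(v.seen, n)
		}
	}
	if _, used := v.seen[nonce]; used {
		return nil, errors.New("two-dimensional code already verified")
	}
	// Same step as generation, or the step Validity earlier (a boundary crossed within the validity period).
	if !hmac.Equal(check, checkData(info, now)) && !hmac.Equal(check, checkData(info, now.Add(-Validity))) {
		return nil, errors.New("check data mismatch: code expired or not issued for this info")
	}
	v.seen[nonce] = now
	return info, nil
}

func main() {
	cur, next := NewGroupKey(), NewGroupKey() // current and next life cycle of one group
	v := NewVerifier(cur, next)
	ct, _ := Issue(&cur.PublicKey, []byte("student-1001"), time.Now()) // constructed sample info
	_, first := v.Verify(ct, time.Now())
	_, replay := v.Verify(ct, time.Now())
	fmt.Println("first scan:", first, "replay:", replay) // <nil> then "already verified"
}
```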
In an embodiment, the first server may be further configured to extract a first preset number of time points within a specified time period; a set number of time points can be extracted within each time step. For example, with a time step of 5 minutes, a time point is extracted every 5 minutes starting from the current time of 9:00.
For each extracted time point, the first server encrypts the user's information to be verified together with that time point using the time-based one-time password algorithm to generate check data, encrypts the check data and the information to be verified with the encryption key to obtain a ciphertext, converts the ciphertext into a two-dimensional code, and stores the two-dimensional code in association with the user.
In this way, when a two-dimensional code acquisition request of a user is received, the two-dimensional code for the corresponding time period can be taken from the stored two-dimensional codes and sent to the user. For example, the corresponding time period may be the time step that contains the transmission time of the acquisition request.
In addition, based on the two-dimensional codes stored for different time points, the terminal device can also work offline while the verification device is offline. Specifically, the first server is further configured, after receiving a request from a user for multiple two-dimensional codes, to obtain a second preset number of the user's two-dimensional codes for time points after the user's current time and send them to the user's terminal device;
the terminal device may store the two-dimensional codes corresponding to the second preset number of time points, and when a request to display the stored two-dimensional codes is received, select one of them for display.
In specific implementation, the stored two-dimensional code that has not yet been displayed and has the earliest time point is selected for display first. For example, if 5 two-dimensional codes S1, S2, S3, S4 and S5 are stored in chronological order, S1 may be displayed for the first payment, S2 for the second, and so on.
Fig. 6 is a schematic diagram of the two-dimensional code verification process when the client (installed in the terminal device) is offline, where:
The client obtains the plurality of two-dimensional codes from the first server through the terminal device and caches them.
The second server obtains the decryption key and the one-time password algorithm from the first server and stores them.
After scanning the two-dimensional code displayed by the client, the code scanning device sends the two-dimensional code to the second server for verification.
After verification, the second server sends the verification result to the code scanning device.
Of course, in specific implementation the two-dimensional codes may be sorted in time order, and each two-dimensional code may be deleted from storage once it has been displayed. Continuing the example above, S1 is deleted once displayed, and for the second payment the first-ranked code, now S2, is displayed directly. The displayed two-dimensional code may be deleted after verification is completed, or after it has been displayed for a preset display duration. The preset display duration may be determined from empirical values and represents the time the two-dimensional code needs in order to be verified by the verification device.
Further, the currently displayed two-dimensional code may fail to verify, and the user may then refresh it. Specifically, the terminal device is further configured, when a first number of refresh requests for the currently displayed two-dimensional code are received within the validity period, to take from the stored two-dimensional codes the one whose time point is closest to, and later than, that of the currently displayed two-dimensional code, and display it. Continuing the example above, if S2 is currently displayed, a refresh obtains S3 for display.
In specific implementation, the time point encrypted into a two-dimensional code with the one-time password algorithm cannot be read directly, so when the first server sends two-dimensional codes for several time points, it can mark them according to the order of their time points. The terminal device can then determine the order of the two-dimensional codes from the marks. The specific marking and mark-recognition method may be negotiated between the first server and the terminal device and is not described in this embodiment.
It should also be noted that the validity period is a set period of time; after one validity period has elapsed, the next is counted afresh. In an implementation the validity period may be determined from empirical values and may be set to 2 seconds, for example: if the user requests a refresh of the two-dimensional code within 2 seconds, a new two-dimensional code is obtained and displayed.
In addition, in one embodiment, since the one-time password algorithm requires generation and verification of the two-dimensional code to fall within the same time step in order to pass, a two-dimensional code obtained online can be used preferentially for verification so as to avoid failures caused by the two falling in different time steps. To this end, the terminal device is further configured to send a two-dimensional code refresh request to the first server when a second number of refresh requests for the currently displayed two-dimensional code are received within the validity period, where the first number is smaller than the second number. Because the first number is smaller than the second number, by the time the second number of refresh requests is received the two-dimensional codes stored by the user may all have been verified or invalidated, and a two-dimensional code is then obtained from the first server. The user thus has several ways of obtaining a two-dimensional code, which is convenient and better ensures that the user can carry out the related services smoothly.
In addition, because obtaining a two-dimensional code online requires the first server to perform an encryption operation, the refresh frequency of a single user should not be too high if the processing resources of the first server are to be used reasonably. To save the processing resources of the first server, this embodiment therefore provides the following two schemes:
In the first scheme, after receiving a two-dimensional code refresh request from a user, the first server starts a timer, and if it receives another two-dimensional code refresh request from the same user within the specified refresh duration, it discards that request, i.e. does not process it. For example, the first server receives a two-dimensional code refresh request from user A and generates a new two-dimensional code to return to the user within the following 2 seconds (the specified refresh duration); if another refresh request from user A arrives within those 2 seconds, it is not processed.
In the second scheme, after the terminal device detects the first refresh operation on the two-dimensional code, it starts a timer and generates a two-dimensional code refresh request to the first server; if it detects another refresh operation within the specified refresh duration, it discards the detected operation, i.e. does not generate a two-dimensional code refresh request.
In addition, if a refresh request has been sent to the first server and no response is received within a specified feedback time (e.g. 4 seconds), a two-dimensional code that has not yet been displayed can continue to be taken from the stored two-dimensional codes for display and verification. If a refresh request has been sent to the first server and a new two-dimensional code is received from it, all stored two-dimensional codes are replaced by the new two-dimensional code, so that the two-dimensional code obtained online is used preferentially.
Of course, to make the offline two-dimensional code convenient to use, the user may also request two-dimensional codes for a specified time period from the first server according to their own needs, for example when the user's two-dimensional code usage is regular: office workers consume two-dimensional codes during the lunch period, and the times of their commutes to and from work are relatively regular. To save the user's network traffic, or to avoid the user being unable to obtain a two-dimensional code in time when offline or on a poor network, the user may obtain the two-dimensional codes from the first server in advance through the interface shown in fig. 7, in which the user can apply for and download two-dimensional codes from the first server in advance according to their plans and actual needs. After the first server receives a user's request for two-dimensional codes for a requested time period, it extracts a plurality of time points from that period, generates a two-dimensional code for each time point with the one-time password algorithm and the encryption key, and returns them to the user; each two-dimensional code returned to the user is marked with the time period it corresponds to, so that the user knows when it can be used.
Correspondingly, so that the user can use the two-dimensional codes for verification in the requested time period, the first server also checks whether the key pair will be updated within the time period requested by the user; if so, it sends the updated decryption key to the verification device in advance for storage and informs the verification device of the time from which the decryption key takes effect, so that the verification device can determine from that time which decryption key to use for verification.
In addition, in this embodiment, to handle special situations, the first server may also be provided with a decryption verification interface that is available across the whole network, so as to implement online verification.
Based on the same inventive concept, this embodiment also provides an encryption method for information to be verified. The system above is illustrated with two-dimensional codes only; the method generalises the information used, i.e. it is suitable for any information that needs to be verified. Fig. 8 is a flow chart of the method, which comprises the following steps:
Step 801: encrypt the information to be verified together with the current time using a time-based one-time password algorithm to obtain check data.
Step 802: encrypt the check data and the information to be verified with an encryption key to obtain a ciphertext, where the encryption key is the key used for encryption in a pair of a public key and a private key.
The ciphertext of the information to be verified therefore contains, through the combination of the encryption key and the one-time password algorithm, check data that can verify the identity of the information to be verified. A device verifying the information therefore does not need to send it online to a verification server; it can perform the verification offline using only the check data.
In one embodiment, for the same information to be verified, different encryption times yield different check data, so the same information to be verified produces different ciphertexts depending on the encryption time. To ensure that the same ciphertext can be verified only once, in this embodiment a random number can be generated before the check data and the information to be verified are encrypted with the encryption key, and the check data, the information to be verified and the random number are then encrypted together with the encryption key to obtain the ciphertext. As described above, the random number can be used at verification time to determine whether the ciphertext of the information to be verified has already been verified.
For ordinary users, one user corresponds to one key pair. However, as the number of users grows, the number of key pairs grows with it, which burdens the generation and management of key pairs. To simplify key pair management, in this embodiment the information that serves as information to be verified can therefore be grouped in advance; a pair of public and private keys is generated for each group according to an asymmetric encryption algorithm; one of the pair is determined to be the encryption key and the other the decryption key; and the encryption key is stored in association with the group.
In this way one user group corresponds to one key pair, which greatly reduces the number of key pairs and simplifies management. Taking a school as an example, if the information of each student corresponded to its own key pair, a school with thousands of students would have thousands of key pairs to manage; if the school is instead assigned a single key pair as one group, the number of key pairs is greatly reduced. Accordingly, when the check data and the information to be verified are encrypted with the encryption key, the encryption key used is the one corresponding to the group to which the information to be verified belongs, and this yields the ciphertext.
To facilitate offline verification by the verification device, for each group, after the pair of public and private keys corresponding to the group has been generated according to the asymmetric encryption algorithm, the decryption key is sent to the verification device preset for the group. In addition, to prevent the insecurity caused by key leakage or theft, in this embodiment the key pair corresponding to each group is timed; when the preset life cycle has elapsed or a key update instruction is received, a new pair of public and private keys is generated; and the encryption key corresponding to the group and the decryption key in the verification device are updated according to the new public key and private key.
Thus, as mentioned above, because the key pair is updated periodically, the user's information to be verified remains protected after the key pair is updated even if a key has leaked or been stolen.
In one embodiment, the number of bytes that a key of a given length can encrypt in a single operation is limited, so in specific implementation a key of suitable length may be chosen according to the application scenario. In general, for campus two-dimensional codes, two-dimensional codes for vehicles, two-dimensional codes for employee sign-in and similar scenarios, a public/private key pair of 512, 768 or 1024 bits may be generated with the RSA algorithm. According to the implementation of RSA, since PKCS #1 uses 11 padding bytes by default, a 768-bit key can encrypt at most 768/8 - 11 = 85 bytes and a 1024-bit key at most 1024/8 - 11 = 117 bytes. Exceeding this fixed length requires either a longer key or cyclic encryption of the original text. Specifically, fragmented cyclic encryption can be implemented as follows:
Before the information to be verified and the current time are encrypted with the time-based one-time password algorithm to obtain the check data, determine whether the number of bytes of the information to be verified exceeds the maximum number of bytes of a single encryption. If not, encrypt the information to be verified and the current time with the time-based one-time password algorithm as before. If it does, slice the information to be verified into fragments and determine the mark of each fragment according to its position in the information to be verified; encrypt each fragment together with the current time with the time-based one-time password algorithm to obtain the check data of that fragment; encrypt the check data of each fragment with the encryption key to obtain the ciphertext of that fragment; and determine the order of the fragment ciphertexts from the fragment marks and combine them in that order to obtain the ciphertext of the information to be verified.
Thus, when the information to be verified has too many bytes, offline verification by the verification device can still be achieved through fragmented encryption.
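An added example, not from the patent, of the fragmented encryption just described, written in Go with the standard library's PKCS#1 v1.5 routines: `MaxSingle` derives the 85/117-byte limit from the key size, and `EncryptFragmented`/`DecryptFragmented` (assumed names) slice, mark, encrypt and reassemble the information to be verified. The per-fragment check data of the page's scheme is left out so the block stays focused on the length limit and the fragment marks; the one-byte mark and count layout inside each fragment is an assumption.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

const pkcs1Overhead = 11 // PKCS#1 v1.5 padding: 0x00 0x02, at least 8 random bytes, 0x00

// NewGroupKey generates one user group's RSA key pair (1024 bits, as on the page).
func NewGroupKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	return k
}

// MaxSingle is the longest plaintext one PKCS#1 v1.5 encryption with this key accepts:
// 85 bytes for a 768-bit key and 117 bytes for a 1024-bit key, as the page computes.
func MaxSingle(pub *rsa.PublicKey) int { return pub.Size() - pkcs1Overhead }

// EncryptFragmented slices info into pieces that fit a single encryption, prefixes each piece
// with its mark (position) and the total count inside the encrypted part, so a verifier can
// detect dropped, duplicated or reordered fragments, and returns the fragment ciphertexts
// concatenated in mark order. Info that fits one encryption becomes a single marked fragment.
func EncryptFragmented(pub *rsa.PublicKey, info []byte) ([]byte, error) {
	chunk := MaxSingle(pub) - 2 // two bytes reserved for mark and count
	n := (len(info) + chunk - 1) / chunk
	if n == 0 {
		n = 1
	}
	if n > 255 {
		return nil, errors.New("too many fragments for a one-byte mark")
	}
	var out []byte
	for i := 0; i < n; i++ {
		end := (i + 1) * chunk
		if end > len(info) {
			end = len(info)
		}
		plain := append([]byte{byte(i), byte(n)}, info[i*chunk:end]...)
		ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, plain)
		if err != nil {
			return nil, err
		}
		out = append(out, ct...)
	}
	return out, nil
}

// DecryptFragmented splits the ciphertext into key-sized fragments, decrypts each, and
// reassembles the info by mark order, rejecting missing, duplicate or inconsistent fragments.
func DecryptFragmented(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	size := priv.Size()
	if len(ct) == 0 || len(ct)%size != 0 {
		return nil, errors.New("ciphertext is not a whole number of fragments")
	}
	parts, total := map[int][]byte{}, -1
	for off := 0; off < len(ct); off += size {
		pt, err := rsa.DecryptPKCS1v15(nil, priv, ct[off:off+size])
		if err != nil {
			return nil, err
		}
		if len(pt) < 2 {
			return nil, errors.New("fragment without mark")
		}
		mark, count := int(pt[0]), int(pt[1])
		if total == -1 {
			total = count
		}
		if count != total || mark >= total {
			return nil, errors.New("fragment mark or count inconsistent")
		}
		if _, dup := parts[mark]; dup {
			return nil, errors.New("duplicate fragment")
		}
		parts[mark] = pt[2:]
	}
	if len(parts) != total {
		return nil, errors.New("missing fragment")
	}
	var info []byte
	for i := 0; i < total; i++ {
		info = append(info, parts[i]...)
	}
	return info, nil
}

func main() {
	priv := NewGroupKey()
	info := bytes.Repeat([]byte("campus-card-0042;"), 20) // constructed 340-byte info: 3 fragments
	ct, _ := EncryptFragmented(&priv.PublicKey, info)
	back, err := DecryptFragmented(priv, ct)
	fmt.Println(MaxSingle(&priv.PublicKey), len(ct)/priv.Size(), bytes.Equal(back, info), err) // 117 3 true <nil>
}
```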
Based on the same inventive concept and corresponding to the encryption method above, an embodiment of the present application further provides a verification method for encrypted information. As shown in fig. 9, the method includes the following steps:
Step 901: acquiring the ciphertext of the information to be verified.
Step 902: decrypting the ciphertext with the decryption key to obtain the check data and the information to be verified contained in the ciphertext; the decryption key and the encryption key used to encrypt the information to be verified form a public/private key pair.
Step 903: encrypting the current time and the information to be verified obtained from the ciphertext with a one-time password algorithm to obtain verification data; this algorithm is the same time-based one-time password algorithm that was used to encrypt the information to be verified.
Step 904: comparing the verification data with the check data obtained from the ciphertext.
Step 905: if the verification data is the same as the check data obtained by decryption, determining that the information to be verified passes verification.
Of course, in a specific implementation, if the verification data differs from the check data obtained by decryption, it is determined that the information to be verified fails verification.
In one embodiment, the decryption key is obtained according to the following procedure:
receiving a decryption key issued by the encryption device, or receiving a decryption key update request issued by the encryption device and updating the stored decryption key with the decryption key carried in the update request.
The encryption device is, for example, the aforementioned first server.
Further, as described above, a random number can be used so that the encrypted information to be verified is usable only once; in the embodiment of the present application the decrypted ciphertext then further includes the random number. Therefore, before the information to be verified is verified, it is determined that the random number in the ciphertext is not found among the pre-stored random numbers, where the pre-stored random numbers were obtained by decrypting other ciphertexts within a specified time length; and the verification fails when the verification data differs from the check data obtained by decryption, and/or when the random number in the ciphertext is found among the pre-stored random numbers. That is, if the random number in the ciphertext is found among the pre-stored random numbers, the verification is considered failed regardless of how the comparison of the verification data with the check data turns out. Only when the random number in the ciphertext is not found among the pre-stored random numbers and the verification data is consistent with the check data is the verification considered passed.
Further, when the fragment encryption described above is in use, it should first be determined, before the ciphertext is decrypted with the pre-stored decryption key, whether the ciphertext of the information to be verified contains a fragment mark. If the ciphertext does not contain a fragment mark, it is decrypted directly with the pre-stored decryption key. If it does contain a fragment mark, the ciphertext of one of the fragments can be taken for verification, specifically:
decrypting the ciphertext of the fragment with the decryption key to obtain the check data and the fragment data of that fragment; encrypting the current time and the fragment data with the time-based one-time password algorithm to obtain the verification data of the fragment; comparing the verification data of the fragment with the check data in the ciphertext of the fragment; if the two are the same, determining that the information to be verified passes verification; otherwise, determining that the information to be verified fails verification.
In summary, in the embodiment of the present application, offline verification of the information to be verified by the verification device can be implemented using the decryption key and the time-based one-time password algorithm, which keeps the service of the verification device running normally.
The campus code is taken as an example to further explain the scheme of offline verification in the embodiment of the present application.
As shown in fig. 10, the information to be verified is the identity data of a student, such as the student number, and the time-based one-time password algorithm is the TOTP algorithm. The miscellaneous data may be the aforementioned random number, or in a specific implementation may include other data, as long as the information to be verified can still be verified. During encryption, the student's identity data and the current time are encrypted with the TOTP algorithm to generate the TOTP verification data; the student's identity data, the TOTP verification data and the miscellaneous data are then taken as the original data and encrypted with the private key of the asymmetric encryption to obtain the ciphertext. For convenience of transmission, the ciphertext is Base64-encoded to obtain the Base64 ciphertext.
As shown in fig. 11, in the decryption process the Base64 ciphertext is first Base64-decoded to obtain the original ciphertext, which is then decrypted with the public key of the asymmetric encryption to obtain the original data. The original data includes the identity data, TOTP verification data 1 and the miscellaneous data. The decrypting side then encrypts the current time and the identity data with the TOTP algorithm to obtain TOTP verification data 2 (namely the verification data). TOTP verification data 2 is compared with TOTP verification data 1, and if the two are consistent, the verification passes.
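The campus code flow of figs. 10 and 11 together with steps 901 to 905 and the random-number check, as an added example that is not part of the patent or of any Tencent implementation. It assumes an RSA-PSS signature verified with the public key as the realisation of "encrypting with the private key", a shared HMAC secret as the TOTP parameters, JSON field names and a constructed student number; the fragment variant is not covered.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// Payload is the "original data" of fig. 10; field names are assumptions.
type Payload struct {
	Identity string `json:"id"`    // identity data, e.g. the student number
	Check    string `json:"totp"`  // TOTP verification data
	Nonce    string `json:"nonce"` // miscellaneous data: a random number
}

const stepSeconds = 30 // TOTP time step (RFC 6238 default, assumed here)

// totpCheck: HMAC-SHA256(secret, identity || time-step counter) truncated to six digits
// as in RFC 4226; the shared secret stands in for the "one-time password algorithm" setup.
func totpCheck(secret []byte, identity string, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/stepSeconds))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(identity))
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// NewKeyPair generates the user group's public/private key pair on the first server.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Issue is the first server's side of fig. 10: check data, identity data and a fresh nonce
// are signed with the private key (the patent's "encrypt with the private key") and Base64-encoded.
func Issue(priv *rsa.PrivateKey, secret []byte, identity string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	raw, _ := json.Marshal(Payload{identity, totpCheck(secret, identity, now), fmt.Sprintf("%x", nonce)})
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(sig, raw...)), nil // layout: PSS signature || JSON
}

// Verifier is the scanning device's offline state: public key, TOTP secret, nonces seen.
type Verifier struct {
	pub    *rsa.PublicKey
	secret []byte
	window time.Duration // the "specified time length" for which random numbers are kept
	seen   map[string]time.Time
}

func NewVerifier(pub *rsa.PublicKey, secret []byte, window time.Duration) *Verifier {
	return &Verifier{pub: pub, secret: secret, window: window, seen: map[string]time.Time{}}
}

// Verify runs steps 901 to 905 of fig. 9 plus the random-number check; the previous
// TOTP step is also accepted as an assumed tolerance for clock skew between devices.
func (v *Verifier) Verify(code string, now time.Time) error {
	blob, err := base64.StdEncoding.DecodeString(code)
	if err != nil || len(blob) <= v.pub.Size() {
		return fmt.Errorf("malformed ciphertext")
	}
	sig, raw := blob[:v.pub.Size()], blob[v.pub.Size():]
	digest := sha256.Sum256(raw)
	if err := rsa.VerifyPSS(v.pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("decryption failed: signature does not verify under the stored key")
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return err
	}
	for n, t := range v.seen { // forget random numbers older than the specified time length
		if now.Sub(t) > v.window {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[p.Nonce]; dup {
		return fmt.Errorf("verification failed: random number already used")
	}
	v.seen[p.Nonce] = now
	for _, t := range []time.Time{now, now.Add(-stepSeconds * time.Second)} {
		if hmac.Equal([]byte(p.Check), []byte(totpCheck(v.secret, p.Identity, t))) {
			return nil
		}
	}
	return fmt.Errorf("verification failed: check data does not match the current time")
}
```

Verify records a random number only after the signature check succeeds, so an unsigned or tampered code cannot fill the replay store.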
In addition, based on the same inventive concept, an offline code scanning apparatus is further provided in the embodiments of the present application, as shown in fig. 12a, which is a schematic structural diagram of a scanning apparatus, and includes a processor 1201, a memory 1202, a two-dimensional code scanning device 1203, and an interface 1204, where:
the interface 1204 is configured to receive a decryption key and a one-time password algorithm sent by the second server, where the decryption key is the key of a public/private key pair that is used for decryption, and the one-time password algorithm is a time-based one-time password algorithm;
the memory 1202 is configured to store the decryption key and the one-time-password algorithm;
the two-dimensional code scanning device 1203 is used for scanning a two-dimensional code displayed by the terminal equipment;
the processor 1201 is configured to extract the ciphertext from the two-dimensional code scanned by the two-dimensional code scanning device and to obtain, using the decryption key, the check data and the information to be verified contained in the ciphertext; to encrypt the information to be verified and the current time with the one-time password algorithm to obtain verification data; to compare whether the check data and the verification data are consistent; and, if they are consistent, to determine that the two-dimensional code passes verification, and if they are inconsistent, to determine that the two-dimensional code fails verification.
Fig. 12b is a schematic view of the interface of a code scanning device. The code scanning interface can scan a two-dimensional code through its scanning function. Of course, in a specific implementation, the code scanning device need not have a display interface and may be an ordinary code scanner, for example one that captures the two-dimensional code with an image capturing device and an optical imaging device.
Corresponding to the encryption method for information to be verified provided in the embodiment of the present application, an embodiment of the present application further provides an encryption apparatus for information to be verified, and as shown in fig. 13, the apparatus includes:
the verification data determining module 1301 is configured to encrypt the information to be verified and the current time by using a time-based one-time password algorithm to obtain verification data;
a ciphertext determining module 1302, configured to encrypt the check data and the to-be-verified information by using an encryption key to obtain a ciphertext, where the encryption key is a key used for encryption in a pair of a public key and a private key.
Wherein in one embodiment, the apparatus further comprises:
a random number generation module, configured to generate a random number before the ciphertext determining module 1302 encrypts the check data and the information to be verified with the encryption key to obtain the ciphertext;
the ciphertext determining module is specifically configured to encrypt the check data, the information to be verified, and the random number with the encryption key.
Wherein, in one embodiment, the apparatus further comprises:
the grouping module is used for grouping the information that serves as information to be verified, before the verification data determining module encrypts the information to be verified and the current time with the time-based one-time password algorithm to obtain the check data;
the key pair generation module is used for generating a pair of public key and private key corresponding to each group according to an asymmetric encryption algorithm;
a decryption key determining module for determining one of the pair of public and private keys as an encryption key and the other as a decryption key;
the encryption key storage module is used for correspondingly storing the encryption key and the packet;
the ciphertext determining module is specifically configured to encrypt the check data and the to-be-verified information by using an encryption key corresponding to a group in which the to-be-verified information is located, so as to obtain the ciphertext.
Wherein, in one embodiment, the apparatus further comprises:
the decryption key distribution module is used for sending the decryption key to the preset verification devices of the group after the key pair generation module has generated the public/private key pair corresponding to the group according to the asymmetric encryption algorithm;
the timing module is used for timing the life cycle of the public/private key pair corresponding to each group;
the key updating module is used for regenerating a pair of new public key and private key when a preset life cycle is timed out or a key updating instruction is received;
and the verification device key updating module is used for updating the encryption key corresponding to the group and the decryption key in the verification device according to the new public key and the new private key.
Wherein, in one embodiment, the apparatus further comprises:
the byte number determining module is used for determining, before the verification data determining module encrypts the information to be verified and the current time with the time-based one-time password algorithm to obtain the check data, that the number of bytes of the information to be verified does not exceed the maximum number of bytes of a single encryption.
Wherein, in one embodiment, the apparatus further comprises:
the fragmentation module is used for slicing the information to be verified into fragments if the byte number determining module determines that the number of bytes of the information to be verified exceeds the maximum number of bytes of a single encryption, and for determining the mark of each fragment according to the position of that fragment in the information to be verified;
the fragment encryption module is used for encrypting each fragment and the current time with the time-based one-time password algorithm to obtain the check data of each fragment; encrypting the check data of each fragment with the encryption key to obtain the ciphertext of each fragment; and determining the order of the fragment ciphertexts from the fragment marks and combining the fragment ciphertexts in that order to obtain the ciphertext of the information to be verified.
Corresponding to the verification method for the information to be verified provided in the embodiment of the present application, an embodiment of the present application further provides a verification apparatus for the information to be verified, and as shown in fig. 14, the apparatus includes:
a ciphertext obtaining module 1401, configured to obtain a ciphertext of the information to be verified;
the decryption module 1402 is configured to decrypt the ciphertext with the decryption key to obtain the check data and the information to be verified contained in the ciphertext; the decryption key and the encryption key used to encrypt the information to be verified form a public/private key pair;
an encryption module 1403, configured to encrypt the current time and the information to be verified obtained from the ciphertext with a one-time password algorithm to obtain verification data; this algorithm is the same time-based one-time password algorithm that was used to encrypt the information to be verified;
a comparison module 1404, configured to compare the verification data with the check data obtained from the ciphertext;
the verification module 1405 is configured to determine that the information to be verified passes verification if the verification data is the same as the check data obtained by decryption.
Otherwise, if the verification data differs from the check data obtained by decryption, it is determined that the information to be verified fails verification.
Wherein, in one embodiment, the apparatus further comprises:
the key acquisition module is used for receiving the decryption key issued by the encryption device, or for receiving a decryption key update request issued by the encryption device and updating the stored decryption key with the decryption key carried in the update request.
Wherein, in one embodiment, the decrypted ciphertext further comprises a random number; the device further comprises:
the random number processing module is used for determining, before the verification module determines that the information to be verified passes verification, that the random number in the ciphertext is not found among the pre-stored random numbers, where the pre-stored random numbers were obtained by decrypting other ciphertexts within a specified time length;
and the verification module is specifically used for determining that the verification fails if the verification data differs from the check data obtained by decryption and/or the random number in the ciphertext is found among the pre-stored random numbers.
Wherein, in one embodiment, the apparatus further comprises:
the fragment ciphertext acquisition module is used for acquiring the ciphertext of one fragment if the ciphertext of the information to be verified contains the fragment mark;
the fragment decryption module is used for decrypting the ciphertext of that fragment with the pre-stored decryption key to obtain the check data and the fragment data of the fragment;
the fragment encryption module is used for encrypting the current time and the fragment data with the time-based one-time password algorithm to obtain the verification data of the fragment;
the fragment comparison module is used for comparing the verification data of the fragment with the check data in the ciphertext of the fragment;
the fragment verification module is used for determining that the information to be verified passes verification if the verification data of the fragment is the same as the check data in the ciphertext of the fragment, and otherwise determining that the information to be verified fails verification.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.
Having described the encryption and authentication method and apparatus of information to be authenticated according to an exemplary embodiment of the present application, a computing apparatus according to another exemplary embodiment of the present application will be described next.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit," "module" or "system."
In some possible embodiments, a computing device according to the present application may include at least one processor and at least one memory (e.g., the aforementioned first server). The memory stores program code, and when the program code is executed by the processor, it causes the processor to execute the steps of the encryption and verification methods for information to be verified according to the various exemplary embodiments of the present application described above in this specification. For example, the processor may perform steps 801 to 802 shown in FIG. 8, or steps 901 to 905 shown in FIG. 9.
The computing device 150 according to this embodiment of the present application is described below with reference to fig. 15. The computing device 150 shown in fig. 15 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present application.
As shown in fig. 15, the computing apparatus 150 is in the form of a general purpose computing device. Components of computing device 150 may include, but are not limited to: the at least one processor 151, the at least one memory 152, and a bus 153 connecting the various system components (including the memory 152 and the processor 151).
Bus 153 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The memory 152 may include readable media in the form of volatile memory, such as Random Access Memory (RAM)1521 and/or cache memory 1522, and may further include Read Only Memory (ROM) 1523.
Memory 152 may also include a program/utility 1525 having a set (at least one) of program modules 1524, such program modules 1524 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The computing apparatus 150 may also communicate with one or more external devices 154 (e.g., keyboard, pointing device, etc.), may also communicate with one or more devices that enable a user to interact with the computing apparatus 150, and/or may communicate with any device (e.g., router, modem, etc.) that enables the computing apparatus 150 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 155. Also, the computing device 150 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 156. As shown, the network adapter 156 communicates with other modules for the computing device 150 over the bus 153. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the computing device 150, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In some possible embodiments, various aspects of the encryption and/or verification method for information to be verified provided by the present application may also be implemented in the form of a program product, which includes program code for causing a computer device to execute the steps of the encryption method and/or the verification method for information to be verified according to the various exemplary embodiments of the present application described above in this specification when the program product runs on the computer device; for example, the computer device may execute steps 801 to 802 shown in fig. 8 and/or steps 901 to 905 shown in fig. 9.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of the embodiments of the present application may employ a portable compact disk read-only memory (CD-ROM), include program code, and be executable on a computing device. However, the program product of the present application is not limited thereto; in this document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device over any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the internet using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided and embodied by a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (13)

1. An offline verification system, characterized by comprising a first server, a terminal device and a verification device, wherein:
the first server is used for generating a private key and a public key of a user group and determining an encryption key and a decryption key among the private key and the public key; after receiving a two-dimensional code acquisition request sent by a user in the user group, encrypting the information to be verified of the user and the current time with a time-based one-time password algorithm to generate check data, encrypting the check data and the information to be verified with the encryption key to obtain a ciphertext, converting the ciphertext into a two-dimensional code, and sending the two-dimensional code to the terminal device of the user for display; and sending the decryption key and the one-time password algorithm to the verification devices of the user group;
the verification device is used for receiving and storing the decryption key of the user group and the one-time password algorithm; after scanning the two-dimensional code displayed by the terminal device, extracting the ciphertext from the two-dimensional code and obtaining the check data and the information to be verified in the ciphertext with the decryption key; encrypting the information to be verified and the current time with the one-time password algorithm to obtain verification data; comparing whether the check data and the verification data are consistent; and if the two are consistent, the verification passes, and if they are not consistent, the verification fails.
2. The system of claim 1, wherein the authentication device comprises a second server in communication with the first server and a code scanning device in communication with the second server, wherein:
the second server is used for receiving and storing the decryption key of the user group and the one-time password algorithm sent by the first server;
and the code scanning device is used for sending the two-dimension code to the second server for verification after scanning the two-dimension code displayed by the terminal device.
3. The system of claim 1, wherein the authentication device comprises a second server in communication with the first server and a code scanning device in communication with the second server, wherein:
the second server is used for receiving and storing the decryption key of the user group and the one-time password algorithm sent by the first server, and then sending the decryption key and the one-time password algorithm to the code scanning device;
and the code scanning device is used for scanning the two-dimensional code displayed by the terminal device and then verifying the two-dimensional code according to a decryption key stored in the code scanning device and the one-time password algorithm.
4. The system of claim 1, wherein the first server is further configured to:
timing a pair of public key and private key of the user group;
when a preset life cycle is timed or a key updating instruction is received, regenerating a pair of new public key and private key;
and updating the encryption key corresponding to the user group and the decryption key in the verification device according to the new public key and the new private key.
5. The system of claim 3, wherein the first server is further configured to generate a public key and a private key for a next life cycle of the user group, and to send a decryption key for the next life cycle to the verification device;
the verification equipment is also used for updating the decryption key to obtain the decryption key of the current life cycle and then storing the decryption key of the previous life cycle and the decryption key of the next life cycle of the user group; when the two-dimensional code is authenticated, decrypting the verification data and the information to be verified in the ciphertext by using a decryption key of the current life cycle; and if the decryption fails, decrypting the verification data and the to-be-verified information in the secret text by using the decryption key of the previous life cycle and/or the decryption key of the next life cycle.
6. The system according to claim 1, wherein, when the first server, after receiving the two-dimensional code acquisition request sent by the user in the user group, encrypts the information to be verified of the user and the current time with the time-based one-time password algorithm to generate the check data, encrypts the check data and the information to be verified with the encryption key to obtain the ciphertext, converts the ciphertext into the two-dimensional code and sends the two-dimensional code to the terminal device of the user for display, the first server is specifically configured to:
after receiving the two-dimensional code request sent by the user, generate a random number, encrypt the information to be verified of the user and the current time with the time-based one-time password algorithm to generate the check data, encrypt the check data, the information to be verified and the random number with the encryption key to obtain the ciphertext, convert the ciphertext into the two-dimensional code, and send the two-dimensional code to the terminal device of the user for display;
and when the verification device obtains the check data and the information to be verified in the ciphertext with the decryption key, encrypts the information to be verified and the current time with the one-time password algorithm to obtain the verification data, compares whether the check data and the verification data are consistent, and passes the verification if they are consistent and fails it if they are inconsistent, the verification device is specifically configured to: obtain the check data, the information to be verified and the random number in the ciphertext with the decryption key; search for the random number of the ciphertext among the pre-stored random numbers; if it is not found and the check data is consistent with the verification data, the two-dimensional code passes verification; and if it is found, the two-dimensional code fails verification.
7. The system of claim 1, wherein the first server is further configured to:
extract a first preset number of time points within a specified time period;
and, for each time point, perform: encrypt the information to be verified of the user and the time point using the time-based one-time password algorithm to generate check data, encrypt the check data and the information to be verified using the encryption key to obtain a ciphertext, convert the ciphertext into a two-dimensional code, and store the two-dimensional code in correspondence with the user.
8. The system of claim 7, wherein
the first server is further configured to, after receiving a request sent by the user to acquire a plurality of two-dimensional codes, obtain, from the stored two-dimensional codes of the user, a second preset number of two-dimensional codes whose time points are after the current time, and send them to the terminal device of the user;
and the terminal device is further configured to store the two-dimensional codes corresponding to the second preset number of time points and, when a display request for displaying the stored two-dimensional codes is received, to select one of the stored two-dimensional codes and display it.
9. The system according to claim 8, wherein the terminal device is further configured to, when a first number of refresh requests for refreshing the currently displayed two-dimensional code are received within the validity period, obtain from the stored two-dimensional codes the two-dimensional code whose time point is after that of the currently displayed two-dimensional code and closest to it, and display it.
10. The system of claim 9, wherein the terminal device is further configured to send a two-dimensional code refresh request to the first server when a second number of refresh requests for refreshing the currently displayed two-dimensional code are received within the validity period, the first number being smaller than the second number.
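The terminal-side behaviour of claims 8 to 10 (a cache of pre-generated codes, a refresh counter within the validity period, and a second threshold at which the terminal goes back to the first server) is easiest to see as a small state machine. The following Go code is an added illustration written for this page, not code from the patent or its assignee; the validity period, the two thresholds and the choice of which stored code to display first are parameters or assumptions, since the claims fix none of them:

```go
package main

import (
	"errors"
	"sort"
	"time"
)

// StoredCode is one pre-generated two-dimensional code kept by the terminal (claims 7 and 8).
type StoredCode struct {
	TimePoint time.Time
	Payload   string // the opaque ciphertext the first server produced for that time point
}

// ErrAskServer signals that the terminal has sent a refresh request to the first server (claim 10).
var ErrAskServer = errors.New("second refresh threshold reached: refresh request sent to the first server")

// Terminal models the refresh behaviour of claims 8 to 10. The thresholds and the validity
// period are parameters here because the patent states no values for them (assumption).
type Terminal struct {
	codes          []StoredCode  // sorted by time point
	current        int           // index of the code being displayed
	refreshes      int           // refresh requests received in the current validity period
	periodStart    time.Time     // start of the validity period being counted
	Validity       time.Duration // the validity period within which refreshes are counted
	FirstNumber    int           // claim 9: switch to the next stored code
	SecondNumber   int           // claim 10: ask the first server for new codes (> FirstNumber)
	ServerRequests int           // refresh requests forwarded to the first server
}

func NewTerminal(codes []StoredCode, validity time.Duration, first, second int) *Terminal {
	sorted := append([]StoredCode(nil), codes...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].TimePoint.Before(sorted[j].TimePoint) })
	return &Terminal{codes: sorted, Validity: validity, FirstNumber: first, SecondNumber: second}
}

// Display picks the stored code to show (claim 8): the earliest one whose time point has not
// yet passed, falling back to the latest one if every stored code lies in the past.
func (t *Terminal) Display(now time.Time) (StoredCode, error) {
	if len(t.codes) == 0 {
		return StoredCode{}, errors.New("no stored codes")
	}
	t.current = len(t.codes) - 1
	for i, c := range t.codes {
		if !c.TimePoint.Before(now) {
			t.current = i
			break
		}
	}
	t.periodStart, t.refreshes = now, 0
	return t.codes[t.current], nil
}

// Refresh handles one user refresh request (claims 9 and 10) and returns the code to show next.
func (t *Terminal) Refresh(now time.Time) (StoredCode, error) {
	if now.Sub(t.periodStart) > t.Validity { // a new validity period starts: the counter restarts
		t.periodStart, t.refreshes = now, 0
	}
	t.refreshes++
	switch {
	case t.refreshes >= t.SecondNumber: // claim 10: the stored codes are not helping, go online
		t.ServerRequests++
		t.refreshes = 0
		return StoredCode{}, ErrAskServer
	case t.refreshes >= t.FirstNumber: // claim 9: the stored code after the current one and closest to it
		if t.current+1 >= len(t.codes) {
			return StoredCode{}, errors.New("no later stored code: a refresh from the first server is needed")
		}
		t.current++
	}
	return t.codes[t.current], nil // below the first threshold: keep showing the current code
}
```

The point of the two thresholds is that a scanner failing to read a code is first handled locally (a different pre-generated code, which also moves the time point forward) and only then by a network round trip, so an offline terminal degrades gracefully; the counter is tied to the validity period so that a burst of refreshes long ago does not push a later session straight to the server.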
11. The system according to any one of claims 1-10, wherein the decryption key is a public key and the encryption key is a private key.
12. A code scanning device, being the code scanning device of a verification device, and comprising a processor, a memory, a two-dimensional code scanner and an interface, wherein:
the interface is used for receiving a decryption key and a one-time password algorithm sent by a second server included in the verification device, wherein the decryption key is the key of a public key and private key pair that is used for decryption, and the one-time password algorithm is a time-based one-time password algorithm;
the memory is used for storing the decryption key and the one-time password algorithm;
the two-dimensional code scanner is used for scanning a two-dimensional code displayed by a terminal device;
the processor is used for extracting a ciphertext from the two-dimensional code scanned by the two-dimensional code scanner and obtaining, using the decryption key, the check data and the information to be verified of a user in the ciphertext; encrypting the information to be verified and the current time using the one-time password algorithm to obtain verification data; comparing whether the check data and the verification data are consistent; and determining that the two-dimensional code passes verification if they are consistent and fails verification if they are not;
wherein the ciphertext is obtained by a first server encrypting the information to be verified of the user and the current time using the time-based one-time password algorithm to generate the check data and then encrypting the check data and the information to be verified using the encryption key; the two-dimensional code is obtained by the first server converting the ciphertext; and the two-dimensional code is sent by the first server to the terminal device of the user for display.
13. A server, comprising:
a processor; and
a memory having computer-readable instructions stored thereon which, when executed by the processor, cause the processor to:
generate a private key and a public key of a user group, and determine, among the private key and the public key, an encryption key and a decryption key;
after receiving a two-dimensional code acquisition request sent by a user of the user group, encrypt the information to be verified of the user and the current time using a time-based one-time password algorithm to generate check data;
encrypt the check data and the information to be verified using the encryption key to obtain a ciphertext, convert the ciphertext into a two-dimensional code, and send the two-dimensional code to the terminal device of the user for display; and
send the decryption key and the one-time password algorithm to the verification device of the user group, so that the verification device receives and stores the decryption key and the one-time password algorithm of the user group; after scanning the two-dimensional code displayed by the terminal device, extracts the ciphertext from the two-dimensional code and obtains the check data and the information to be verified in the ciphertext using the decryption key; encrypts the information to be verified and the current time using the one-time password algorithm to obtain verification data; compares whether the check data and the verification data are consistent; and determines that verification passes if they are consistent and fails if they are not.
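The issue-and-verify protocol of claims 1, 4 to 7, 11, 12 and 13 can be written out end to end in a few dozen lines. The Go code below is an added example for this page, not code from the patent or its assignee, and it makes the following assumptions: the patent's "encrypt with the private key, decrypt with the public key" (claim 11) is realised as an Ed25519 signature that the scanner verifies with the public key; the "time-based one-time password algorithm" applied to the information to be verified and the current time is an HMAC over those two values keyed with a per-group secret that the server is assumed to provision to the verification device along with the decryption key; the 30-second time step, the 16-byte random number of claim 6 and the payload layout (nonce | check data | info | signature, base64-encoded as the text a QR code would carry) are choices made here, not values from the patent. The verifier keeps the public keys of the current, previous and next life cycles and tries them in that order (claim 5), tolerates one time step of clock drift either side, and rejects a random number it has already accepted (claim 6).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"time"
)

// Added example: the 30 s step, nonce length and payload layout are assumptions, not patent values.
const (
	stepSeconds = 30 // TOTP time step
	nonceLen    = 16 // the random number of claim 6
)
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to issue anything rather than emit a guessable nonce
	}
	return b
}

// checkData models "encrypting the information to be verified and the current time with a time-based
// one-time password algorithm": an HMAC over info and the time step, keyed with a per-group secret that
// the server provisions to the verification device together with the decryption key (an assumption).
func checkData(totpSecret []byte, info string, t time.Time) []byte {
	mac := hmac.New(sha256.New, totpSecret)
	mac.Write([]byte(info))
	var step [8]byte
	binary.BigEndian.PutUint64(step[:], uint64(t.Unix()/stepSeconds))
	mac.Write(step[:])
	return mac.Sum(nil)
}

// Group is the first server's state for one user group (claims 1, 4 and 13).
type Group struct {
	priv       ed25519.PrivateKey // the "encryption key", which claim 11 makes the private key
	Pub        ed25519.PublicKey  // the "decryption key" sent to the verification device
	TotpSecret []byte
}

func NewGroup() *Group {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // key generation only fails when the system RNG does
	}
	return &Group{priv: priv, Pub: pub, TotpSecret: randomBytes(32)}
}

// IssueCode builds the text a QR code would carry for time t: nonce | check data | info, signed with
// the group private key and base64-encoded. Called for a list of future time points it yields claim 7's codes.
func (g *Group) IssueCode(info string, t time.Time) string {
	body := append(randomBytes(nonceLen), checkData(g.TotpSecret, info, t)...)
	body = append(body, info...)
	return base64.StdEncoding.EncodeToString(append(body, ed25519.Sign(g.priv, body)...))
}

// Verifier is the offline code scanning device (claims 5, 6 and 12). Keys holds the current
// life cycle's public key first, then the previous and next ones, as claim 5 describes.
type Verifier struct {
	Keys       []ed25519.PublicKey
	TotpSecret []byte
	seen       map[string]bool // random numbers already accepted, for the replay check of claim 6
}
func NewVerifier(keys []ed25519.PublicKey, totpSecret []byte) *Verifier {
	return &Verifier{Keys: keys, TotpSecret: totpSecret, seen: map[string]bool{}}
}

// Verify returns the information to be verified if the code is genuine, current and unused.
func (v *Verifier) Verify(code string, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(code)
	if err != nil || len(raw) < nonceLen+sha256.Size+ed25519.SignatureSize {
		return "", errors.New("malformed code")
	}
	body, sig := raw[:len(raw)-ed25519.SignatureSize], raw[len(raw)-ed25519.SignatureSize:]
	genuine := false
	for _, pub := range v.Keys { // current key first, then the previous and next life cycles
		genuine = genuine || ed25519.Verify(pub, body, sig)
	}
	if !genuine {
		return "", errors.New("signature does not verify under any life-cycle key")
	}
	nonce, cd, info := string(body[:nonceLen]), body[nonceLen:nonceLen+sha256.Size], string(body[nonceLen+sha256.Size:])
	fresh := false
	for d := int64(-1); d <= 1; d++ { // recompute the check data for the current step and one step either side
		fresh = fresh || hmac.Equal(cd, checkData(v.TotpSecret, info, now.Add(time.Duration(d*stepSeconds)*time.Second)))
	}
	if !fresh {
		return "", errors.New("check data does not match the current time: expired code or clock out of sync")
	}
	if v.seen[nonce] {
		return "", errors.New("random number already accepted: replay")
	}
	v.seen[nonce] = true
	return info, nil
}
```

On the server, `NewGroup()` followed by `IssueCode(info, time.Now())` produces the code for a terminal to display; on the scanner, `NewVerifier(keys, secret).Verify(code, time.Now())` performs the offline check. Two details matter for deployment: the signature is checked before the check data, so a forged code costs the scanner one signature verification and never reaches the nonce table; and the `seen` table only needs to remember random numbers from within the accepted time window (three steps here), because anything older is already rejected by the check-data comparison.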
CN201810433700.8A 2018-05-08 2018-05-08 Offline verification system, code scanning device and server Active CN108737394B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810433700.8A CN108737394B (en) 2018-05-08 2018-05-08 Offline verification system, code scanning device and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810433700.8A CN108737394B (en) 2018-05-08 2018-05-08 Offline verification system, code scanning device and server

Publications (2)

Publication Number Publication Date
CN108737394A CN108737394A (en) 2018-11-02
CN108737394B true CN108737394B (en) 2020-05-22

Family

ID=63937240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810433700.8A Active CN108737394B (en) 2018-05-08 2018-05-08 Offline verification system, code scanning device and server

Country Status (1)

Country Link
CN (1) CN108737394B (en)

Families Citing this family (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111160915B (en) * 2018-11-08 2024-01-09 腾讯科技(深圳)有限公司 Riding code verification method and device, traffic code scanning equipment and terminal equipment
CN109635906A (en) * 2018-12-07 2019-04-16 深圳市集虹鼎源科技有限公司 Two-dimensional code generation method and device
CN110070448B (en) * 2019-03-08 2023-10-03 创新先进技术有限公司 Electronic policy processing method and server
CN109862041B (en) * 2019-03-27 2021-06-15 深圳市网心科技有限公司 Digital identity authentication method, equipment, device, system and storage medium
CN110086625A (en) * 2019-03-27 2019-08-02 深圳市星火电子工程公司 A kind of mutual authentication method and system based on ciphering two-dimension code
CN110060044A (en) * 2019-03-29 2019-07-26 北京未来购电子商务有限公司 A kind of method and self-service device of self-service device Offline consumption
CN110138749B (en) * 2019-04-23 2021-12-21 华为技术有限公司 Data security protection method and related equipment
CN110148266A (en) * 2019-04-24 2019-08-20 深圳高汇新科技有限公司 A kind of mode of payment and self-service machine of taking pictures
CN110222542A (en) * 2019-04-28 2019-09-10 新大陆(福建)公共服务有限公司 It is a kind of with the barcode scanning engine and its application method of testing yard function
CN110224810A (en) * 2019-04-28 2019-09-10 新大陆(福建)公共服务有限公司 A kind of method for anti-counterfeit of two dimensional code
CN110222809B (en) * 2019-04-28 2022-11-08 新大陆(福建)公共服务有限公司 Information combination and encryption method of two-dimensional code and two-dimensional code encryption machine
CN110188553B (en) * 2019-05-29 2022-07-12 华南师范大学 Information hiding method based on big data and dynamic environment and robot system
CN110188559A (en) * 2019-05-29 2019-08-30 华南师范大学 Information concealing method and robot system based on big data and dynamic time
CN110321752B (en) * 2019-06-03 2023-07-14 创新先进技术有限公司 Method and device for checking offline graphic codes
CN110335036B (en) * 2019-06-03 2020-11-06 创新先进技术有限公司 Processing and generating method and device of off-line graphic code
CN112149098B (en) * 2019-06-26 2024-05-24 天地融科技股份有限公司 Office system safety control method, device and system
CN110460437A (en) * 2019-07-30 2019-11-15 联永智能科技(上海)有限公司 Method of password authentication, device, equipment and storage medium
CN110336660B (en) * 2019-08-09 2023-03-24 联永智能科技(上海)有限公司 Password generation method, verification method, corresponding device, system and storage medium
CN112541644B (en) * 2019-09-20 2024-07-09 深圳市中兴微电子技术有限公司 Chip identification code distribution method, server and computer readable storage medium
CN110659470B (en) * 2019-09-23 2021-04-20 四川虹微技术有限公司 Authentication method and authentication system for off-line physical isolation
CN112672344B (en) * 2019-09-30 2024-06-25 菜鸟智能物流控股有限公司 Data communication method and device between terminals
CN112712612A (en) * 2019-10-09 2021-04-27 云丁网络技术(北京)有限公司 Method, device, computer readable medium and equipment for controlling intelligent door lock
CN110866016B (en) * 2019-11-26 2022-11-01 青岛华节鼎孚节能科技有限公司 Hydraulic engineering monitoring method and device based on multi-sensor technology and electronic equipment
CN111131162B (en) * 2019-11-26 2022-04-05 广州羊城通有限公司 Method and device for starting two-dimensional code display
CN112929871A (en) * 2019-12-05 2021-06-08 上海艾拉比智能科技有限公司 OTA upgrade package acquisition method, electronic device and storage medium
CN111144531B (en) * 2019-12-10 2023-11-17 深圳左邻永佳科技有限公司 Two-dimensional code generation method and device, electronic equipment and computer readable storage medium
CN112862466A (en) * 2019-12-17 2021-05-28 中国银联股份有限公司 Resource transfer method, account settling terminal and server node
CN111179475B (en) * 2020-01-10 2020-11-24 广东科徕尼智能科技有限公司 System and method for generating temporary password offline
CN113379414A (en) * 2020-03-09 2021-09-10 新开普电子股份有限公司 Identity verification method and terminal suitable for double off-line transactions
CN111599094A (en) * 2020-05-09 2020-08-28 北京嘀嘀无限科技发展有限公司 Charging operation method, charging operation device, terminal, server, electronic equipment and storage medium
CN111797385A (en) * 2020-06-24 2020-10-20 深圳市汇川技术股份有限公司 Operation method and operation system of staging device and readable storage medium
CN111835869B (en) * 2020-07-30 2023-06-16 上海茂声智能科技有限公司 Method, system, equipment and storage medium for centralized control of terminal content
CN111917875A (en) * 2020-07-31 2020-11-10 展讯通信(上海)有限公司 Offline file transmission method and system
CN111935138B (en) * 2020-08-07 2022-03-18 珠海海鹦安全科技有限公司 Protection method and device for secure login and electronic equipment
CN112039876A (en) * 2020-08-28 2020-12-04 中国建设银行股份有限公司 Data ferrying method, device, equipment and medium
CN112364951A (en) * 2020-10-10 2021-02-12 远光软件股份有限公司 Virtual work card management method, related equipment, storage medium and system
CN112202815B (en) * 2020-11-06 2023-10-24 新大陆(福建)公共服务有限公司 Trusted digital identity offline verification device and method
CN112822175B (en) * 2020-12-31 2022-06-28 联想(北京)有限公司 Information access method and device and electronic equipment
CN112788046A (en) * 2021-01-22 2021-05-11 中信银行股份有限公司 Method and system for encrypting transmission information
CN113159865A (en) * 2021-05-12 2021-07-23 武汉众邦银行股份有限公司 Card coupon verification method based on two-dimensional code
CN113362484A (en) * 2021-06-08 2021-09-07 苏州尚华软东信息科技有限公司 Offline attendance checking method and related device
CN113660200A (en) * 2021-07-08 2021-11-16 雅宝科技(深圳)有限公司 Network breaking processing method and system for full-automatic car washing
CN113726766A (en) * 2021-08-27 2021-11-30 成都卫士通信息产业股份有限公司 Offline identity authentication method, system and medium
CN113886848A (en) * 2021-09-23 2022-01-04 深圳优地科技有限公司 Information verification method, information verification device, robot and storage medium
CN114490167A (en) * 2022-01-25 2022-05-13 京东方科技集团股份有限公司 Display terminal verification method and device, storage medium and electronic equipment
CN114489740B (en) * 2022-04-14 2022-06-24 北京金朗维科技有限公司 Online updating method and device for wireless code scanning equipment
CN115378583A (en) * 2022-07-30 2022-11-22 新大陆(福建)公共服务有限公司 Code checking method, system, equipment and storage medium based on local area network
CN117459931B (en) * 2023-10-10 2024-05-31 山东三木众合信息科技股份有限公司 Data encryption method, system and storage medium
CN117857060B (en) * 2024-03-05 2024-05-17 中国人民解放军国防科技大学 Two-dimensional code offline verification method, system and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763356A (en) * 2014-01-08 2014-04-30 深圳大学 Establishment method, device and system for connection of secure sockets layers
CN104079404A (en) * 2014-07-07 2014-10-01 北京深思数盾科技有限公司 Sensitive data secure exchange method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140067678A1 (en) * 2012-09-02 2014-03-06 Mpayme Ltd. Dispute code system for secure mobile payment
CN104852911B (en) * 2015-04-27 2019-02-22 北京小米支付技术有限公司 Safe verification method, apparatus and system
CN105024819B (en) * 2015-05-29 2019-02-12 北京中亦安图科技股份有限公司 A kind of multiple-factor authentication method and system based on mobile terminal
CN106452756B (en) * 2016-11-08 2018-03-30 王栋 Can the safe Quick Response Code construction verification method of off-line verification and device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763356A (en) * 2014-01-08 2014-04-30 深圳大学 Establishment method, device and system for connection of secure sockets layers
CN104079404A (en) * 2014-07-07 2014-10-01 北京深思数盾科技有限公司 Sensitive data secure exchange method and system

Also Published As

Publication number Publication date
CN108737394A (en) 2018-11-02

Similar Documents

Publication Publication Date Title
CN108737394B (en) Offline verification system, code scanning device and server
CN108650082B (en) Encryption and verification method of information to be verified, related device and storage medium
US11683187B2 (en) User authentication with self-signed certificate and identity verification and migration
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
US20200068394A1 (en) Authentication of phone caller identity
CN105050081B (en) Method, device and system for connecting network access device to wireless network access point
CN111435913B (en) Identity authentication method and device for terminal of Internet of things and storage medium
US9852300B2 (en) Secure audit logging
CN112737779B (en) Cryptographic machine service method, device, cryptographic machine and storage medium
CN109510802B (en) Authentication method, device and system
US20200302043A1 (en) Authentication system
US10826895B1 (en) System and method for secure authenticated user session handoff
CN101510888B (en) Method, device and system for improving data security for SaaS application
US20070101145A1 (en) Framework for obtaining cryptographically signed consent
US20050144439A1 (en) System and method of managing encryption key management system for mobile terminals
CN108471403B (en) Account migration method and device, terminal equipment and storage medium
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN104486087A (en) Digital signature method based on remote hardware security modules
US20220045848A1 (en) Password security hardware module
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN113886793A (en) Device login method, device, electronic device, system and storage medium
CN118432826B (en) Group device registration and identity authentication method, system, device and storage medium
Xu et al. Qrtoken: Unifying authentication framework to protect user online identity
CN109981678B (en) Information synchronization method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant