CN110190964B - Identity authentication method and electronic equipment - Google Patents

Identity authentication method and electronic equipment Download PDF

Info

Publication number
CN110190964B
CN110190964B CN201910406642.4A CN201910406642A CN110190964B CN 110190964 B CN110190964 B CN 110190964B CN 201910406642 A CN201910406642 A CN 201910406642A CN 110190964 B CN110190964 B CN 110190964B
Authority
CN
China
Prior art keywords
temporary
key
public key
server
identity authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910406642.4A
Other languages
Chinese (zh)
Other versions
CN110190964A (en
Inventor
顾志松
王彦杰
顾振华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Keda Technology Co Ltd
Original Assignee
Suzhou Keda Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Keda Technology Co Ltd filed Critical Suzhou Keda Technology Co Ltd
Priority to CN201910406642.4A priority Critical patent/CN110190964B/en
Publication of CN110190964A publication Critical patent/CN110190964A/en
Application granted granted Critical
Publication of CN110190964B publication Critical patent/CN110190964B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to the technical field of video conferences, and particularly discloses an identity authentication method and electronic equipment, wherein the method comprises the following steps: generating a temporary key pair; the temporary key pair comprises a temporary public key and a temporary private key; sending the temporary public key to the security hardware; receiving temporary public key authentication data returned by the security hardware based on the temporary public key; the temporary public key authentication data is obtained by signing the temporary public key by using a hardware private key for the security hardware; signing the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and adding the temporary public key authentication data into the signature message; and sending the signature message to the client so that the client can perform identity authentication on the server. In the security hardware, only a hardware private key is needed to sign the temporary public key once, and the rest of signatures for the identity authentication data sent by each client can be completed in the server; the signature is carried out by utilizing the processing performance of the server, so that the efficiency of identity authentication is greatly improved.

Description

Identity authentication method and electronic equipment
Technical Field
The invention relates to the technical field of video conferences, in particular to an identity authentication method and electronic equipment.
Background
In an asymmetric cryptosystem, the public key is made public, while the private key must be kept secret. To securely store the private key, the private key is typically saved to a secure chip, USBKey, or a cryptographic card. Once the private key is imported into the secure hardware, the private key cannot be read any more, and only certain operations, such as signature or decryption, can be performed by using the internal private key.
When the security hardware is used in combination with the video conference platform server, since a video conference may concurrently log in hundreds of thousands of terminal devices, the security hardware needs to perform identity authentication on hundreds of thousands of terminal devices, or decrypt data sent by terminals, and the like. Specifically, each client generates a random number and sends the random number to the server, the server sends the random number to the security hardware, the security hardware signs the random number by using a stored private key and then sends the random number to the client through the server, and then the client verifies the identity of the server by verifying the signature by using a server public key. However, due to the computing performance of these security hardware, the speed of authentication is relatively slow, and meanwhile, in the process of key exchange, a private key in the security hardware in the server needs to be used for decryption, and the speed of key exchange is also slow due to the adoption of the security hardware for decryption, which cannot meet the requirement of high-capacity computing.
Disclosure of Invention
In view of this, embodiments of the present invention provide an identity authentication method and an electronic device, so as to solve the problem of low efficiency of identity authentication.
According to a first aspect, an embodiment of the present invention provides an identity authentication method, where the identity authentication method is performed by a server, and the identity authentication method includes:
generating a temporary key pair; wherein the temporary key pair comprises a temporary public key and a temporary private key;
sending the temporary public key to secure hardware;
receiving temporary public key authentication data returned by the safety hardware based on the temporary public key; the temporary public key authentication data is obtained by signing the temporary public key by a hardware private key for the security hardware;
signing identity authentication data sent by a client based on the temporary private key to obtain a signature message, and adding the temporary public key authentication data to the signature message;
and sending the signature message to the client so that the client can perform identity authentication on the server.
The identity authentication method provided by the embodiment of the invention adopts the hardware private key in the security hardware to determine the identity of the temporary public key, for the identity authentication of the server, the temporary public key only needs to be signed once by adopting the hardware private key in the security hardware, and the rest of the signatures of the identity authentication data sent by each client can be completed in the server; namely, the temporary key pair in the server is adopted to transfer the original signature of the identity authentication data of different clients in the security hardware to the server to finish the signature, and the processing performance of the server is utilized to sign the identity authentication data of different clients, so that the identity authentication efficiency is greatly improved.
With reference to the first aspect, in a first implementation manner of the first aspect, the generating a temporary key pair includes:
starting a data processing process, wherein the data processing process is used for processing communication data between the server and at least one client;
and generating the temporary key pair in the memory of the server by utilizing the data processing process.
According to the identity authentication method provided by the embodiment of the invention, as the temporary secret key pair is temporarily generated when the data processing process is started every time, the security of the next start cannot be influenced even if the temporary secret key pair is stolen, and the identity authentication efficiency is ensured on the premise of not influencing the basic security requirement; meanwhile, because the processes of the operating system all operate in a virtual mode, each process has an independent address space, an attacker generally cannot perform cross-process access on the secret key in the process memory, and the safety of identity authentication is further ensured.
With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, after the step of receiving the temporary public key authentication data returned by the secure hardware based on the temporary public key, the method further includes:
and storing the temporary public key authentication data in a memory of the server.
With reference to the first aspect, in a third implementation manner of the first aspect, after the sending the signed message to the client, the method further includes:
receiving an encrypted session key sent by the client, wherein the encrypted session key is obtained by encrypting the session key by the client by using the temporary public key, and the session key is used for encrypting communication data between the server and the client;
and decrypting the encrypted session key by using the temporary private key to obtain the session key.
The identity authentication method provided by the embodiment of the invention has the advantages that after the identity of the temporary public key is confirmed by the hardware private key in the security hardware, the session key can be decrypted by directly using the server without decrypting by using the security hardware, and the processing performance of the server is far greater than that of the security hardware, so that the encryption and decryption efficiency of the session key can be greatly improved.
With reference to the first embodiment of the first aspect, in a fourth embodiment of the first aspect, the method further includes:
and when the data processing process is finished, clearing the temporary key pair.
The identity authentication method provided by the embodiment of the invention ensures the security of identity authentication by clearing the sensitive data of the temporary key pair.
With reference to the first aspect, or any one of the first to fourth embodiments of the first aspect, in a fifth embodiment of the first aspect, the method further comprises:
clearing the temporary key pair at preset time intervals, and regenerating a new temporary key pair;
signing and authenticating a client which does not authenticate the server by using the new temporary secret key pair, and/or encrypting and decrypting a session secret key by using the new temporary secret key pair; wherein the session key is used for encrypting communication data between the server and the client.
The identity authentication method provided by the embodiment of the invention ensures the safety of the temporary secret key pair through updating the temporary secret key pair, thereby ensuring the safety of identity authentication.
According to a second aspect, an embodiment of the present invention further provides an identity authentication method, where the identity authentication method is performed by a client, and the identity authentication method includes:
acquiring a signature message sent by a server; the signature message is obtained by the server signing the identity authentication data of the client by adopting a temporary private key, the signature message carries temporary public key authentication data, and the temporary public key authentication data is obtained by the security hardware signing the temporary public key by adopting a hardware private key;
adopting a hardware public key to check and sign the temporary public key authentication data so as to extract the temporary public key; wherein the hardware public key corresponds to the hardware private key;
and checking the signed identity authentication data based on the temporary public key so as to authenticate the identity of the server.
The identity authentication method provided by the embodiment of the invention adopts the hardware private key in the security hardware to confirm the identity of the temporary public key, for the identity authentication of the server, only the hardware private key is needed to sign the temporary public key once in the security hardware, and the rest of the signatures of the identity authentication data sent by each client can be completed in the server; namely, the temporary key pair in the server is adopted to transfer the original signature of the identity authentication data of different clients in the security hardware to the server to finish the signature, and the processing performance of the server is utilized to sign the identity authentication data of different clients, so that the identity authentication efficiency is greatly improved.
With reference to the second aspect, in a first implementation manner of the second aspect, after the step of verifying the signed identity authentication data based on the temporary public key, the method further includes:
when the identity authentication of the server is successful, encrypting a session key by using the temporary public key to obtain an encrypted session key; wherein the session key is used for encrypting communication data between the server and the client;
sending the encrypted session key to the server.
According to the identity authentication method provided by the embodiment of the invention, as the temporary public key adopts the hardware private key in the security hardware to determine the identity, the temporary public key generated by the server can be directly used for encrypting the session key, the subsequent decryption of the session key can be directly realized by the server without the security hardware, and the processing performance of the server is far higher than that of the security hardware, so that the efficiency of encrypting and decrypting the session key can be greatly improved.
According to a third aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions, and the processor executing the computer instructions to perform the identity authentication method according to the first aspect or any one of the embodiments of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores computer instructions for causing a computer to execute the identity authentication method described in the first aspect or any one of the implementation manners of the first aspect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
FIG. 3 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
FIG. 4 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
FIG. 5 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
FIG. 6 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
FIG. 7 is a flow diagram of a method of identity authentication according to an embodiment of the present invention;
fig. 8 is a block diagram of the structure of an identity authentication apparatus according to an embodiment of the present invention;
fig. 9 is a block diagram of the structure of an identity authentication apparatus according to an embodiment of the present invention;
fig. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The application scenarios of the identity authentication method and the key exchange method in the embodiment of the present invention may be as follows: in the video conference, a video conference is performed between a server and clients, wherein the number of the clients can be set according to actual situations, and the following describes in detail by taking a plurality of clients as an example.
The secure hardware described in the embodiments of the present invention is electrically connected to a processor in a server, and the secure hardware can be understood as a password card, a usb key, or the like. The operation speed of the processor of the server far exceeds that of the password card, and the server can also utilize the multi-core processor to perform multi-thread parallel computation, so that the operation performance can be greatly improved. For example, the signature speed of a general USBKey can only reach 50 times/second, and the signature speed of a single core of an Inter Xeon E5-2620 processor can reach 2000 times/second. If 16 cores are calculated in parallel, a signature speed of 2000 x 16-32000 times/second can be achieved. Thus, the identity authentication can theoretically be put to the processor of the server for processing. However, since the hardware private key is stored in the secure hardware and cannot be read, the hardware private key cannot be directly taken into the processor for operation. Based on this, the inventor of the present application proposes to generate a temporary key pair in the server and perform signature authentication with a hardware private key in the secure hardware. The secure hardware only needs to use the hardware private key to perform signature authentication on the temporary key once, and all subsequent data processing can be performed in the server by using the temporary key, so that the data processing efficiency is greatly improved.
Specifically, for the server, the server includes a processor and secure hardware, and based on the identity authentication method provided by the embodiment of the present invention, the secure hardware only needs to perform a signing operation once to sign the temporary public key generated by the server, and all subsequent processes of signing, encrypting and decrypting can be executed in the processor of the server, regardless of the secure hardware. The method can greatly utilize the processing performance of the server and improve the data processing efficiency.
In accordance with an embodiment of the present invention, there is provided an identity authentication method embodiment, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.
The embodiment provides an identity authentication method, which can be applied to a processor of a server in a video conference and can also be applied to other processors, and in short, the method is executed by the server. The processor of the server is hereinafter described in detail as an example. Fig. 1 is a flowchart of an identity authentication method according to an embodiment of the present invention, and as shown in fig. 1, the flowchart includes the following steps:
s11, a temporary key pair is generated.
Wherein the temporary key pair comprises a temporary public key and a temporary private key.
The processor of the server may generate the temporary key pair in real time at the start of the videoconference. The public key of the server is called a hardware public key, and the private key of the server is called a hardware private key. The hardware public key corresponds to the hardware private key, the hardware private key is stored in the secure hardware, and the hardware public key is generally sent to the client in the form of a digital certificate.
The temporary key pair may be updated every video conference, or may be updated every preset time in the same video conference, where the update time or update time of the temporary key pair is not limited at all. For the server to update the temporary key pair, if the client terminal has already verified the server identity and is online before the temporary key pair is updated, the client terminals do not need to verify the server identity again; however, it is necessary to use an updated temporary key pair when encrypting communication data later. If the client is disconnected and on-line again after the temporary key pair is updated, or the newly added clients can be collectively called as clients of the unauthenticated server; the client of the unauthenticated server needs to authenticate the identity of the server and encrypt subsequent communication data by using the updated temporary key.
S12, sending the temporary public key to the secure hardware.
The processor of the server sends the acquired temporary public key to the secure hardware so that the secure hardware signs it with the stored hardware private key.
And S13, receiving the temporary public key authentication data returned by the security hardware based on the temporary public key.
The temporary public key authentication data is obtained by signing the temporary public key by a hardware private key for the security hardware.
After the processor of the server sends the temporary public key to the security hardware, the security hardware signs the acquired temporary public key by using the hardware private key to obtain the authentication data of the temporary public key. After obtaining the temporary public key authentication data, the processor of the server may store the temporary public key authentication data in the memory for subsequent identity authentication.
And S14, signing the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and adding the temporary public key authentication data to the signature message.
When the client is connected with the server, the client sends the identity authentication data to the server, and the processor of the server signs the identity authentication data by using the temporary private key, wherein the specific signature mode is similar to the signature for identity authentication by using a hardware private key, and the description is omitted here.
The processor of the server also adds the temporary public key authentication data sent by the security hardware into the signature message, and sends the temporary public key authentication data to the client.
Alternatively, the authentication data sent by the client may be a random number generated by the client. For example, when a plurality of clients connect to the server, each client generates a random number and sends the random number to the server, and after receiving the random number, the server signs each random number with the temporary private key in the processor, and appends the temporary public key authentication data received in S13 to form a signature message and sends the signature message to the corresponding client.
And S15, sending the signature message to the client for the client to perform identity authentication on the server.
The signature message comprises two kinds of signature data: (1) the secure hardware adopts a hardware private key to sign data of the temporary public key; (2) and the processor of the server adopts the temporary private key to sign the identity authentication data sent by the client. And the processor of the server sends the obtained signature message to the client, and the client performs identity authentication on the server based on the received signature message. Hereinafter, a method of the client authenticating the server will be described in detail.
In the identity authentication method provided by this embodiment, the hardware private key in the secure hardware is used to confirm the identity of the temporary public key, for the identity authentication of the server, the temporary public key only needs to be signed once by the hardware private key in the secure hardware, and the rest of the signatures for the identity authentication data sent by each client can be completed in the server; namely, the temporary key pair is adopted to transfer the original signature of the identity authentication data of different clients in the security hardware to the server to finish the signature, and the processing performance of the server is utilized to sign the identity authentication data of different clients, so that the identity authentication efficiency is greatly improved.
In this embodiment, an identity authentication method is further provided, which may be applied to a processor of a server in a video conference, and fig. 2 is a flowchart of the identity authentication method according to the embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
s21, a temporary key pair is generated.
Wherein the temporary key pair comprises a temporary public key and a temporary private key.
The temporary key pair is generated by a processor of the server in real time when data processing is started, and specifically, the step comprises the following steps:
s211, starting a data processing process.
The data processing process is used for processing communication data between the server and at least one client.
Taking a video conference as an example, when a server starts the video conference, a data processing process is started in a memory, and the data processing process is used for identity authentication and subsequent data encryption and decryption. Alternatively, it is understood that the data processing process is for processing communication data in the entire video conference.
S212, a temporary key pair is generated in the memory of the server by using the data processing process.
The processor of the server generates a temporary key pair in real time in the memory when starting the data processing process.
S22, sending the temporary public key to the secure hardware.
Please refer to S12 in fig. 1, which is not described herein again.
And S23, receiving the temporary public key authentication data returned by the security hardware based on the temporary public key.
The temporary public key authentication data is obtained by the secure hardware through signing the temporary public key by using a hardware private key.
Please refer to S13 in fig. 1, which is not described herein again.
And S24, signing the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and adding the temporary public key authentication data to the signature message.
Wherein, the signature message also carries temporary public key authentication data.
Specifically, the steps include:
and S241, signing the identity authentication data by using the temporary private key to obtain a signature message.
And the processor of the server signs the identity authentication data sent by each client by using the generated temporary private key, so that a signature message can be obtained.
S242, extracting the temporary public key authentication data from the memory.
The processor of the server stores the temporary public key authentication data returned by the secure hardware in the memory after receiving it in S23. At this time, the processor of the server only needs to extract the temporary public key authentication data from the memory.
S243, adding the temporary public key authentication data to the signature message.
The processor of the server appends the temporary public key authentication data to the signature data.
And S25, sending the signature message to the client for the client to perform identity authentication on the server.
Please refer to S15 in fig. 1, which is not described herein again.
S26, determine whether the data processing process is finished.
The monitoring of the process ending may be that the data processing process monitors whether a command to stop the data processing process is received in real time, and when the command is received, the data processing process is ended at the moment.
Alternatively, the processor of the server may also determine whether the data processing process is finished in other manners, and the specific determination method is not limited herein.
When the data processing process is finished, the temporary key pair is cleared. Otherwise, S26 is executed. The safety of identity authentication is ensured by clearing the sensitive data of the temporary key pair.
In the identity authentication method provided by the embodiment, because the temporary key pair is temporarily generated each time the data processing process is started, the security of the next start cannot be influenced even if the temporary key pair is stolen, and the identity authentication efficiency is ensured on the premise of not influencing the basic security requirement; meanwhile, because the processes of the operating system all operate in a virtual mode, each process has an independent address space, an attacker generally cannot perform cross-process access on the secret key in the process memory, and the safety of identity authentication is further ensured.
An embodiment of the present invention further provides an identity authentication method, which may be applied to a processor of a server in a video conference, and fig. 2 is a flowchart of the identity authentication method according to the embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
s31, a temporary key pair is generated.
Please refer to S21 in fig. 2 for details, which are not described herein.
S32, sending the temporary public key to the secure hardware.
Please refer to S21 in fig. 2 for details, which are not described herein.
And S33, receiving the temporary public key authentication data returned by the security hardware based on the temporary public key.
The temporary public key authentication data is obtained by the secure hardware through signing the temporary public key by using a hardware private key.
Please refer to S23 in fig. 2 for details, which are not described herein.
And S34, signing the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and adding the temporary public key authentication data to the signature message.
Please refer to S24 in fig. 2 for details, which are not described herein.
And S35, sending the signature message to the client for the client to perform identity authentication on the server.
Please refer to S25 in fig. 2 for details, which are not described herein.
And S36, receiving the encrypted session key sent by the client.
The encrypted session key is obtained by encrypting the session key by the client by using the temporary public key, and the session key is used for encrypting communication data between the server and the client.
When the client successfully authenticates the identity of the server, the server can receive the encrypted session key sent by the server.
And S37, decrypting the encrypted session key by using the temporary private key to obtain the session key.
The processor of the server decrypts the encrypted session key by using the stored temporary private key, and the session key can be decrypted by using the temporary private key because the encrypted session key is obtained by encrypting by using the temporary public key and the temporary private key corresponds to the temporary public key.
The processor of the subsequent server can utilize the session key obtained by decryption to encrypt and decrypt the video data.
S38, determine whether the data processing process is finished.
When the data processing process is finished, the temporary key pair is cleared. Otherwise, S38 is executed.
In the identity authentication method provided by this embodiment, after the identity of the temporary public key is confirmed by using the hardware private key in the secure hardware, the session key can be decrypted by directly using the processor of the server without decrypting by using the secure hardware, and since the processing performance of the server is much greater than that of the secure hardware, the efficiency of encrypting and decrypting the session key can be greatly improved.
In accordance with an embodiment of the present invention, there is provided an identity authentication method embodiment, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.
In this embodiment, an identity authentication method is provided, which may be applied to a client in a video conference, and fig. 4 is a flowchart of an identity authentication method according to an embodiment of the present invention, as shown in fig. 3, where the flowchart includes the following steps:
and S41, acquiring the signature message sent by the server.
The signature message is obtained by the server signing the identity authentication data of the client by adopting a temporary private key, the signature message carries temporary public key authentication data, and the temporary public key authentication data is obtained by the security hardware signing the temporary public key by adopting a hardware private key.
The signed message is sent to the client by the server, wherein for the description of the temporary public key authentication data, refer to the description of S13 in the embodiment shown in fig. 1 or the description of S23 in the embodiment shown in fig. 2; for the description of the signature message, please refer to S14 in the embodiment shown in fig. 1 or S24 in the embodiment shown in fig. 2, which is not described herein again.
And S42, verifying and signing the temporary public key authentication data by adopting the hardware public key to extract the temporary public key.
Wherein the hardware public key corresponds to the hardware private key.
After the client acquires the signature message, the client checks the signature of the temporary public key authentication data by adopting the hardware public key corresponding to the hardware private key, and aims to extract the temporary public key in the temporary public key authentication data.
And S43, verifying the signed identity authentication data based on the temporary public key so as to authenticate the identity of the server.
The client checks the signed identity authentication data of the server by using the temporary public key, extracts the identity authentication data in the signature message, compares the extracted identity authentication data with the identity authentication data sent to the server, and when the extracted identity authentication data and the identity authentication data are the same, the identity authentication is successful; otherwise, the identity authentication fails.
For example, the client checks the signed random number of the server by using the temporary public key, and extracts a first random number; the client sends the server a second random number, and when the first random number is the same as the second random number, the identity authentication is successful; otherwise, the identity authentication fails.
In the identity authentication method provided by this embodiment, the hardware private key in the secure hardware is used to confirm the identity of the temporary public key, for the identity authentication of the server, the temporary public key only needs to be signed once by the hardware private key in the secure hardware, and the rest of the signatures for the identity authentication data sent by each client can be completed in the server; namely, the temporary key pair is adopted to transfer the original signature of the identity authentication data of different clients in the security hardware to the server to finish the signature, and the processing performance of the server is utilized to sign the identity authentication data of different clients, so that the identity authentication efficiency is greatly improved.
In this embodiment, a key exchange method is provided, which may be applied to a client in a video conference system, and fig. 5 is a flowchart of the key exchange method according to an embodiment of the present invention, as shown in fig. 5, the flowchart includes the following steps:
and S51, acquiring the signature message sent by the server.
The signature message is obtained by the server signing the identity authentication data of the client by adopting a temporary private key, the signature message carries temporary public key authentication data, and the temporary public key authentication data is obtained by the security hardware signing the temporary public key by adopting a hardware private key.
Please refer to S41 in fig. 4 for details, which are not described herein.
And S52, verifying and signing the temporary public key authentication data by adopting the hardware public key to extract the temporary public key.
Wherein the hardware public key corresponds to the hardware private key.
Please refer to S42 in fig. 4 for details, which are not described herein.
And S53, verifying the signed identity authentication data based on the temporary public key so as to authenticate the identity of the server.
Please refer to S43 in fig. 4 for details, which are not described herein.
And S54, when the identity authentication of the server is successful, encrypting the session key by using the temporary public key to obtain an encrypted session key.
Wherein the session key is used for encrypting communication data between the server and the client.
When the client successfully authenticates the server, the client can encrypt the session key by using the temporary public key to obtain an encrypted session key.
S55, the encrypted session key is sent to the server.
The client sends the encrypted session key to the server, and the processor of the subsequent server can decrypt the session key in the encrypted session key by using the temporary private key corresponding to the temporary public key.
In the identity authentication method provided by this embodiment, since the temporary public key has already confirmed the identity by using the hardware private key in the secure hardware, the session key can be directly encrypted by using the temporary public key generated by the server, and the subsequent decryption of the session key can be directly implemented by using the server without using the secure hardware.
In accordance with an embodiment of the present invention, there is provided an identity authentication method embodiment, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.
In this embodiment, an identity authentication method is provided, which may be applied to a video conference system, and fig. 6 is a flowchart of an identity authentication method according to an embodiment of the present invention, as shown in fig. 6, where the flowchart includes the following steps:
s61, the server generates a temporary key pair.
Wherein the temporary key pair comprises a temporary public key and a temporary private key.
Please refer to S11 in fig. 1, which is not described herein again.
As an alternative to this embodiment, reference may also be made to S21 of the embodiment shown in fig. 2.
S62, the server sends the temporary public key to the secure hardware.
Please refer to S12 in fig. 1, which is not described herein again.
And S63, the security hardware adopts the hardware private key to sign the temporary public key so as to obtain the temporary public key authentication data.
Please refer to the description of the temporary public key authentication data in S13 in the embodiment shown in fig. 1 for details, which are not described herein again.
S64, the secure hardware sends the temporary public key authentication data to the server.
Please refer to S14 in fig. 1, which is not described herein again.
As an alternative to this embodiment, reference may also be made to S24 of the embodiment shown in fig. 2.
And S65, the server signs the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and adds the temporary public key authentication data to the signature message.
Please refer to S14 in fig. 1, which is not described herein again.
As an alternative to this embodiment, reference may also be made to S24 of the embodiment shown in fig. 2.
And S66, the server sends the signature message to the client so that the client can authenticate the server.
Please refer to S15 in fig. 1, which is not described herein again.
And S67, the client adopts the hardware public key to check and sign the temporary public key authentication data so as to extract the temporary public key.
Wherein the hardware public key corresponds to the hardware private key.
Please refer to S42 in fig. 4 for details, which are not described herein.
And S68, verifying the signed identity authentication data based on the temporary public key so as to authenticate the identity of the server.
Please refer to S43 in fig. 4 for details, which are not described herein.
In this embodiment, an identity authentication method is provided, which may be applied to a video conference system, and fig. 7 is a flowchart of an identity authentication method according to an embodiment of the present invention, as shown in fig. 7, where the flowchart includes the following steps:
s701, the server generates a temporary key pair.
Wherein the temporary key pair comprises a temporary public key and a temporary private key.
Please refer to S11 in fig. 1, which is not described herein again.
As an alternative to this embodiment, reference may also be made to S21 of the embodiment shown in fig. 2.
S702, the server sends the temporary public key to the security hardware.
Please refer to S12 in fig. 1, which is not described herein again.
And S703, the security hardware adopts the hardware private key to sign the temporary public key so as to obtain the temporary public key authentication data.
Please refer to the description of the temporary public key authentication data in S13 in the embodiment shown in fig. 1 for details, which are not described herein again.
S704, the security hardware sends the temporary public key authentication data to the server.
Please refer to S14 in fig. 1, which is not described herein again.
As an alternative to this embodiment, reference may also be made to S24 of the embodiment shown in fig. 2.
S705, the server signs the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and adds the temporary public key authentication data to the signature message.
Please refer to S14 in fig. 1, which is not described herein again.
As an alternative to this embodiment, reference may also be made to S24 of the embodiment shown in fig. 2.
S706, the server sends the signature message to the client, so that the client can perform identity authentication on the server.
Please refer to S15 in fig. 1, which is not described herein again.
And S707, the client adopts the hardware public key to check and sign the temporary public key authentication data so as to extract the temporary public key.
Wherein the hardware public key corresponds to the hardware private key.
Please refer to S42 in fig. 4 for details, which are not described herein.
And S708, the client checks the signed identity authentication data based on the temporary public key so as to authenticate the identity of the server.
Please refer to S43 in fig. 4 for details, which are not described herein.
And S709, when the identity authentication of the server is successful, the client encrypts the session key by using the temporary public key to obtain an encrypted session key.
Wherein the session key is used for encrypting communication data between the server and the client.
Please refer to S54 in fig. 5, which is not repeated herein.
S710, the client sends the encrypted session key to the server.
Please refer to S55 in fig. 5, which is not repeated herein.
And S711, the server decrypts the encrypted session key by using the temporary private key to obtain the session key.
Please refer to S37 in fig. 3 for details, which are not described herein.
S712, judging whether the data processing process is finished.
When the data processing process is finished, the temporary key pair is cleared. Otherwise, S712 is performed.
In this embodiment, an identity authentication apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and the description already made is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
The present embodiment provides an identity authentication apparatus, which may be applied to a server in a video conference system, as shown in fig. 8, including:
a key generation module 81 for generating a temporary key pair; wherein the temporary key pair comprises a temporary public key and a temporary private key.
A first sending module 82, configured to send the temporary public key to the secure hardware.
A first receiving module 83, configured to receive temporary public key authentication data returned by the secure hardware based on the temporary public key; the temporary public key authentication data is obtained by the secure hardware through signing the temporary public key by using a hardware private key.
And the identity authentication module 84 is configured to sign the identity authentication data sent by the client based on the temporary private key to obtain a signature message, and add the temporary public key authentication data to the signature message.
And a second sending module 85, configured to send the signature message to the client, so that the client performs identity authentication on the server.
In the identity authentication device provided by this embodiment, only the hardware private key needs to be used to sign the temporary public key once in the security hardware, and the rest of the signatures for the identity authentication data sent by each client can be completed in the server; namely, the temporary key pair is adopted to transfer the original signature of the identity authentication data of different clients in the security hardware to the server to finish the signature, and the processing performance of the server is utilized to sign the identity authentication data of different clients, so that the identity authentication efficiency is greatly improved.
The present embodiment provides an identity authentication apparatus, which may be applied to a client in a video conference system, as shown in fig. 9, including:
a first obtaining module 91, configured to obtain a signature message sent by a server; the signature message is obtained by the server signing the identity authentication data of the client by adopting a temporary private key, the signature message carries temporary public key authentication data, and the temporary public key authentication data is obtained by the security hardware signing the temporary public key by adopting a hardware private key.
The signature verification module 92 is configured to verify and sign the temporary public key authentication data by using a hardware public key to extract the temporary public key; wherein the hardware public key corresponds to the hardware private key.
And the determining module 93 is configured to verify the signed identity authentication data based on the temporary public key, so as to perform identity authentication on the server.
The identity authentication device provided by this embodiment adopts the hardware private key in the secure hardware to confirm the identity of the temporary public key, and for the identity authentication of the server, only the hardware private key needs to be adopted to sign the temporary public key once in the secure hardware, and the rest of signatures for the identity authentication data sent by each client can be completed in the server; namely, the temporary key pair is adopted to transfer the original signature of the identity authentication data of different clients in the security hardware to the server to finish the signature, and the processing performance of the server is utilized to sign the identity authentication data of different clients, so that the identity authentication efficiency is greatly improved.
The authentication means, or key exchange means, in this embodiment is presented in the form of functional units, where a unit refers to an ASIC circuit, a processor and memory executing one or more software or fixed programs, and/or other devices that may provide the above-described functionality.
Further functional descriptions of the modules are the same as those of the corresponding embodiments, and are not repeated herein.
An embodiment of the present invention further provides an electronic device, which has the identity authentication apparatus shown in fig. 8 when the electronic device is used as a server in a video conference system; when the electronic device is used as a client in a video conference system, the electronic device has the identity authentication device shown in fig. 9.
Referring to fig. 10, fig. 10 is a schematic structural diagram of an electronic device according to an alternative embodiment of the present invention, as shown in fig. 10, the electronic device may include: at least one processor 101, such as a Central Processing Unit (cpu), at least one communication interface 103, memory 104, and at least one communication bus 102. Wherein the communication bus 102 is used for enabling connection communication between these components. The communication interface 103 may include a Display (Display) and a Keyboard (Keyboard), and the optional communication interface 103 may also include a standard wired interface and a standard wireless interface. The Memory 104 may be a high-speed RAM (Random Access Memory) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The memory 104 may optionally be at least one memory device located remotely from the processor 101. When the electronic device is a server in a video conference system, the processor 101 may be combined with the identity authentication apparatus described in fig. 8, an application program is stored in the memory 104, and the processor 101 calls a corresponding program code stored in the memory 104 for executing the steps of the identity authentication method in the embodiment shown in fig. 1 to 3. When the electronic device is a client in a video conference system, the processor 101 may be combined with the authentication apparatus described in fig. 9, an application program is stored in the memory 104, and the processor 101 calls the corresponding program code stored in the memory 104 for executing the steps of the authentication method in the embodiments shown in fig. 4 to 5.
The communication bus 102 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus 102 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 10, but this is not intended to represent only one bus or type of bus.
The memory 104 may include a volatile memory (RAM), such as a random-access memory (RAM); the memory may also include a non-volatile memory (english: non-volatile memory), such as a flash memory (english: flash memory), a hard disk (english: hard disk drive, abbreviated: HDD) or a solid-state drive (english: SSD); the memory 104 may also comprise a combination of the above types of memory.
The processor 101 may be a central processing unit (abbreviated as processor), a network processor (abbreviated as NP), or a combination of a processor and an NP.
The processor 101 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
Optionally, the memory 104 is also used to store program instructions. Processor 101 may invoke program instructions to implement the authentication method as shown in the embodiments of fig. 1-3 of the present application, or the authentication method shown in the embodiments of fig. 4-5.
Embodiments of the present invention further provide a non-transitory computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions may execute the identity authentication method or the key exchange method in any of the above method embodiments. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An identity authentication method, wherein the identity authentication method is executed by a server, and wherein the identity authentication method comprises:
generating a temporary key pair; wherein the temporary key pair comprises a temporary public key and a temporary private key;
sending the temporary public key to secure hardware;
receiving temporary public key authentication data returned by the safety hardware based on the temporary public key; the temporary public key authentication data is obtained by signing the temporary public key by a hardware private key for the security hardware;
signing identity authentication data sent by a client based on the temporary private key to obtain a signature message, and adding the temporary public key authentication data to the signature message;
and sending the signature message to the client so that the client can perform identity authentication on the server.
2. The method of claim 1, wherein the generating a temporary key pair comprises:
starting a data processing process, wherein the data processing process is used for processing communication data between the server and at least one client;
and generating the temporary key pair in the memory of the server by utilizing the data processing process.
3. The method of claim 2, wherein after the step of receiving the temporary public key authentication data returned by the secure hardware based on the temporary public key, further comprising:
and storing the temporary public key authentication data in a memory of the server.
4. The method of claim 1, wherein after sending the signed message to the client, further comprising:
receiving an encrypted session key sent by the client, wherein the encrypted session key is obtained by encrypting the session key by the client by using the temporary public key, and the session key is used for encrypting communication data between the server and the client;
and decrypting the encrypted session key by using the temporary private key to obtain the session key.
5. The method of claim 2, further comprising:
and when the data processing process is finished, clearing the temporary key pair.
6. The method according to any one of claims 1-5, further comprising:
clearing the temporary key pair at preset time intervals, and regenerating a new temporary key pair;
signing and authenticating a client which does not authenticate the server by using the new temporary secret key pair, and/or encrypting and decrypting a session secret key by using the new temporary secret key pair; wherein the session key is used for encrypting communication data between the server and the client.
7. An identity authentication method, wherein the identity authentication method is executed by a client, and the identity authentication method comprises:
acquiring a signature message sent by a server; the signature message is obtained by the server signing the identity authentication data of the client by adopting a temporary private key, the signature message carries temporary public key authentication data, and the temporary public key authentication data is obtained by the security hardware signing the temporary public key by adopting a hardware private key;
adopting a hardware public key to check and sign the temporary public key authentication data so as to extract the temporary public key; wherein the hardware public key corresponds to the hardware private key;
and checking the signed identity authentication data based on the temporary public key so as to authenticate the identity of the server.
8. The method of claim 7, wherein the step of verifying the signed authentication data based on the temporary public key further comprises:
when the identity authentication of the server is successful, encrypting a session key by using the temporary public key to obtain an encrypted session key; wherein the session key is used for encrypting communication data between the server and the client;
sending the encrypted session key to the server.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the method of identity authentication of any one of claims 1-6, or of claim 7 or 8.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 6, or 7 or 8.
CN201910406642.4A 2019-05-16 2019-05-16 Identity authentication method and electronic equipment Active CN110190964B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910406642.4A CN110190964B (en) 2019-05-16 2019-05-16 Identity authentication method and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910406642.4A CN110190964B (en) 2019-05-16 2019-05-16 Identity authentication method and electronic equipment

Publications (2)

Publication Number Publication Date
CN110190964A CN110190964A (en) 2019-08-30
CN110190964B true CN110190964B (en) 2022-03-15

Family

ID=67716468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910406642.4A Active CN110190964B (en) 2019-05-16 2019-05-16 Identity authentication method and electronic equipment

Country Status (1)

Country Link
CN (1) CN110190964B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111031047B (en) * 2019-12-16 2022-08-12 中国南方电网有限责任公司 Device communication method, device, computer device and storage medium
CN111641615A (en) * 2020-05-20 2020-09-08 深圳市今天国际物流技术股份有限公司 Distributed identity authentication method and system based on certificate
US11765143B2 (en) * 2021-05-21 2023-09-19 Zoom Video Communications, Inc. Systems and methods for securing videoconferencing meetings
CN113315641B (en) * 2021-08-02 2021-10-08 飞天诚信科技股份有限公司 Seed key backup method, electronic equipment and system
CN115529127B (en) * 2022-09-23 2023-10-03 中科海川(北京)科技有限公司 Device authentication method, device, medium and device based on SD-WAN scene

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843675A (en) * 2011-06-24 2012-12-26 中兴通讯股份有限公司 Cluster call voice encryption method, terminal and system
CN106656510A (en) * 2017-01-04 2017-05-10 天地融科技股份有限公司 Encryption key acquisition method and system
CN107196922A (en) * 2017-05-03 2017-09-22 国民认证科技(北京)有限公司 Identity identifying method, user equipment and server
CN107241317A (en) * 2017-05-24 2017-10-10 国民认证科技(北京)有限公司 The method and subscriber terminal equipment and authentication server of living things feature recognition identity
CN108737430A (en) * 2018-05-25 2018-11-02 全链通有限公司 The encryption communication method and system of block chain node
CN109064606A (en) * 2018-08-03 2018-12-21 广州邦讯信息系统有限公司 Gate inhibition's task executing method, system, access control system and readable storage medium storing program for executing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130219166A1 (en) * 2012-02-20 2013-08-22 Motorola Mobility, Inc. Hardware based identity manager

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843675A (en) * 2011-06-24 2012-12-26 中兴通讯股份有限公司 Cluster call voice encryption method, terminal and system
CN106656510A (en) * 2017-01-04 2017-05-10 天地融科技股份有限公司 Encryption key acquisition method and system
CN107196922A (en) * 2017-05-03 2017-09-22 国民认证科技(北京)有限公司 Identity identifying method, user equipment and server
CN107241317A (en) * 2017-05-24 2017-10-10 国民认证科技(北京)有限公司 The method and subscriber terminal equipment and authentication server of living things feature recognition identity
CN108737430A (en) * 2018-05-25 2018-11-02 全链通有限公司 The encryption communication method and system of block chain node
CN109064606A (en) * 2018-08-03 2018-12-21 广州邦讯信息系统有限公司 Gate inhibition's task executing method, system, access control system and readable storage medium storing program for executing

Also Published As

Publication number Publication date
CN110190964A (en) 2019-08-30

Similar Documents

Publication Publication Date Title
CN110190964B (en) Identity authentication method and electronic equipment
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
CN109818747B (en) Digital signature method and device
CN106161032B (en) A kind of identity authentication method and device
CN112218294A (en) 5G-based access method and system for Internet of things equipment and storage medium
US20090132828A1 (en) Cryptographic binding of authentication schemes
WO2015192670A1 (en) User identity authentication method, terminal and service terminal
CN111030814A (en) Key negotiation method and device
CN107800675A (en) A kind of data transmission method, terminal and server
CN111435913A (en) Identity authentication method and device for terminal of Internet of things and storage medium
KR101739203B1 (en) Password-based user authentication method using one-time private key-based digital signature and homomorphic encryption
US9959403B2 (en) Information processing system for mutual authentication between communication device and storage
EP3133791B1 (en) Double authentication system for electronically signed documents
CN110493177B (en) Method and system for quantum communication service station AKA key negotiation based on asymmetric key pool pair and serial number
CN103888429A (en) Virtual machine starting method, correlation devices and systems
CN114143108A (en) Session encryption method, device, equipment and storage medium
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN111062059B (en) Method and device for service processing
CN113872989B (en) SSL protocol-based authentication method, SSL protocol-based authentication device, computer equipment and storage medium
CN111654503A (en) Remote control method, device, equipment and storage medium
CN113852681B (en) Gateway authentication method and device and security gateway equipment
CN117063174A (en) Security module and method for inter-app trust through app-based identity
CN112422516B (en) Trusted connection method and device based on power edge calculation and computer equipment
CN111291398B (en) Block chain-based authentication method and device, computer equipment and storage medium
CN115529591B (en) Authentication method, device, equipment and storage medium based on token

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant