Summary of the invention
In view of this, the present invention provides a unified identity authentication method based on UAF and IBC. "Password-less" authentication is realized through UAF, and through IBC a user can authenticate identity via a unified authentication platform, so that each service server need not separately bind the user account and public key. Unified identity authentication is thereby realized, effectively improving the security and efficiency of authentication.
The present invention provides a unified identity authentication method based on UAF and IBC, comprising:
authenticating the registered user identity through UAF and IBC;
after user identity authentication is completed, executing the resource access process through the OAuth protocol.
Preferably, before the registered user identity is authenticated through UAF and IBC, the method further includes:
registering the user identity.
Preferably, registering the user identity comprises:
the user terminal generating a User ID and sending the User ID to the unified authentication platform;
the unified authentication platform authenticating the User ID, generating a private key for the user according to the master public key and master private key, and returning the private key to the user terminal for storage.
Preferably, authenticating the registered user identity through UAF and IBC comprises:
an application in the user terminal generating a resource access request and sending the resource access request to a resource server;
the resource server, after receiving the resource access request, requiring that the user's identity be authenticated by a challenge-response mode;
the user terminal signing with the private key and sending the signature information to the resource server;
the resource server verifying the received signature information using the master public key of the unified authentication platform and, after verification passes, completing user identity authentication.
Preferably, executing the resource access process through the OAuth protocol after user identity authentication is completed comprises:
the resource server sending an access authorization request to an authorization server;
the authorization server, after receiving the access authorization request, issuing a resource access token to the user by querying the access authority of the User ID;
the resource server, after receiving the resource access token, sending the corresponding resource to the application in the user terminal.
A unified identity authentication device based on UAF and IBC, comprising:
a user identity authentication module, for authenticating the registered user identity through UAF and IBC;
a resource access authorization module, for executing the resource access process through the OAuth protocol after user identity authentication is completed.
Preferably, the device further includes:
a user identity registration module, for registering the user identity.
Preferably, the user identity registration module includes a user terminal and a unified authentication platform, wherein:
the user terminal generates a User ID and sends the User ID to the unified authentication platform;
the unified authentication platform authenticates the User ID, generates a private key for the user according to the master public key and master private key, and returns the private key to the user terminal for storage.
Preferably, the user identity authentication module includes a resource server, wherein:
an application in the user terminal generates a resource access request and sends the resource access request to the resource server;
the resource server, after receiving the resource access request, requires that the user's identity be authenticated by a challenge-response mode;
the user terminal signs with the private key and sends the signature information to the resource server;
the resource server verifies the received signature information using the master public key of the unified authentication platform and, after verification passes, completes user identity authentication.
Preferably, the resource access authorization module includes an authorization server, wherein:
the resource server sends an access authorization request to the authorization server;
the authorization server, after receiving the access authorization request, issues a resource access token to the user by querying the access authority of the User ID;
the resource server, after receiving the resource access token, sends the corresponding resource to the application in the user terminal.
In conclusion, the invention discloses a unified identity authentication method based on UAF and IBC. When unified identity authentication is performed, the registered user identity is first authenticated through UAF and IBC; after user identity authentication is completed, the resource access process is executed through the OAuth protocol. The present invention realizes "password-less" authentication through UAF, and through IBC allows the user to authenticate identity via the unified authentication platform without each service server separately binding the user account and public key; unified authentication is thus realized, effectively improving the security and efficiency of authentication.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. Based on the embodiments in the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort shall fall within the protection scope of the present invention.
As shown in Figure 1, a method flow chart of embodiment 1 of the unified identity authentication method based on UAF and IBC disclosed by the invention, the method may include the following steps:
S101, authenticating the registered user identity through UAF and IBC;
When unified identity authentication needs to be performed, the registered user identity is first authenticated through UAF and IBC, wherein:
UAF is a set of open authentication protocols formulated by the FIDO Alliance that realizes strong, "password-less" user identity authentication. At UAF registration, the user's server-side account is bound to the UAF device; in the authentication process the user then need not enter a password, but only has to complete authentication on the UAF device by biometric recognition or a simple PIN code to log in to the account.
IBC was developed on the basis of traditional PKI (Public Key Infrastructure); it mainly simplifies the problem of exchanging large numbers of digital certificates in specific security applications, making security applications easier to deploy and use. IBC cryptography uses an asymmetric cryptosystem: encryption and decryption use two different keys, and each person's public key is simply his identity, such as an email address or telephone number. The private key is held by the user himself in the form of data; key management is comparatively simple, and data can be conveniently encrypted and decrypted. The basic techniques of IBC include data encryption, digital signatures, data integrity mechanisms, digital envelopes, user identification, user authentication, etc.
In the process of authenticating the registered user identity through UAF and IBC, the IBC private key is protected by the UAF mechanism to prevent its leakage, and unified identity authentication is then realized through IBC.
S102, after user identity authentication is completed, executing the resource access process through the OAuth protocol.
The OAuth protocol is an open authorization standard that allows a third party to obtain user resources through a temporary token provided by the service provider, without a username and password; it is simple, open and secure.
In conclusion, in the above embodiment, when unified identity authentication needs to be performed, the registered user identity is first authenticated through UAF and IBC, and then, after user identity authentication is completed, the resource access process is executed through the OAuth protocol. The present invention realizes "password-less" authentication through UAF, and through IBC allows the user to authenticate identity via the unified authentication platform without each service server separately binding the user account and public key; unified authentication is thus realized, effectively improving the security and efficiency of authentication.
As shown in Figure 2, a method flow chart of embodiment 2 of the unified identity authentication method based on UAF and IBC disclosed by the invention, the method may include the following steps:
S201, registering the user identity;
When unified identity authentication needs to be performed, the user's initial ID information must first be registered, that is, the user identity is registered. The ID of the user may be the user's name, mailbox, identification card number, etc.
S202, authenticating the registered user identity through UAF and IBC;
S203, after user identity authentication is completed, executing the resource access process through the OAuth protocol.
In conclusion, in the above embodiment, when unified identity authentication needs to be performed, the user identity is first registered, the registered user identity is then authenticated through UAF and IBC, and after user identity authentication is completed, the resource access process is executed through the OAuth protocol. The present invention realizes "password-less" authentication through UAF, and through IBC allows the user to authenticate identity via the unified authentication platform without each service server separately binding the user account and public key; unified authentication is thus realized, effectively improving the security and efficiency of authentication.
As shown in Figure 3, a method flow chart of embodiment 3 of the unified identity authentication method based on UAF and IBC disclosed by the invention, the method may include the following steps:
S301, the user terminal generates a User ID and sends the User ID to the unified authentication platform;
When unified identity authentication needs to be performed, the user first needs to register the initial ID information, where the initial ID may be the user's name, mailbox, identification card number, etc., and the User ID is transmitted to the unified authentication platform.
S302, the unified authentication platform authenticates the User ID, generates a private key for the user according to the master public key and master private key, and returns the private key to the user terminal for storage;
The unified authentication platform mainly plays the role of the key generation centre (Key Generation Center, KGC) in the IBC cryptosystem. After authenticating the User ID, it generates a private key for the user according to the master public key and master private key, and returns the generated private key to the user terminal, where the user stores it securely in the UAF device, completing the registration process.
S303, an application in the user terminal generates a resource access request and sends the resource access request to the resource server;
When a third-party application in the user terminal (such as an APP on the user's mobile phone) needs to access the user's resources on the application server, the application in the user terminal generates a resource access request and sends it to the resource server.
S304, the resource server, after receiving the resource access request, requires that the user's identity be authenticated by a challenge-response mode;
After the resource server receives the resource access request, it requires that the user's identity be authenticated by the challenge-response mode, that is, it selects a random number N and requires the user to sign N with the private key.
S305, the user terminal signs with the private key and sends the signature information to the resource server;
After the user receives the challenge number N, the UAF device is unlocked by a biometric feature such as a fingerprint, N is then signed using the private key, and the signature information is sent to the resource server.
S306, the resource server verifies the received signature information using the master public key of the unified authentication platform and, after verification passes, completes user identity authentication;
The resource server then verifies the received user signature information using the master public key of the unified authentication platform; after verification passes, User ID authentication is completed.
S307, the resource server sends an access authorization request to the authorization server;
After User ID authentication is completed, the resource server sends an access authorization request to the authorization server.
S308, the authorization server, after receiving the access authorization request, issues a resource access token to the user by querying the access authority of the User ID;
The authorization server issues a resource access token to the user by querying the access authority of the User ID.
S309, the resource server, after receiving the resource access token, sends the corresponding resource to the application in the user terminal.
After the resource access permission of the User ID is received, the resource server sends the corresponding resource to the third-party application, completing the entire authentication and authorization process.
In conclusion, based on UAF and IBC the present invention proposes a unified authentication and authorization scheme: "password-less" authentication is realized by UAF, and through IBC the user can authenticate identity via the unified authentication platform without each service server separately binding the user account and public key, realizing unified authentication and improving the security and efficiency of authentication. In addition, the private key is stored inside the UAF hardware device and only performs the signing function internally; it is never used outside the hardware, which effectively improves the security of the IBC key and prevents private key leakage.
As shown in Figure 4, a structural schematic diagram of embodiment 1 of the unified identity authentication device based on UAF and IBC disclosed by the invention, the device may include:
User identity authentication module 401, for authenticating the registered user identity through UAF and IBC;
When unified identity authentication needs to be performed, the registered user identity is first authenticated through UAF and IBC, wherein:
UAF is a set of open authentication protocols formulated by the FIDO Alliance that realizes strong, "password-less" user identity authentication. At UAF registration, the user's server-side account is bound to the UAF device; in the authentication process the user then need not enter a password, but only has to complete authentication on the UAF device by biometric recognition or a simple PIN code to log in to the account.
IBC was developed on the basis of traditional PKI (Public Key Infrastructure); it mainly simplifies the problem of exchanging large numbers of digital certificates in specific security applications, making security applications easier to deploy and use. IBC cryptography uses an asymmetric cryptosystem: encryption and decryption use two different keys, and each person's public key is simply his identity, such as an email address or telephone number. The private key is held by the user himself in the form of data; key management is comparatively simple, and data can be conveniently encrypted and decrypted. The basic techniques of IBC include data encryption, digital signatures, data integrity mechanisms, digital envelopes, user identification, user authentication, etc.
In the process of authenticating the registered user identity through UAF and IBC, the IBC private key is protected by the UAF mechanism to prevent its leakage, and unified identity authentication is then realized through IBC.
Resource access authorization module 402, for executing the resource access process through the OAuth protocol after user identity authentication is completed.
The OAuth protocol is an open authorization standard that allows a third party to obtain user resources through a temporary token provided by the service provider, without a username and password; it is simple, open and secure.
In conclusion, in the above embodiment, when unified identity authentication needs to be performed, the registered user identity is first authenticated through UAF and IBC, and then, after user identity authentication is completed, the resource access process is executed through the OAuth protocol. The present invention realizes "password-less" authentication through UAF, and through IBC allows the user to authenticate identity via the unified authentication platform without each service server separately binding the user account and public key; unified authentication is thus realized, effectively improving the security and efficiency of authentication.
As shown in Figure 5, a structural schematic diagram of embodiment 2 of the unified identity authentication device based on UAF and IBC disclosed by the invention, the device may include:
User identity registration module 501, for registering the user identity;
When unified identity authentication needs to be performed, the user's initial ID information must first be registered, that is, the user identity is registered. The ID of the user may be the user's name, mailbox, identification card number, etc.
User identity authentication module 502, for authenticating the registered user identity through UAF and IBC;
Resource access authorization module 503, for executing the resource access process through the OAuth protocol after user identity authentication is completed.
In conclusion, in the above embodiment, when unified identity authentication needs to be performed, the user identity is first registered, the registered user identity is then authenticated through UAF and IBC, and after user identity authentication is completed, the resource access process is executed through the OAuth protocol. The present invention realizes "password-less" authentication through UAF, and through IBC allows the user to authenticate identity via the unified authentication platform without each service server separately binding the user account and public key; unified authentication is thus realized, effectively improving the security and efficiency of authentication.
As shown in Figure 6, a structural schematic diagram of embodiment 3 of the unified identity authentication device based on UAF and IBC disclosed by the invention, the device may include: user terminal 601, unified authentication platform 602, resource server 603 and authorization server 604, wherein:
User terminal 601 generates a User ID and sends the User ID to unified authentication platform 602;
When unified identity authentication needs to be performed, the user first needs to register the initial ID information, where the initial ID may be the user's name, mailbox, identification card number, etc., and the User ID is transmitted to the unified authentication platform.
Unified authentication platform 602 authenticates the User ID, generates a private key for the user according to the master public key and master private key, and returns the private key to user terminal 601 for storage;
The unified authentication platform mainly plays the role of the key generation centre (Key Generation Center, KGC) in the IBC cryptosystem. After authenticating the User ID, it generates a private key for the user according to the master public key and master private key, and returns the generated private key to the user terminal, where the user stores it securely in the UAF device, completing the registration process.
An application in user terminal 601 generates a resource access request and sends the resource access request to resource server 603;
When a third-party application in the user terminal (such as an APP on the user's mobile phone) needs to access the user's resources on the application server, the application in the user terminal generates a resource access request and sends it to the resource server.
Resource server 603, after receiving the resource access request, requires that the user's identity be authenticated by a challenge-response mode;
After the resource server receives the resource access request, it requires that the user's identity be authenticated by the challenge-response mode, that is, it selects a random number N and requires the user to sign N with the private key.
User terminal 601 signs with the private key and sends the signature information to resource server 603;
After the user receives the challenge number N, the UAF device is unlocked by a biometric feature such as a fingerprint, N is then signed using the private key, and the signature information is sent to the resource server.
Resource server 603 verifies the received signature information using the master public key of unified authentication platform 602 and, after verification passes, completes user identity authentication;
The resource server then verifies the received user signature information using the master public key of the unified authentication platform; after verification passes, User ID authentication is completed.
Resource server 603 sends an access authorization request to authorization server 604;
After User ID authentication is completed, the resource server sends an access authorization request to the authorization server.
Authorization server 604, after receiving the access authorization request, issues a resource access token to the user by querying the access authority of the User ID;
The authorization server issues a resource access token to the user by querying the access authority of the User ID.
Resource server 603, after receiving the resource access token, sends the corresponding resource to the application in user terminal 601.
After the resource access permission of the User ID is received, the resource server sends the corresponding resource to the third-party application, completing the entire authentication and authorization process.
In conclusion, based on UAF and IBC the present invention proposes a unified authentication and authorization scheme: "password-less" authentication is realized by UAF, and through IBC the user can authenticate identity via the unified authentication platform without each service server separately binding the user account and public key, realizing unified authentication and improving the security and efficiency of authentication. In addition, the private key is stored inside the UAF hardware device and only performs the signing function internally; it is never used outside the hardware, which effectively improves the security of the IBC key and prevents private key leakage.
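The flow of steps S301 to S309 in method embodiment 3, and of user terminal 601, unified authentication platform 602, resource server 603 and authorization server 604 in device embodiment 3, run end to end as an added Python example; this is not code from the patent. The patent names no concrete IBC signature scheme, so Shamir's RSA-based identity-based signature stands in for it, at toy key sizes; the class and function names, the user IDs, the permission table and the token format are all constructed for the example. The resource server additionally makes each challenge N single-use and time-limited, a check the patent does not state but that a verifier of a challenge-response exchange needs.

```python
import hashlib
import secrets
import time


def _gen_prime(bits):
    # Toy prime generation: Fermat test on a few bases (not production grade)
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7, 11)):
            return cand

def _id_to_int(user_id, n):
    # The identity string (name, mailbox, ID number) is the public key, as an integer mod n
    return int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big") % n

def _h(t, msg):
    # Hash binding the commitment t to the signed message (the challenge N)
    return int.from_bytes(hashlib.sha256(t.to_bytes(256, "big") + msg).digest(), "big")

class UnifiedAuthPlatform:
    """Unified authentication platform in its role as IBC key generation centre (KGC)."""
    def __init__(self, bits=256):
        self.e = 65537
        while True:
            p, q = _gen_prime(bits), _gen_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and phi % self.e:
                break
        self.n, self.master_public = p * q, (p * q, self.e)
        self._d = pow(self.e, -1, phi)           # master private key; never leaves the KGC

    def register(self, user_id):
        # S301/S302: user's private key = ID^d mod n (assumes the User ID was already verified)
        return pow(_id_to_int(user_id, self.n), self._d, self.n)

class UafDevice:
    """UAF authenticator: the IBC private key stays inside; only signing is exposed."""
    def __init__(self, n, e, private_key):
        self._n, self._e, self._key, self._unlocked = n, e, private_key, False

    def unlock(self, biometric_ok):
        self._unlocked = bool(biometric_ok)      # fingerprint or PIN verified locally

    def sign(self, msg):
        # S305: Shamir IBS signature over the challenge; refused while the device is locked
        if not self._unlocked:
            raise PermissionError("UAF device locked")
        n, e = self._n, self._e
        r = 2 + secrets.randbelow(n - 2)
        t = pow(r, e, n)                          # commitment to the nonce r
        self._unlocked = False                    # one signature per user verification
        return (self._key * pow(r, _h(t, msg), n)) % n, t

def ibc_verify(master_public, user_id, msg, sig):
    # S306: the verifier needs only the master public key and the claimed identity
    n, e = master_public
    s, t = sig
    return pow(s, e, n) == (_id_to_int(user_id, n) * pow(t, _h(t, msg), n)) % n

class AuthorizationServer:
    def __init__(self, permissions):
        self._perm = permissions                  # constructed table: user_id -> resources

    def issue_token(self, user_id, resource):
        # S308: consult the User ID's access rights; short-lived token or None
        if resource not in self._perm.get(user_id, ()):
            return None
        return {"sub": user_id, "res": resource, "exp": time.time() + 300,
                "tok": secrets.token_hex(16)}

class ResourceServer:
    def __init__(self, master_public, authz):
        self._mpk, self._authz, self._pending = master_public, authz, {}

    def challenge(self, user_id):
        # S304: fresh random N, valid 60 s and consumed on first use (replay defence)
        self._pending[user_id] = (secrets.token_bytes(32), time.time() + 60)
        return self._pending[user_id][0]

    def access(self, user_id, resource, sig):
        # S306-S309: verify the signature, obtain a token, then release the resource
        entry = self._pending.pop(user_id, None)
        if entry is None or entry[1] < time.time():
            return None
        if not ibc_verify(self._mpk, user_id, entry[0], sig):
            return None
        token = self._authz.issue_token(user_id, resource)
        return {"resource": resource, "token": token} if token else None

def run_flow(user_id, resource, permissions=None, biometric_ok=True):
    """Whole procedure S301-S309: registration, challenge-response, token issuance."""
    platform = UnifiedAuthPlatform()
    device = UafDevice(*platform.master_public, platform.register(user_id))
    rs = ResourceServer(platform.master_public,
                        AuthorizationServer(permissions or {user_id: {resource}}))
    n_chal = rs.challenge(user_id)                # S303/S304
    device.unlock(biometric_ok)
    return rs.access(user_id, resource, device.sign(n_chal))
```

Calling run_flow("alice@example.com", "photos") performs registration, one challenge-response authentication and token issuance, and returns the released resource together with its token. A locked UAF device raises PermissionError, so the private key is never exercised without the local user verification, and a signature replayed against an already consumed challenge is rejected by the resource server. Verification uses nothing but the master public key and the identity string, which is the property that lets every resource server trust one platform instead of binding a public key per user.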
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively simple, and the relevant points may be found in the description of the method part.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described generally by function in the above description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of the present invention.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.