CN110460588A - Realize method, apparatus, the computer system and storage medium of Information Authentication - Google Patents

Abstract

This disclosure relates to block chain technical field, a kind of method, apparatus for realizing Information Authentication, computer system and storage medium are disclosed.The described method includes: terminal obtains public key corresponding to the private key that the terminal is held；The digital signature of the public key, the cryptographic digest of institute's verification information and cryptographic digest is sent to the receiving end of network access behavior by terminal, to request receiving end to verify the digital signature according to the cryptographic digest using the public key, wherein, institute's verification information is the Partial key information verified required for terminal.Each embodiment of the application is by the third party based on block chain technology come execution information verifying, it does not need to obtain the relevant any data of required verification information except cryptographic digest, thus it ensure that Information Authentication safety and reliability, there is only the interactions of ciphertext for entire information verification process.

Description

Realize method, apparatus, the computer system and storage medium of Information Authentication

The application be on May 31st, 2018 it is submitting, entitled " realize the method for Information Authentication, system, device and The divisional application of the Chinese patent application CN201810553455.4 of computer system ".

Technical field

The present invention relates to technical field of data security, in particular to a kind of method, apparatus for realizing Information Authentication, computer System and computer readable storage medium.

Background technique

With the fast development of internet, various businesses scene often needs before executing network access behavior for terminal Certain Information Authentication is carried out to this, under the premise of verification information is correct ensuring, Cai Huiwei terminal executes network and visits Ask behavior.

The Information Authentication carried out, is whether the terminal of identification triggering network access behavior has the process of permission, for For receiving end corresponding to network access behavior, it is only limitted to have the terminal of permission and executing triggered network access row For not having the terminal of permission, then receiving end is refused.

Existing Information Authentication realizes, without exception both for being carried out in user oriented real information collected, When the provided information of terminal is verified to be the real information corresponding to user, determine that this terminal has permission.

For example, the range of information such as bank card number, telephone number that the user that real information is real name possesses.

But this is actually to track the setting for tracing to the source and being intended for real information progress.For receiving end, It is unrelated with the information content itself it is only necessary to confirm whether the terminal of initiated network access behavior has permission, not Focus on the information content.

The realization of existing information verifying, inevitably brings the input and transmitting of real information, this can not also keep away The terminal that causes exempted from is the case where information for carrying out Information Authentication and providing is stolen.

It follows that the realization of existing information verifying, there is institute's verification informations to be leaked, i.e., all real informations are let out The insecurity of dew, it would be highly desirable to improve the realization of Information Authentication, improve information security.

Summary of the invention

Safety is not high in Information Authentication realization in order to solve the relevant technologies, and information is easy to the technical issues of revealing, this Invention provides a kind of method, apparatus for realizing Information Authentication, computer system and computer readable storage medium storing program for executing.

A method of realizing Information Authentication, which comprises

Terminal obtains public key corresponding to the private key that the terminal is held；

The digital signature of the public key, the cryptographic digest of institute's verification information and cryptographic digest is sent to network access by terminal The receiving end of behavior, to request receiving end to verify the digital signature according to the cryptographic digest using the public key,

Wherein, institute's verification information is the Partial key information verified required for terminal.

A kind of computer system, the computer system include:

Processor；And

Memory is stored with computer-readable instruction on the memory, and the computer-readable instruction is by the processing Device realizes foregoing method when executing.

A kind of computer readable storage medium is stored thereon with computer-readable instruction, the computer-readable instruction quilt Processor realizes foregoing method when executing.

A kind of device for realizing Information Authentication carries out Information Authentication, described device for the network access behavior to terminal Include:

Acquiring unit is configured as obtaining public key corresponding to the private key that terminal is held；

Request unit is configured as: the number of the public key, the cryptographic digest of institute's verification information and cryptographic digest is signed Name is sent to the receiving end of network access behavior, to request receiving end using the public key according to cryptographic digest verifying Digital signature,

Wherein, institute's verification information is the Partial key information verified required for terminal.

The technical solution that the embodiment of the present invention provides can include the following benefits:

For the verifying of given information, when Information Authentication is initiated in the network access behavior to terminal, acquisition is tested The information content, the i.e. cryptographic digest of content corresponding to given information are demonstrate,proved, and given information is the part verified required for terminal Key message, then terminal sends digital signature, cryptographic digest and public key to the receiving end of network access behavior, on the one hand with This come ensure carried out Information Authentication only by way of ciphertext realize, and do not need obtain cryptographic digest except it is required The relevant any data of verification information are wanted, thus ensure that the safety and reliability of Information Authentication, entire Information Authentication There is only the interactions of ciphertext for journey；On the other hand, also with this avoid verifying relevant other information intervention so that terminal institute The Information Authentication that need to be carried out does not need that only Information Authentication can be reached using other key messages with Partial key information Purpose.

It should be understood that the above general description and the following detailed description are merely exemplary, this can not be limited Invention.

Detailed description of the invention

The drawings herein are incorporated into the specification and forms part of this specification, and shows and meets implementation of the invention Example, and in specification together principle for explaining the present invention.

Fig. 1 is the simplified schematic diagram of implementation environment according to the present invention shown according to an exemplary embodiment；

Fig. 2 is a kind of block diagram of device shown according to an exemplary embodiment；

Fig. 3 is a kind of flow chart of method for realizing Information Authentication shown according to an exemplary embodiment；

Fig. 4 is the flow chart that step 310 is described according to Fig. 3 corresponding embodiment；

Fig. 5 is according to the flow chart that step 330 is described shown in Fig. 3 corresponding embodiment；

Fig. 6 is according to the flow chart that step 335 is described shown in Fig. 5 corresponding embodiment；

Fig. 7 is a kind of flow chart of method for realizing Information Authentication shown according to Fig. 6 corresponding embodiment；

Fig. 8 is according to the flow chart that step 333 is described shown in Fig. 6 corresponding embodiment；

Fig. 9 is according to the flow chart that step 330 is described shown in Fig. 3 corresponding embodiment；

Figure 10 is according to the flow chart that step 370 is described shown in Fig. 3 corresponding embodiment；

Figure 11 is a kind of flow chart of method for realizing Information Authentication shown according to an exemplary embodiment；

Figure 12 is a kind of flow chart of the method for realizing Information Authentication shown according to another exemplary embodiment；

Figure 13 is according to the flow chart that step 850 is described shown in Figure 11 corresponding embodiment；

Figure 14 is the simplified schematic diagram that framework is realized in an Information Authentication shown according to an exemplary embodiment；

Figure 15 is the simplified schematic diagram for showing an Information Authentication according to another exemplary embodiment and realizing framework；

Figure 16 is to realize that information is handed between third party shown according to an exemplary embodiment, receiving end and terminal three The mutually corresponding data structure schematic diagram of institute；

Figure 17 is a kind of block diagram of system for realizing Information Authentication shown in an exemplary embodiment；

Figure 18 is according to the block diagram that verifying initiation module is described shown in Figure 17 corresponding embodiment；

It is the block diagram that requests verification module is described for implementing to exemplify that Figure 19, which is according to Figure 18 correspondence,；

Figure 20 is according to the frame that the path searcher module of third party's configuration is described shown in Figure 17 corresponding embodiment Figure；

Figure 21 is according to the block diagram that cryptographic digest authentication module is described shown in Figure 17 corresponding embodiment；

Figure 22 is a kind of block diagram of device for realizing Information Authentication shown according to an exemplary embodiment；

Figure 23 is the block diagram of the verification of correctness module shown according to another exemplary embodiment.

Specific embodiment

Here will the description is performed on the exemplary embodiment in detail, the example is illustrated in the accompanying drawings.Following description is related to When attached drawing, unless otherwise indicated, the same numbers in different drawings indicate the same or similar elements.Following exemplary embodiment Described in embodiment do not represent all embodiments consistented with the present invention.On the contrary, they be only with it is such as appended The example of device and method being described in detail in claims, some aspects of the invention are consistent.

Fig. 1 is the signal schematic drawing of implementation environment according to the present invention shown according to an exemplary embodiment.One In a exemplary embodiment, the Information Authentication that the present invention carries out in a network, the whole key messages that will be held by each terminal Security guarantee is provided, so that any key message will not all be revealed in the Information Authentication carried out, and then is protected eventually Hold the privacy of corresponding user.

Information Authentication corresponding to any network access behavior, the third party that can be realized through the invention reach, Therefore, framework as shown in Figure 1, the network that terminal 110 is initiated to either side access behavior, are needing to carry out information to this When verifying, receiving end 130 corresponding to network access behavior can all request disposed third party 150 to provide terminal 110 Cryptographic digest is verified, and accordingly sets knot identifying that the Partial key information for needing to verify corresponding to cryptographic digest is correctly present in When the matched all key messages of structure institute, the terminal 110 for accessing behavior for triggering network obtains the result being verified.

That is, for any terminal, for example, initiating to be intended for any receiving end 130, example for a terminal 110 Such as, the network access of 1 to n receiving end 130, will all transfer to 150 execution information of third party to verify, to ensure by this framework Information security.

Third party 150 carries out the storage of all key messages, and morphologically, third party 150 can be independent mechanism, It can be by many ways forming.

That is, the institute in third party 150 and third party 150 can be realized by the region chain under distributed structure/architecture There is key message storage, to guarantee can not distorting for key message.

The third party 150 that key message storage is realized by region chain, will be made of several node servers.Several Node server all carries out the storage of key message, and being all will be for realizing Information Authentication.Several node servers Constitute the business network based on block chain, that is, carry out the business network of Information Authentication.Either key message is adopted as a result, Collection, or information authentication service is provided to receiving end 130 corresponding to network access behavior or terminal 110, it will all be based on area Domain chain carries out.

Fig. 2 is a kind of block diagram of device shown according to an exemplary embodiment.Third party shown in FIG. 1 can be dress 200 are set, for example, device 200 can be server.

Referring to Fig. 2, which can generate bigger difference because configuration or performance are different, may include one or More than one central processing unit (central processing units, CPU) 222 is (for example, one or more are handled Device) and memory 232, one or more storage application programs 242 or data 244 storage medium 230 (such as one or More than one mass memory unit).Wherein, memory 232 and storage medium 230 can be of short duration storage or persistent storage.It deposits Storage may include one or more modules (diagram is not shown) in the program of storage medium 230, and each module may include To the series of instructions operation in server.Further, central processing unit 222 can be set to logical with storage medium 230 Letter executes the series of instructions operation in storage medium 230 on the device 200.Device 200 can also include one or one with Upper power supply 226, one or more wired or wireless network interfaces 250, one or more input/output interfaces 258, And/or one or more operating systems 241, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM etc..By third party described in following Fig. 3, Fig. 4, Fig. 5, Fig. 6, Fig. 7 and embodiment illustrated in fig. 8 Performed step can be based on the apparatus structure shown in Fig. 2.

Fig. 3 is a kind of flow chart of method for realizing Information Authentication shown according to an exemplary embodiment.Realization letter The method for ceasing verifying, in one exemplary embodiment, as shown in figure 3, at least including the following steps.

In the step 310, Information Authentication is initiated to the network access behavior of terminal, obtains the encryption of institute's verification information content Abstract, the information are the Partial key information verified required for terminal.

Wherein, first it should be pointed out that signified terminal, refers to any terminal for carrying out network access, for example, terminal can be with It is the portable mobile terminals such as smart phone, the tablet computer for accessing a certain website, naturally it is also possible to be the electronic equipments such as computer.

The network access carried out with terminal, the triggered network access behavior of corresponding access object, i.e. terminal Receiving end generally requires to carry out Information Authentication to terminal according to itself configuration, just can be for eventually after terminal is by Information Authentication End executes triggered network and accesses behavior.

For example, this website is jumped into the Information Authentication page when terminal is initiated to browse the information of a certain website orientation, this When, terminal needs thus and after carrying out Information Authentication, can browse information.

It follows that the row that the network access behavior of terminal, as terminal access any object are initiated by means of network For according to accessed corresponding difference, the network access behavior of terminal is also different.

In terminal, Information Authentication is initiated by behavior is accessed for the network triggered, for example, terminal will be jumped into information Verify the page.

At this point, terminal will acquire the cryptographic digest of institute's verification information content, i.e. institute's verification information content is the shape with ciphertext Formula exists, and what is then verified, being verified for this ciphertext of cryptographic digest has just corresponded to institute's requests verification letter Breath is verified.

It should be appreciated that initiating Information Authentication to the network access behavior of terminal, practical is also to send out to user corresponding to terminal The Information Authentication risen, therefore, the information of institute's requests verification is often related to user.The information of institute's requests verification is often a user Or one kind user institute is unique corresponding.

Therefore, the information of institute's requests verification, the key message necessarily verified required for terminal.But as previously described, The purpose that access object verifies terminal is to determine whether terminal has the permission for executing it network access behavior, institute The information for needing to verify is the key message that terminal is held, in exemplary embodiment in the specific implementation, will also be eventually Hold the real information of corresponding user.

When Information Authentication is initiated in the network access behavior to terminal, only the Partial key information of required verifying will be obtained Cryptographic digest is taken, rather than is directed to all key messages.

It should further illustrate, the Information Authentication carried out is in order to which all key messages to terminal carry out information It whether there is and whether correctly verify, identification terminal is come with this, even user corresponding to terminal is to have put on record, example Such as, registered and have permission.

And in the execution of step 310, then it is the progress that all key message verifyings are characterized with Partial key information, because This will need to cooperate in third party and third party in subsequent step executes for the accuracy and reliability for guaranteeing verifying Tree construction is realized.

Signified all key messages are for a terminal, are to be used for for user corresponding to an even terminal The all information of user corresponding to terminal and terminal is described.For example, whole real informations corresponding to user.And Partial key Information is then information corresponding to a certain field in all key messages.Partial key information is then one in all key messages Item or several key messages, for example, key message corresponding to a field.

In some scenes, the Information Authentication carried out for user corresponding to terminal, is the real information for being intended for user, For example, a series of real informations such as the name of user, gender, Mobile Directory Number, address, these real informations just constitute end The whole key messages for holding corresponding user to be verified after triggering network access behavior, and name therein this Information corresponding to field will exist due to being a part of whole key messages as Partial key information.

In addition, the cryptographic digest of institute's verification information content can be and be obtained to Partial key information progress hashed The cryptographic Hash obtained.Certainly, the cryptographic digest of institute's verification information content can also be obtained by some other encryption functions, herein not It is defined.

Certainly, the cryptographic Hash of institute's verification information content, i.e. cryptographic digest are obtained by hashed, this ciphering process is adopted With being able to all being converted to institute's verification information content into the ciphertext of a regular length, be conducive to the execution of subsequent process.

In one exemplary embodiment, terminal device jumps execution information verifying for the network access carried out, in institute In the Information Authentication for jumping progress, submitted information, the i.e. corresponding cryptographic digest of Partial key information are obtained.This cryptographic digest is only One describes the content of submitted Partial key information.

To be executed by terminal for step 310.The network that terminal is triggered for itself accesses behavior, initiates letter Breath verifying, and the cryptographic digest of institute's verification information content is obtained thus, this cryptographic digest will be for realizing third party to terminal The Information Authentication of triggered network access behavior.

It can define, for terminal, the information content verified is held by oneself always, without passing Broadcast is gone, and safety obtains firm guarantee.

Fig. 4 is the flow chart that step 310 is described according to Fig. 3 corresponding embodiment.The step 310, as shown in figure 4, Include the following steps in one exemplary embodiment.

In step 311, the Information Authentication instruction of the triggered network access behavior of terminal is received.

In step 313, the information of instruction verifying is instructed according to Information Authentication, the encryption for generating corresponding informance content is plucked It wants.

Wherein, terminal receives Information Authentication instruction with network behavior itself is triggered.Terminal pair referred herein The reception of Information Authentication instruction, carries out in the terminal, is substantially that a process of terminal accesses behavior to the network triggered It is responded, receives corresponding Information Authentication instruction.

Information Authentication instruction, as terminal jump execution information verifying in the case where network access behavior corresponds to receiving end control Instruction.Signified information verification process, can be the registration login process of user, be also possible to certain a kind of user to held letter The process verified is ceased, herein without limiting.

But which type of information verification process can not be corresponded to, all will be jumped with terminal into Information Authentication and be mentioned The information of friendship, and receive Information Authentication instruction.For example, inputting account information in the Information Authentication of the jumped entrance of terminal Deng and after submitting, just receive Information Authentication instruction.

Therefore, Information Authentication instruction carries the information of requests verification, this information is the part verified required for terminal Key message.Cryptographic digest is generated to this information content, third party can be requested to give this and verified.

It in a step 330, is that network accesses behavior request third party to terminal progress Information Authentication by cryptographic digest.

Wherein, as previously described, Information Authentication is to jump execution under the receiving end control of network access behavior, also It is to say, the Information Authentication carried out is that the network for terminal in receiving end is accessed and carried out.But carried out Information Authentication Main body be third party, therefore, terminal will by cryptographic digest obtained be itself triggering network access behavior ask Third party is asked to verify.

Third party, be different from a side of terminal and receiving end, and third party be independently of terminal and receiving end it Between.Third party is for realizing Information Authentication, and therefore, third party stores all information.That is, for each terminal or All key messages of user corresponding to each terminal of person are all stored in third party, and network accesses the receiving end of behavior, then does not have There is any key message of storage, and also can not obtain any key message via the progress of Information Authentication, therefore, is protected The safety of information is demonstrate,proved.Even if receiving end is an illegal website, can not also steal to obtain.

The third party disposed is used for the receiving end execution information verifying for each terminal and the access behavior of each network.Also It is to say, is the Information Authentication that network accesses that behavior is carried out to third party's request by cryptographic digest, can be terminal institute directly Progress is requested to third party, is also possible to what the requested third party in receiving end that terminal is requested access to carried out.

For example, the execution that terminal can access behavior for own net requests third party to carry out Information Authentication, for subsequent institute The network of triggering accesses behavior and provides third-party information authentication results.

In addition to this, terminal is triggered after network access behavior, once needing to carry out Information Authentication, then obtains thus The cryptographic digest of institute's verification information content, terminal will pass through receiving end corresponding to this cryptographic digest response to network access behavior The Information Authentication of initiation is tested at this point, receiving end will request third party to carry out information to terminal based on cryptographic digest obtained Card.

Therefrom, it may be appreciated that, third party is to dispose to carry out Information Authentication and independently, and it is self-existent, it is any Terminal and receiving end can not all obtain the data that third party is stored, and also can not influence or interfere performed by third party Information Authentication is able to ensure that the independence and reliability of the verifying of third party's execution information, and any terminal and receiving end can not It distorts.

In step 350, the Information Authentication that third party carries out according to terminal request, in corresponding tree construction by leaf node It traces back and obtains the corresponding certification path of verification information to root node, the corresponding values match of leaf node is in terminal on corresponding tree construction All key messages of required verifying.

Wherein, with by cryptographic digest for terminal trigger network access behavior to third party request progress information test Card, third party will execute the requested Information Authentication of terminal thus.The Information Authentication carried out is by disposing in third party Tree construction realize.

It should be appreciated that third party is as self-existent authentication mechanism, it is terminal and end by constructed tree construction The corresponding user in end close the storage of all key messages.Constructed each tree construction is all to be uniquely corresponding to a user Or a kind of user, this will be obtained according to the realization flexible deployment of carried out Information Authentication.For example, if the Information Authentication carried out Be be intended for the verifying of each user, such as verifying current request carry out network access user whether be real user, and Non- machine, then in this scenario, each tree construction are all uniquely corresponding to a user.

In another example i.e. verifying current request carries out if the Information Authentication carried out is intended for every a kind of user and carries out Whether the user of network access is certain a kind of or a certain group of user, then each tree construction is all uniquely corresponding to one in this scenario Class user, tree construction will be used to store data common to such user.

Third party searches the leaf for corresponding to this cryptographic digest in corresponding tree construction according to cryptographic digest obtained Node, and traced back by leaf node to root node, by the child node and root node between leaf node, leaf node and root node Form certification path.For cryptographic digest, pass through the node on this cryptographic digest and certification path, if it is possible to reconstruct It obtains with the consistent tree of the Local Phase of tree construction as a result, being just able to verify that obtain cryptographic digest to be to be present in corresponding tree construction In.

For a user, all corresponding content in each field of all key messages all will be with the shape of cryptographic digest Formula is stored in the leaf node of corresponding tree construction.That is, the corresponding numerical value of leaf node is to be matched with use on tree construction One field of all key messages in family.

In one exemplary embodiment, tree construction can be by obtain constructed by level operation to all key messages It arrives.For example, all key messages correspond to the information content of each field, corresponding cryptographic digest is all generated, then in institute In the cryptographic digest of acquisition, corresponding cryptographic digest is obtained after merging two-by-two again, and so on, successively forward Operation is promoted, until finally obtaining only one numerical value, this numerical value is the corresponding numerical value of root node in tree construction.

And the numerical value that the operation of intermediate institute obtains, then it is that each node layer institute is corresponding, leaf node is then to all The cryptographic digest that the information content of the key message in each field generates.

For example, constructed tree construction can be Merkle tree, the cryptographic Hash of the information content corresponding to each field, as The corresponding numerical value of leaf node in Merkle tree, and thus up existing node, then be that two nodes institutes of next level are right The cryptographic Hash answered is merged into character string, and hashed is obtained again later.

Third party is each group of key message, such as the aforementioned signified all key messages for corresponding to user or one are eventually Held key message is held, all constructs corresponding tree construction, and associated with a public key.Constructed tree construction passes through institute Associated public key and correspond to terminal and user.

In one exemplary embodiment, tree construction and public key be in third-party associated storage, to be with public key be index into Capable storage of data structure.Corresponding, in the Information Authentication for requesting to carry out, third party will be with received public key For index entry, it is indexed the lookup of middle institute's storage of public keys, the tree construction for the index mapping searched.

In another exemplary embodiment, it as the public key of index, can be public key itself, be certainly also likely to be to public affairs Key carries out the operation of hashed value by hash function, then take obtained hashed value as the association of index progress public key and tree construction Storage comes to improve safety further with this.

Hash can be in one exemplary embodiment by the hashed value that the operation of hash function institute obtains to public key Value or some other forms.

One group of key message obtains under the action of tree construction rapidly and efficiently to retrieve for subsequent Information Authentication realization, and And only need to store cryptographic digest corresponding to each field on the leaf node of tree construction, it can not directly be closed Therefore the storage of key information further ensures and disposes third-party safety.

In one exemplary embodiment, third party exists in the form of independent mechanism, for example, third party is the clothes of deployment Business device or server cluster, are the realizations under the framework of center, constructed tree construction will be with public key associated storage, other positions The storage accordingly carried out is then for realizing backup.

In another exemplary embodiment, using distributed structure/architecture, third party by forming in many ways, i.e., multiple node ginsengs With, and then the Information Authentication business network formed.Identical data are all stored between third-party node, that is to say, that institute There is tree construction all to store in third-party each node.

It further illustrates, on each node, a storage of data structure interlinks to be formed on a block between block The block chain stored on this node.Constructed tree construction will be stored as the block data on node.

Accordingly, for for the receiving end of terminal or network access behavior, such as need that third party's progress information is requested to be tested Card, it is only necessary to be connected to a node, and then position the block on so far node to find for carrying out Information Authentication for oneself Tree construction.

Block chain is company to creation block after acquisition obtained each group of key message building tree construction in node A block is connected to be formed by.More early to construct obtained tree construction, the position on block chain is more forward, and last constructed Obtained tree construction is just placed in the tail end of block chain.

Third party is being formed in the form of block chain by forming in many ways, and to constructed all polytree structure cochains Each party, i.e., store in each node, for carrying out the third party of Information Authentication, information can be effectively prevent to distort Occur, also effectively information can be avoided to lose.

But the third-party deployment of either center framework or the third-party deployment of distributed structure/architecture, all to be carried out letter Breath verifying provides the third party for being different from terminal and network access behavior receiving end, realizes and is individually present and reliable and stable Authenticate mechanism.

In step 370, tree construction matching is correctly present in by the information that certification path verifies terminal to cryptographic digest All key messages in.

Wherein, as previously described, after obtaining certification path corresponding to cryptographic digest as tree construction, can thus add The nodal value of each level indicated by close abstract and certification path reconstructs tree construction, and constructed tree construction is if it is user institute A part of corresponding tree construction, then can confirm correctly to exist in the matched all key messages of tree construction corresponding to user and be asked Seek the information of verifying.

It should be appreciated that either tree construction part exist or entire tree construction, all without exception corresponded to it is identical Root node, therefore whether third party is correctly present in tree construction in the information for verifying terminal to cryptographic digest by certification path When all key messages matched, it is only necessary to compare the root node that rebuilds numerical value not.

If numerical value is consistent, third-party authentication passes through, and illustrates that cryptographic digest is a leaf on tree construction corresponding to user Numerical value corresponding to node；, whereas if numerical value is not consistent, then authentication failed, cryptographic digest are not the corresponding tree of user Numerical value corresponding to leaf node in structure.

Node corresponding to the Information Authentication instruction that certification path is used to be carried out for third party confirms that encryption is plucked with this The existence and correctness wanted, and do not need all to traverse all nodes on tree construction, very rapidly and efficiently.

Fig. 5 is according to the flow chart that step 330 is described shown in Fig. 3 corresponding embodiment.In an exemplary implementation In example, as shown in Figure 5, step 330 at least includes the following steps.

In step 331, terminal executes signature algorithm to cryptographic digest and obtains corresponding digital signature.

Wherein, as previously described, terminal needs the network access to be carried out to be weighed with the progress that network accesses Limit, and then side can continue to the network currently carried out access, signified permission is obtained by the Information Authentication carried out.

It is on the one hand the content to institute's requests verification information in this Information Authentication, i.e., Partial key information generates encryption On the other hand abstract in the exemplary embodiment, will also sign to cryptographic digest, obtain and guarantee cryptographic digest safety, keep away Exempt from the digital signature that cryptographic digest is tampered, in addition, receiving end will also be made to be able to carry out authentication by means of digital signature, Guarantee the legitimacy that the terminal of verifying is initiated to receiving end.

Terminal just uses held private key pair encryption to make a summary and executes signature algorithm, obtain after generating cryptographic digest Corresponding digital signature.

It should be appreciated that each terminal, also can be regarded as each user corresponding to terminal, suffer from unique existing private Key, and the public key corresponding to private key.In the in store private key of terminal, with the encryption for data, and corresponding public key, It can then be transferred to receiving end with the information exchange that itself is carried out, be perhaps stored in receiving end or be stored in digital signature Management server so that receiving end is obtained from the management server of this digital signature, herein without limiting, public key Be arranged by according to actual operation it needs to be determined that.

In step 333, signed by the receiving end verifying number that digital signature and cryptographic digest request network to access behavior Name.

Wherein, terminal be cryptographic digest generated generate digital signature after, terminal will by digital signature and plus The receiving end of close web feed request network access behavior carries out Information Authentication to terminal, however, as previously described, network accesses behavior Receiving end itself, and without Information Authentication, and Information Authentication will be carried out by means of third party.

But after receiving terminal by digital signature and the information verification request of cryptographic digest initiation, receiving end will To the legitimate verification of terminal corresponding to this information verification request, this process will be plucked by digital signature obtained and encryption It to be realized.

In exemplary embodiment in the specific implementation, receiving end obtains the corresponding public key of the held private key of terminal, make A character string is obtained with public key decryptions digital signature, whether therebetween consistent, such as if comparing this character string and cryptographic digest The obtained character string of fruit and cryptographic digest are consistent therebetween, then illustrate that cryptographic digest is not tampered with, and request to carry out Information Authentication be it is legal, digital signature authentication passes through.

If this character string and cryptographic digest be not consistent therebetween, illustrate that cryptographic digest has been tampered, asked The Information Authentication for asking progress is illegal, digital signature authentication failure.

In step 335, if digital signature authentication passes through, the receiving end of network access behavior is asked by cryptographic digest Third party is asked to carry out Information Authentication to terminal.

Wherein, only when digital signature authentication passes through, request third party executes terminal institute for the receiving end of network access behavior Request the Information Authentication carried out.

At this point, third party will be requested to carry out terminal by cryptographic digest and public key the receiving end of network access behavior Information Authentication.Wherein, cryptographic digest corresponds to the information content of requests verification, and public key then be used to index in third party The corresponding data stored of terminal, i.e., tree construction corresponding to the terminal of aforementioned meaning.

By this exemplary embodiment, the Information Authentication to carry out needed for terminal provides network access behavior receiving end and matches Third party under closing realizes, since most of scenes are all since the receiving end of network access behavior needs to carry out information to terminal The information verification process of verifying and initiation, therefore, the realization of exemplary embodiment as described above will be able to adapt to most of fields Scape also ensures the versatility under various scenes while providing a kind of Information Authentication that safety is splendid realization.

Fig. 6 is according to the flow chart that step 335 is described shown in Fig. 5 corresponding embodiment.In an exemplary reality It applies in example, step 335, as shown in fig. 6, at least including the following steps.

In step 401, network access behavior receiving end obtain terminal information to be verified corresponding to cryptographic digest with And the public key corresponding to the held private key of terminal.

Wherein, first it should be noted that the Partial key letter verified required for terminal information to be verified, as terminal Breath.And cryptographic digest is the content of unique description terminal information to be verified.For example, the Information Authentication carried out is to be intended for What the real information of user carried out, then terminal information to be verified, is that terminal institute's login user corresponds to the true of a certain item attribute Real information, such as the real information of corresponding name this attribute, only the part of whole real information corresponding to user is deposited In.Corresponding, in the existence form of data, terminal information to be verified is a certain in corresponding whole real informations Information corresponding to field.

The private key that terminal is held is in one exemplary embodiment the private key that terminal institute login user is uniquely held. In other words, the private key that terminal is held also is understood as the private key that terminal is stored.It, only can be in terminal part to guarantee safety A unique private key is affixed one's name to, with the information exchange service for being carried out by terminal, that is, encrypts interacted information.This private key has pair The public key answered.

Network accesses the receiving end of behavior, requests the Information Authentication carried out to obtain terminal letter to be verified by terminal Corresponding cryptographic digest is ceased, at this point, receiving end is obtained from terminal with cryptographic digest on the one hand by with the acquisition of cryptographic digest The public key of transmission；On the other hand, receiving end passes through the storage itself carried out or signs from outside, such as aforementioned signified number The management server of name obtains the public key for corresponding to the held private key of terminal.

At this point, being stored for the public key itself carried out, or for the external public key stored, network accesses behavior Receiving end can search required for obtaining according to the account information of terminal institute login user, such as user identifier or terminal iidentification Public key.

As a result, corresponding to terminal, network access both receiving end cryptographic digest obtained and public key of behavior it Between be corresponding.

In step 403, information is initiated to third party according to the Information Authentication that cryptographic digest and public key are carried out by terminal Checking request, information verification request carry cryptographic digest and public key.

Wherein, the receiving end of network access behavior is being that terminal request third party carries out letter according to cryptographic digest and public key When breath verifying, it will be generated by cryptographic digest and public key and initiate information verification request to third party.

Network accesses the receiving end of behavior by initiated information verification request, on the one hand third party is requested to carry out terminal On the other hand corresponding Information Authentication also provides the Information Authentication that will be executed for third party to the cryptographic digest of verifying, And for avoiding identity from falsely using and finding the public keys of data corresponding to terminal.

By this exemplary embodiment, the receiving end of network access behavior and the information friendship that third party is between the two are realized It mutually, the receiving end of arbitrary network access behavior all can be by access third party come real when needing to carry out the Information Authentication of terminal The Information Authentication carried out required for existing, thus for the receiving end of network access behavior, it is no longer necessary to focus on information and test The realization of card, and content can be accessed for the network that terminal provides by more focusing on itself, on the one hand reduce erection net Network accesses the receiving end difficulty of behavior, on the other hand also increases the safety and reliability of receiving end.

Fig. 7 is a kind of flow chart of method for realizing Information Authentication shown according to Fig. 6 corresponding embodiment.In an example Property embodiment in, information verification request carried terminal be cryptographic digest attached by timestamp, before executing step 350, this Realize the method for Information Authentication as shown in fig. 6, further comprising the steps of.

In step 510, third party judges the letter of terminal request progress according to the timestamp carried in information verification request Breath verifies whether time-out.

Wherein, as previously described, information verification request carries cryptographic digest and the public key corresponding to the held private key of terminal, In addition to this, in the present example embodiment, it is timestamp attached by cryptographic digest that information verification request, which also carries terminal,.

The timestamp that information verification request carries is used to indicate the generation time of cryptographic digest, and then will use timestamp Judge whether the current Information Authentication carried out as terminal request is overtime, is ensuring to request the Information Authentication carried out and have not timed out Under, the cryptographic digest that can be carried to information verification request executes third party according to public key and whether there is corresponding key message Verifying.

In step 530, if the Information Authentication time-out that terminal request carries out, the information that refusal terminal request carries out are tested Card.

Wherein, if having requested the Information Authentication carried out according to the timestamp confirmation terminal carried in information verification request Through time-out, i.e., at the time point indicated relative to timestamp, the time range of setting is currently had exceeded, this information verification request It is initiated too late, refusal is carried out corresponding Information Authentication by third party.

It will avoid the playback of information under the action of timestamp as a result, and then guarantee the safety of Information Authentication and reliable Property.

Fig. 8 is according to the flow chart that step 333 is described shown in Fig. 6 corresponding embodiment.In an exemplary reality It applies in example, as shown in figure 8, the step 333, at least includes the following steps.

In step 601, terminal obtains the corresponding public key of held private key.

In step 603, public key, digital signature and cryptographic digest are sent to the receiving end of network access behavior, with request Digital signature is verified according to cryptographic digest using public key in receiving end.

Wherein, as previously described, terminal disposes private key for information exchange that itself is carried out, and private key has correspondence Public key.Between the receiving end that terminal and network access, the information exchange carried out such as needs to guarantee safety, then terminal will The private key disposed using itself carries out information encryption, such as the signature process of aforementioned meaning, obtains digital signature, and then will add Close abstract, digital signature and public key are sent to the receiving end of network access behavior together, to respond progress indicated by receiving end Information Authentication.

Terminal is sent public therewith during sending digital signature and cryptographic digest to the receiving end of network access behavior On the one hand key realized in the form of ensureing that carried out Information Authentication only passes through ciphertext by this, and do not need to obtain encryption and pluck Thus the relevant any data of required verification information except wanting ensure that the safety and reliability of Information Authentication, whole There is only the interactions of ciphertext for a information verification process.

On the other hand, also by with this come avoid verifying institute relevant other information intervention so that terminal needed for progress Information Authentication do not need only reach the purpose of Information Authentication with Partial key information using other key messages.

Fig. 9 is according to the flow chart that step 330 is described shown in Fig. 3 corresponding embodiment.In an exemplary reality It applies in example, as shown in Figure 3, which at least includes the following steps.

In step 331, the Information Authentication that third party is carried out by terminal request obtains and corresponds to the held private key of terminal Public key.

Wherein, as previously described, the Information Authentication that third party is initiated with terminal is tested obtaining corresponding to terminal request After the cryptographic digest for demonstrate,proving the information content, the public key of the held private key of counterpart terminal will be also obtained, for example, third party visits from network Ask that the receiving end of behavior obtains this public key.

With the Information Authentication that terminal request carries out, third party will request the execution master of progress Information Authentication as terminal Body, and be that terminal carries out Information Authentication according to information obtained, such as cryptographic digest, public key.

Therefore, no matter terminal requests to carry out Information Authentication to third party by which kind of mode, for example, terminal is visited by network Ask that the receiving end of behavior requests to carry out Information Authentication or terminal directly to third party's request progress Information Authentication to third party Deng the Information Authentication carried out by terminal request is obtained the public key corresponding to the held private key of terminal by third party.

Public key is answered as the added confidential information of decryption in information exchange, such as the tool of digital signature in third party With in the Information Authentication executed for terminal, for public key obtained by the index as data, public key is for terminal or terminal institute The information that corresponding user's unique identification is stored.

In step 333, corresponding tree construction is positioned according to the public key of acquisition, third party is to be associated with public key with tree construction Storage.

Wherein, it should be understood that third party is realization Information Authentication, for example, realize the Information Authentication for being intended for all multi-users, Whole key messages corresponding to each user are stored with the public key index of this user.

For terminal requests the Information Authentication carried out, essence is also that user corresponding to terminal requests the information carried out Verifying, therefore, the public key of user are the private keys held corresponding to place terminal, and whole key messages corresponding to user The corresponding whole key messages of terminal where as.For third party, the main body that request carries out Information Authentication is terminal, Therefore third party is to carry out Information Authentication for terminal.But substantially, third party is also for the progress of user corresponding to terminal Information Authentication.

Either to terminal still for the user in terminal, related whole key messages are held with terminal The public key for having private key is to index and be associated storage.

And be realize rapidly and efficiently search, whole key messages be storage is realized in a manner of tree construction, and make public key with Tree construction is interrelated therebetween.

After requesting the Information Authentication carried out to obtain public key by terminal in third party as a result, it can be found by public key Corresponding tree construction, i.e. tree construction associated by this public key are the tree construction where cryptographic digest, because public key is unique right Ying Yuyi private key, therefore, the generation that identity is falsely used is avoided also by public key.

In step 335, according to the information of requests verification on tree construction, retrieval corresponds to the leaf node of information, from The leaf node that retrieval obtains, which is traced back to root node, obtains the certification path that several nodes are constituted.

Wherein, the information of requests verification will be completed to verify in third party in a manner of corresponding cryptographic digest, this encryption is plucked If being described to the consistency of requests verification information in terms of content.On tree construction, obtained according to cryptographic digest and this encryption It makes a summary corresponding leaf node, and the child node corresponding in the positioning of a upper level according to this leaf node, and so on, until Reach root node.

It should be noted that leaf node corresponding with cryptographic digest, as carry out operation two-by-two with cryptographic digest and obtain Obtain the leaf node of upper level child node；The leaf node child node corresponding in the positioning of a upper level is cryptographic digest with The corresponding upper child node of acquired nodal value carries out operation two-by-two therewith after the nodal value of corresponding leaf node merges.

For the child node that cryptographic digest is successively retrieved on tree construction, it will be matched with cryptographic digest and construct to obtain The same path for reaching root node corresponding to tree construction, i.e., reached the path of root node on tree construction by cryptographic digest, therefore, by The leaf node retrieved traces back to root node the certification path for just obtaining cryptographic digest.

Certification path is used to judge whether the information content corresponding to cryptographic digest to be strictly necessary being, for changing It, will judge the whether certain necessary being of cryptographic digest on the leaf node of tree construction by certification path.

By the acquisition of retrieval and certification path in institute's tree construction, will be able to effectively improve third party's progress information The efficiency of verifying, and then a large amount of information verification process can be completed.

Figure 10 is according to the flow chart that step 370 is described shown in Fig. 3 corresponding embodiment.In an exemplary reality It applies in example, as shown in Figure 10, which at least includes the following steps.

In step 371, trace back from certification path acquisition along the leaf node of tree construction to the node value sequence of root node.

Wherein, it should be understood that tree construction is dispersed with several sub- sections by several levels laid in different levels Point, and each child node all has unique corresponding father node in a upper level, also has at least one sub- section in next level Point.

That is, the node on tree construction, including leaf node and root node, it is all connected layer by layer.From being obtained Certification path can be obtained several layer by layer connected nodes, i.e. a leaf node is traced back to being distributed on the path of root node All nodes, the corresponding nodal value of these nodes institute just constitute node value sequence.

Node value sequence includes several existing nodal values of sequence, and node value sequence will be used to carry out cryptographic digest This cryptographic digest whether there is in the judgement of the tree construction positioned.

In step 373, the building of corresponding tree construction is carried out to cryptographic digest according to node value sequence, encryption is obtained and plucks Will on constructed tree construction the corresponding numerical value of root node.

Wherein, the level operation carried out according to tree construction, also mutually copes in cryptographic digest and node value sequence and includes Nodal value carries out in level, constructs cryptographic digest and the corresponding tree construction of node value sequence.

In step 375, the verifying cryptographic digest corresponding numerical value of root node and node value sequence on constructed tree construction In correspond to root node nodal value it is whether consistent.

It wherein, which leaf node to be either starting with for a tree construction, with the progress of level operation, Finally it will all collect to unique root node.If cryptographic digest is that position to obtain a leaf node on tree construction corresponding Numerical value, then the corresponding numerical value of root node is necessarily positioned by public key on the tree construction of cryptographic digest and nodal value sequence construct Obtain the nodal value for corresponding to root node in the corresponding numerical value of root node on tree construction and node value sequence.

In step 377, if the corresponding numerical value of cryptographic digest is consistent with the nodal value of corresponding root node, verifying is obtained The information of terminal is correct.

Wherein, each tree construction constructed by third party, the corresponding numerical value of leaf node is all to be matched with Partial key Information, and so on, the corresponding numerical value of all leaf nodes is just matched with all key messages on this tree construction.

The tree construction that level operation is carried out for cryptographic digest and node value sequence and is constructed, if root node is corresponding thereon Numerical value it is consistent with the nodal value of root node is corresponded in node value sequence, i.e., provable cryptographic digest is the constructed tree of third party The corresponding numerical value of a leaf node in structure, and then can determine the corresponding information content of cryptographic digest, the i.e. letter of requests verification Breath content is the matched Partial key information of leaf node institute on tree construction constructed by third party.

Tree construction constructed by third party for comparison is to be positioned by abovementioned steps by public key, this tree knot Numerical value on structure leaf node is all key messages verified required for being matched with terminal, and the information of current request verifying is A part therein.Therefore it is verified cryptographic digest and whether the tree construction of nodal value sequence construct is positioned to by public key To a part of tree construction, if numerical value corresponding to the two root node is identical, this is verified, and verifying is also obtained terminal Information it is correct.

By exemplary embodiment as described above, terminal and the have been built for Information Authentication present in internet The information interaction system that tripartite participates in, and then the various networks access behavior initiated by terminal realizes that information is tested in third party Card, thus it is ensured that the receiving end of network access behavior no longer carries out key message, such as relevant various privacies of user institute and quick Feel the storage of information, worry about network no longer needed to access behavior receiving end in the access of network that user is carried out, for example, it is various not There is the case where leakage information in security website, ensure that the safety of network access.

For the network access that terminal is carried out, information required for network accesses will be completed by means of third party and will be tested Card obtains smoothly network and accesses, and also do not need that various registrations are repeated, and does not thus also need various to what is accessed Website reveals self information, ensure that the network access and the safety of information of terminal.

For the various websites for terminal access, i.e., for the network access behavior receiving end of aforementioned meaning, no longer need It supports the realization of Information Authentication, and required Information Authentication can be completed only by means of third party, both reached verifying letter The purpose of breath to confirm that the terminal that current request accesses corresponds to normal users, and obtains the website of lightweight It realizes, the website erection in network becomes more simple.

Following is the third-party realization of the present invention, and providing one kind by the execution of following methods embodiment can be terminal Realize the third party of Information Authentication, and then the receiving end for being intended for various terminals and the access behavior of various networks realizes that information is tested Card.

Figure 11 is a kind of flow chart of method for realizing Information Authentication shown according to an exemplary embodiment.Show at one In example property embodiment, as shown in figure 11, the method for the realization Information Authentication at least includes the following steps as shown in figure 11.

In step 810, it receives terminal request and carries out cryptographic digest transmitted by Information Authentication, terminal is network access row For execution initiate Information Authentication, cryptographic digest corresponds to terminal and needs the Partial key information verified.

In step 830, it is traced back from leaf node to root node in corresponding tree construction, obtains the corresponding certification of verification information Path, the corresponding values match of leaf node needs all key messages verified in terminal on corresponding tree construction.

In step 850, the information of terminal is verified to cryptographic digest by certification path, network accesses behavior in terminal It is executed when Information Authentication passes through by corresponding receiving end.

Wherein, terminal request carries out cryptographic digest transmitted by Information Authentication, and third party is just accordingly setting after receipt This cryptographic digest is retrieved in structure, if this tree construction equally exists the received cryptographic digest of third party institute, then eventually The Information Authentication carried out is requested to pass through in end.

That retrieves in tree construction fast implements the existing way for being to rely on tree construction child nodes, carries out leaf node extremely Path searching between root node carries out the Information Authentication of terminal using certification path obtained to cryptographic digest.

Third party is independently of the receiving end of terminal and network access behavior, one group of pass that user or terminal are held Key information is all stored in third party in a manner of tree construction, i.e. each group of key message has all corresponded to a tree construction, therefore The Information Authentication that tripartite carries out required for capable of realizing for terminal.

In one exemplary embodiment, third party is as independent authentication mechanism, will by reliable line under type into The acquisition of each group of key message of row, respectively each group of key message collected construct tree construction, and with center framework or Person's distributed structure/architecture and corresponding public key associated storage tree construction.

For example, all users are all carried out with the acquisition of identity information by the mode under a line, each user is acquired All identity informations just constitute one group of key message.The building of tree construction is carried out for all users on this basis and is deposited Storage.

Thus the Information Authentication that the third party realized carries out required for can realizing for each user is the net of user Network access provides a kind of safer quick Information Authentication mode.

In one exemplary embodiment, step 810 includes: and triggers network access behavior according to terminal to request to carry out Information Authentication, receives the information verification request that network access behavior corresponds to receiving end transmission, and information verification request carrying is verified The cryptographic digest of the information content and public key corresponding to the held private key of terminal.

Wherein, the receiving end of network access behavior, such as various websites, to terminal, there is Information Authentication demands, for example, Whether the user that access is initiated in verifying is real user, or an only machine, to shield the false access of machine initiation.

At this point, will be realized by third party to the Information Authentication of terminal institute.Third party receives network access behavior receiving end hair The information verification request sent, the information verification request are used to initiate the Information Authentication of corresponding terminal, the information content verified Corresponding to cryptographic digest entrained by information verification request.

Cryptographic digest corresponding to the requests verification information content is transmitted to third party, in addition to this, is also transmitted to third party Corresponding to the public key of the held private key of terminal, in order to carry out the retrieval of data.

In another exemplary embodiment, the method for the realization Information Authentication also includes at least before step 830 Following steps.

Tree construction is positioned according to the public key carried in information verification request, obtains the corresponding tree construction of institute's verification information.

Wherein, tree construction is used to carry out the storage of cryptographic digest corresponding to information, and each tree construction with it is unique right The public key associated storage answered.

It should be appreciated that tree construction is uniquely corresponding to one group of key message, and the information verified is requested, as this A part of one group of key message will also correspond to a tree construction.

Tree construction is at least used to carry out the storage of cryptographic digest corresponding to each key message in one group of key message. That is the corresponding numerical value of leaf node is cryptographic digest corresponding to a key message on tree construction, this will be so that institute be real Existing third party can either carry out Information Authentication, and without storage real information, there is no the risks of information leakage.

Certainly, the storage of each key message can also be carried out on this leaf node, at this point, the child node of a upper level but Carry out the storage of corresponding cryptographic digest.

Figure 12 is a kind of flow chart of the method for realizing Information Authentication shown according to another exemplary embodiment.The realization The method of Information Authentication, in another exemplary embodiment, information verification request carried terminal are attached by cryptographic digest Timestamp, as shown in figure 12, before executing step 830, the method for the realization Information Authentication is further comprising the steps of.

In step 910, the Information Authentication of terminal request progress is judged according to the timestamp carried in information verification request It is whether overtime.

In step 930, if the Information Authentication time-out that terminal request carries out, the information that refusal terminal request carries out are tested Card, the Information Authentication failure of terminal.

Wherein, information verification request carries timestamp, and third party will be used to verify received information verification request Validity is reused to avoid cryptographic digest entrained by information verification request, that is, shields Replay Attack occurred.

Whether third party is overtime according to timestamp check information checking request, if had timed, out, third party is not verified, Thus but also the cryptographic digest being stolen can not be reused.

It should be noted that timestamp entrained by information verification request, be terminal for the information of request progress test When card is signed, it is additional in digital signature.

Specifically, terminal by request carry out Information Authentication carry out generate correspond to Partial key information, for example, one close The cryptographic digest of key information obtains digital signature to this cryptographic digest and current time stamp signature.

Corresponding, timestamp is received with cryptographic digest and by third party, so that third party will make first With received timestamp it is whether overtime to verify the Information Authentication that terminal request carries out.

Figure 13 is according to the flow chart that step 850 is described shown in Figure 11 corresponding embodiment.The step 850, In In one exemplary embodiment, as shown in figure 13, at least include the following steps.

In step 851, trace back from certification path acquisition along the leaf node of tree construction to the node value sequence of root node.

In step 853, the building of corresponding tree construction is carried out to cryptographic digest according to node value sequence, encryption is obtained and plucks Will on constructed tree construction the corresponding numerical value of root node.

In step 855, the cryptographic digest corresponding numerical value of root node and node value sequence on constructed tree construction are verified In correspond to root node nodal value it is whether consistent.

In step 857, if the corresponding numerical value of cryptographic digest is consistent with the nodal value of root node is corresponded to, verify The information for obtaining terminal is correctly present in the matched all key messages of tree construction, and the Information Authentication of terminal passes through.

By constructing third party in a network in exemplary embodiment as described above, this third party can be supported respectively The Information Authentication carried out required for self terminal and the access behavior of various networks, and then the Information Authentication carried out by terminal is newly-increased Approach, enhances the flexibility and safety of Information Authentication.

By taking the Information Authentication of progress required for a website as an example, the side of above-mentioned realization Information Authentication is described in conjunction with concrete scene Method.The Information Authentication carried out required for this website, is only permitted to verify whether the user of current accessed website is real user Perhaps real user accesses.

At this point, signified user is current logged in user, in brief, signified user for terminal It is user corresponding to terminal.The access that user initiates website, all by therefore, being carried out to user performed by terminal Information Authentication, be to user corresponding to terminal carry out Information Authentication.

Figure 14 is the simplified schematic diagram that framework is realized in an Information Authentication shown according to an exemplary embodiment.This Information Authentication Realize framework include third party 1010, by means of third party 1010 carry out Information Authentication network access behavior receiving end 1030, And the terminal 1050 of triggering network access behavior.

This scene needs to carry out the website of Information Authentication, is one of network access behavior receiving end 1030, that is, schemes 14 Web servers 1031 indicated.

User corresponding to terminal 1050, after triggering network access behavior to Web server 1031 by terminal 1050, Web server 1031 just requests to carry out Information Authentication to this user to third party 1010.

Third party 1010 stores real information corresponding to each user, that is to say, that in third party 1010, Mei Yiyong Whether the corresponding real information in family all uniquely corresponds to a tree construction, correct with the information verified in this tree construction retrieval request In the presence of.

For a user, the more minority of Web server 1031 accessed, therefore, be not it is daily known to, when It is preceding to complete Information Authentication by means of third party 1010, and then it is able to the network access behavior that smooth execution is triggered, and will not be certainly The real information of body is retained on Web server 1031.

Figure 15 is the simplified schematic diagram for showing an Information Authentication according to another exemplary embodiment and realizing framework.This Information Authentication Realize framework, as shown in Figure 15, third party will constitute an Information Authentication business network 1110, net by forming in many ways The receiving end 1030 of network access behavior will be connected to a node 1111 therein by the access to Information Authentication business network, And then the tree construction by storing on this 1111 place block chain of node completes the Information Authentication carried out required for terminal.

Each node 1111 all stores the real information of all users by block chain, and the real information of each user is still It corresponds to tree construction and is stored, a tree construction is present on a block.Block chain is stored on each node 1111 Tree construction it is identical.

It should be appreciated that any node 1111 can carry out the acquisition of user's real information by line under type, use one Family real information collected will generate cryptographic digest to real information corresponding to each field, and so on, obtain this user Cryptographic digest in one's power corresponding to all real informations of acquisition.

Each cryptographic digest is all used as the corresponding numerical value of a leaf node, constructs tree construction with this to carry out level operation, Such as Merkle tree.The unique corresponding tree construction of each user for having carried out real information acquisition is obtained on this node 1111.

At this point, this node 1111 will carry out point-to-point transmission to other nodes in Information Authentication business network, to realize The synchronization of constructed tree construction.

At this point, any one node 1111 is just able to carry out currently requested in connection for Web server 1031 Information Authentication.

Accordingly by now it is appreciated that the Information Authentication carried out, provides only cryptographic digest, and do not provide in plain text, and It, therefore, can be with effective protection privacy only corresponding to Partial key information.

It is further elaborated on, no matter third party is framework as shown in figure 14 or distribution as shown in figure 15 Framework, the internal storage accordingly carried out for real information is all roughly the same.

Figure 16 is to realize that information is handed between third party shown according to an exemplary embodiment, receiving end and terminal three The mutually corresponding data structure schematic diagram of institute.The process for combining terminal request to carry out Information Authentication herein is illustrated.

Private key and corresponding public key are generated in the Information Authentication that terminal is carried out, wherein private key will be held by terminal Have, public key is then supplied to the receiving end of network access behavior, such as a tissue 1330 and third party shown in Figure 16, that is, schemes The third-party institution 1350 shown in 16.

Before the content that terminal issues tissue 1330 accesses, require to carry out the authentication of user, The information verification process of i.e. aforementioned meaning, to be allowed access in verifying user as the rear of real user；, whereas if institute The authentication of progress fails, then it is assumed that the current user for initiating access is fictitious users, i.e. machine, and then refuses such user Access.

Based on this, in the subscriber authentication carried out to terminal, data structure in terminal as shown in figure 16 is carried out The information of subscriber authentication is name, i.e., content corresponding to name field in real information corresponding to user.

Terminal generates cryptographic digest to the information content corresponding to name field in itself real information, and uses private key, That is Private Key executes signature algorithm to cryptographic digest HASH (name) and timestamp and generates digital signature, this timestamp It is corresponding when generating cryptographic digest HASH (name) obtain.

Cryptographic digest HASH (name) generated, digital signature Sign and public key Public Key are sent to by terminal Tissue 1330, to request to carry out the authentication of user.Due to cryptographic digest, i.e. HASH (name) corresponds to the name of user , therefore the verifying of currently requested progress is to verify the Real Name of this user to whether there is and correctness.

Tissue 1330 is receiving cryptographic digest HASH (name), digital signature Sign and public key transmitted by terminal After Public Key, digital signature Sign is decrypted using public key Public Key first, to obtain a string of characters and time Stamp, then compares this string of characters and whether cryptographic digest HASH (name) be consistent, verifies and passes through if consistent, if not phase Unanimously, then illustrate that cryptographic digest HASH (name) is tampered.

After verification passes through, tissue 1330 is just by cryptographic digest HASH (name), timestamp and public key Public Key is sent to the third-party institution 1350, and the request third-party institution 1350 is that user carries out authentication.

The third-party institution 1350 verifies whether time-out to timestamp first, if overtime, then refuse user thus and carries out body Part verifying, and then the authentication of user is caused to fail, the result of authentication failed is returned to tissue 1330.

And if had not timed out, the data structure in third party's machine 1350 as illustrated in FIG. 16, the third-party institution The public key Public Key according to transmitted by tissue 1330 is searched tree construction by 1350, to public key associated by each tree construction Public Key is searched, to obtain the associated tree construction of public key transmitted by tissue 1330, i.e., as in the third-party institution 1350 The Merkle tree 1351 shown.

Merkle tree 1351 and Public Key associated storage.Specifically, in Public Key and Merkle tree 1351 Nodal value on root node 1400, i.e. Root hash associated storage.

As shown by Merkle tree 1351, in all real informations of user, in information corresponding to each field Appearance is all stored respectively on each leaf node.For example, store the information content corresponding to name field on leaf node 1401； Store the information content corresponding to sex field on leaf node 1402；It is right to store mobile field institute on leaf node 1403 Answer the information content；Store the information content corresponding to address field on leaf node 1405.

As a result, by the information content hashed stored on each leaf node, cryptographic Hash obtained will store leaf Upper level child node corresponding to node.For example, store HASH (name) in child node 1501, i.e., corresponding to name field The cryptographic Hash of the information content；It stores in child node 1502 HASH (sex), i.e. the cryptographic Hash of the information content corresponding to sex field； It stores in child node 1503 HASH (mobile), i.e. the cryptographic Hash of the information content corresponding to mobile field；Child node 1505 On store HASH (address), i.e. the cryptographic Hash of the information content corresponding to address field.

And so on, upward Hash two-by-two between child node, until root node.

The third-party institution 1350 is that the real information storage of each user all constructs Merkle tree 1351, and with this user Public key associated storage.

Certainly, it should be noted that, can also be without institute for the Merkle tree 1351 of the real information building of each user The storage of corresponding informance content, but the cryptographic Hash storage of the information content corresponding to each field is directly carried out in leaf node, Thus the real information content is neither stored, and can be realized the verifying for being directed to the real information content, it is highly-safe, do not believe Breath is leaked the risk being tampered.

The third-party institution 1350 verifies cryptographic digest by searching for obtained Merkle tree 1351, if this adds Close abstract is to exist on Merkle tree 1351 and correctly, then be verified to the return of tissue 1330 as a result, at this point, user Triggered network access can be realized at the terminal.

In this information exchange, it can be seen that tissue 1330 and the real information that can not know user, and exist for user The information verified is provided in terminal, also only part real information, and the cryptographic digest generated to this is also It executes at the terminal, therefore, for terminal, there is no the risk of information leakage and possibilities, avoid identity and falsely use.

As a result, in the progress of this Information Authentication, part real information is only provided, all real informations are verified with this, While the accuracy of verifying is improved, privacy is also protected, avoids information exposure.

Following is apparatus of the present invention embodiment, and the method that can be used for executing the above-mentioned realization Information Authentication of the present invention is implemented Example.For undisclosed details in apparatus of the present invention embodiment, the embodiment of the method that the present invention realizes Information Authentication is please referred to.

Figure 17 is a kind of block diagram of system for realizing Information Authentication shown in an exemplary embodiment.In an exemplary reality It applies in example, the system deployment of the realization Information Authentication is in terminal and to the third party of terminal progress Information Authentication, such as Figure 17 institute Show, which includes but is not limited to: verifying initiation module 1710, requests verification module 1730, path searcher module 1750 and add Close Digest Authentication module 1770.

Initiation module 1710 is verified, Information Authentication is initiated for the network access behavior to terminal, obtains institute's verification information The cryptographic digest of content, the information are the Partial key information verified required for terminal；

Requests verification module 1730, for being that the network accesses behavior request third party to end by the cryptographic digest End carries out Information Authentication；

Path searcher module 1750, the Information Authentication for being carried out in third party according to the terminal request, is accordingly setting Structure, which is traced back by leaf node to root node to obtain, verifies the corresponding certification path of the information, leaf node on corresponding tree construction All key messages of corresponding values match verifying required for the terminal；

Cryptographic digest authentication module 1770, for being tested by the certification path the cryptographic digest in the third party The information for demonstrate,proving the terminal is correctly present in the matched all key messages of the tree construction.

Figure 18 is according to the block diagram that verifying initiation module is described shown in Figure 17 corresponding embodiment.In an example Property embodiment in, the verifying initiation module 1710, as shown in figure 18, including but not limited to: instruction receiving unit 1711 and encryption Summarization generation unit 1713.

Instruction receiving unit 1711, for receiving the Information Authentication instruction of the triggered network access behavior of terminal；

It is right to generate institute for instructing the information of instruction verifying according to the Information Authentication for cryptographic digest generation unit 1713 Answer the cryptographic digest of the information content.

It is the block diagram that requests verification module is described for implementing to exemplify that Figure 19, which is according to Figure 18 correspondence,.Show at one In example property embodiment, the requests verification module 1730, as shown in figure 19, including but not limited to: signature unit 1731, request are initiated Unit 1733 and third party's request unit 1735.

Signature unit 1731 is configured in the terminal, and the signature unit is for executing signature to the cryptographic digest Algorithm obtains corresponding digital signature；

Request initiating cell 1733, is configured in the terminal, and the request initiating cell is used for through the number label Name and cryptographic digest request the receiving end of the network access behavior to verify the digital signature；

Third party's request unit 1735 is configured in the receiving end of the network access behavior, and the third party requests single If member passes through for the digital signature authentication, the third party is requested to carry out the terminal by the cryptographic digest Information Authentication.

In one exemplary embodiment, third party's request unit is configured to execute:

Obtain cryptographic digest corresponding to terminal information to be verified and corresponding to the held private key of the terminal Public key；

Information Authentication is initiated to third party according to the Information Authentication that the cryptographic digest and public key are carried out by the terminal Request, the information verification request carry the cryptographic digest and public key.

In one exemplary embodiment, information verification request carried terminal is timestamp attached by cryptographic digest, should The system for realizing Information Authentication further includes overtime authentication module.

Overtime authentication module is configured in third party, and overtime authentication module according in the information verification request for taking Whether the Information Authentication that the timestamp of band judges that the terminal request carries out is overtime；

If the Information Authentication time-out that the terminal request carries out, the time-out authentication module refuses the terminal request The Information Authentication of progress.

In one exemplary embodiment, request initiating cell 1733 is configured to execute:

Obtain the corresponding public key of held private key；

The public key, digital signature and cryptographic digest are sent to the receiving end of network access behavior, described in requesting The digital signature is verified according to the cryptographic digest using the public key in receiving end.

Figure 20 is according to the frame that the path searcher module of third party's configuration is described shown in Figure 17 corresponding embodiment Figure.In one exemplary embodiment, as shown in figure 20, which includes but is not limited to: public key acquisition list Member 1751, tree searching unit 1753 and route searching unit 1755.

Public key acquisition unit 1751 obtains for requesting the Information Authentication carried out by terminal and corresponds to the terminal The public key of held private key；

Set searching unit 1753, for positioning corresponding tree construction according to the public key of acquisition, the third party be by Public key and tree construction associated storage；

Route searching unit 1755, for the information on the tree construction according to requests verification, retrieval corresponds to described The leaf node of information, the leaf node obtained from retrieval, which is traced back to root node, obtains the certification road that several nodes are constituted Diameter.

Figure 21 is according to the block diagram that cryptographic digest authentication module is described shown in Figure 17 corresponding embodiment.At one In exemplary embodiment, as shown in figure 21, which includes but is not limited to: retrieval unit 1771, reconfiguration unit 1773 and comparison unit 1775.

Retrieval unit 1771, for tracing back from certification path acquisition along the leaf node of the tree construction to root The node value sequence of node；

Reconfiguration unit 1773, for carrying out the structure of corresponding tree construction to the cryptographic digest according to the node value sequence It builds, obtains the cryptographic digest corresponding numerical value of root node on constructed tree construction；

Comparison unit 1775, for verifying the cryptographic digest corresponding numerical value of root node on constructed tree construction It is whether consistent with the nodal value in the node value sequence corresponding to root node；

If the corresponding numerical value of the cryptographic digest is consistent with the nodal value of root node is corresponded to, the comparison The information that the verifying of unit 1775 obtains the terminal is correct.

Figure 22 is a kind of block diagram of device for realizing Information Authentication shown according to an exemplary embodiment.In an example In property embodiment, the device of the realization Information Authentication, as shown in figure 22, including but not limited to: cryptographic digest receiving module 1810, Certification path obtains module 1830 and verification of correctness module 1850.

Cryptographic digest receiving module 1810 carries out cryptographic digest transmitted by Information Authentication, institute for receiving terminal request Stating terminal is the execution initiation Information Authentication that network accesses behavior, and the cryptographic digest corresponds to the terminal and needs to verify Partial key information；

Certification path obtains module 1830 and is verified for tracing back from leaf node to root node in corresponding tree construction The corresponding certification path of the information, the corresponding values match of leaf node needs to verify in the terminal on corresponding tree construction All key messages；

Verification of correctness module 1850, for verifying the letter of the terminal to the cryptographic digest by the certification path Breath is correctly present in the matched all key messages of the tree construction, and the network access behavior will be in the information of the terminal It is executed when being verified by corresponding receiving end.

In one exemplary embodiment, cryptographic digest receiving module 1810 is also used to trigger network access row according to terminal By the Information Authentication that carries out of request, receive network access behavior and correspond to the information verification request that receiving end is sent, it is described Information verification request carries the cryptographic digest of institute's verification information content and the public key corresponding to the held private key of terminal.

In another exemplary embodiment, the device of the realization Information Authentication further includes public key locating module.The public key Locating module is used to position tree construction according to the public key carried in the information verification request, and it is corresponding to obtain institute's requests verification information Tree construction,

Wherein, the tree construction is used to carry out the storage of cryptographic digest corresponding to information, and each tree construction is and only One corresponding public key associated storage.

In another exemplary embodiment, the device of the realization Information Authentication further includes timestamp judgment module.Time The information that stamp judgment module is used to judge that the terminal request carries out according to the timestamp carried in the information verification request is tested Whether card is overtime；

If the Information Authentication time-out that the terminal request carries out, the timestamp judgment module refuse the terminal request The Information Authentication of progress, the Information Authentication failure of the terminal.

Figure 23 is the block diagram of the verification of correctness module shown according to another exemplary embodiment.In an exemplary implementation In example, the verification of correctness module 1850, as shown in figure 23, including but not limited to: node traces back unit 1851, tree reconfiguration unit 1853 and root node comparing unit 1855.

Node traces back unit 1851, for tracing back from certification path acquisition along the leaf node of the tree construction to root The node value sequence of node；

Reconfiguration unit 1853 is set, for carrying out corresponding tree construction to the cryptographic digest according to the node value sequence Building, obtains the cryptographic digest corresponding numerical value of root node on constructed tree construction；

Root node comparing unit 1855, for verifying the cryptographic digest corresponding number of root node on constructed tree construction It is worth whether consistent with the nodal value in the node value sequence corresponding to root node；

If the corresponding numerical value of the cryptographic digest is consistent with the nodal value of root node is corresponded to, the root node ratio The information for obtaining the terminal to the verifying of unit 1855 is correctly present in the matched all key messages of the tree construction, described The Information Authentication of terminal passes through.

Optionally, the present invention also provides a kind of computer system, which can be used for aforementioned shown implementation ring In border, execute as above it is any shown in method all or part of step.The computer system includes:

Processor；

Memory for storage processor executable instruction；

The computer-readable instruction realizes preceding method when being executed by the processor.

The concrete mode that the processor of device in the embodiment executes operation is held in the embodiment of preceding method Detailed description is gone, no detailed explanation will be given here.

In the exemplary embodiment, a kind of storage medium is additionally provided, which is computer readable storage medium, It such as can be the provisional and non-transitorycomputer readable storage medium for including instruction.The storage medium is for example including instruction Memory, above-metioned instruction can by the processor of device execute to complete the above method.

It should be understood that the present invention is not limited to the precise structure already described above and shown in the accompanying drawings, and And various modifications and change can executed without departing from the scope.The scope of the present invention is limited only by the attached claims.

Claims (13)

1. a kind of method for realizing Information Authentication, which is characterized in that Information Authentication is carried out for the network access behavior to terminal, The described method includes:

Terminal obtains public key corresponding to the private key that the terminal is held；

The digital signature of the public key, the cryptographic digest of institute's verification information and cryptographic digest is sent to network access behavior by terminal Receiving end, to request receiving end to verify the digital signature according to the cryptographic digest using the public key,

Wherein, institute's verification information is the Partial key information verified required for terminal.

2. the method according to claim 1, wherein the encryption of the public key, institute's verification information is plucked in terminal It to be sent to the digital signature of cryptographic digest before the receiving end of network access behavior, the method also includes:

The cryptographic digest of terminal acquisition institute's verification information；

Terminal executes signature algorithm to the cryptographic digest to obtain the corresponding digital signature.

3. according to the method described in claim 2, it is characterized in that, the terminal obtains the cryptographic digest packet of institute's verification information It includes:

Terminal receives the Information Authentication instruction of the network access behavior triggered for the terminal；

The information that instruction verifying is instructed according to the Information Authentication, generates the cryptographic digest of the information.

4. the method according to claim 1, wherein the method also includes:

If the digital signature is verified, the receiving end request third party of the network access behavior adds according to described Close abstract carries out Information Authentication to the terminal.

5. according to the method described in claim 4, it is characterized in that, third root is requested in the receiving end of network access behavior Carrying out Information Authentication to the terminal according to the cryptographic digest includes:

The information that the receiving end of the network access behavior is carried out according to the cryptographic digest and the public key by the terminal It verifies to third party and initiates information verification request, the information verification request carries the cryptographic digest and public key.

6. according to the method described in claim 5, it is characterized by further comprising:

The third party is traced back to root node by leaf node in corresponding tree construction and is verified according to the information verification request The corresponding certification path of the information, the corresponding values match of leaf node is verified required for the terminal on corresponding tree construction All key messages；

Correctly it is present in the tree construction matching by the information that the certification path verifies the terminal to the cryptographic digest All key messages in.

7. according to the method described in claim 6, it is characterized in that, the information verification request carried terminal is that the encryption is plucked Attached timestamp is wanted, wherein in the third party according to the information verification request, in corresponding tree construction by leaf node It traces back to root node and obtains before verifying the corresponding certification path of the information, the method also includes:

The third party tests according to the information that the timestamp carried in the information verification request judges that the terminal request carries out Whether card is overtime；

If the Information Authentication time-out that the terminal request carries out, refuses the Information Authentication that the terminal request carries out.

8. according to the method described in claim 6, it is characterized in that, described test the cryptographic digest by the certification path The information for demonstrate,proving the terminal is correctly present in the matched all key messages of the tree construction, comprising:

It traces back from certification path acquisition along the leaf node of the tree construction to the node value sequence of root node；

The building for carrying out corresponding tree construction to the cryptographic digest according to the node value sequence, obtains the cryptographic digest and exists The corresponding numerical value of root node on constructed tree construction；

The cryptographic digest is verified to correspond in the corresponding numerical value of root node and the node value sequence on constructed tree construction Whether the nodal value of root node is consistent；

If the corresponding numerical value of the cryptographic digest is consistent with the nodal value of root node is corresponded to, verifying obtains the terminal Information it is correct.

9. a kind of computer system, which is characterized in that the computer system includes:

Processor；And

Memory is stored with computer-readable instruction on the memory, and the computer-readable instruction is held by the processor Method according to any one of claim 1 to 8 is realized when row.

10. a kind of computer readable storage medium, which is characterized in that be stored thereon with computer-readable instruction, the computer Method according to any one of claim 1 to 8 is realized when readable instruction is executed by processor.

11. a kind of device for realizing Information Authentication, which is characterized in that carry out information for the network access behavior to terminal and test Card, described device include:

Acquiring unit is configured as obtaining public key corresponding to the private key that terminal is held；

Request unit is configured as: the digital signature of the public key, the cryptographic digest of institute's verification information and cryptographic digest is sent out It send to the receiving end of network access behavior, to request receiving end to verify the number according to the cryptographic digest using the public key Signature,

Wherein, institute's verification information is the Partial key information verified required for terminal.

12. device according to claim 11, which is characterized in that the acquiring unit is also configured to

Obtain the cryptographic digest of institute's verification information；

Signature algorithm is executed to obtain the corresponding digital signature to the cryptographic digest.

13. device according to claim 12, which is characterized in that the acquiring unit realizes acquisition by handling as follows The cryptographic digest of institute's verification information:

Receive the Information Authentication instruction of the network access behavior triggered for the terminal；

The information that instruction verifying is instructed according to the Information Authentication, generates the cryptographic digest of the information.