CN110611656B - Identity management method, device and system based on master identity multiple mapping - Google Patents


Info

Publication number
CN110611656B
CN110611656B (application CN201910753722.7A)
Authority
CN
China
Prior art keywords
user
identity
authentication
request
certification authority
Prior art date
Legal status
Active
Application number
CN201910753722.7A
Other languages
Chinese (zh)
Other versions
CN110611656A (en)
Inventor
狄刚
Current Assignee
Digital Currency Institute of the Peoples Bank of China
Original Assignee
Digital Currency Institute of the Peoples Bank of China
Priority date
Filing date
Publication date
Application filed by Digital Currency Institute of the Peoples Bank of China
Priority to CN201910753722.7A
Publication of CN110611656A
Application granted
Publication of CN110611656B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention discloses an identity management method, device and system based on master identity multiple mapping, and relates to the technical field of computers. One embodiment of the method comprises: receiving a registration request, wherein the registration request indicates an authentication request of a user; determining the certification authority that is to perform the authentication request and the credential gateway associated with that certification authority, and sending the authentication request to the credential gateway so that the certification authority authenticates the user and generates an identity certificate of the user at the certification authority; and associating the master identity of the user with the identity certificate of the user at the certification authority. The embodiment reduces the difficulty of managing the user's identities and improves the user's login efficiency, thereby improving the user experience.

Description

Identity management method, device and system based on master identity multiple mapping
Technical Field
The invention relates to the technical field of computers, in particular to an identity management method, device and system based on master identity multiple mapping.
Background
With the development of computer technology there are more and more kinds of applications, each with different functions, and a user handles different online services with different applications.
Generally, before using the functions of an application, a user must log in with the identity information the user holds for that application, so the user has to remember each piece of identity information and which application it belongs to in order to log in and use the application normally. As the number of applications grows, the amount of identity information the user has to keep track of grows with it, and managing that identity information becomes increasingly difficult.
Disclosure of Invention
In view of this, embodiments of the present invention provide an identity management method, apparatus and system based on master identity multiple mapping, which manage the identity information of a user in a unified way and improve login efficiency.
To achieve the above object, according to a first aspect of the embodiments of the present invention, there is provided an identity management method based on master identity multiple mapping, including:
receiving a registration request, wherein the registration request indicates an authentication request of a user;
determining the certification authority that is to perform the authentication request and the credential gateway associated with that certification authority, and sending the authentication request to the credential gateway so that the certification authority authenticates the user and generates an identity certificate of the user at the certification authority;
associating the master identity of the user with the identity certificate of the user at the certification authority.
Optionally, the master identity is created for the user when the user sends a registration request for the first time.
Optionally, an asymmetric key generation algorithm is used to generate a public key and a private key of the user, which serve as the master identity of the user.
Optionally, the master identity of the user is associated with identity certificates of the user at one or more certification authorities.
According to a second aspect of the embodiments of the present invention, there is provided an identity management apparatus based on master identity multiple mapping, including a request receiving module, an authentication module and a management module, wherein:
the request receiving module is configured to receive a registration request, wherein the registration request indicates an authentication request of a user;
the authentication module is configured to determine the certification authority that is to perform the authentication request and the credential gateway associated with that certification authority, and to send the authentication request to the credential gateway so that the certification authority authenticates the user and generates an identity certificate of the user at the certification authority;
the management module is configured to associate the master identity of the user with the identity certificate of the user at the certification authority.
Optionally, the request receiving module is further configured to create the master identity for the user when the user sends a registration request for the first time.
Optionally, the request receiving module is configured to generate a public key and a private key of the user using an asymmetric key generation algorithm, which serve as the master identity of the user.
Optionally, the management module is configured to associate the master identity of the user with identity certificates of the user at one or more certification authorities.
According to a third aspect of the embodiments of the present invention, there is provided an identity management system based on master identity multiple mapping, including a credential gateway and the identity management apparatus based on master identity multiple mapping according to any of the above second aspects, wherein:
the credential gateway is configured to receive the authentication request sent by the identity management apparatus, which asks a certification authority to authenticate the user, and to forward the authentication request to the certification authority so that the certification authority generates an identity certificate of the user according to the authentication request; the credential gateway is associated with the certification authority.
Optionally, the identity management system further comprises a certification authority, configured to verify the authentication information carried in the authentication request and, when verification succeeds, to sign the master identity indicated by the authentication request so as to generate the identity certificate of the user.
According to a fourth aspect of the embodiments of the present invention, there is provided a server, including one or more processors and storage means storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out the method according to any one of the first aspects above.
According to a fifth aspect of the embodiments of the present invention, there is provided a computer readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method according to any one of the first aspects above.
One embodiment of the above invention has the following advantages or benefits. When a registration request indicating an authentication request of a user is received, the certification authority able to perform the authentication request and the credential gateway associated with it are determined; the authentication request is then sent to the credential gateway so that the certification authority authenticates the user and generates an identity certificate of the user at that certification authority; and the master identity of the user is associated with that identity certificate. Because each application recognises a certification authority, the user can log in to the identity management apparatus with the master identity alone and then use any application that recognises a given certification authority with the corresponding identity certificate, following the association between the master identity and the user's identity certificates at the certification authorities. The user therefore no longer logs in to each application with application-specific identity information; the master identity and the identity certificates are managed together by the identity management apparatus, which improves login efficiency. Moreover, the user can keep adding identity certificates from different certification authorities as business needs require, and the identity management apparatus manages these certificates, so the user does not have to keep track of multiple sets of identity information; this reduces the difficulty of managing the user's identity and improves the user experience.
Further effects of the above optional features are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting it. In the drawings:
Fig. 1 is a schematic diagram of the main flow of an identity management method based on master identity multiple mapping according to a first embodiment of the present invention;
Fig. 2 is a schematic diagram of the main flow of an identity management method based on master identity multiple mapping according to a second embodiment of the present invention;
Fig. 3 is a schematic diagram of identity certificates associated with a master identity according to an embodiment of the present invention;
Fig. 4 is a diagram illustrating the main modules of an identity management apparatus based on master identity multiple mapping according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an identity management system based on master identity multiple mapping according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart of an application method of an identity management system based on master identity multiple mapping according to an embodiment of the present invention;
Fig. 7 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
Fig. 8 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in Fig. 1, an embodiment of the present invention provides an identity management method based on master identity multiple mapping, which includes the following steps S101 to S103:
Step S101: receive a registration request, wherein the registration request indicates an authentication request of a user.
Here, the user may be an organization having attributes such as an organization name and a unified credit code.
Step S102: determine the certification authority that is to perform the authentication request and the credential gateway associated with that certification authority, and send the authentication request concerning the certification authority to the credential gateway so as to generate an identity certificate of the user at the certification authority.
Each certification authority has a corresponding credential gateway through which the identity management device based on master identity multiple mapping (hereinafter simply the identity management device) communicates with that certification authority. When the identity management device receives a user's registration request, it determines from the authentication request indicated by that registration request which certification authority can perform the authentication and which credential gateway belongs to it. For example, if the certification authority able to perform the user's authentication request is certification authority A, the identity management device determines credential gateway A of certification authority A and sends the authentication request concerning certification authority A to credential gateway A; credential gateway A notifies certification authority A to authenticate the request; when authentication passes, certification authority A returns the user's identity certificate PA to credential gateway A, and credential gateway A returns PA to the identity management device.
Step S103: associate the master identity of the user with the identity certificate of the user at the certification authority.
The identity management device creates the master identity M for the user when the user sends a registration request for the first time. When creating master identity M, it can generate the user's public key and private key with an asymmetric key generation algorithm and use the generated key pair as the user's master identity M.
That is, the identity management method based on master identity multiple mapping according to the embodiment of the present invention may include steps S201 to S205 shown in Fig. 2:
Step S201: receive a registration request of a user, wherein the registration request indicates an authentication request of the user.
Step S202: determine whether the master identity of the user already exists; if so, go to step S204, otherwise go to step S203.
Step S203: generate the master identity of the user, then go to step S204.
Step S204: determine the certification authority that is to perform the authentication request and the credential gateway associated with that certification authority, and send the authentication request to the credential gateway so that the certification authority authenticates the user and generates an identity certificate of the user at the certification authority.
Step S205: associate the master identity of the user with the identity certificate of the user at the certification authority.
When the identity management device receives the user's identity certificate PA returned by credential gateway A, it associates the user's master identity M with PA. Once the user has been authenticated by several certification authorities, the identity management device associates the user's identity certificates at all of them with the master identity, so that the user's identity is managed in one place. For example, if the user is authenticated by certification authority B as well as certification authority A, and certification authority B returns the user's identity certificate PB to the identity management device through credential gateway B, the identity management device associates master identity M with identity certificates PA and PB. The association can be stored as the association graph shown in Fig. 3 or as Table 1 below:
TABLE 1
User master identity    User identity certificate
M                       PA
M                       PB
As shown in Fig. 4, an embodiment of the present invention provides an identity management apparatus 400 based on master identity multiple mapping, including a request receiving module 401, an authentication module 402 and a management module 403, wherein:
the request receiving module 401 is configured to receive a registration request, wherein the registration request indicates an authentication request of a user;
the authentication module 402 is configured to determine the certification authority that is to perform the authentication request and the credential gateway associated with that certification authority, and to send the authentication request to the credential gateway so that the certification authority authenticates the user and generates an identity certificate of the user at the certification authority;
the management module 403 is configured to associate the master identity of the user with the identity certificate of the user at the certification authority.
Optionally, the request receiving module 401 is further configured to create the master identity for the user when the user sends a registration request for the first time.
Optionally, the request receiving module 401 is configured to generate a public key and a private key of the user using an asymmetric key generation algorithm, which serve as the master identity of the user.
Optionally, the management module 403 is configured to associate the master identity of the user with identity certificates of the user at one or more certification authorities.
As shown in Fig. 5, an embodiment of the present invention further provides an identity management system 500 based on master identity multiple mapping, including a credential gateway 501 and the identity management apparatus 400 based on master identity multiple mapping according to any of the above embodiments, wherein:
the credential gateway 501 is configured to receive the authentication request sent by the identity management apparatus 400, which asks a certification authority to authenticate the user, and to forward the authentication request to the certification authority so that the certification authority generates an identity certificate of the user according to the authentication request; the credential gateway 501 is associated with the certification authority.
Optionally, with continued reference to Fig. 5, the identity management system based on master identity multiple mapping further comprises a certification authority 502, configured to verify the authentication information carried in the authentication request and, when verification succeeds, to sign the master identity indicated by the authentication request so as to generate the identity certificate of the user.
When the user is an organization with attributes such as an organization name and a unified credit code, the authentication information carried in the authentication request may be that organization's name and unified credit code. To verify this information, the certification authority compares the organization name (hereinafter M1) and unified credit code (hereinafter N1) carried in the authentication request with the organization name (hereinafter M2) and unified credit code (hereinafter N2) it holds on record for that organization; verification succeeds only when M1 equals M2 and N1 equals N2, and the certification authority then signs the public key in the organization's master identity with its own private key to generate the organization's identity certificate.
Verifying the authentication information first guarantees that the user's identity is genuine. In addition, the identity certificate is the certification authority's signature over the public key in the user's master identity, not over the user's authentication information itself: the user's data (organization name, unified credit code and so on) is stored only at the certification authority and is not exposed while the certificate is used. What is exposed is only the identity certificate, i.e. the certification authority's signature over the public key, which improves the security of the user's information and protects the user's privacy.
The following describes in detail an application method of the identity management system based on master identity multiple mapping provided by the embodiment of the present invention, taking registration of a user with certification authority A as an example; as shown in Fig. 6, the method may include the following steps:
Step S601: the user sends a first registration request to the identity management device.
Step S602: the identity management device generates a public key and a private key with an asymmetric key generation algorithm according to the first registration request and takes the key pair as the user's master identity.
Step S603: the user sends a second registration request to the identity management device, wherein the second registration request indicates an authentication request of the user.
Step S604: according to the second registration request, the identity management device determines that certification authority A is to perform the authentication request and that credential gateway A is associated with certification authority A, and sends the authentication request asking certification authority A to authenticate the user to credential gateway A, which forwards it to certification authority A.
The first registration request sent by the user to the identity management device may itself indicate an authentication request of the user; in that case the identity management device generates the user's master identity from the first registration request, determines that the certification authority to perform the authentication request is certification authority A together with the credential gateway associated with it, and sends the authentication request to that credential gateway. That is, the first and second registration requests in this embodiment may be the same registration request or different ones.
Step S605: certification authority A verifies the authentication information carried in the authentication request and, when verification passes, signs the public key in the user's master identity to generate the user's identity certificate.
Step S606: certification authority A sends the user's identity certificate to credential gateway A, which forwards it to the identity management device.
Step S607: the identity management device associates the user's identity certificate with the master identity.
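The registration flow of steps S601 to S607, the M1/M2 and N1/N2 comparison of step S605 and the Table 1 association of steps S201 to S205 can be exercised end to end with the following Go program. It is an added example written for this page, not code from the patent or its assignee. It assumes Ed25519 as the asymmetric key generation and signature algorithm (the patent names none), models each credential gateway as a direct forwarder to its certification authority, keys Table 1 by the hex-encoded master public key, and uses a constructed organization record with a placeholder credit code. The type and function names (AuthInfo, IdentityManager, Register, VerifyCertificate and so on) are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthInfo carries the organization name (M1) and unified credit code (N1).
type AuthInfo struct{ OrgName, CreditCode string }

// IdentityCertificate (PA, PB in the description) is an authority's signature over the master public key only.
type IdentityCertificate struct {
	Authority string
	Subject   ed25519.PublicKey
	Signature []byte
}

// CertificationAuthority keeps its pre-stored records (M2 -> N2) and its signing key.
type CertificationAuthority struct {
	Name    string
	Public  ed25519.PublicKey
	priv    ed25519.PrivateKey
	records map[string]string
}

func NewCA(name string, records map[string]string) *CertificationAuthority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CertificationAuthority{Name: name, Public: pub, priv: priv, records: records}
}

// Authenticate is step S605: sign the master public key only when M1 == M2 and N1 == N2; the organization data is never signed or returned.
func (ca *CertificationAuthority) Authenticate(info AuthInfo, subject ed25519.PublicKey) (IdentityCertificate, error) {
	if stored, ok := ca.records[info.OrgName]; !ok || stored != info.CreditCode {
		return IdentityCertificate{}, errors.New("authentication failed: organization record mismatch")
	}
	return IdentityCertificate{Authority: ca.Name, Subject: subject, Signature: ed25519.Sign(ca.priv, subject)}, nil
}

// IdentityManager plays the identity management device; gateways stands in for the per-authority credential gateways (S604/S606) and certs is Table 1.
type IdentityManager struct {
	gateways map[string]*CertificationAuthority
	masters  map[string]ed25519.PrivateKey    // user id -> master identity M (key pair)
	certs    map[string][]IdentityCertificate // hex(public key of M) -> PA, PB, ...
}

func NewIdentityManager(gateways map[string]*CertificationAuthority) *IdentityManager {
	return &IdentityManager{gateways, map[string]ed25519.PrivateKey{}, map[string][]IdentityCertificate{}}
}

// Register runs steps S201 to S205 for one (user, certification authority) pair.
func (m *IdentityManager) Register(userID, authority string, info AuthInfo) (IdentityCertificate, error) {
	master, ok := m.masters[userID]
	if !ok { // S202/S203: the first registration request creates the master identity
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return IdentityCertificate{}, err
		}
		master, m.masters[userID] = priv, priv
	}
	ca, ok := m.gateways[authority] // S204: route through the authority's own gateway
	if !ok {
		return IdentityCertificate{}, fmt.Errorf("no credential gateway for authority %q", authority)
	}
	pub := master.Public().(ed25519.PublicKey)
	cert, err := ca.Authenticate(info, pub)
	if err != nil {
		return IdentityCertificate{}, err // a failed authentication associates nothing
	}
	key := hex.EncodeToString(pub) // S205: associate M with the new certificate
	m.certs[key] = append(m.certs[key], cert)
	return cert, nil
}

// Certificates returns every identity certificate associated with the user's master identity.
func (m *IdentityManager) Certificates(userID string) []IdentityCertificate {
	if master, ok := m.masters[userID]; ok {
		return m.certs[hex.EncodeToString(master.Public().(ed25519.PublicKey))]
	}
	return nil
}

// VerifyCertificate is the check an application that recognizes an authority performs; it learns nothing about the organization behind the key.
func VerifyCertificate(caPub ed25519.PublicKey, cert IdentityCertificate) bool {
	return ed25519.Verify(caPub, cert.Subject, cert.Signature)
}

func main() {
	records := map[string]string{"Example Org": "CREDIT-CODE-PLACEHOLDER"} // constructed sample record
	caA := NewCA("A", records)
	mgr := NewIdentityManager(map[string]*CertificationAuthority{"A": caA})
	pa, err := mgr.Register("user-1", "A", AuthInfo{"Example Org", "CREDIT-CODE-PLACEHOLDER"})
	fmt.Println(err, VerifyCertificate(caA.Public, pa), len(mgr.Certificates("user-1")))
}
```

Two properties of the scheme show up directly when the program is run with two authorities: a certificate from authority A fails verification under authority B's key, so an application that recognises only A cannot be satisfied with PB, and a failed comparison of M1/N1 against M2/N2 leaves nothing in the association table. The example follows the description in having the identity management device generate and hold the master private key, which makes that device the component whose compromise exposes every mapped identity; the organization record itself never leaves the certification authority.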
An embodiment of the present invention further provides a server, including: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out a method according to any one of the embodiments described above.
An embodiment of the present invention further provides a computer-readable medium, on which a computer program is stored, where the computer program is configured to, when executed by a processor, implement a method according to any one of the above embodiments.
Fig. 7 illustrates an exemplary system architecture 700 to which the identity management method or identity management apparatus of embodiments of the present invention may be applied.
As shown in fig. 7, the system architecture 700 may include terminal devices 701, 702, 703, a network 704, and a server 705. The network 704 serves to provide a medium for communication links between the terminal devices 701, 702, 703 and the server 705. Network 704 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 701, 702, 703 to interact with a server 705 over a network 704, to receive or send messages or the like. The terminal devices 701, 702, 703 may have installed thereon various communication client applications, such as a shopping-like application, a web browser application, a search-like application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only).
The terminal devices 701, 702, 703 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 705 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users with the terminal devices 701, 702, 703. The background management server may analyse and otherwise process received data such as a product information query request, and feed a processing result (for example, target push information or product information, again only an example) back to the terminal device.
It should be noted that the identity management method provided by the embodiment of the present invention is generally executed by the server 705, and accordingly, the identity management apparatus is generally disposed in the server 705.
It should be understood that the number of terminal devices, networks, and servers in fig. 7 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 8, shown is a block diagram of a computer system 800 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU)801 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse and the like; an output portion 807 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker and the like; a storage portion 808 including a hard disk and the like; and a communication portion 809 including a network interface card such as a LAN card or a modem. The communication portion 809 performs communication processing via a network such as the Internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 810 as necessary, so that a computer program read from it can be installed into the storage portion 808 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program executes the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor including a request receiving module, an authentication module, and a management module. The names of these modules do not, in some cases, constitute a limitation of the modules themselves; for example, the management module may also be described as a "module that associates a user's primary identity with the user's identity proof for the certification authority".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to: receive a registration request, wherein the registration request indicates a certification authority with which a user is to be certified; determine the credential gateway associated with the certification authority, and send a certification request for the certification authority to the credential gateway so as to generate an identity proof of the user for the certification authority; and associate the primary identity of the user with the identity proof of the user for the certification authority.
According to the technical scheme of the embodiment of the invention, when a registration request indicating a certification authority with which the user is to be certified is received, the credential gateway associated with that certification authority is determined, a certification request for the user to register with the certification authority is sent to the credential gateway so as to generate the user's identity proof for that certification authority, and the user's primary identity is then associated with that identity proof. Because each application has a certification authority it recognises, the user can log in directly with the primary identity and then use any application that recognises a given certification authority through the corresponding identity proof, following the association between the primary identity and the identity proof for that certification authority. That is, the user does not need to log in to each application with separate identity information for that application, but only needs to log in to the identity management device with the primary identity; the identity management device manages the primary identity and the identity proofs uniformly, which improves the user's login efficiency. Moreover, the user can keep adding identity proofs corresponding to different certification authorities as business needs arise, and the identity management device manages these multiple identity proofs without the user having to record multiple sets of identity information, which reduces the difficulty of managing the user's identities and improves the user experience.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. An identity management method based on master identity multiple mapping, characterized by comprising the following steps:
receiving a registration request, wherein the registration request indicates a certification request of a user;
determining whether a primary identity of the user exists; if so, proceeding directly to the following steps; otherwise, generating a public key and a private key for the user with an asymmetric key generation algorithm, taking the generated public key and private key as the primary identity of the user, and then proceeding to the following steps;
determining the certification authority that is to perform the certification request and the credential gateway associated with that certification authority, and sending a certification request for the certification authority to certify the user to the credential gateway so as to generate an identity proof of the user at the certification authority; wherein the authentication information carried in the certification request is authenticated and, when the authentication succeeds, the private key of the certification authority is used to sign the public key in the primary identity of the user so as to generate the identity proof of the user for the certification authority;
associating the primary identity of the user with the identity proof of the user at the certification authority.
2. The method of claim 1, wherein the primary identity of the user is associated with identity proofs of the user at one or more of the certification authorities.
3. An identity management device based on master identity multiple mapping, comprising: a request receiving module, an authentication module and a management module; wherein
the request receiving module is used for receiving a registration request, wherein the registration request indicates a certification request of a user;
the request receiving module is also used for determining whether a primary identity of the user exists; if so, proceeding directly to the following steps; otherwise, generating a public key and a private key for the user with an asymmetric key generation algorithm, taking the generated public key and private key as the primary identity of the user, and then proceeding to the following steps;
the authentication module is used for determining the certification authority that is to perform the certification request and the credential gateway associated with that certification authority, and for sending a certification request for the certification authority to certify the user to the credential gateway so as to generate the identity proof of the user at the certification authority; wherein the authentication information carried in the certification request is authenticated and, when the authentication succeeds, the private key of the certification authority is used to sign the public key in the primary identity of the user so as to generate the identity proof of the user for the certification authority;
the management module is used for associating the primary identity of the user with the identity proof of the user at the certification authority.
4. The identity management device of claim 3, wherein
the management module is used for associating the primary identity of the user with identity proofs of the user at one or more certification authorities.
5. An identity management system based on master identity multiple mapping, comprising: a credential gateway, and an identity management device based on master identity multiple mapping as claimed in any of claims 3-4, wherein
the credential gateway is used for receiving a certification request, sent by the identity management device, for a certification authority to certify the user, and for forwarding the certification request to the certification authority so that the certification authority generates the identity proof of the user according to the certification request; wherein the credential gateway is associated with the certification authority.
6. The identity management system of claim 5, further comprising: a certification authority; wherein
the certification authority is used for authenticating the authentication information carried in the certification request and, when the authentication succeeds, signing the primary identity indicated by the certification request to generate the identity proof of the user.
7. A server, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-2.
8. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-2.
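The registration flow of claims 1, 5 and 6 end to end, as an added example that is not part of the patent or of any implementation of it: the identity management device keeps one primary key pair per user, forwards each certification request through its gateway map to the named certification authority, which authenticates the user and signs the primary public key, and the resulting proofs are mapped back to the primary identity. It assumes Ed25519 as the asymmetric key generation algorithm and a constructed per-user secret as the authentication information; the names CertAuthority, IdentityManager, Register and Verify are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// CertAuthority authenticates a user (constructed per-user secret) and signs the user's primary public key.
type CertAuthority struct {
	Priv    ed25519.PrivateKey
	Secrets map[string]string // constructed sample data: user -> expected authentication info
}
// Certify handles the certification request forwarded by the gateway and returns the identity proof.
func (ca *CertAuthority) Certify(user, authInfo string, pub ed25519.PublicKey) ([]byte, error) {
	if ca == nil { // nil receiver: no credential gateway is associated with the requested authority
		return nil, errors.New("no credential gateway for the requested authority")
	}
	if s, ok := ca.Secrets[user]; !ok || s != authInfo {
		return nil, errors.New("authentication failed for " + user)
	}
	return ed25519.Sign(ca.Priv, pub), nil // the proof: authority's signature over the primary public key
}
// IdentityManager is the identity management device: one primary key pair per user, mapped to one proof per authority.
type IdentityManager struct {
	Gateway    map[string]*CertAuthority     // credential gateway: authority name -> authority
	identities map[string]ed25519.PrivateKey // user -> primary identity (embeds the public key)
	proofs     map[string]map[string][]byte  // user -> authority name -> identity proof
}
func NewManager(gateway map[string]*CertAuthority) *IdentityManager {
	return &IdentityManager{gateway, map[string]ed25519.PrivateKey{}, map[string]map[string][]byte{}}
}
// Register follows claim 1: reuse or create the primary identity, forward the certification request, store the proof.
func (m *IdentityManager) Register(user, authority, authInfo string) error {
	priv := m.identities[user]
	if priv == nil { // first registration: generate the primary identity with an asymmetric key algorithm
		_, priv, _ = ed25519.GenerateKey(nil) // nil reader selects crypto/rand; failure is not expected
		m.identities[user], m.proofs[user] = priv, map[string][]byte{}
	}
	proof, err := m.Gateway[authority].Certify(user, authInfo, priv.Public().(ed25519.PublicKey))
	if err == nil {
		m.proofs[user][authority] = proof
	}
	return err
}
// Verify is the login-time check of an application trusting the authority: a valid signature over the primary key.
func (m *IdentityManager) Verify(user, authority string) bool {
	priv, ca, proof := m.identities[user], m.Gateway[authority], m.proofs[user][authority]
	return priv != nil && ca != nil && proof != nil &&
		ed25519.Verify(ca.Priv.Public().(ed25519.PublicKey), priv.Public().(ed25519.PublicKey), proof)
}
```

A second registration for the same user reuses the stored key pair, so two authorities end up certifying the same primary public key, which is the multiple mapping the claims describe.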
CN201910753722.7A 2019-08-15 2019-08-15 Identity management method, device and system based on master identity multiple mapping Active CN110611656B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910753722.7A CN110611656B (en) 2019-08-15 2019-08-15 Identity management method, device and system based on master identity multiple mapping

Publications (2)

Publication Number Publication Date
CN110611656A CN110611656A (en) 2019-12-24
CN110611656B true CN110611656B (en) 2021-11-26

Family

ID=68891050

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant