CN110826043B - Digital identity application system and method, identity authentication system and method - Google Patents


Info

Publication number: CN110826043B (granted); other version: CN110826043A
Application number: CN201810899070.3A
Authority: CN (China)
Language: Chinese (zh)
Inventors: 郑浩剑, 江盈义, 孟凡旭
Assignee (original and current): Tencent Technology Shenzhen Co Ltd
Legal status: Active
Prior art keywords: identity, digital identity, eID, digital, user


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates

Abstract

The embodiments of the invention disclose a digital identity application system and method and an identity authentication system and method, belonging to the technical field of digital identities. In the scheme, because eID codes are digital identities issued by an authoritative trusted platform, each uniquely corresponding to one type of the user's identity real-name information, the resulting digital identity is sufficiently authoritative and has a higher security level; based on the characteristics of eID technology, the reliability, security and validity of the digital identity are improved, the risk of the digital identity being stolen, tampered with or forged is reduced, and the security of the user's identity information is ensured. The purely online application mode saves user cost and improves application and authentication efficiency. Moreover, the user can complete identity authentication for multiple certificates through a single digital identity two-dimensional code, achieving the purpose of "many certificates in one, one code for many certificates", without switching back and forth between multiple platforms, so operation is more convenient and efficiency is higher.

Description

Digital identity application system and method, identity authentication system and method
Technical Field
The invention relates to the technical field of digital identities, in particular to a digital identity application system and method and an identity authentication system and method.
Background
To reduce the inconvenience of carrying a physical identity credential (such as an identity card), digital identity technology has been proposed: the user's identity is carried on a carrier such as a mobile phone in the form of digital identity information. When the user needs to prove identity, the digital identity information is displayed directly from the mobile phone, which saves the trouble of carrying the physical credential, avoids its loss or theft, and improves the security of the user's identity information.
To use digital identity technology, a digital identity must first be applied for; in addition, the authentication and usage process of the digital identity needs to be refined.
Disclosure of Invention
The embodiments of the invention provide a digital identity application system and method and an identity authentication system and method, which improve the security of digital identities, are effective and convenient to operate, and facilitate the popularization and use of digital identities.
In one aspect, a digital identity application system is provided, the system comprising a terminal device and a digital identity management platform, wherein:
the terminal device is configured to obtain at least two types of identity real-name information of the same user, and to send a digital identity issuance request together with the at least two types of identity real-name information to the digital identity management platform, the digital identity issuance request requesting issuance of a digital identity;
the digital identity management platform is configured, after obtaining the digital identity issuance request, to send the received at least two types of identity real-name information to a trusted platform so that the trusted platform issues at least two eID codes, each uniquely corresponding to one of the at least two types of identity real-name information; to receive the at least two eID codes sent by the trusted platform; and to generate the user's digital identity identifier from the at least two eID codes according to a preset generation mode.
In one aspect, a method for applying for a digital identity is provided, where the method includes:
receiving, from a terminal device, at least two types of identity real-name information of the same user and a digital identity issuance request, the digital identity issuance request requesting issuance of a digital identity;
sending the at least two types of identity real-name information to a trusted platform so that the trusted platform issues at least two eID codes, each uniquely corresponding to one of the at least two types of identity real-name information;
receiving the at least two eID codes sent by the trusted platform;
and generating the user's digital identity identifier from the at least two eID codes according to a preset generation mode.
In one aspect, a method for applying for a digital identity is provided, the method comprising:
obtaining at least two types of identity real name information of the same user;
sending the at least two types of identity real-name information and a digital identity issuance request to a digital identity management platform, so that the digital identity management platform sends the at least two types of identity real-name information to a trusted platform and obtains at least two eID codes generated by the trusted platform, each uniquely corresponding to one of the at least two types of identity real-name information, the digital identity issuance request requesting issuance of a digital identity;
receiving the at least two eID codes sent by the digital identity management platform;
and generating the user's digital identity identifier from the at least two eID codes according to a preset generation mode.
In one aspect, an identity authentication system is provided, the system comprising an identity authentication request terminal, a terminal device and a digital identity management platform, wherein:
the terminal device is configured to obtain an identity authentication request and send it to the digital identity management platform; the digital identity management platform stores digital identity identifiers of a plurality of users, each user's digital identity identifier comprising at least two eID codes, each eID code generated by the trusted platform based on one type of identity real-name information of that user;
the digital identity management platform is configured to determine a corresponding target digital identity identifier based on the identity authentication request;
the identity authentication request terminal is configured to obtain the target eID codes corresponding to the target digital identity identifier, to determine from the target eID codes an eID code to be authenticated according to the identity authentication scenario, and to send the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
In one aspect, an identity authentication method is provided, and the method includes:
receiving an identity authentication request sent by terminal equipment;
determining a corresponding target digital identity identifier from the stored digital identity identifiers of a plurality of users based on the identity authentication request, each user's digital identity identifier comprising at least two network electronic identity (eID) codes, each eID code uniquely generated by a trusted platform based on one type of identity real-name information of that user; so that an identity authentication request terminal obtains the target eID codes corresponding to the target digital identity identifier, determines from the target eID codes an eID code to be authenticated according to the identity authentication scenario, and sends the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
In one aspect, an identity authentication method is provided, and the method includes:
obtaining target network electronic identity (eID) codes corresponding to a target digital identity identifier, the target digital identity identifier being determined by a digital identity management platform according to an identity authentication request, the digital identity management platform storing digital identity identifiers of a plurality of users, each user's digital identity identifier comprising at least two eID codes, each eID code uniquely generated by a trusted platform based on one type of identity real-name information of that user;
determining from the target eID codes an eID code to be authenticated according to the identity authentication scenario;
and sending the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
In one aspect, a digital identity application apparatus is provided, the apparatus comprising:
a first receiving module, configured to receive, from a terminal device, at least two types of identity real-name information of the same user and a digital identity issuance request, the digital identity issuance request requesting issuance of a digital identity;
a sending module, configured to send the at least two types of identity real-name information to a trusted platform so that the trusted platform issues at least two eID codes, each uniquely corresponding to one of the at least two types of identity real-name information;
a second receiving module, configured to receive the at least two eID codes sent by the trusted platform;
and a generating module, configured to generate the user's digital identity identifier from the at least two eID codes according to a preset generation mode.
In one aspect, a digital identity application apparatus is provided, the apparatus comprising:
an obtaining module, configured to obtain at least two types of identity real-name information of the same user;
a sending module, configured to send the at least two types of identity real-name information and a digital identity issuance request to a digital identity management platform, so that the digital identity management platform sends the at least two types of identity real-name information to a trusted platform and obtains at least two eID codes generated by the trusted platform, each uniquely corresponding to one of the at least two types of identity real-name information, the digital identity issuance request requesting issuance of a digital identity;
a receiving module, configured to receive the at least two eID codes sent by the digital identity management platform;
and a generating module, configured to generate the user's digital identity identifier from the at least two eID codes according to a preset generation mode.
In one aspect, an identity authentication apparatus is provided, the apparatus comprising:
a receiving module, configured to receive an identity authentication request sent by a terminal device;
and a determining module, configured to determine a corresponding target digital identity identifier from the stored digital identity identifiers of a plurality of users based on the identity authentication request, each user's digital identity identifier comprising at least two network electronic identity (eID) codes, each eID code uniquely generated by a trusted platform based on one type of identity real-name information of that user; so that an identity authentication request terminal obtains the target eID codes corresponding to the target digital identity identifier, determines from the target eID codes an eID code to be authenticated according to the identity authentication scenario, and sends the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
In one aspect, an identity authentication apparatus is provided, the apparatus comprising:
an obtaining module, configured to obtain target network electronic identity (eID) codes corresponding to a target digital identity identifier, the target digital identity identifier being determined by a digital identity management platform according to an identity authentication request, the digital identity management platform storing digital identity identifiers of a plurality of users, each user's digital identity identifier comprising at least two eID codes, each eID code uniquely generated by a trusted platform based on one type of identity real-name information of that user;
a first determining module, configured to determine from the target eID codes an eID code to be authenticated according to the identity authentication scenario;
and a sending module, configured to send the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
In one aspect, a server is provided, the server including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the steps included in the method of the above aspects according to the obtained program instructions.
In one aspect, a terminal device is provided, where the terminal device includes:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the steps included in the method of the above aspects according to the obtained program instructions.
In one aspect, a storage medium is provided, the storage medium storing computer-executable instructions for causing a computer to perform the steps included in the method of the above aspects.
In the embodiments of the invention, because eID codes are digital identities issued by an authoritative trusted platform, each uniquely corresponding to one type of the user's identity real-name information, the resulting digital identity is sufficiently authoritative and has a higher security level. Based on the authority, security, universality and privacy of eID technology, the reliability, security and validity of the digital identity are improved, the risk of its being stolen, tampered with or forged is reduced, and the security of the user's identity information is ensured. At the same time, the application for the digital identity can be completed in a purely online mode, which saves user cost, makes the application more convenient, improves application efficiency and further facilitates popularization of the scheme. Moreover, the user can complete identity authentication for multiple certificates through a single digital identity two-dimensional code, achieving "many certificates in one, one code for many certificates", without switching back and forth between multiple platforms; operation is faster and more convenient, efficiency is higher, the user experience is improved and popularization of the scheme is further facilitated.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1A is a schematic diagram of an application scenario in which a digital identity application scheme according to an embodiment of the present invention is applied;
fig. 1B is a schematic diagram of an application scenario in which the digital identity application scheme in the embodiment of the present invention is applied;
fig. 1C is a schematic diagram of an application scenario to which the digital identity application scheme in the embodiment of the present invention is applied;
FIG. 2A is a block diagram of a digital identity application system according to an embodiment of the present invention;
FIG. 2B is a block diagram of a digital identity application system according to an embodiment of the present invention;
FIG. 2C is a block diagram of a digital identity application system according to an embodiment of the present invention;
FIG. 3 is an interaction diagram of a digital identity application method in an embodiment of the present invention;
fig. 4 is an architecture diagram of a terminal device in an embodiment of the present invention;
fig. 5 is a schematic diagram of a mapping between a terminal device and a mobile phone according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating an example of requesting authorization from a WeChat client during a digital identity application process in accordance with an embodiment of the present invention;
FIG. 7 is a schematic diagram of liveness detection in an embodiment of the present invention;
FIG. 8 is a schematic diagram of a digital identity two-dimensional code generated in an embodiment of the present invention;
FIG. 9 is an interaction diagram of a digital identity application method in an embodiment of the present invention;
fig. 10 is a schematic diagram of an application scenario to which the identity authentication scheme in the embodiment of the present invention is applied;
fig. 11 is a schematic diagram of an application scenario in which the identity authentication scheme in the embodiment of the present invention is applied;
fig. 12 is a schematic diagram of an application scenario to which the identity authentication scheme in the embodiment of the present invention is applied;
FIG. 13A is an architecture diagram of an identity authentication system in an embodiment of the present invention;
FIG. 13B is an architecture diagram of an identity authentication system in an embodiment of the present invention;
FIG. 13C is an architecture diagram of an identity authentication system in an embodiment of the present invention;
FIG. 13D is an architecture diagram of an identity authentication system in an embodiment of the present invention;
FIG. 14 is an interaction diagram of the identity authentication method in an embodiment of the present invention;
FIG. 15 is an interaction diagram of the identity authentication method in the embodiment of the present invention;
FIG. 16 is a block diagram of a digital identity application apparatus according to an embodiment of the present invention;
FIG. 17 is a block diagram of a digital identity application apparatus according to an embodiment of the present invention;
FIG. 18 is a block diagram of an embodiment of an identity authentication device;
FIG. 19 is a block diagram of an embodiment of an identity authentication device;
FIG. 20 is a block diagram of a server according to an embodiment of the present invention;
fig. 21 is a schematic structural diagram of a terminal device in the embodiment of the present invention;
fig. 22 is a schematic structural diagram of a terminal device in the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The embodiments and features of the embodiments of the present invention may be arbitrarily combined with each other without conflict. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
The terms "first" and "second" in the description, claims and drawings of the present invention are used to distinguish different objects, not to describe a particular order. Furthermore, the term "comprises" and any variations thereof are intended to be non-exclusive: a process, method, system, article or apparatus that comprises a list of steps or elements is not limited to those steps or elements, but may include other steps or elements not listed or inherent to such process, method, article or apparatus.
In the embodiment of the present invention, the "plurality" may mean at least two, for example, two, three, or more, and the embodiment of the present invention is not limited.
In addition, the term "and/or" herein is only one kind of association relationship describing the association object, and means that there may be three kinds of relationships, for example, a and/or B, and may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this document generally indicates that the preceding and following related objects are in an "or" relationship, unless otherwise specified.
Some terms referred to herein are explained below to facilitate understanding by those skilled in the art.
1. Digital identity: a concept relative to physical identity credentials. Physical identity credentials are physical objects that prove a user's identity as a citizen, such as a Chinese resident identity card, a motor vehicle driving license, a Hong Kong and Macau Exit-Entry Permit or a Home Return Permit; the user's plaintext identity information can be read directly from the physical credential. A digital identity presents the user's identity information in digital form, and can be understood as a set of codes for citizen network-credential identity information generated by cryptographic means on the basis of the physical credential.
2. Digital identity identifier: the information representation of the digital identity, by which a user's identity can be uniquely determined. The digital identity identifier is, for example, an encrypted character string or a code of a specified number of bits, and it may be carried on a carrier such as a mobile terminal (a mobile phone or tablet computer), a Subscriber Identity Module (SIM) card, an embedded SIM (eSIM) chip, a bank card, a social security card and the like.
3. Real-name information: identity information that can be used to uniquely identify a user. Possible real-name information includes, for example, an identity card number, a name combined with an identity card number, a driver's license number, a name combined with a certificate number, and a face image of the user.
4. Identity real-name information: understood in the same way as real-name information; in other words, the identity real-name information of a user uniquely identifies that user.
5. eID code: eID is the abbreviation of Electronic Identity; one possible Chinese translation is network electronic identity, another is citizen network electronic identity, and other translations are possible.
An eID is a digital identifier (network electronic identity) issued to a citizen by the Citizen Network Identity Recognition System of the Ministry of Public Security on the basis of the citizen's physical identity credential, using cryptographic algorithms. When an eID is issued to a user, a unique code representing the user's identity, the user's network identity code (eID code), is calculated from the user's personal identity information and a random number. The identity can then be verified remotely online without disclosing the identity information, which ensures that the digital identity issued to each citizen is unique while reducing the transmission of citizens' plaintext identity information over the network.
The eID has advantages in authority, security, universality and privacy, and can meet citizens' security requirements in areas such as personal privacy, online transactions and virtual property.
Authority: the eID is uniformly issued by the Citizen Network Identity Recognition System of the Ministry of Public Security, is highly authoritative, and can provide cross-region and cross-industry network identity services;
Security: the eID contains a pair of asymmetric keys generated inside a secure smart chip, and a high-strength security mechanism prevents the eID from being illegally read, copied, tampered with or used;
Universality: the eID is not limited by the physical form of the carrier, as long as the secure smart chip in the carrier meets the relevant eID carrier standards;
Privacy: the unique identifier of the eID is generated using a national commercial cryptographic algorithm, contains no plaintext personal identity information, and effectively protects citizens' identity information.
The current digital identity application process, such as a network card, can generally only apply for a lightweight black-and-white network card online, but the lightweight black-and-white network card generally cannot be widely applied to commercial applications, if the function is to be realized, a user is required to carry an entity identity (such as an identity card) to go offline and a 'trusted terminal' specified by a government department to activate online and in the field, or the entity identity can be carried to a place specified by the government department to be activated after face checking by a worker, so that the network card is upgraded to a higher-level color network card. Moreover, at present, each platform signs the identity information of the user by using the encryption technology of the platform itself to obtain the corresponding digital identity, so that the authority of the local encryption mode is not high, the reliability is low, the digital identity of the user is easy to be tampered or even stolen, and the security of the digital identity is low.
In addition, in the current digital identity application scheme, only mutually independent digital identities can be generated for each entity identity certificate, for example, one platform can only apply for the digital identity corresponding to the identity card number, while the other platform can only apply for the digital identity corresponding to the driving license code, so that when the digital identities of different certificate types need to be used, switching between different platforms is needed, which is inconvenient to use and has low operation efficiency.
Through analyzing the prior art, the inventor of the invention finds that the prior digital identity application process needs offline activation, so that more time is spent on a user, the user cost is higher, which is one of the reasons unfavorable for use and popularization, meanwhile, the reliability and effectiveness are lower, which is the second reason unfavorable for use and popularization, and moreover, the use of the digital identity is too limited due to the limitation of the entity identity identification type, the use is inconvenient for the user, the operation efficiency is lower, which is the third reason unfavorable for popularization. In view of this, the inventor considers that offline activation and upgrade as in the prior art can be omitted if a pure online application mode is adopted, so that the user cost can be reduced to a certain extent, and simultaneously, the inventor also considers that the reliability and effectiveness of the digital identity are improved by a digital identity issuing mode of an authority, so that the safety of the privacy information of the user can be ensured as much as possible. In addition, in order to improve the operation efficiency, the inventor considers that a plurality of digital identities generated based on a plurality of entity identity certificates are borne by the same digital identity, namely, the purpose of 'multi-certificate-in-one' is realized, so that when different digital identities are required to be used, a user does not need to manually switch among a plurality of platforms back and forth, and the digital identities are automatically recognized by one platform, so that the operation of the user can be more convenient, and the effectiveness and the operation efficiency of the operation are improved.
According to the analysis and consideration, the inventor designs a technical scheme for realizing the integration of pure online application of multiple digital identities by using an eID technology, based on the characteristics of the eID technology, the reliability, the safety and the effectiveness of the digital identities can be improved, the risks of stealing, tampering and falsifying the digital identities are reduced, the identity information safety of users is ensured, meanwhile, the on-site operation of the users can be omitted by adopting a pure online application mode, the user cost is greatly reduced, meanwhile, the risks of certificate loss and the like caused by offline activation of carried entity certificates can be avoided, and the universality of the scheme is enhanced, so that the use and the popularization are facilitated. And multiple digital identities corresponding to multiple types of identity real-name information are borne by the same digital identity identifier, for example, the digital identities corresponding to the identity card number, the digital identity and the hong Kong and Australia pass are borne by the same two-dimensional code, so that the purpose of one-code and multiple-pass is realized, a user only needs to use one two-dimensional code when using the two digital identities, and the switching between different platforms is not needed like the prior art, so that the efficiency and the convenience of user operation can be improved to a certain extent.
Having introduced the design idea of the embodiment of the present invention, some brief descriptions of application scenarios to which the digital identity application scheme in the embodiment of the present invention is applicable are provided below. It should be noted that the application scenarios described below are only used to illustrate the embodiment of the present invention and are not limiting; in specific implementation, the technical scheme provided by the embodiment of the present invention can be applied flexibly according to actual needs.
Referring to fig. 1A, fig. 1A is an application scenario to which the digital identity application scheme in the embodiment of the present invention is applied. The application scenario includes a terminal device 101, a terminal device 102, a server 103, and a server 104. The terminal device 101 corresponds to a user 1, that is, the terminal device 101 is used by the user 1, and the relationship between the terminal device 102 and a user 2 is understood in the same way. The terminal device 101 can exchange information with the server 103 through a network, and likewise the terminal device 102 can exchange information with the server 103 through a network. Specifically, the terminal device 101 and the terminal device 102 can interact with the server 103 through the same network, for example communicate with the server 103 through the same Wireless Fidelity (WiFi) network, or through different networks (for example, two different WiFi networks or their respective mobile communication networks); fig. 1A takes communication with the server 103 through different networks as an example.
In addition, the server 103 may also communicate with the server 104 through a network. For example, the server 103 may send multiple types of identity real-name information of multiple users to the server 104 through a public security network to request that the server 104 issue digital identities for those users; specifically, the server 104 may be requested to generate a uniquely corresponding eID code for each type of identity real-name information of each user, so as to ensure the authority and uniqueness of the digital identities. In practice, the server 103 may therefore be understood as a platform capable of applying for and managing digital identities, such as the digital identity management platform described later, and the server 104 may be understood as an authority capable of issuing digital identities for users based on eID coding technology, such as the Third Institute of the Ministry of Public Security.
Both the terminal device 101 and the terminal device 102 may have a digital identity management client installed and running in them, and the interaction between the terminal device 101 and the server 103, and between the terminal device 102 and the server 103, may specifically refer to information interaction between the installed digital identity management client and the server 103. The digital identity management client may be an application (APP); it may be an independent APP, an applet running on another platform in applet form, or a function module embedded in some APP, for example an applet running on WeChat that can apply for a digital identity, or a function module embedded in a payment application that can apply for a digital identity. Correspondingly, the server 103 may be regarded as the background server maintained for the digital identity management client.
Referring now to fig. 1B, fig. 1B is another application scenario to which the digital identity application scheme in the embodiment of the present invention is applied. Compared with fig. 1A, a server 105 is added in fig. 1B, and the server 103 may communicate with the server 105 through a network. Continuing the above example in which the user 1 applies for a digital identity through the terminal device 101: before sending each type of identity real-name information of the user 1 to the server 104 to generate an eID code, the server 103 may first send each type of identity real-name information to the server 105, so that the server 105 determines whether it is real and valid identity real-name information, because the server 105 is a platform for verifying whether the identity real-name information of a user is real and valid. In one possible understanding, the server 105 may be the background server of a population query center of a public security department, in which case validity verification may be performed on the user's identity number; in another possible understanding, the server 105 may be a server of a driver's license query center in a traffic management system, in which case validity verification may be performed on the user's driver's license number, and so on. Since the corresponding types of real identity information of most citizens are stored in the server 105, the server 103 can in this way ensure that the various types of identity real-name information are real and legal before sending them to the server 104, so as to ensure the authenticity and validity of the information, and also that the digital identity application comes from a real user.
Referring now to fig. 1C, fig. 1C is another application scenario to which the digital identity application scheme in the embodiment of the present invention is applied. Compared with fig. 1B, in fig. 1C the server 104 and the server 105 may also communicate with each other. Continuing the example in which the user 1 applies for a digital identity through the terminal device 101, the communication connection between the server 104 and the server 105 allows information interaction between the population query center of the public security department and the Third Institute of the Ministry of Public Security, for example through the internal network of the public security department, which facilitates business cooperation between different departments. For example, after receiving the user's identity number sent by the server 103, the server 104 may send the obtained identity number to the server 105 for secondary verification, so as to ensure that the identity number is true and valid (because in reality the user 1 may make a malicious application with a forged identity number), thereby further ensuring the legitimacy and validity of the application.
The terminal device 101 and the terminal device 102 may be a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a notebook computer, an intelligent wearable device (such as a smart watch or a smart bracelet), a personal computer, and the like; whichever device is used, a digital identity management client can run in it, so that the user can apply for a digital identity through the digital identity management client. Similarly, the aforementioned server 103, server 104 and server 105 may each be a personal computer, a midrange computer, a cluster of computers, or the like.
To further illustrate the digital identity application scheme provided by the embodiments of the present invention, a detailed description is provided below with reference to the accompanying drawings and specific embodiments. Although the embodiments of the present invention provide method steps as shown in the following embodiments or figures, more or fewer steps may be included in the method based on conventional or non-inventive effort. For steps between which no necessary causal relationship exists logically, the order of execution is not limited to that provided by the embodiments of the present invention. When the method is executed in an actual processing procedure or in a device (for example, a parallel processor or a multi-threaded application environment), it may be executed in sequence or in parallel according to the method shown in the embodiments or figures.
Referring to fig. 2A, an embodiment of the present invention provides a digital identity application system, which includes a terminal device and a digital identity management platform; or, as shown in fig. 2B, the digital identity application system provided in the embodiment of the present invention includes a terminal device, a digital identity management platform, and a trusted platform; or, as shown in fig. 2C, it includes a terminal device, a digital identity management platform, a trusted platform, and an authority query platform. The terminal device may be, for example, the terminal device 101 or the terminal device 102, with a digital identity management client installed and running in it; the digital identity management platform may be, for example, the server 103, and is configured to respond to the digital identity issuance requests of multiple users; the trusted platform may be, for example, the server 104, and may generate uniquely corresponding eID codes based on the various types of identity real-name information of the users; and the authority query platform is, for example, the server 105, such as a population query center of a public security department or a driver's license query center of a traffic management department, and is configured to perform validity checks on different types of identity real-name information.
The digital identity application system in the embodiment of the present invention may be, for example, a system composed of all the devices included in any one of the application scenarios of fig. 1A to fig. 1C, which is not described again here.
The following describes a digital identity application scheme in the embodiment of the present invention with reference to an interaction diagram of the digital identity application method in the embodiment of the present invention shown in fig. 3.
Step 301: the terminal equipment obtains at least two types of identity real name information of the same user.
In practice, a user may have multiple types of identity real-name information, each type being the identity real-name information corresponding to one type of entity identity document. For example, the same user may hold multiple types of entity certificates such as an identity card, a driver's license, a Hong Kong and Macau pass, a hometown card, a passport, and the like, and each type of entity identity document includes corresponding identity real-name information. Taking the identity card as an example, the identity real-name information corresponding to the identity card includes a name, an identity card number, a date of birth, and a home address; taking the driver's license as an example, the identity real-name information corresponding to the driver's license includes a name, a driver's license number, the corresponding identity card number, a date of birth, and a home address. That is, each type of identity document has its corresponding identity real-name information. In the embodiment of the present invention, the identity real-name information corresponding to different types of identity documents is called different types of identity real-name information, and 'at least two types of identity real-name information' means the multiple types of identity real-name information corresponding to multiple types of identity documents.
When a user needs to apply for a digital identity, the identity real-name information of the types to be applied for can be input into the terminal device, or the terminal device can automatically acquire the identity real-name information of the types the user needs to apply for by using a data collection function commonly used by the user in the terminal device, so as to achieve 'multiple certificates in one, one code for multiple certificates'. In this way at least two types of identity real-name information of the same user are obtained, for example the identity real-name information corresponding to an identity card and the identity real-name information corresponding to a driver's license.
Step 302: the terminal device sends the at least two types of identity real-name information and a digital identity issuance request to the digital identity management platform, and the digital identity management platform receives the at least two types of identity real-name information and the digital identity issuance request.
In the embodiment of the present invention, for the convenience of the user, the application entry for the digital identity may be provided as a software module, for example designed in the form of a client (called, for example, the digital identity management client) installed in the terminal device so that the user can use it directly. In a specific implementation, the digital identity management client may run in the terminal device as an independent APP, in which case the user needs to download an installation package and install it in the terminal device before using the digital identity application function; or the digital identity management client may run in the terminal device as an applet, that is, it depends on another APP and can be used without installation. For example, referring to the terminal device in the embodiment of the present invention shown in fig. 4, the terminal device includes an operating system, a digital identity management client, and an applet management client. The applet management client may be used to host and manage the running of multiple applets, and the digital identity management client may run inside the applet management client as an applet. Both the applet management client and the digital identity management client are provided with interfaces for interacting with the operating system, so that the terminal device can use the capabilities of the operating system to monitor and manage the applet management client; at the same time, the digital identity management client and the applet management client can also communicate with each other by calling an underlying interface. One specific interaction is as follows: the digital identity management client calls the interaction interface to request authorization from the applet management client, and then, based on that authorization, it can obtain the registration information of the account corresponding to the applet management client and the binding information of the payment account of the applet management client, for example the registered mobile phone number and account identifier of the applet management client, the bank card number bound to the payment account of the applet management client and the related user information corresponding to that bank card number, and the like.
To help the reader's intuitive understanding, the mapping between the terminal device and a mobile phone shown in fig. 5 is further described. Taking as an example a terminal device that is a mobile phone running the Android operating system (OS), the applet management client in the terminal device can be regarded as a WeChat client running in the mobile phone, and the digital identity management client in the terminal device can be regarded as an ABC client, where the ABC client is a digital identity management client designed according to the digital identity application scheme provided in the embodiment of the present invention.
Since WeChat supports applets, the ABC client shown in fig. 5 can also run in applet mode; the ABC client can perform underlying communication with the WeChat client, and both the ABC client and the WeChat client can communicate with the Android OS of the mobile phone.
Having introduced the terminal device in the embodiment of the present invention, the digital identity issuance request in step 302 is now described further. In one possible manner, the user opens the ABC client on the mobile phone and taps the start-application button, and the mobile phone accordingly determines the digital identity issuance request. In another possible manner, when the user requests authorization from the WeChat client through the interaction interface of the ABC client, the mobile phone accordingly determines the digital identity issuance request. In still another possible manner, the user may trigger the digital identity application through a specific voice command, a specific gesture or another specific operation, and correspondingly the terminal device determines the corresponding digital identity issuance request after detecting such a specific operation.
Further, after the digital identity issuing request is obtained, the terminal device sends at least two types of identity real name information to the digital identity management platform to request for issuing the digital identity.
In addition, in view of the convenient presentation mode of applets, when the ABC client runs in the WeChat client in applet mode, the related information corresponding to the WeChat client may be obtained by requesting authorization from the WeChat client; a possible authorization schematic diagram is shown in fig. 6. Also, when the ABC client initiates an authorization request to the WeChat client, the terminal device can determine whether the login of the WeChat client has failed. If it has, the authorization request of the ABC client naturally cannot be accepted, so a notification of the WeChat client's login failure can be sent to the ABC client at that moment, and when the WeChat client's login is restored, a notification of the restored login is sent to the ABC client. This improves the interaction between the WeChat client and the ABC client, making it more effective and timely.
Step 303: the digital identity management platform sends the at least two types of identity real-name information to the authority inquiry platform for validity verification, so that the authority inquiry platform verifies the validity of the at least two types of identity real-name information.
It should be noted that the authority query platform may include one or more query platforms, and different authority query platforms may check different types of real-name information, for example, the public security department population query center may check the real-name information corresponding to the identification card, and the driving license query center of the traffic management department may check the real-name information corresponding to the driving license, so in the embodiment of the present invention, the digital identity management platform may send corresponding real-name information to corresponding authority query platforms according to the specific types of the real-name information, so as to perform validity check on each type of real-name information respectively.
Step 304: the authority query platform performs validity verification on the at least two types of identity real-name information.
Step 305: the authority query platform sends query feedback confirming validity to the digital identity management platform.
Taking the population query center of the Ministry of Public Security as an example: after obtaining the identity real-name information sent by the digital identity management platform, it can search for it in the citizen information base it stores; if the corresponding user information is found in the citizen information base, the identity real-name information sent by the digital identity management platform can be determined to be real, that is, it is the identity real-name information of a real user, and query feedback confirming validity is then sent to the digital identity management platform.
In addition, during the verification of the identity real-name information, the digital identity management platform may also send a liveness verification instruction to the terminal device, which instructs the user to perform liveness verification. After obtaining the liveness verification instruction, the terminal device may output a liveness verification request, for example prompting the user by voice or text that liveness verification is required, so that the user is verified accurately by means of liveness detection. After obtaining the liveness verification request output by the terminal device, the user performs liveness verification on the terminal device, for example, following the terminal device's instructions, by blinking in front of the terminal device's camera, reading aloud a passage of text or numbers, or turning the terminal device in several directions, as shown in the schematic liveness verification diagram of fig. 7. The terminal device then determines, based on a preset liveness verification policy, whether the current user is a live person, and when it is determined that the current user is a live person, sends confirmation information to the digital identity management platform to inform it that the current user really is a live person. Liveness verification can thus confirm to a certain extent that the user is a live, real person, which ensures the validity of the digital identity application.
Meanwhile, during liveness verification, the terminal device can also obtain a face image of the user and send the obtained face image to the digital identity management platform; then, in step 304, the digital identity management platform can send the obtained face image together with the identity real-name information to the authority query platform for double verification of the identity information and the facial appearance, which further increases the effectiveness of the verification.
In another possible verification mode of the identity real-name information, the mobile phone number bound to the WeChat client, that is, the mobile phone number used when the WeChat client was registered, is obtained first; the digital identity management platform then sends an SMS verification code to that mobile phone number, and at the same time the terminal device displays a verification interface (that is, an SMS verification interface) through the digital identity management client. If the user is a real, legitimate user, the SMS verification code can be obtained and entered into the SMS verification interface to complete the SMS verification. SMS verification can thus establish that the application is made voluntarily by a real person, which further improves the validity of the digital identity application.
In specific implementation, other verification methods can also be adopted to ensure the authenticity and validity of the willingness to apply; the embodiments of the present invention do not list them one by one.
Step 306: after determining in any of the above ways that the at least two types of identity real-name information are valid, the digital identity management platform sends the at least two types of identity real-name information to a trusted platform (such as the Ministry of Public Security, for example), so that the digital identity, for example an eID code, is issued through the trusted platform.
After receiving the at least two types of identity real-name information sent by the digital identity management platform, the trusted platform determines that the user wishes to have a digital identity issued based on those at least two types of identity real-name information. However, the trusted platform may not fully trust the related information sent by the digital identity management platform, so in order to ensure the validity of the information, the trusted platform may further verify the obtained identity real-name information.
Step 307: one possible verification method of the trusted platform is to send the obtained at least two types of identity real name information to the authority query platform, so as to perform verification on the at least two types of identity real name information again through the authority query platform.
Step 308: the authority query platform performs validity verification on the at least two types of identity real-name information sent by the trusted platform.
Step 309: the authority query platform sends query feedback confirming validity to the trusted platform.
In specific implementation, steps 307 to 309 may be implemented in the same way as steps 303 to 305, and the description is not repeated here.
Step 310: after the trusted platform obtains the query feedback from the authority query platform confirming that the at least two types of identity real-name information sent by the digital identity management platform are both trusted, it processes each of the at least two types of identity real-name information into a uniquely corresponding eID code based on its own encryption algorithm, thereby obtaining at least two eID codes corresponding respectively to the at least two types of identity real-name information, which completes the issuance of the user's digital identity.
Since multiple eID codes may be returned to the digital identity management platform at the same time, and to make it easy for the digital identity management platform to distinguish them, that is, to know which certificate type each eID code corresponds to, in an embodiment of the present invention the trusted platform may, before returning the multiple eID codes to the digital identity management platform, add a matching certificate type identifier to each eID code according to the type of identity real-name information it was generated from. Because a general eID code has a fixed format and length, for example 3 bytes may be added to the head or tail of the eID code to represent the certificate type corresponding to the eID code, for example 000 representing an identity card, 001 a driver's license, 010 a Hong Kong and Macau pass, 100 a hometown card, and so on. The total number of added bytes depends on the number of certificate types that can generally be borne; for example, if only 4 types of certificate are carried, only 2 bytes need be added, and 00, 01, 10 and 11 can then represent these 4 types of certificate respectively.
It should be noted that setting the document type identifier of each eID code by adding new bytes to represent the document type is only one manner; other manners may also be adopted in practice to set the identifier, and they are not listed here. Generally speaking, the manner in which the trusted platform sets the document type identifier for each eID code may be agreed with the digital identity management platform in advance, so that after the digital identity management platform obtains an eID code with a document type identifier set, although it cannot decode and identify the eID code itself, it can determine the document type identifier included in each eID code according to the agreed decoding manner, thereby identifying the document type of each eID code.
In one possible implementation, the trusted platform can send the generated eID codes directly to the digital identity management platform, that is, the eID codes are independent of one another, so that the digital identity management platform can process each eID code according to its own usage requirements and the eID codes do not affect one another.
In another possible embodiment, the trusted platform may further combine the generated plurality of eID codes into a single eID code string according to a predetermined combination rule, for example by joining the plurality of eID codes end to end, where the string contains the aforementioned eID codes and each connection position is distinguished by a certain identifier. In this way the eID code finally sent by the trusted platform to the digital identity management platform is a single string of joined eID codes; the combination physically binds the eID codes together, so that they can be managed and processed uniformly. For example, the combined string can be sent directly to another device, a digital identity identifier can be generated directly from the combined string, or the combined string can be deleted directly, which reduces the number of operations.
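The certificate-type tagging of step 310 and the end-to-end combination just described, as an added example that is not code from the patent or from the applicant: the trusted-platform side tags and joins opaque eID codes, and the management-platform side parses the agreed framing back out without decoding the eID body. The 16-character eID length, the `|` connection identifier, the sample real-name data and the `make_sample_eid` stand-in for the trusted platform's undisclosed algorithm are all assumptions.

```python
"""Certificate-type tagging and end-to-end combination of eID codes.

Added example; it is not code from the patent or from Tencent. It models the
framing described in steps 310 and 311: the trusted platform prepends an agreed
certificate-type identifier to each opaque eID code, joins the tagged codes end
to end with an agreed connection identifier, and the digital identity management
platform parses the tags back out without ever decoding the eID body.
Assumptions (not from the text): eID codes are 16 hex characters, the connection
identifier is '|', and make_sample_eid() is a stand-in for the trusted platform's
own (undisclosed) algorithm.
"""
import hashlib
from typing import Dict, List, Tuple

# Certificate-type identifiers as listed in the text.
CERT_TYPES: Dict[str, str] = {
    "000": "identity_card",
    "001": "driver_license",
    "010": "hk_macau_pass",
    "100": "hometown_card",
}
TAG_LEN = 3
EID_LEN = 16        # assumed fixed length of an eID code
SEPARATOR = "|"     # assumed connection-position identifier


def make_sample_eid(real_name_info: Dict[str, str]) -> str:
    """Stand-in for the trusted platform's own encryption algorithm: derives a
    fixed-length, deterministic code from the real-name fields. Constructed for
    this example only; the real eID derivation is not described on the page."""
    canonical = "\x1f".join(f"{k}={real_name_info[k]}" for k in sorted(real_name_info))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:EID_LEN]


def tag_eid(cert_tag: str, eid: str) -> str:
    """Trusted-platform side: prepend the agreed type tag to one eID code."""
    if cert_tag not in CERT_TYPES:
        raise ValueError(f"unknown certificate type tag {cert_tag!r}")
    if len(eid) != EID_LEN or SEPARATOR in eid:
        raise ValueError("eID code has unexpected length or contains the separator")
    return cert_tag + eid


def combine(tagged: List[str]) -> str:
    """Trusted-platform side: join tagged eID codes end to end (step 311)."""
    if not tagged:
        raise ValueError("at least one eID code is required")
    return SEPARATOR.join(tagged)


def split_combined(combined: str) -> List[Tuple[str, str]]:
    """Management-platform side: recover (certificate type, opaque eID) pairs.

    Only the agreed framing is interpreted; the eID body stays opaque, matching
    the text's note that the platform cannot decode the eID code itself.
    Malformed input and repeated certificate types (an added check) are rejected
    rather than partially accepted.
    """
    pairs: List[Tuple[str, str]] = []
    seen = set()
    for segment in combined.split(SEPARATOR):
        if len(segment) != TAG_LEN + EID_LEN:
            raise ValueError(f"malformed segment {segment!r}")
        tag, eid = segment[:TAG_LEN], segment[TAG_LEN:]
        if tag not in CERT_TYPES:
            raise ValueError(f"unknown certificate type tag {tag!r}")
        if tag in seen:
            raise ValueError(f"duplicate certificate type {CERT_TYPES[tag]}")
        seen.add(tag)
        pairs.append((CERT_TYPES[tag], eid))
    return pairs


def issue_combined(infos: Dict[str, Dict[str, str]]) -> str:
    """End-to-end trusted-platform flow: one tagged eID per certificate type,
    joined into the single string that step 311 returns to the platform."""
    return combine([tag_eid(tag, make_sample_eid(info)) for tag, info in infos.items()])


if __name__ == "__main__":
    # Constructed sample real-name information for one user (placeholder values).
    sample = {
        "000": {"name": "EXAMPLE-NAME", "id_number": "ID-EXAMPLE-0001"},
        "001": {"name": "EXAMPLE-NAME", "license_number": "DL-EXAMPLE-0001"},
    }
    combined = issue_combined(sample)
    print(combined)
    for cert_type, eid in split_combined(combined):
        print(cert_type, eid)
```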
Step 311: whatever processing the trusted platform performs on the generated eID codes (in practice, no processing may be performed at all), for example the aforementioned addition of the certificate type identifier or the aforementioned combination processing, after the processing the trusted platform sends the processed eID codes to the digital identity management platform, so that the digital identity management platform obtains the digital identity issued by the trusted platform and can further generate a corresponding digital identity identifier from the available digital identity.
Step 312: after receiving the multiple eID codes returned by the trusted platform, the digital identity management platform can generate a digital identity of the user according to the received multiple eID codes, that is, the digital identity finally generated by the digital identity management platform comprises the multiple eID codes corresponding to the at least two types of identity real name information, so that the purpose that one digital identity bears the multiple eID codes is achieved.
In specific implementation, the presentation form of the digital identity may be, for example, the eID code itself, an encrypted eID code, a two-dimensional code containing the eID code or the encrypted eID code, or another presentation form; the two-dimensional code form is convenient for scanning when the digital identity is used for offline identity authentication. Based on these different presentation modes, the digital identity management platform can generate a digital identity from the plurality of received eID codes according to a preset generation mode, so that one digital identity bears multiple eID codes, that is, one digital identity bears the identity real-name information corresponding to multiple certificates, realizing 'multiple certificates in one'.
In addition, the digital identity management platform may also send the received multiple eID codes directly to the terminal device, or send the encrypted eID codes to the terminal device, specifically, for example, to the digital identity management client of the terminal device. After receiving the multiple eID codes, the terminal device may also, like the digital identity management platform, generate a digital identity of the user from them, and, to facilitate direct offline code scanning for identity authentication, the digital identity generated in the terminal device may be presented as a two-dimensional code, as shown for example in fig. 8. Presented as a two-dimensional code in the terminal device, the user's digital identity can serve directly as a digital identity credential for offline identity authentication, so that the end user can use it simply by having the code scanned, which is more convenient.
The digital identity two-dimensional code generated by both the digital identity management platform and the terminal equipment can be refreshed at regular time, for example, the digital identity two-dimensional code is refreshed once every 10 seconds, or the digital identity two-dimensional code can be manually refreshed according to the triggering of a user, the possibility that the digital identity two-dimensional code is embezzled by a refreshing mode can be reduced, and the refreshing essence is, for example, the presentation style of the two-dimensional code is changed, or the time for updating is added into the two-dimensional code updated every time, and the like. In addition, the digital identity two-dimensional code in the embodiment of the present invention may prohibit screen capture, for example, if the current interface of the terminal device displays the digital identity two-dimensional code, the screen capture instruction may not be responded and prompt information for prohibiting screen capture may be output if the screen capture instruction is detected, or the current digital identity two-dimensional code may be disabled and a new digital identity two-dimensional code may be regenerated when the screen capture instruction is detected, which may prevent dynamic refresh of the digital identity two-dimensional code, reduce copy and embezzlement, and ensure information security through a series of ways.
Because the eID code is a digital identity signed by an authoritative trusted platform and uniquely corresponding to each type of identity real-name information of the user, the obtained digital identity is sufficiently authoritative and has a higher security level; based on the authority, security, universality and privacy characteristics of eID technology, the reliability, security and effectiveness of the digital identity can be improved, the risks of the digital identity being stolen, tampered with or forged are reduced, and the identity information security of the user is ensured.
Meanwhile, the application for the digital identity can be completed entirely online, which saves the user cost, makes the application more convenient, improves application efficiency and further facilitates popularization of the scheme.
Step 313: in another possible embodiment, after generating the digital identity from the plurality of received eID codes, the digital identity management platform may further generate an authorization credential corresponding to the digital identity, for example a token code, and may update the authorization credential dynamically according to a predetermined update period or when triggered by the user; that is, the authorization credential may change dynamically.
Step 314: the digital identity management platform sends the generated authorization credential to the terminal device; since the authorization credential may change dynamically, the updated authorization credential can be sent to the terminal device again each time it is updated.
Step 315: the terminal device receives the authorization credential sent by the digital identity management platform and can generate the digital identity two-dimensional code of the user from the authorization credential received for the first time; that is, the generated digital identity two-dimensional code does not contain any eID code and contains only the authorization credential.
Further, after receiving an updated authorization credential, the terminal device may update the previously generated digital identity two-dimensional code based on the newly received authorization credential, that is, place the new authorization credential into the updated digital identity two-dimensional code.
The authorization credential can be understood as a key for obtaining the eID codes from the digital identity management platform: whoever holds the key can request the eID codes from the digital identity management platform when they are needed. For example, after a two-dimensional code containing a token code is generated in the digital identity management client, a merchant that needs to authenticate the identity of the user may scan the two-dimensional code to obtain the token code and then send the obtained token code to the digital identity management platform to request the corresponding eID codes.
Because the terminal device is mainly used for foreground interaction, its security is generally lower than that of a background server (such as the digital identity management platform). To protect the eID codes, an authorization-credential protection mechanism is therefore used for foreground display and transmission: the eID codes need not be displayed at the front end at all, and since front-end information is easy to steal, looking up the corresponding eID codes in the background by means of the front-end authorization credential protects the eID codes as far as possible.
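The credential indirection of steps 313 to 315, written out as an added example that is not the patent's own code: the platform keeps the eID codes, the two-dimensional code carries only a token plus its refresh time, and a verifier that scans the code redeems the token at the platform. The class names, the payload format, the 10-second lifetime (taken from the refresh example above) and the sample eID codes are all assumptions.

```python
"""Model of the authorization-credential protection mechanism (added example)."""
import secrets
import time

REFRESH_SECONDS = 10  # refresh period used as an example on the page


class DigitalIdentityPlatform:
    """Background server holding the digital identity, i.e. the eID codes."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so the flow is testable
        self._identities = {}      # digital identity id -> list of eID codes
        self._tokens = {}          # token -> (identity id, issued-at time)

    def register_identity(self, identity_id, eid_codes):
        self._identities[identity_id] = list(eid_codes)

    def issue_token(self, identity_id):
        """Step 313: generate a fresh authorization credential.

        Any earlier credential for the same identity is revoked, so every
        refresh of the two-dimensional code invalidates the previous one.
        """
        if identity_id not in self._identities:
            raise KeyError("unknown digital identity")
        for tok, (iid, _issued) in list(self._tokens.items()):
            if iid == identity_id:
                del self._tokens[tok]
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (identity_id, self._now())
        return token

    def redeem(self, token):
        """A verifier hands in the scanned token; the eID codes are returned
        only while the token is current and within its lifetime."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        identity_id, issued_at = entry
        if self._now() - issued_at > REFRESH_SECONDS:
            del self._tokens[token]   # expired credential: stop honouring it
            return None
        return list(self._identities[identity_id])


def build_qr_payload(token, refresh_time):
    """Step 315: the two-dimensional code content holds the token and the
    refresh time, never an eID code (payload format is an assumption)."""
    return "eidtoken:%s;t=%d" % (token, int(refresh_time))


def parse_qr_payload(payload):
    """What a scanning verifier extracts from the two-dimensional code."""
    if not payload.startswith("eidtoken:"):
        raise ValueError("not a digital identity QR payload")
    token, _, refresh_time = payload[len("eidtoken:"):].partition(";t=")
    return token, int(refresh_time)


if __name__ == "__main__":
    clock = [1000.0]
    platform = DigitalIdentityPlatform(now=lambda: clock[0])
    # constructed sample: one identity bearing two eID codes
    platform.register_identity("zhangsan", ["EID-IDCARD-0001", "EID-DRIVER-0002"])
    payload = build_qr_payload(platform.issue_token("zhangsan"), clock[0])
    print("QR payload shown on terminal:", payload)
    token, _ = parse_qr_payload(payload)
    print("verifier redeems token ->", platform.redeem(token))
    clock[0] += REFRESH_SECONDS + 1
    print("same token after the refresh period ->", platform.redeem(token))
```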
Step 316: the digital identity management platform deletes the aforementioned at least two types of identity real-name information used to generate the digital identity of the user.
That is, once the eID code has been obtained, the digital identity management platform can promptly delete the identity real-name information used to generate the eID code, so that the real-name information of the user is kept on the platform as little as possible, the real-name information is prevented from being stolen and illegally used, and the security of the private information of the user is ensured to the greatest extent.
In a specific implementation, as soon as the digital identity management platform obtains the eID code sent by the trusted platform, the identity real-name information corresponding to that eID code can be deleted; this timely deletion shortens the time the real-name information of the user is stored on the platform as much as possible, so that the risk of the real-name information of the user being stolen is reduced to the greatest extent.
As introduced above, the application for and issuance of a digital identity covering multiple types of identity real-name information of one user is completed through the digital identity management platform. In practice, digital identities containing information from multiple certificates can be applied for and issued to other users in a similar manner, and new digital identities can be re-applied for by users who have already applied for one. That is, the digital identity management platform is equivalent to a platform for applying for and managing the digital identities of a plurality of users: it can store the digital identity identifiers of a plurality of users, and the digital identity identifier of each user can cover one or more types of identity real-name information.
In the embodiment of the invention, when applying for a digital identity that includes a plurality of eID codes, the digital identity management platform (or the terminal device) can obtain the plurality of eID codes at one time and then directly generate the digital identity from the plurality of eID codes received together.
In practice, a user may use only one type of identity real-name information in each application. For example, if the user first applied for a digital identity using an identity card on 28 July 2018, and then, after obtaining a driving license by passing the driving school examination on 1 August 2018, wants to apply for a digital identity for the newly obtained driving license, the scheme of the present invention can be used to add the identity real-name information corresponding to the identity card and the driving license to one digital identity, that is, to bear the identity real-name information corresponding to both the identity card and the driving license through one digital identity. For ease of understanding, the process of adding different types of identity real-name information to the same digital identity is described step by step below with reference to fig. 9 and the foregoing example.
Step 901: the terminal device obtains the first type of identity real-name information of the user; for example, on 28 July 2018 the terminal device obtains the identity real-name information corresponding to the identity card of Zhang San, which can be understood as the first type of identity real-name information.
Step 902: the terminal device sends the obtained first type of identity real-name information and a first digital identity issuance request to the digital identity management platform. The first digital identity issuance request requests the issuance of an eID code uniquely corresponding to the first type of identity real-name information.
Step 903: after receiving the first type of identity real-name information and the first digital identity issuance request sent by the terminal device, the digital identity management platform sends the first type of identity real-name information to the trusted platform to request the trusted platform to issue an eID code uniquely corresponding to the first type of identity real-name information.
Step 904: the trusted platform generates an eID code uniquely corresponding to the first type of identity real-name information, referred to here as the first eID code.
Step 905: the trusted platform sends the generated first eID code to the digital identity management platform.
Step 906: the digital identity management platform generates the digital identity of the user from the received first eID code, so that the generated digital identity includes the first eID code.
Step 907: the terminal device obtains a second type of identity real-name information of the user; continuing the foregoing example, on 1 August 2018 the terminal device obtains the identity real-name information corresponding to the driving license of Zhang San, which can be understood as the second type of identity real-name information.
Step 908: the terminal device sends the obtained second type of identity real-name information and a second digital identity issuance request to the digital identity management platform. The second digital identity issuance request requests the issuance of an eID code uniquely corresponding to the second type of identity real-name information.
Step 909: after receiving the second type of identity real-name information and the second digital identity issuance request sent by the terminal device, the digital identity management platform sends the second type of identity real-name information to the trusted platform to request the trusted platform to issue the eID code uniquely corresponding to the second type of identity real-name information.
Step 910: the trusted platform generates an eID code uniquely corresponding to the second type of identity real-name information, referred to here as the second eID code.
Step 911: the trusted platform sends the generated second eID code to the digital identity management platform.
Step 912: after receiving the second eID code sent by the trusted platform, the digital identity management platform determines that the user wants the same digital identity to bear the identity real-name information corresponding to multiple certificates, so it updates the digital identity generated in step 906 with the newly received second eID code; specifically, the second eID code is also added to the previously generated digital identity. Through the updating operation of step 912, the updated digital identity includes both the first eID code and the second eID code, thereby achieving the purpose of 'multi-certificate-in-one'.
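Steps 901 to 912 together with the deletion of step 316, as an added example that is not the patent's own code: a trusted platform issues an eID code bound to one type of real-name information, the management platform merges each new code into the user's single digital identity, and the real-name information is dropped as soon as the issuance round finishes. The HMAC construction of the eID code, the key, the certificate type names and all sample data are assumptions.

```python
"""Multi-certificate-in-one identity assembly with prompt deletion (added example)."""
import hashlib
import hmac
import json


class TrustedPlatform:
    """Issues eID codes; the only party that keeps a signing key (assumed HMAC)."""

    def __init__(self, signing_key):
        self._key = signing_key

    def issue_eid(self, info_type, real_name_info):
        # Canonical serialisation so the same real-name information of the
        # same type always yields the same code, and a different type or
        # different information yields a different one.
        canonical = json.dumps({"type": info_type, "info": real_name_info},
                               sort_keys=True, separators=(",", ":"))
        digest = hmac.new(self._key, canonical.encode("utf-8"),
                          hashlib.sha256).hexdigest()
        return "%s:%s" % (info_type, digest[:32])

    def verify_eid(self, eid_code, info_type, real_name_info):
        """Check that a code really was issued for this information."""
        expected = self.issue_eid(info_type, real_name_info)
        return hmac.compare_digest(eid_code, expected)


class DigitalIdentityManagementPlatform:
    """Holds one digital identity per user; never stores real-name data at rest."""

    def __init__(self, trusted):
        self._trusted = trusted
        self._identities = {}   # user -> {certificate type: eID code}
        self._pending = {}      # real-name info held only during one issuance

    def apply(self, user, info_type, real_name_info):
        """Steps 902-906 for the first certificate, 908-912 for later ones."""
        self._pending[(user, info_type)] = real_name_info      # step 903 input
        try:
            eid_code = self._trusted.issue_eid(info_type, real_name_info)
            identity = self._identities.setdefault(user, {})
            identity[info_type] = eid_code                      # step 906 / 912
        finally:
            # step 316: delete the real-name information whether or not the
            # trusted platform answered, so nothing lingers after the round
            del self._pending[(user, info_type)]
        return dict(identity)

    def digital_identity(self, user):
        return dict(self._identities.get(user, {}))

    def retained_real_name_records(self):
        return len(self._pending)


if __name__ == "__main__":
    trusted = TrustedPlatform(b"constructed-trusted-platform-key")
    platform = DigitalIdentityManagementPlatform(trusted)
    # constructed sample real-name information; numbers are placeholders
    id_card = {"name": "Zhang San", "id_number": "ID-NUMBER-PLACEHOLDER"}
    licence = {"name": "Zhang San", "license_number": "DL-NUMBER-PLACEHOLDER"}
    print("after 28 July 2018:", platform.apply("zhangsan", "id_card", id_card))
    print("after 1 August 2018:", platform.apply("zhangsan", "driving_license", licence))
    print("real-name records retained:", platform.retained_real_name_records())
```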
Throughout the application process, the risk control level of the digital identity issuance request can be determined according to a preset risk determination strategy. Specifically, the digital identity management platform can determine the risk control level by calling a risk control interface of the WeChat background server, which already has mature risk control technology; this approach requires no additional improvement of the digital identity management platform, so the risk control cost is low. Security verification is then performed in the security verification mode corresponding to the determined risk control level: assuming the risk control level is level 1, the corresponding security verification mode is SMS verification; assuming the risk control level is level 4, the corresponding security verification mode is SMS verification plus human liveness verification; and so on. Only after the identity information has been verified in the corresponding security verification mode and the verification has passed does the digital identity management platform send the identity real-name information and the digital identity issuance request to the trusted platform to request the eID code.
In the embodiment of the invention, risk monitoring is carried out over the whole application process through the risk control strategy, so that risks can be avoided as far as possible at each stage of the application process and the security of the application process is improved.
Meanwhile, throughout the application process, a device identifier of the terminal device and a client identifier of the digital identity management client (for example, the ABC client) may also be obtained, where the device identifier is, for example, an International Mobile Equipment Identity (IMEI) or a Media Access Control (MAC) address, and the client identifier is, for example, the open id of an applet, and the like.
If the device identifier and the client identifier are determined to meet a preset condition, this indicates that a security risk currently exists. For example, if the number of failed logins for the client identifier on other devices within a short time reaches a threshold, the preset condition may be determined to be met, which indicates a risk of account theft, for example a hacker trying to take over the account of the digital identity client in order to misuse the eID code in it. Since the risk is then considered large, risk prompt information may be output to prompt the user that the generated digital identity identifier is being used abnormally, or the user may be directly prompted to cancel the original digital identity identifier and then re-apply for a digital identity identifier, and so on.
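The preset condition described above, implemented as detection logic over login records, as an added example that is not the patent's own code: failed logins for one client identifier that come from a device other than the one recorded at application time are counted in a sliding window, and a risk prompt is produced when the count reaches the threshold. The window length, the threshold, the log line format and the sample log lines are constructed assumptions (the page does not quantify "a short time").

```python
"""Account-theft risk check on device identifier plus client identifier (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed meaning of "a short time"
THRESHOLD = 3          # assumed threshold for failed logins on other devices


class AccountTheftMonitor:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self._window = window
        self._threshold = threshold
        self._bound_device = {}               # client id -> device id at application
        self._failures = defaultdict(deque)   # client id -> times of foreign failures

    def bind(self, client_id, device_id):
        """Record the device identifier (e.g. IMEI or MAC) obtained together
        with the client identifier during the application process."""
        self._bound_device[client_id] = device_id

    def observe(self, ts, client_id, device_id, success):
        """Feed one login event; return a risk prompt when the preset
        condition is met, otherwise None.

        A client identifier that was never bound has no trusted device, so
        every failed login for it counts as coming from another device.
        """
        if success or device_id == self._bound_device.get(client_id):
            return None
        recent = self._failures[client_id]
        recent.append(ts)
        while recent and ts - recent[0] > self._window:   # drop old failures
            recent.popleft()
        if len(recent) >= self._threshold:
            return ("risk: digital identity of client %s may be used abnormally; "
                    "%d failed logins from other devices within %d s"
                    % (client_id, len(recent), self._window))
        return None


def scan_log(monitor, lines):
    """Parse constructed log lines of the form 'ts client_id device_id result'
    and return (timestamp, prompt) pairs for every event that raised a prompt."""
    prompts = []
    for line in lines:
        ts, client_id, device_id, result = line.split()
        prompt = monitor.observe(int(ts), client_id, device_id, result == "ok")
        if prompt is not None:
            prompts.append((int(ts), prompt))
    return prompts


# Constructed sample log: client bound to device IMEI-PLACEHOLDER-1; the
# failures from IMEI-PLACEHOLDER-9 at 1010 and 1020 age out of the window
# before the burst starting at 1400, which reaches the threshold at 1420.
SAMPLE_LOG = [
    "1000 oid_zhangsan IMEI-PLACEHOLDER-1 fail",   # own device: not counted
    "1010 oid_zhangsan IMEI-PLACEHOLDER-9 fail",
    "1020 oid_zhangsan IMEI-PLACEHOLDER-9 fail",
    "1100 oid_zhangsan IMEI-PLACEHOLDER-1 ok",     # success: not counted
    "1400 oid_zhangsan IMEI-PLACEHOLDER-9 fail",
    "1410 oid_zhangsan IMEI-PLACEHOLDER-9 fail",
    "1420 oid_zhangsan IMEI-PLACEHOLDER-9 fail",   # third within 300 s
]


def run_sample():
    monitor = AccountTheftMonitor()
    monitor.bind("oid_zhangsan", "IMEI-PLACEHOLDER-1")
    return scan_log(monitor, SAMPLE_LOG)


if __name__ == "__main__":
    for ts, prompt in run_sample():
        print(ts, prompt)
```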
Further, because the digital identity application scheme in the prior art can only bear a different digital identity on each platform, correspondingly only a specific type of identity real-name information of the user can be verified on any one platform during identity verification, which is rather limited, inflexible and not conducive to popularization and application. Aimed at this prior-art digital identity application process, the embodiment of the invention therefore also provides an identity authentication scheme that achieves flexible verification of the identity of the user through the 'multi-certificate-in-one' way of bearing digital identities; correspondingly, the application scenarios are richer and application and popularization are easier.
The identity authentication scheme in the embodiment of the invention can be applied to any scenario requiring real-name authentication, such as real-name authentication during industrial and commercial registration, real-name express delivery, real-name hotel check-in, real-name internet access authentication in internet cafes, real-name authentication for purchasing various travel tickets (such as airline tickets, high-speed rail tickets, ferry tickets, train tickets and bus tickets), library real-name reader cards or book-borrowing cards, real-name authentication for visiting museum exhibitions, bank card applications (account opening) at banks, securities business, insurance purchase, house purchase and the like.
According to the requirements of the real-name authentication scenario, scenarios can be divided into strong scenarios and weak scenarios, where the real-name authentication level of a strong scenario is higher than that of a weak scenario. For example, banking business requires four verification modes, name authentication, identity card authentication, face authentication and SMS authentication, to complete the corresponding verification, which can be understood as a strong scenario; whereas when a user goes to a library to obtain a book-borrowing card, only name authentication and identity card authentication are needed, which can be understood as a weak scenario.
Some brief descriptions of the application scenarios to which the digital identity authentication scheme in the embodiment of the present invention is applicable are given below. It should be noted that the application scenarios described below are only used to illustrate the embodiment of the present invention and are not limiting; in specific implementation, the technical scheme provided by the embodiment of the present invention can be applied flexibly according to actual needs.
Referring to fig. 10, fig. 10 shows an application scenario to which the identity authentication scheme in the embodiment of the present invention applies, including a user terminal 1001, a merchant server 1002, a real-name authentication server 1003 and a trusted platform server 1004. The user terminal 1001 runs a digital identity management client (which may also be referred to as a user client or an identity authentication client) and also runs an APP corresponding to a merchant (referred to, for example, as a merchant client), so the user terminal 1001 may be in communication connection with the merchant server 1002 and the real-name authentication server 1003 respectively. Specifically, the merchant server 1002 is the server maintained for the merchant client and the real-name authentication server 1003 is the server maintained for the digital identity management client; in addition, the merchant server 1002 may communicate with the trusted platform server 1004, and the real-name authentication server 1003 may also communicate with the trusted platform server 1004 (not shown in fig. 10).
That is, the merchant client and the digital identity management client run in the user terminal 1001 at the same time; when the user performs a service that requires real-name authentication in the merchant client (for example, purchasing a high-speed rail ticket), the user can click the verification interface in the merchant client to jump directly from the merchant client to the digital identity management client, thereby implementing online identity authentication.
Referring to fig. 11, fig. 11 shows another application scenario to which the identity authentication scheme in the embodiment of the present invention applies, including a user terminal 1101, a merchant terminal 1102, a merchant server 1103, a real-name authentication server 1104 and a trusted platform server 1105. The difference from the application scenario shown in fig. 10 is that the merchant client and the digital identity management client run separately in the merchant terminal 1102 and the user terminal 1101; in this case the merchant terminal 1102 may directly obtain the digital identity two-dimensional code displayed in the user terminal 1101 by scanning it, or the user terminal 1101 may send its digital identity two-dimensional code to the merchant terminal 1102 over the network.
Referring to fig. 12, fig. 12 shows a further application scenario to which the identity authentication scheme in the embodiment of the present invention applies, including a user terminal 1201, a merchant code-scanning gate 1202, a merchant server 1203, a real-name authentication server 1204 and a trusted platform server 1205. The merchant code-scanning gate 1202 can authenticate the identity of the user by scanning the digital identity two-dimensional code displayed in the user terminal 1201, and can allow the user to pass through the gate when authentication succeeds. For example, a user purchases a train ticket online using the digital identity two-dimensional code; when boarding at the railway station, the user need only display the digital identity two-dimensional code for identity authentication, after which the relevant information of the train ticket purchased by the user is determined and the user is allowed to board directly. The user therefore does not need to collect and carry a physical train ticket, which reduces the economic loss and user information leakage caused by losing a physical ticket.
The user terminals 1001, 1101 and 1201 may each be a mobile phone, a tablet computer, a handheld computer, a notebook computer, an intelligent wearable device (e.g., a smart watch or a smart bracelet), a personal computer or the like, and each of the servers in fig. 10 to fig. 12 may be a personal computer, a mainframe or mid-range computer, a computer cluster or the like.
To further explain the identity authentication scheme provided by the embodiment of the present invention, a detailed description is given below with reference to the accompanying drawings and specific embodiments. Although the embodiments of the present invention provide method steps as shown in the following embodiments or figures, the method may include more or fewer steps based on conventional or non-inventive effort. For steps between which no necessary causal relationship logically exists, the order of execution is not limited to that provided by the embodiments of the present invention. When the method is executed in an actual processing procedure or by a device (for example, a parallel processor or a multi-threaded application environment), the steps may be executed sequentially or in parallel according to the method shown in the embodiments or figures.
Referring to fig. 13A, an embodiment of the present invention provides an identity authentication system that includes an identity authentication request end, a terminal device and a digital identity management platform; alternatively, as shown in fig. 13B, an identity authentication system provided in the embodiment of the present invention includes only a terminal device and a digital identity management platform; alternatively, as shown in fig. 13C, an identity authentication system provided in the embodiment of the present invention includes a terminal device, a digital identity management platform, a trusted platform and an identity authentication request end; alternatively, as shown in fig. 13D, an identity authentication system provided in an embodiment of the present invention includes a terminal device, a digital identity management platform and a trusted platform. In fig. 13B and 13D only the terminal device is shown because the terminal device and the identity authentication request end are the same device; that is, in the embodiment of the present invention the terminal device and the identity authentication request end may be the same device or different devices.
The identity authentication system in the embodiment of the present invention may be, for example, a system composed of all the devices included in any of the application scenarios of fig. 13A to 13D, which is not described again here.
The following describes the identity authentication scheme in the embodiment of the present invention with reference to the interaction diagram of the identity authentication method shown in fig. 14. For ease of understanding, fig. 14 schematically shows the identity authentication request end and the terminal device as two separate devices. In practice the identity authentication request end may be understood as a merchant, specifically the merchant terminal of that merchant, and the terminal device may be understood as the user, with a digital identity management client installed in the terminal device; the digital identity management client is the client that manages the use of the digital identity of the user.
Step 1401: the terminal device obtains an identity authentication request. In a specific implementation, the identity authentication request may be generated when triggered by the identity authentication request end, or when triggered by the terminal device itself.
For example, a user buys a train ticket online with his or her own mobile phone: the user may log in to a ticket-purchasing client on the mobile phone, or search for a ticket-purchasing applet or ticket-purchasing official account in WeChat to reach the ticket-purchasing page. During the purchase, the merchant may prompt the user to perform identity verification, for example by displaying on the ticket-purchasing interface a control that jumps directly to an authentication client (e.g., the digital identity management client); when identity authentication is required, the user can click the control to jump from the ticket-purchasing page to the authentication client, and the user's click on the control may trigger generation of the aforementioned identity authentication request, that is, the terminal device itself triggers generation of the identity authentication request. The application scenario described here can be understood as a specific scenario of online identity authentication, in which the entire authentication process can be carried out directly online.
For another example, when a user goes to a bank to transact business, the bank needs to authenticate the identity of the user. The bank can scan the digital identity two-dimensional code displayed on the user's mobile phone with a code-scanning device installed at the counter; after the code-scanning device scans the digital identity two-dimensional code of the user, a digital identity authentication request can be generated, in which case the identity authentication request is triggered by the scanning operation of the code-scanning device. The scenario of identity authentication by code scanning described here can be understood as a specific scenario of offline identity authentication, that is, the identity authentication process needs to be completed by code scanning.
Step 1402: the terminal device sends the obtained identity authentication request to the digital identity management platform. For example, a digital identity management client is installed in the terminal device, and the terminal device can send the obtained identity authentication request to the digital identity management platform through the digital identity management client.
As described in the foregoing embodiments of the digital identity application method, the digital identity management platform in the embodiments of the present invention stores the digital identities of a plurality of users, where, for example, the digital identity of one user includes a single eID code while the digital identity of another user includes a plurality of eID codes; each eID code is generated by the trusted platform so as to correspond uniquely to a specific type of real identity information of the user. That is, the digital identity management platform may be understood as a platform that manages the digital identities of a plurality of users, and a digital identity may include eID codes corresponding uniquely to a plurality of types of real identity information respectively.
Step 1403: after receiving the identity authentication request, the digital identity management platform may determine the corresponding target digital identity based on the identity authentication request.
For example, after receiving an identity authentication request sent by the digital identity management client, the digital identity management platform may look up the corresponding digital identity based on the client identifier of the digital identity management client; alternatively, the identity authentication request may directly carry the device identifier of the terminal device, or other manners may be adopted. For convenience of description, in the embodiment of the present invention the digital identity found based on the client identifier is referred to as the target digital identity.
For example, if the digital identity management client is an applet running in WeChat, the corresponding client identifier may be the open id of the digital identity management client; if the digital identity management client is an independently running APP, the corresponding client identifier may be the unique APP identifier allocated when the user registers in the APP, for example a character string allocated at registration or a unique user nickname set by the user, and the like.
Step 1404: the digital identity management platform determines the target eID codes corresponding to the target digital identity. As described above, each digital identity may correspond to multiple eID codes, so once the target digital identity is determined, the multiple eID codes corresponding to it may be determined accordingly.
Step 1405: the identity authentication request end obtains the target eID code. In a specific implementation, the identity authentication request end can obtain the target eID code in several different ways.
Because the digital identity management platform is a background server and the identity authentication request end is front-end equipment, direct communication between them is generally inconvenient; the digital identity management platform therefore sends the target eID code to the identity authentication request end in a preset transmission mode, so as to ensure effective data transmission between the background server and the foreground device. One possible transmission mode is that the digital identity management platform sends the target eID code to the background server of the identity authentication request end (that is, the merchant background), which forwards the target eID code to the identity authentication request end. Another possible transmission mode is that the digital identity management platform sends the target eID code to the digital identity management client, and the terminal device on which the digital identity management client runs forwards it to the identity authentication request end. Yet another possible transmission mode is that the digital identity management platform sends the target eID code to the terminal device, the terminal device generates a digital identity two-dimensional code based on the target eID code and displays it, and the identity authentication request end obtains the target eID code by scanning the digital identity two-dimensional code displayed in the terminal device.
Step 1406: after obtaining the target eID codes, the identity authentication request end determines, from the target eID codes and according to the current identity authentication scenario, the eID code(s) that need to be authenticated.
Different identity authentication scenarios arise from different merchant attributes and specific services. For example, when a bank handles a bank card application, identity card authentication and face authentication are required; when a train ticket is purchased online, identity card authentication is required; when passing through a border checkpoint, the Hong Kong and Macau travel permit must be authenticated; when a traffic management department handles traffic services, the driver's license must be authenticated; and so on.
Four different identity authentication scenarios are listed above, each corresponding to a different identity authentication requirement. In a specific implementation, the following two ways can be used to distinguish different identity authentication requirements.
In the first way, the identity authentication requirements differ in certificate type. That is, in different identity authentication scenarios the types of certificate a merchant needs to authenticate may differ; in the example above, the bank needs to authenticate the identity card, the border checkpoint needs to authenticate the Hong Kong and Macau travel permit, and the traffic management department needs to authenticate the driver's license.
In the second way, the identity authentication requirements differ in the number of certificates. Here the certificate type is not restricted; only the number of certificates matters. For example, merchant A needs to authenticate one certificate of any type, while merchant B needs to authenticate two certificates of any types at the same time, and so on.
For identity authentication requirements of the first way, the certificate type of each eID code can be recognized from the certificate type identifier included in the eID code. Specifically, each eID code among the target eID codes is examined so that the eID code to be authenticated, i.e. the one matching the current identity authentication requirement, can be selected. In other words, each eID code may include a certificate type identifier matching the corresponding type of identity real-name information; for example, if an eID code is generated from the identity real-name information of an identity card, a certificate type identifier representing the identity card may be added in advance at the head or tail of that eID code. How the certificate type identifier is added to the eID code is described in the foregoing embodiments of the digital identity application and is not repeated here.
In another possible implementation, when the identity authentication request is triggered, the identity authentication request end determines the certificate type to be authenticated from the current identity authentication requirement and carries that certificate type in the identity authentication request. After obtaining the identity authentication request and before returning eID codes to the identity authentication request end, the digital identity management platform can then select, from the target eID codes, the eID code matching the certificate type the merchant requests to authenticate, and send only that matching eID code to the identity authentication request end. The eID code the identity authentication request end receives from the digital identity management platform is then exactly the eID code to be authenticated that is finally used for verification. That is, the digital identity management platform screens the target eID codes by the requested certificate type, which improves screening effectiveness to a certain extent and improves identity authentication efficiency; it also has the effect that the request end receives no eID codes it does not need.
For identity authentication requirements of the second way, only a predetermined number of eID codes corresponding to the identity authentication requirement need to be selected from the target eID codes.
Whichever identity authentication requirement applies, the identity authentication request end can select the eID code to be authenticated from the target eID codes for verification.
Step 1407: the identity authentication request end sends the determined eID code to be authenticated to the trusted platform, requesting the trusted platform to verify the validity of the eID code to be authenticated.
Step 1408: the trusted platform verifies the eID code to be authenticated. All eID codes are issued by the trusted platform, so the validity of the eID code to be authenticated can be verified accurately by the trusted platform.
Step 1409: after verification, the trusted platform sends the verification result to the identity authentication request end.
Specifically, the verification result is one of two results, valid or invalid. When the verification result obtained by the identity authentication request end is valid, the identity authentication of the current user is determined to have passed, which completes the user's identity authentication. When several eID codes are to be authenticated, identity authentication passes only if every one of them is verified as valid.
In a specific implementation, the merchant's purpose in authenticating the user's identity may be: (1) identity authentication only, i.e. determining that the user's digital identity is real and valid; or (2) identity authentication together with obtaining the user's identity real-name information. The two cases are described separately below.
In case (1), since the purpose is purely authentication, the identity authentication request end determines that the user's identity authentication has passed according to the verification result fed back by the trusted platform.
In case (2), the identity authentication request end may further send a real-name data acquisition request to the trusted platform, requesting the trusted platform to return identity real-name information of a predetermined certificate type. After receiving the real-name data acquisition request, and provided the eID code to be authenticated sent by the identity authentication request end has been determined to be real and valid, the trusted platform can search, among all types of identity real-name information belonging to the target eID codes that correspond to the eID code to be authenticated, for the identity real-name information of the same type as the predetermined certificate type in the request (referred to as the target identity real-name information), and return it to the identity authentication request end, which then completes the corresponding service request based on the obtained target identity real-name information. In another possible implementation, before sending the target identity real-name information to the identity authentication request end, the trusted platform may first authenticate the identity authentication request end to determine whether it has the authority to acquire data directly. For example, certain government departments and financial institutions may be granted data acquisition authority by the trusted platform in advance, because their credit standing is good and the authority to obtain users' identity real-name information is unlikely to be misused; for individual businesses or other parties whose credit standing is not fully reliable, data acquisition authority is not opened. In practice this authority check should precede the search for real-name information, so that an unauthorized request end learns nothing beyond the validity result of step 1409.
In addition, for the security of data transmission, all data transmitted between the merchant and the trusted platform can be encrypted based on the merchant's CA certificate, which improves data security and gives the trusted platform a basis for tying each request to the merchant making it.
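The following is an added example, not code from the patent, that models steps 1406 to 1409 together with the real-name data path of case (2). The eID code layout (a two-character certificate type identifier at the head, a random nonce and an HMAC tag), the `TrustedPlatform` stand-in, the merchant identifiers and the masked sample records are all assumptions made for illustration; the patent does not specify how the trusted platform encodes or validates an eID code, and a real deployment would call the national eID service instead.

```python
import hashlib
import hmac
import secrets

# Assumed two-character certificate type identifiers at the head of each eID code.
ID_CARD, HK_MACAU_PERMIT, DRIVER_LICENSE = "01", "02", "03"


class TrustedPlatform:
    """Stand-in for the eID issuer/validator. A real eID code comes from a national
    service; here it is type prefix + random nonce + HMAC tag so the example runs
    offline. The code itself carries no real-name data."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._codes = {}               # eid_code -> (user_id, doc_type, real_name_info)
        self._data_authority = set()   # merchant_ids granted real-name data access in advance

    def _tag(self, doc_type, nonce):
        return hmac.new(self._key, (doc_type + nonce).encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, user_id, doc_type, real_name_info):
        nonce = secrets.token_hex(8)
        code = doc_type + nonce + self._tag(doc_type, nonce)
        self._codes[code] = (user_id, doc_type, real_name_info)
        return code

    def verify(self, code):
        """Step 1408: validity check with a constant-time tag comparison."""
        if len(code) != 2 + 16 + 16:
            return False
        doc_type, nonce, tag = code[:2], code[2:18], code[18:]
        return hmac.compare_digest(tag, self._tag(doc_type, nonce)) and code in self._codes

    def grant_data_authority(self, merchant_id):
        self._data_authority.add(merchant_id)

    def fetch_real_name(self, merchant_id, code, wanted_type):
        """Case (2): real-name info of wanted_type for the user behind `code`, released
        only after the code verifies and the merchant holds data acquisition authority."""
        if not self.verify(code):
            raise PermissionError("eID code to be authenticated is not valid")
        if merchant_id not in self._data_authority:
            raise PermissionError(f"merchant {merchant_id} has no data acquisition authority")
        user_id = self._codes[code][0]
        for uid, doc_type, info in self._codes.values():
            if uid == user_id and doc_type == wanted_type:
                return info
        return None


def select_by_type(target_codes, required_types):
    """First way: eID codes whose certificate type identifier matches the scenario."""
    by_type = {c[:2]: c for c in target_codes}
    missing = [t for t in required_types if t not in by_type]
    if missing:
        raise LookupError(f"no eID code for certificate types {missing}")
    return [by_type[t] for t in required_types]


def select_by_count(target_codes, count):
    """Second way: any `count` certificates, type unrestricted."""
    if len(target_codes) < count:
        raise LookupError(f"user holds {len(target_codes)} eID codes, {count} required")
    return list(target_codes)[:count]


def authenticate(platform, target_codes, scenario):
    """Steps 1406-1409 from the request end's side. `scenario` is {"types": [...]}
    (first way) or {"count": n} (second way); every selected code must verify."""
    if "types" in scenario:
        to_check = select_by_type(target_codes, scenario["types"])
    else:
        to_check = select_by_count(target_codes, scenario["count"])
    return all(platform.verify(c) for c in to_check)


def demo():
    """Constructed walk-through of the scenarios above plus a forged code and case (2)."""
    tp = TrustedPlatform()
    codes = [tp.issue("u-1", ID_CARD, {"name": "Li Si", "id_no": "110101********1234"}),
             tp.issue("u-1", DRIVER_LICENSE, {"name": "Li Si", "class": "C1"})]
    out = {"bank": authenticate(tp, codes, {"types": [ID_CARD]}),
           "traffic": authenticate(tp, codes, {"types": [DRIVER_LICENSE]}),
           "any_two": authenticate(tp, codes, {"count": 2})}
    try:                                   # user holds no Hong Kong and Macau permit
        out["checkpoint"] = authenticate(tp, codes, {"types": [HK_MACAU_PERMIT]})
    except LookupError:
        out["checkpoint"] = False
    forged = codes[0][:-1] + ("0" if codes[0][-1] != "0" else "1")   # one tag character altered
    out["forged"] = authenticate(tp, [forged], {"count": 1})
    tp.grant_data_authority("bank-A")
    out["bank_A_name"] = tp.fetch_real_name("bank-A", codes[0], ID_CARD)["name"]
    try:
        tp.fetch_real_name("shop-B", codes[0], ID_CARD)
        out["shop_B_got_data"] = True
    except PermissionError:
        out["shop_B_got_data"] = False
    return out
```

The point of `fetch_real_name` is ordering: validity of the eID code is checked first, the merchant's pre-granted authority second, and only then is a record of the requested certificate type looked up, so an unauthorized merchant learns nothing beyond the validity result.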
The process of identity authentication by offline code scanning is described below with reference to fig. 15. In the example of fig. 15, the identity authentication management client is an applet (referred to as the authentication applet), and the identity authentication request end is a merchant client that is also an applet (referred to as the merchant applet).
Step 1501: the authentication applet displays a digital identity two-dimensional code that includes an authorization credential.
That is, in the authentication applet, for security, the digital identity two-dimensional code actually displayed contains an authorization credential generated by the authentication back end according to a predetermined update period, rather than an eID code. The authorization credential is, for example, a token. For the specific implementation of the authorization credential, refer to the description of the embodiments in the foregoing digital identity application scheme, which is not repeated here. Because the credential is refreshed every update period, a two-dimensional code captured by a bystander remains usable at most until the next refresh, and it reveals no eID code.
Step 1502: the merchant applet scans the digital identity two-dimensional code displayed in the authentication applet and obtains a code scanning image.
Step 1503: the merchant applet parses the code scanning image to obtain the authorization credential it contains.
Step 1504: for security, the eID codes are obtained from the back end by means of the authorization credential; accordingly, the merchant applet sends the obtained authorization credential to the merchant back end.
Step 1505: after receiving the authorization credential, the merchant back end sends it to the authentication back end and requests the corresponding eID codes by back-end access.
Step 1506: the authentication back end authenticates the merchant and determines whether the authentication passes.
The authentication back end serves as the platform managing users' digital identities, and only merchants that have a cooperation relationship with the platform can use its identity authentication function. The legitimacy of a merchant can therefore be checked by authenticating it: only cooperating merchants can pass, so authentication requests from risky merchants are rejected, and a maintenance fee can be charged to merchants on the basis of the cooperation relationship, bringing the platform some income. In a specific implementation, the authentication may be performed according to, for example, the merchant's principal name or cooperation code; this is not limited in the embodiments of the present invention. Note that a principal name alone does not prove that the caller is the merchant; in practice the cooperation code, or another secret held only by the merchant back end, should be presented over the back-end channel.
Step 1507: when the authentication passes, the authentication back end looks up the target digital identity corresponding to the authorization credential sent by the merchant back end.
Step 1508: the authentication back end determines the target eID codes corresponding to the target digital identity.
Step 1509: the authentication back end sends the determined target eID codes to the merchant back end.
Requesting the eID codes from the back end by means of the authorization credential protects the eID codes as far as possible and improves security.
The authentication back end can also perform security verification before sending the target eID codes to the merchant back end. In a specific implementation, whether security verification is required, and how it is performed, can be chosen according to the following policies.
1) If the merchant and the platform agreed on a predetermined verification mode in advance, which is equivalent to the merchant customizing a security verification mode when establishing cooperation (for example, merchant A agreed on SMS verification plus face verification, merchant B agreed on face verification only, and so on), verification is performed according to that predetermined verification mode.
2) If the merchant and the platform did not agree on a security verification mode in advance, the platform can verify according to its own default security verification mode, for example the same SMS verification plus face verification for all merchants.
3) If the merchant and the platform did not agree on a security verification mode in advance, the platform may alternatively determine the merchant's industry attribute from the merchant identifier (the determined attribute being referred to as the target industry attribute, for example that the merchant belongs to the financial industry, the education industry, or is an individual business), select the security verification mode associated with that target industry attribute, and complete the security verification in that mode.
Step 1510: after the merchant back end obtains the target eID codes, it sends them to the merchant applet so that the merchant applet can perform subsequent operations based on the target eID codes.
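The following is an added example, not code from the patent, that models steps 1501 to 1510 end to end: credential issuance per update period, the two-dimensional code payload carrying only the credential, the merchant back end exchanging it for the target eID codes, merchant authentication at step 1506 and the three security verification policies. The payload framing (`eid-auth:v1:`), the HMAC-based merchant proof keyed with a cooperation secret, the 60-second credential period, the industry table, the merchant names and the opaque eID strings are all assumptions for illustration; making each credential single-use after a successful exchange is an added hardening that the patent does not state.

```python
import hashlib
import hmac
import secrets

CREDENTIAL_TTL = 60                 # assumed update period of the authorization credential, seconds
QR_PREFIX = "eid-auth:v1:"          # assumed payload framing inside the two-dimensional code
DEFAULT_MODE = ("sms", "face")      # policy 2: the platform's default security verification
INDUSTRY_MODES = {                  # policy 3: assumed industry-attribute table
    "finance": ("sms", "face"),
    "education": ("face",),
    "individual": ("sms",),
}


def merchant_proof(secret: bytes, token: str) -> str:
    """Assumed merchant authentication for step 1506: an HMAC over the credential being
    exchanged, keyed with the merchant's cooperation secret. A principal name alone is
    public and would not authenticate the caller."""
    return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()


def render_qr_payload(token: str) -> str:
    """Step 1501: the two-dimensional code carries only the credential, never an eID code."""
    return QR_PREFIX + token


def parse_qr_payload(payload: str) -> str:
    """Steps 1502-1503 at the merchant applet."""
    if not payload.startswith(QR_PREFIX):
        raise ValueError("not a digital identity two-dimensional code")
    return payload[len(QR_PREFIX):]


class AuthBackend:
    """Digital identity management platform (the authentication back end)."""

    def __init__(self):
        self._identities = {}   # user_id -> list of opaque eID codes
        self._merchants = {}    # merchant_id -> {"secret", "agreed_mode", "industry"}
        self._credentials = {}  # token -> (user_id, expires_at)

    def register_user(self, user_id, eid_codes):
        self._identities[user_id] = list(eid_codes)

    def register_merchant(self, merchant_id, secret, agreed_mode=None, industry=None):
        self._merchants[merchant_id] = {"secret": secret, "agreed_mode": agreed_mode,
                                        "industry": industry}

    def issue_credential(self, user_id, now):
        """Generated once per update period; the authentication applet renders the newest."""
        token = secrets.token_urlsafe(24)
        self._credentials[token] = (user_id, now + CREDENTIAL_TTL)
        return token

    def required_mode(self, merchant):
        if merchant["agreed_mode"]:                      # policy 1: agreed in advance
            return merchant["agreed_mode"]
        if merchant["industry"] in INDUSTRY_MODES:       # policy 3: by industry attribute
            return INDUSTRY_MODES[merchant["industry"]]
        return DEFAULT_MODE                              # policy 2: platform default

    def exchange(self, merchant_id, proof, token, completed_checks, now):
        """Steps 1505-1509: the merchant back end trades the credential for the target eID codes."""
        merchant = self._merchants.get(merchant_id)
        if merchant is None or not hmac.compare_digest(proof, merchant_proof(merchant["secret"], token)):
            return {"status": "rejected", "reason": "merchant authentication failed"}
        entry = self._credentials.get(token)
        if entry is None:
            return {"status": "rejected", "reason": "unknown or already used credential"}
        user_id, expires_at = entry
        if now > expires_at:
            del self._credentials[token]
            return {"status": "rejected", "reason": "credential expired"}
        missing = [m for m in self.required_mode(merchant) if m not in completed_checks]
        if missing:
            return {"status": "verification_required", "modes": missing}
        del self._credentials[token]   # single use: added hardening, not stated in the patent
        return {"status": "ok", "eid_codes": list(self._identities[user_id])}


def demo():
    """Constructed walk-through; returns every outcome so it can be checked."""
    backend = AuthBackend()
    backend.register_user("u-1", ["01-eid-constructed", "03-eid-constructed"])
    hotel_secret, bank_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    backend.register_merchant("hotel", hotel_secret, agreed_mode=("face",))
    backend.register_merchant("bank", bank_secret, industry="finance")
    now = 1_700_000_000

    token = parse_qr_payload(render_qr_payload(backend.issue_credential("u-1", now)))
    first = backend.exchange("hotel", merchant_proof(hotel_secret, token), token, set(), now + 5)
    second = backend.exchange("hotel", merchant_proof(hotel_secret, token), token, {"face"}, now + 10)
    replay = backend.exchange("hotel", merchant_proof(hotel_secret, token), token, {"face"}, now + 15)

    token2 = backend.issue_credential("u-1", now)
    bank_partial = backend.exchange("bank", merchant_proof(bank_secret, token2), token2, {"sms"}, now + 5)
    bank_late = backend.exchange("bank", merchant_proof(bank_secret, token2), token2, {"sms", "face"},
                                 now + CREDENTIAL_TTL + 1)
    stranger = backend.exchange("scalper", "bogus", token2, {"sms", "face"}, now)
    return {"first": first, "second": second, "replay": replay, "bank_partial": bank_partial,
            "bank_late": bank_late, "stranger": stranger}
```

In `exchange` the merchant is authenticated before the credential is even looked up, so an unknown caller cannot use the response to probe whether a scanned credential is live; the expiry check models the update period of step 1501, and the verification-required response is what the merchant back end acts on before retrying with the completed checks.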
For example, Li Si (a placeholder name) needs to check in at a hotel, and before check-in the hotel staff need to authenticate Li Si's identity card. Li Si takes out his mobile phone and runs the authentication applet, so that his digital identity two-dimensional code can be shown to the hotel staff through the authentication applet. The hotel staff then scan the two-dimensional code displayed by Li Si using the hotel's scanning device (such as a scanning gun or a mobile phone), which is the application scenario shown in fig. 11. After obtaining the code scanning image, the scanning device obtains the eID code corresponding to Li Si's identity card through the flow described above, and finally sends that eID code to the trusted platform so as to judge, from the trusted platform's verification result for it, whether Li Si passes identity authentication. For example, if the verification result returned by the trusted platform is "passed", the scanning device displays a prompt that verification has passed, and on seeing the prompt the hotel staff can confirm that Li Si's identity has been authenticated.
In the embodiments of the present invention, the reliability, security and effectiveness of the digital identity are improved by using eID technology, the risks of the digital identity being stolen, tampered with or forged are reduced, and the security of the user's identity information is ensured. Moreover, when identity authentication is performed through the digital identity, the "multiple certificates in one" mechanism for applying for and storing the digital identity allows differentiated identity authentication requirements to be met, improves the flexibility and effectiveness of identity authentication, and facilitates use and adoption by users.
The embodiment of the invention provides a digital identity application system, which comprises terminal equipment and a digital identity management platform; wherein:
the terminal device is configured to obtain at least two types of identity real-name information of the same user and to send a digital identity issuing request, together with the at least two types of identity real-name information, to the digital identity management platform, the digital identity issuing request being used to request issuance of a digital identity.
The digital identity management platform is configured to, after obtaining the digital identity issuing request, send the received at least two types of identity real-name information to the trusted platform so that the trusted platform issues at least two eID codes, each uniquely corresponding to one of the at least two types of identity real-name information; to receive the at least two eID codes sent by the trusted platform; and then to generate the user's digital identity from the at least two eID codes according to a predetermined generation manner.
In a possible implementation, the digital identity management platform is configured to send different types of identity real-name information of the user to the trusted platform on the basis of different digital identity issuing requests, to generate the user's digital identity from the first eID code received from the trusted platform, and to update the user's digital identity according to each further eID code subsequently received from the trusted platform.
In a possible implementation, the digital identity management platform is further configured to generate an authorization credential corresponding to the user's digital identity according to a predetermined update period and to send the generated authorization credential to the terminal device.
The terminal device is further configured to generate the user's digital identity two-dimensional code from the authorization credential received the first time and to update the digital identity two-dimensional code according to the authorization credential received each subsequent time.
In a possible implementation, each of the at least two eID codes includes a certificate type identifier matching the identity real-name information of the corresponding type.
The embodiment of the invention also provides an identity authentication system, which comprises an identity authentication request end, terminal equipment and a digital identity management platform; wherein:
the terminal device is configured to obtain an identity authentication request and send it to the digital identity management platform; the digital identity management platform stores the digital identities of a plurality of users, the digital identity of each user includes at least two eID codes, and each eID code is uniquely generated by the trusted platform from one type of identity real-name information of the user.
The digital identity management platform is configured to determine the corresponding target digital identity based on the identity authentication request.
The identity authentication request end is configured to obtain the target eID codes corresponding to the target digital identity, determine the eID code to be authenticated from the target eID codes according to the identity authentication scenario, and finally send the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
In a possible implementation, a digital identity management client is installed on the terminal device, and the terminal device obtains the identity authentication request through that client.
The digital identity management platform may determine the target digital identity corresponding to the digital identity management client based on the identity authentication request.
In a possible implementation, the identity authentication request end is further configured to scan the digital identity two-dimensional code displayed by the terminal device, determine the authorization credential in the digital identity two-dimensional code from the obtained code scanning image, and send the authorization credential to the digital identity management platform.
The digital identity management platform is further configured to determine the target digital identity corresponding to the authorization credential.
In a possible implementation, the identity authentication request includes the certificate type for which authentication is requested, and each of the target eID codes includes a certificate type identifier matching the identity real-name information of the corresponding type.
The digital identity management platform is configured to determine, among the eID codes included in the target digital identity, the eID code matching the certificate type for which authentication is requested.
The identity authentication request end is configured to obtain the eID code matching the certificate type for which authentication is requested as the eID code to be authenticated.
Based on the same inventive concept, please refer to fig. 16, an embodiment of the present invention provides a digital identity application apparatus, which includes a first receiving module 1601, a sending module 1602, a second receiving module 1603, and a generating module 1604. Wherein:
the first receiving module 1601 is configured to receive at least two types of identity real name information and digital identity issuing requests of the same user sent by a terminal device, where the digital identity issuing requests are used to request issuing of digital identities;
a sending module 1602, configured to send the at least two types of identity real-name information to a trusted platform, so that the trusted platform issues at least two eID codes uniquely corresponding to the at least two types of identity real-name information, respectively;
a second receiving module 1603, configured to receive at least two eID codes sent by the trusted platform;
the generating module 1604 is configured to generate the digital identity of the user according to at least two eID codes and according to a predetermined generating manner.
Based on the same inventive concept, please refer to fig. 17, an embodiment of the present invention provides a digital identity application apparatus, which includes an obtaining module 1701, a sending module 1702, a receiving module 1703, and a generating module 1704. Wherein:
an obtaining module 1701 for obtaining at least two types of identity real name information of the same user;
a sending module 1702, configured to send the at least two types of identity real-name information and the digital identity issuing request to the digital identity management platform, so that the digital identity management platform sends the at least two types of identity real-name information to the trusted platform and obtains at least two eID codes generated by the trusted platform, each uniquely corresponding to one of the at least two types of identity real-name information; the digital identity issuing request is used to request issuance of a digital identity;
a receiving module 1703, configured to receive at least two eID codes sent by the digital identity management platform;
a generating module 1704, configured to generate the digital identity of the user according to a predetermined generating manner based on the at least two eID codes.
The related contents of the steps related to the foregoing digital identity application method embodiment may be referred to the functional description of the corresponding functional module in the embodiment of the present invention, and are not described herein again.
Based on the same inventive concept, please refer to fig. 18, an embodiment of the present invention provides an identity authentication apparatus, which includes a receiving module 1801 and a determining module 1802. Wherein:
a receiving module 1801, configured to receive an identity authentication request sent by a terminal device;
a determining module 1802, configured to determine, based on the identity authentication request, the corresponding target digital identity from the stored digital identities of the plurality of users; the digital identity of each user includes at least two eID codes, each uniquely generated by the trusted platform from one type of identity real-name information of the user, so that the identity authentication request end obtains the target eID codes corresponding to the target digital identity, determines the eID code to be authenticated from the target eID codes according to the identity authentication scenario, and sends the eID code to be authenticated to the trusted platform so that the trusted platform verifies whether it is valid.
With reference to fig. 18, the identity authentication apparatus further includes a sending module 1803, configured to transmit the target eID codes corresponding to the target digital identity to the identity authentication request end in a predetermined transmission manner, so that the identity authentication request end sends the eID code to be authenticated, determined from the target eID codes according to the identity authentication scenario, to the trusted platform, and determines that identity authentication has passed after receiving the notification of validity sent by the trusted platform.
Based on the same inventive concept, please refer to fig. 19, an embodiment of the invention provides an identity authentication apparatus, which includes an obtaining module 1901, a determining module 1902, and a sending module 1903. Wherein:
an obtaining module 1901, configured to obtain the target eID codes (network electronic identity codes) corresponding to a target digital identity, where the target digital identity is determined by the digital identity management platform according to an identity authentication request, the digital identity management platform stores the digital identities of a plurality of users, the digital identity of each user includes at least two eID codes, and each eID code is uniquely generated by the trusted platform from one type of identity real-name information of the user;
a determining module 1902, configured to determine, according to an identity authentication scenario, an eID code to be authenticated from the target eID code;
the sending module 1903 is configured to send the to-be-authenticated eID code to the trusted platform, so as to authenticate whether the to-be-authenticated eID code is valid through the trusted platform.
The relevant content of each step related to the embodiment of the identity authentication method may be referred to the functional description of the corresponding functional module in the embodiment of the present invention, and is not described herein again.
The division of the modules in the embodiments of the present invention is schematic, and is only a logical function division, and in actual implementation, there may be another division manner, and in addition, each functional module in each embodiment of the present invention may be integrated in one processor, or may exist alone physically, or two or more modules are integrated in one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
Based on the same inventive concept, an embodiment of the present invention further provides a server, please refer to fig. 20, which shows a schematic structural diagram of a server provided in an embodiment of the present invention, and the server may be, for example, the server 103 in fig. 1A to 1C, the real-name authentication server 1003 in fig. 10, the real-name authentication server 1104 in fig. 11, or the real-name authentication server 1204 in fig. 12. The server in the embodiment of the invention can realize the digital identity application method and the identity authentication method. Specifically, the method comprises the following steps:
the server includes a processor 2001, a system memory 2004 including a random access memory 2002 and a read only memory 2003, and a system bus 2005 connecting the system memory 2004 and the processor 2001. The server also includes a basic input/output system (I/O system) 2006 to facilitate transfer of information between devices within the computer, and a mass storage device 2007 to store an operating system 2013, application programs 2022, and other program modules 2015.
The processor 2001 is a control center of the server, and may connect various portions of the entire server using various interfaces and lines, and perform various functions of the server and process data by operating or executing instructions stored in a memory (e.g., the random access memory 2002 and the read only memory 2003) and calling data stored in the memory, thereby performing overall monitoring of the server.
Optionally, the processor 2001 may include one or more processing units, and the processor 2001 may integrate an application processor and a modem processor, wherein the application processor mainly handles an operating system, a user interface, an application program, and the like, and the modem processor mainly handles wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 2001. In some embodiments, the processor 2001 and memory may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 2001 may be a general-purpose processor such as a Central Processing Unit (CPU), a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in the processor.
The memory, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory in embodiments of the present invention may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
The basic input/output system 2006 includes a display 2008 for displaying information and an input device 2009 such as a mouse, keyboard, etc. for a user to input information. Wherein the display 2008 and input device 2009 are both connected to the processor 2001 through a basic input/output system 2006 connected to the system bus 2005. The basic input/output system 2006 may also include an input/output controller for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, an input-output controller may also provide output to a display screen, a printer, or other type of output device.
The mass storage device 2007 is connected to the processor 2001 through a mass storage controller (not shown) connected to the system bus 2005. The mass storage device 2007 and its associated computer-readable media provide non-volatile storage for the server. That is, the mass storage device 2007 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
Without loss of generality, the computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media is not limited to the foregoing.
The server may also operate in accordance with various embodiments of the present invention by connecting to remote computers on a network, such as the Internet. That is, the server may be connected to the network 2012 through a network interface unit 2011 coupled to the system bus 2005, or the network interface unit 2011 may be used to connect to other types of networks and remote computer systems (not shown).
Based on the same inventive concept, the embodiment of the invention also provides a terminal device, such as a smart phone, a tablet computer, a PDA, a notebook computer, a vehicle-mounted device, an intelligent wearable device, and the like. The terminal device may be a hardware structure, a software module, or a hardware structure plus a software module. The terminal device may be realized by a chip system, which may be formed by a chip alone or may contain the chip and other discrete devices. The terminal device is, for example, the terminal device 101 or the terminal device 102 in fig. 1A to 1C, or may be the user terminal 1001, the user terminal 1101, the user terminal 1201, or the merchant terminal 1102 in fig. 10 to 12.
As shown in fig. 21, a terminal device in the embodiment of the present invention includes at least one processor 2101 and a memory 2102 connected to the at least one processor. The specific connection medium between the processor 2101 and the memory 2102 is not limited in the embodiment of the present invention; in fig. 21, the processor 2101 and the memory 2102 are connected by a bus 2100, shown as a thick line, and the connection manner between other components is only schematically illustrated and is not limiting. The bus 2100 may be divided into an address bus, a data bus, a control bus, etc.; it is represented by only one thick line in fig. 21 for ease of illustration, but this does not mean that there is only one bus or one type of bus.
In the embodiment of the present invention, the memory 2102 stores instructions executable by the at least one processor 2101, and the at least one processor 2101 may execute the steps included in the aforementioned digital identity application method or identity authentication method by executing the instructions stored in the memory 2102.
The processor 2101 is a control center of the terminal device, and may connect various parts of the entire terminal device by using various interfaces and lines, and perform overall monitoring of the terminal device by operating or executing instructions stored in the memory 2102 and calling data stored in the memory 2102, thereby performing various functions and processing data of the terminal device. Alternatively, the processor 2101 may comprise one or more processing units and the processor 2101 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 2101. In some embodiments, the processor 2101 and the memory 2102 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 2101 may be a general-purpose processor, such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in a processor.
The memory 2102, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 2102 may include at least one type of storage medium, for example flash memory, hard disks, multimedia cards, card-type memory, RAM, SRAM, PROM, ROM, EEPROM, magnetic memory, magnetic disks, optical disks, and so forth. The memory 2102 may be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 2102 in embodiments of the present invention may also be circuitry or any other device capable of performing a memory function for storing program instructions and/or data.
Referring to another schematic structural diagram of the terminal device shown in fig. 22, the terminal device may further include an input unit 2201, a display unit 2202, a radio frequency unit 2203, an audio circuit 2204, a speaker 2205, a microphone 2206, a Wireless Fidelity (WiFi) module 2207, a bluetooth module 2208, a power supply 2209, an external interface 2210, an earphone jack 2211, and other components. It will be understood by those skilled in the art that fig. 22 is merely an example of a terminal device and is not intended to limit the terminal device, and that terminal devices may include more or fewer components than those shown, or some components may be combined, or different components may be included.
The input unit 2201 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the terminal device. For example, the input unit 2201 may include a touch screen 22011 as well as other input devices 22012. The touch screen 22011 may collect touch operations of a user (operations on or near the touch screen 22011 using any suitable object, such as a finger, a joint, or a stylus); that is, the touch screen 22011 may be configured to detect touch pressure, touch input position, and touch input area, and to drive the corresponding connection device according to a preset program. The touch screen 22011 can detect a touch operation of the user on the touch screen 22011, convert it into a touch signal, and send the touch signal to the processor 2101 (in other words, touch information of the touch operation can be sent to the processor 2101), and can receive and execute commands sent by the processor 2101. The touch information may include at least one of pressure magnitude information and pressure duration information. The touch screen 22011 may provide an input interface and an output interface between the terminal device and the user. In addition, the touch screen 22011 can be implemented in various types, such as resistive, capacitive, infrared, and surface acoustic wave. The input unit 2201 may include other input devices 22012 in addition to the touch screen 22011. For example, the other input devices 22012 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 2202 may be used to display information input by the user or information provided to the user, as well as the various menus of the terminal device. Further, the touch screen 22011 may cover the display unit 2202; when the touch screen 22011 detects a touch operation on or near it, it transmits the pressure information to the processor 2101 so that the pressure information of the touch operation can be determined. In the embodiment of the present invention, the touch screen 22011 and the display unit 2202 may be integrated into one component to realize the input, output, and display functions of the terminal device. For convenience of description, the embodiment of the present invention is schematically illustrated by treating the touch screen 22011 as the combined functionality of the touch screen 22011 and the display unit 2202, but in some embodiments the touch screen 22011 and the display unit 2202 may be two separate components.
When the display unit 2202 and the touch panel are superimposed on each other in layers to form the touch screen 22011, the display unit 2202 can function as both an input device and an output device; when functioning as an output device, it can be used to display images, for example to play various videos. The display unit 2202 may include at least one of a Liquid Crystal Display (LCD), a Thin Film Transistor Liquid Crystal Display (TFT-LCD), an Organic Light Emitting Diode (OLED) display, an Active Matrix Organic Light Emitting Diode (AMOLED) display, an In-Plane Switching (IPS) display, a flexible display, a 3D display, and the like. Some of these displays may be configured to be transparent so that a user can see through them from the outside; these may be referred to as transparent displays. The terminal device may include two or more display units (or other display means) according to the particular embodiment; for example, the terminal device may include an external display unit (not shown in fig. 22) and an internal display unit (not shown in fig. 22).
The radio frequency unit 2203 can be used for receiving and transmitting information or signals during a call. Typically, the radio frequency circuitry includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. Further, the radio frequency unit 2203 may also communicate with network devices and other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
The audio circuit 2204, speaker 2205, and microphone 2206 can provide an audio interface between the user and the terminal device. The audio circuit 2204 may convert received audio data into an electrical signal and transmit it to the speaker 2205, which converts it into a sound signal and outputs it. Conversely, the microphone 2206 converts collected sound signals into electrical signals, which the audio circuit 2204 receives and converts into audio data; the audio data is then output to the processor 2102 for processing and, for example, sent through the radio frequency unit 2203 to another electronic device, or output to the memory 2103 for further processing. The audio circuit may also include a headphone jack 2211 for providing a connection interface between the audio circuit and headphones.
WiFi is a short-distance wireless transmission technology. Through the WiFi module 2207, the terminal device can help the user send and receive e-mail, browse web pages, access streaming media, and so on; it provides the user with wireless broadband Internet access. Although fig. 22 shows the WiFi module 2207, it is understood that it is not an essential part of the terminal device and may be omitted entirely as needed without changing the essence of the invention.
Bluetooth is a short-range wireless communication technology. Bluetooth technology can effectively simplify communication between mobile terminal devices such as palm computers, notebook computers, and mobile phones, and can also simplify communication between such devices and the Internet. Through the bluetooth module 2208, data transmission between the terminal device and the Internet becomes faster and more efficient, widening the options for wireless communication. Bluetooth technology is an open solution that enables wireless transmission of voice and data. Although fig. 22 shows the bluetooth module 2208, it is understood that it is not an essential part of the terminal device and may be omitted entirely as needed without changing the essence of the invention.
The terminal device may also include a power supply 2209 (such as a battery) for receiving external power or for powering various components within the terminal device. Preferably, the power source 2209 may be logically connected to the processor 2102 via a power management system, so that the power management system may perform functions of managing charging, discharging, and power consumption.
The terminal device may further include an external interface 2210, where the external interface 2210 may include a standard Micro USB interface, and may also include a multi-pin connector, which may be used to connect the terminal device to communicate with other devices, and may also be used to connect a charger to charge the terminal device.
Although not shown, the terminal device in the embodiment of the present invention may further include a camera, a flash, and other possible functional modules, which are not described herein again.
Based on the same inventive concept, embodiments of the present invention further provide a storage medium storing computer instructions, which, when executed on a computer, cause the computer to perform the steps of the digital identity application method or the identity authentication method as described above.
Based on the same inventive concept, the embodiment of the present invention further provides a digital identity application apparatus, where the apparatus includes at least one processor and a readable storage medium, and when instructions included in the readable storage medium are executed by the at least one processor, the steps of the digital identity application method as described above may be performed.
Based on the same inventive concept, embodiments of the present invention further provide an identity authentication apparatus, where the identity authentication apparatus includes at least one processor and a readable storage medium, and when instructions included in the readable storage medium are executed by the at least one processor, the steps of the identity authentication method as described above may be performed.
Based on the same inventive concept, the embodiment of the present invention further provides a chip system, where the chip system includes a processor and may further include a memory, and is used to implement the steps of the aforementioned digital identity application method and identity authentication method. The chip system may be formed by a chip, and may also include a chip and other discrete devices.
In some possible embodiments, the aspects of the digital identity application method and the identity authentication method provided by the present invention can also be implemented in the form of a program product, which comprises program code for causing a computer to perform the steps of the digital identity application method and the identity authentication method according to various exemplary embodiments of the present invention described above, when the program product runs on the computer.
Based on the same inventive concept, the embodiment of the present invention further provides a digital identity application apparatus, which includes: a memory for storing program instructions; and a processor for calling the program instructions stored in the memory and executing the steps of the digital identity application method according to the various exemplary embodiments of the present invention described above according to the obtained program instructions.
Based on the same inventive concept, the embodiment of the present invention further provides an identity authentication apparatus, including: a memory for storing program instructions; and a processor, configured to call the program instructions stored in the memory, and execute the steps of the identity authentication method according to various exemplary embodiments of the present invention described above according to the obtained program instructions.
Based on the same inventive concept, embodiments of the present invention also provide a storage medium storing computer-executable instructions for causing a computer to perform the steps of the digital identity application method and the identity authentication method according to various exemplary embodiments of the present invention described above.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (13)

1. A digital identity application system is characterized in that the system comprises a terminal device and a digital identity management platform; wherein:
the terminal device is used for acquiring at least two types of identity real-name information of the same user, and for sending a digital identity issuing request and the at least two types of identity real-name information to the digital identity management platform, wherein the digital identity issuing request is used for requesting issuance of a digital identity;
the digital identity management platform is used for sending the received identity real-name information of the at least two types to a trusted platform after obtaining the digital identity issuing request so as to enable the trusted platform to issue at least two network electronic identity identification eID codes respectively and uniquely corresponding to the identity real-name information of the at least two types; receiving the at least two eID codes sent by the trusted platform; generating a digital identity of the user according to the at least two eID codes and a preset generation mode;
the digital identity management platform is also used for generating an authorization credential corresponding to the digital identity of the user according to a preset update period, and for sending the generated authorization credential to the terminal device;
the terminal device is also used for generating a digital identity two-dimensional code of the user according to the authorization credential received for the first time, and for updating the digital identity two-dimensional code of the user according to a re-received authorization credential.
2. The system of claim 1, wherein the digital identity management platform is configured to send different types of identity real-name information of the user to the trusted platform based on different digital identity issuing requests; to generate a digital identity of the user based on the first-received eID code sent by the trusted platform; and to update the digital identity of the user according to other eID codes subsequently sent by the trusted platform.
3. The system of claim 1 or 2, wherein each of the at least two eID codes includes a credential type identifier that matches a corresponding type of identity real name information.
4. A method for digital identity application, the method comprising:
receiving at least two types of identity real-name information of the same user and a digital identity issuing request, both sent by a terminal device, wherein the digital identity issuing request is used for requesting issuance of a digital identity;
sending the at least two types of identity real-name information to a trusted platform so that the trusted platform issues at least two network electronic identity identification eID codes respectively and uniquely corresponding to the at least two types of identity real-name information;
receiving the at least two eID codes sent by the trusted platform;
generating a digital identity of the user according to the at least two eID codes and a preset generation mode;
generating an authorization credential corresponding to the digital identity of the user according to a preset update period; sending the generated authorization credential to the terminal device so that the terminal device generates a digital identity two-dimensional code of the user according to the authorization credential received for the first time, and updates the digital identity two-dimensional code of the user according to a re-received authorization credential.
5. A method of applying for a digital identity, the method comprising:
obtaining at least two types of identity real-name information of the same user;
sending the at least two types of identity real-name information and a digital identity issuing request to a digital identity management platform, so that the digital identity management platform sends the at least two types of identity real-name information to a trusted platform and obtains at least two network electronic identity identification eID codes generated by the trusted platform, each uniquely corresponding to one of the at least two types of identity real-name information; wherein the digital identity issuing request is used for requesting issuance of a digital identity;
receiving the at least two eID codes sent by the digital identity management platform;
generating a digital identity of the user in a predetermined generation manner based on the at least two eID codes;
sending the generated digital identity of the user to the digital identity management platform so that the digital identity management platform generates an authorization credential corresponding to the digital identity of the user according to a preset update period;
generating a digital identity two-dimensional code of the user according to the authorization credential received for the first time; and updating the digital identity two-dimensional code of the user according to a re-received authorization credential.
6. An identity authentication system is characterized by comprising an identity authentication request terminal, terminal equipment and a digital identity management platform; wherein:
the terminal device is used for obtaining an identity authentication request and sending the identity authentication request to the digital identity management platform; the digital identity management platform stores digital identities of a plurality of users, the digital identity of each user comprises at least two network electronic identity identification eID codes, and each eID code is uniquely and correspondingly generated by a trusted platform based on one type of identity real-name information of the user;
the digital identity management platform is used for determining a corresponding target digital identity based on the identity authentication request;
the identity authentication request terminal is used for acquiring a target eID code corresponding to the target digital identity; determining an eID code to be authenticated from the target eID code according to an identity authentication scene; sending the eID code to be authenticated to the trusted platform so as to verify whether the eID code to be authenticated is valid or not through the trusted platform;
the identity authentication request terminal is also used for scanning the digital identity two-dimensional code displayed by the terminal device, determining an authorization credential in the digital identity two-dimensional code according to the obtained code scanning image, and sending the authorization credential to the digital identity management platform;
the digital identity management platform is further configured to determine the target digital identity corresponding to the authorization credential.
7. The system of claim 6, wherein a digital identity management client is installed in the terminal device;
the terminal device is used for obtaining the identity authentication request through the digital identity management client;
the digital identity management platform is used for determining the target digital identity corresponding to the digital identity management client based on the identity authentication request.
8. The system of claim 6 or 7, wherein the identity authentication request includes a certificate type for which authentication is requested, and each eID code in the target eID codes includes a certificate type identifier matching identity real-name information of the corresponding type;
the digital identity management platform is used for determining eID codes which are included in the target digital identity and matched with the certificate type requesting authentication;
the identity authentication request end is used for acquiring the eID codes matched with the certificate type for which authentication is requested as the eID codes to be authenticated.
9. An identity authentication method, the method comprising:
receiving an identity authentication request sent by a terminal device;
determining corresponding target digital identity identifications from the stored digital identity identifications of a plurality of users based on the identity authentication request; the digital identity of each user comprises at least two network electronic identity identification eID codes, and each eID code is uniquely and correspondingly generated by a trusted platform based on one type of identity real-name information of the user; enabling an identity authentication request end to obtain a target eID code corresponding to the target digital identity, determining an eID code to be authenticated from the target eID code according to an identity authentication scene, and sending the eID code to be authenticated to the trusted platform so as to verify whether the eID code to be authenticated is valid or not through the trusted platform;
receiving an authorization credential sent by the identity authentication request terminal, wherein the authorization credential is determined by the identity authentication request terminal from the digital identity two-dimensional code displayed by the terminal device, according to the code scanning image obtained by scanning it;
determining the target digital identity corresponding to the authorization credential.
10. An identity authentication method, the method comprising:
obtaining target network electronic identity identification eID codes corresponding to a target digital identity, wherein the target digital identity is determined by a digital identity management platform according to an identity authentication request, the digital identity management platform stores digital identities of a plurality of users, the digital identity of each user comprises at least two eID codes, and each eID code is generated by a trusted platform based on one type of identity real-name information of the user;
determining an eID code to be authenticated from the target eID code according to an identity authentication scene;
sending the eID code to be authenticated to the trusted platform so as to verify whether the eID code to be authenticated is valid or not through the trusted platform;
scanning a digital identity two-dimensional code displayed by the terminal device; determining an authorization credential in the digital identity two-dimensional code according to the obtained code scanning image; and sending the authorization credential to the digital identity management platform so that the digital identity management platform determines the target digital identity corresponding to the authorization credential.
11. A server, characterized in that the server comprises:
a memory for storing program instructions;
a processor for calling the program instructions stored in said memory and executing the steps comprised in the method of claim 4 or 9 according to the obtained program instructions.
12. A terminal device, characterized in that the terminal device comprises:
a memory for storing program instructions;
a processor for calling the program instructions stored in said memory and executing the steps comprised in the method of claim 5 or 10 according to the obtained program instructions.
13. A storage medium storing computer-executable instructions for causing a computer to perform the steps comprised by the method of claim 4 or 5, or to perform the steps comprised by the method of claim 9 or 10.
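The two-sided flow of claims 9 and 10 (trusted platform issuing one eID code per type of real-name information, management platform resolving a scanned authorization credential to a digital identity, terminal selecting the eID code by scene and asking the trusted platform to validate it), as an added Python sketch that is not part of the patent and not Tencent's implementation. The scene-to-information-type mapping, the HMAC-based eID derivation, the QR payload format and the single-use credential are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed scene -> real-name info type mapping (the claim only says "according to an identity authentication scene")
SCENE_INFO_TYPE = {"hotel_checkin": "id_card", "border_control": "passport"}

class TrustedPlatform:
    """Generates one eID code per type of real-name information and validates it later."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed platform secret
        self._issued = set()                 # eID codes this platform stands behind
    def issue_eid(self, info_type, real_name_info):
        # Keyed digest (assumed scheme): the eID code stands in for the real-name info without revealing it.
        msg = f"{info_type}:{real_name_info}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._issued.add(code)
        return code
    def is_valid(self, eid_code):
        return eid_code in self._issued

class DigitalIdentityPlatform:
    """Stores digital identities (>= 2 eID codes each) and maps QR credentials to them."""
    def __init__(self):
        self._identities = {}   # user_id -> {info_type: eid_code}
        self._credentials = {}  # one-time authorization credential -> user_id
    def register(self, user_id, eids):
        if len(eids) < 2:
            raise ValueError("a digital identity needs at least two eID codes")
        self._identities[user_id] = dict(eids)
    def qr_payload(self, user_id):
        # Authorization credential carried in the two-dimensional code (payload format constructed).
        cred = secrets.token_urlsafe(16)
        self._credentials[cred] = user_id
        return f"eidauth:v1:{cred}"
    def resolve(self, credential):
        # Consumed on first use, so a captured code-scanning image cannot be replayed.
        user_id = self._credentials.pop(credential, None)
        return None if user_id is None else self._identities[user_id]

def authenticate(scanned_payload, scene, mgmt, trusted):
    """Terminal side of claim 10: parse the scanned code, pick the eID for the scene, verify."""
    prefix, _, credential = scanned_payload.partition(":v1:")
    if prefix != "eidauth" or not credential:
        return False
    target_eids = mgmt.resolve(credential)
    if target_eids is None:
        return False
    code = target_eids.get(SCENE_INFO_TYPE.get(scene))
    return code is not None and trusted.is_valid(code)
```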
CN201810899070.3A 2018-08-08 2018-08-08 Digital identity application system and method, identity authentication system and method Active CN110826043B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810899070.3A CN110826043B (en) 2018-08-08 2018-08-08 Digital identity application system and method, identity authentication system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810899070.3A CN110826043B (en) 2018-08-08 2018-08-08 Digital identity application system and method, identity authentication system and method

Publications (2)

Publication Number Publication Date
CN110826043A CN110826043A (en) 2020-02-21
CN110826043B true CN110826043B (en) 2022-11-25

Family

ID=69540768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810899070.3A Active CN110826043B (en) 2018-08-08 2018-08-08 Digital identity application system and method, identity authentication system and method

Country Status (1)

Country Link
CN (1) CN110826043B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597539B (en) * 2020-04-23 2023-04-25 维沃移动通信有限公司 Identity authentication method, identity authentication device and electronic equipment
WO2022042745A1 (en) * 2020-08-31 2022-03-03 北京书生网络技术有限公司 Key management method and apparatus
CN112087303B (en) * 2020-09-15 2023-04-28 炬星科技(深圳)有限公司 Certificate presetting and issuing method, robot and server
CN112685064B (en) * 2020-12-30 2024-03-22 南京擎盾信息科技有限公司 Processing method and device for equipment identification, storage medium and electronic device
CN113177797A (en) * 2021-05-06 2021-07-27 巽腾(广东)科技有限公司 User identity information authentication method, system, device, equipment and storage medium
CN113489592B (en) * 2021-07-01 2023-03-24 公安部第三研究所 System and method for achieving opening processing of shortcut clearance capability aiming at eID electronic license
CN113923144B (en) * 2021-09-18 2023-09-01 北京奇艺世纪科技有限公司 Service testing system, method, electronic equipment and storage medium
CN114095211B (en) * 2021-10-29 2023-08-22 新大陆(福建)公共服务有限公司 Trusted digital identity personnel verification method and system
CN116644071B (en) * 2023-06-08 2024-04-05 中国长江三峡集团有限公司 Material coding management method, device, computer equipment and storage medium
CN117057384A (en) * 2023-08-15 2023-11-14 厦门中盾安信科技有限公司 User code string generation method, medium and device supporting multi-type business handling

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN2507065Y (en) * 2001-09-24 2002-08-21 陈德范 Electronic certificate
CN102420834A (en) * 2011-12-29 2012-04-18 公安部第三研究所 Generation and verification control method for network identity code in electronic network identity card
CN103886460A (en) * 2014-04-22 2014-06-25 徐永君 On-site payment system and method implemented based on identity authentication token
CN206212040U (en) * 2016-10-31 2017-05-31 金联汇通信息技术有限公司 A kind of real-name authentication system for express delivery industry
US9805213B1 (en) * 2009-06-03 2017-10-31 James F. Kragh Identity validation and verification system and associated methods
CN107404478A (en) * 2017-07-21 2017-11-28 金联汇通信息技术有限公司 EID coded queries method, system and its corresponding server
CN108093000A (en) * 2018-02-08 2018-05-29 山东合天智汇信息技术有限公司 A kind of information query method based on eID authentications, apparatus and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Development and application of the citizen network electronic identity eID; 胡传平; 《铁道警察学院学报》 (Journal of Railway Police College); 2015-02-15 (No. 01); full text *
Research on building an eID-based trusted network identity system; 汪志鹏 et al.; 《信息网络安全》 (Information Network Security); 2015-09-30 (No. 09); pp. 97-100 *
Research on the mechanism of China's Internet electronic identity card system; 张越今; 《中国人民公安大学学报(自然科学版)》 (Journal of People's Public Security University of China, Natural Science Edition); 2013-02-15 (No. 01); full text *

Also Published As

Publication number Publication date
CN110826043A (en) 2020-02-21

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40021600; Country of ref document: HK)

SE01 Entry into force of request for substantive examination
GR01 Patent grant