CN111414608A - Method for server to accept registration - Google Patents
Method for server to accept registration Download PDFInfo
- Publication number
- CN111414608A CN111414608A CN202010160817.0A CN202010160817A CN111414608A CN 111414608 A CN111414608 A CN 111414608A CN 202010160817 A CN202010160817 A CN 202010160817A CN 111414608 A CN111414608 A CN 111414608A
- Authority
- CN
- China
- Prior art keywords
- data
- authentication
- verification
- signature
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for a server to accept registration, belonging to the technical field of information; the invention receives and analyzes the registration response data sent by the client through the server to obtain the client data and the equipment data, the server determines the equipment type according to the authentication declaration format type in the equipment data, and completes the verification registration corresponding to different equipment types according to different equipment type verification modes.
Description
Technical Field
The invention relates to the technical field of information, in particular to a method for a server to accept registration.
Background
In the traditional identity authentication method, a client side is required to send a password to a password library of a remote server for comparison, but the password is intercepted and cracked, and is stored in the same remote server, so that if a super administrator account is stolen, the passwords of all users in the remote server are leaked. To solve the technical problem, the prior art discloses a method for participating authentication equipment in a registration process, which improves the security of a user in the identity authentication process, currently, when single-type authentication equipment is registered through a server, the equipment types need to correspond to the verification methods of the server one by one, the server can verify and register the single-type equipment without judging the equipment types, however, the existing equipment tends to be multi-type, the server does not have compatibility for the authentication and registration of the multi-type equipment, and how the server verifies and registers the multi-type authentication equipment becomes a problem to be solved urgently.
Disclosure of Invention
The invention provides a method for receiving registration by a server, which comprises the following steps:
step S1, the server receives the registration request sent by the client, analyzes the registration request, generates a challenge value, generates registration data according to the challenge value and the registration information, and sends the registration data to the client;
step S2, the server receives the registration response data sent by the client, analyzes the registration response data to obtain client data and device data, verifies the client data, and decodes and analyzes the device data if the verification is successful to obtain first data, second data, and third data;
step S3, the server determines the format type of the authentication declaration according to the first data, obtains the signature data in the third data, verifies the signature of the signature data according to the verification method corresponding to the determined format type of the authentication declaration, and executes step S4 if the signature verification is successful; the authentication declaration format types are at least two;
step S4, the server obtains the user credential identifier in the second data, and determines whether the obtained user credential identifier exists in the list of registered user credential identifiers, if so, it prompts the registration failure, and ends, otherwise, it saves the registration information, and returns a registration completion response to the client.
The invention provides a system for receiving registration by a server, which comprises: a server, a client and an authentication device;
the server includes: the device comprises a receiving module, an analyzing module, a generating module, a verifying module, a determining module, an obtaining module, a judging module and a sending module;
the receiving module is used for receiving a registration request sent by the client; the system is also used for receiving registration response data sent by the client;
the analysis module is used for analyzing the registration request received by the receiving module; the server is also used for analyzing the registration response data received by the receiving module to obtain client data and equipment data;
the generation module is used for generating a challenge value and generating registration data according to the challenge value and the registration information;
the verification module is used for verifying the client data analyzed by the analysis module, and decoding and analyzing the equipment data to obtain first data, second data and third data if the verification is successful; the authentication system is also used for verifying the signature data according to a verification method corresponding to the determined authentication declaration format type;
the determining module is used for determining the format type of the authentication statement according to the first data obtained by the verifying module and acquiring signature data in third data;
the obtaining module is used for obtaining the user certificate identification in the second data when the signature verification module successfully verifies the signature of the signature data;
the judging module is used for judging whether the acquired user certificate identification exists in the registered user certificate identification list or not and prompting registration failure when the acquired user certificate identification exists in the registered user certificate identification list;
the sending module is used for sending the registration data generated by the generating module to the client; and the judging module is also used for returning a registration completion response to the client when judging that the acquired user certificate identification does not exist in the registered user certificate identification list.
The invention has the beneficial effects that: the invention provides a method for a server to receive registration, the server receives and analyzes registration response data sent by a client to obtain client data and equipment data, the server determines the equipment type according to the authentication statement format type in the equipment data, and completes the authentication registration corresponding to different equipment types according to different equipment type authentication modes.
Drawings
Fig. 1 is a flowchart of a method for a server to receive registration according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for receiving registration by a server according to a second embodiment of the present invention;
fig. 3 is a block diagram of a system for accepting registration by a server according to a third embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
An embodiment of the present invention provides a method for a server to accept registration, where the method is applied to a system including the server, a client and an authentication device, and as shown in fig. 1, the method includes:
step S1, the server receives the registration request sent by the client, analyzes the registration request, generates a challenge value, generates registration data according to the challenge value and the registration information, and sends the registration data to the client;
step S2, the server receives the registration response data sent by the client, analyzes the registration response data to obtain client data and equipment data, verifies the client data, and decodes and analyzes the equipment data if the verification is successful to obtain first data, second data and third data;
step S3, the server determines the format type of the authentication declaration according to the first data, obtains the signature data in the third data, verifies the signature of the signature data according to the verification method corresponding to the determined format type of the authentication declaration, and executes step S4 if the signature verification is successful; the authentication declaration format types are at least two;
step S4, the server obtains the user credential identifier in the second data, and determines whether the obtained user credential identifier exists in the list of registered user credential identifiers, if so, it prompts the registration failure, and if not, it ends, otherwise, it saves the registration information, and returns a registration completion response to the client.
Optionally, in this embodiment, verifying the client data specifically includes: the server acquires the access information, the abstract value and the registration information of the relying party in the client data, compares the access information, the abstract value and the registration information of the relying party stored in the server according to the access information, the abstract value and the registration information of the relying party stored in the server, if the access information, the abstract value and the registration information are consistent, the verification is successful, and if the access information, the abstract value and the registration information are inconsistent, the verification is.
Optionally, in this embodiment, the authentication assertion format type specifically includes a first authentication assertion format type;
when the server determines that the authentication declaration format type is the first authentication declaration format type according to the first data, verifying the signature of the signature data according to a verification method corresponding to the authentication declaration format type specifically includes: and the server checks the signature data according to a verification method corresponding to the first authentication declaration format type.
Preferably, in this embodiment, the verifying the signature of the signature data by the server according to the verification method corresponding to the first authentication declaration format type specifically includes: and the server acquires a first preset field in the third data, determines an authentication type according to the first preset field, performs signature verification on the signature data according to the authentication type, and executes the step S4 if the signature verification is successful, otherwise, the process is finished.
Further preferably, in this embodiment, the authentication type includes a first authentication type;
when the server determines that the authentication type is the first authentication type according to the first preset field, verifying the signature of the signature data according to the authentication type specifically comprises the following steps:
step A1, the server acquires the certificate of the authentication equipment in the third data, checks the signature data through a preset algorithm, if the signature is successfully checked, the step A2 is executed, and if the signature is not successfully checked, the step is ended;
step A2, the server obtains the device certificate chain in the third data, the credibility of the obtained device certificate chain is verified through the root certificate of the corresponding device stored in the server, if the verification is successful, the step S4 is executed, otherwise, the operation is finished.
Further preferably, in this embodiment, the authentication type includes a second authentication type;
when the server determines that the authentication type is the second authentication type according to the first preset field, verifying the signature of the signature data according to the authentication type specifically comprises the following steps:
step B1, the server acquires the public key in the certificate key pair in the second data, verifies whether the preset algorithm is matched with the public key in the certificate key pair, if so, executes step B2, otherwise, finishes;
and step B2, the server checks the signature data through a preset algorithm according to the public key in the certificate key pair, if the signature is successfully checked, the step S4 is executed, and if the signature is not successfully checked, the process is ended.
Optionally, in this embodiment, the authentication assertion format type specifically includes a second authentication assertion format type;
when the server determines that the authentication declaration format type is the second authentication declaration format type according to the first data, verifying the signature of the signature data according to a verification method corresponding to the authentication declaration format type specifically includes: and the server checks the signature data according to a verification method corresponding to the second authentication declaration format type.
Preferably, in this embodiment, the server performs signature verification on the signature data according to a verification method corresponding to the second authentication declaration format type, specifically:
step C1, the server acquires the public key of the device certificate in the third data, checks the signature data through a preset algorithm according to the public key of the device certificate and the client data, if the signature is successfully checked, the step C2 is executed, otherwise, the process is ended;
and C2, the server acquires the certificate corresponding to the authentication type in the third data, the credibility of the certificate is verified, if the verification is successful, the step S4 is executed, and if not, the operation is ended.
Optionally, in this embodiment, in step S3, after determining the authentication assertion format type according to the first data, the server further includes: and the server decodes and analyzes the third data according to a preset coding method.
Example two
An embodiment two of the present invention provides a method for a server to accept registration, where the method is applied to a system including the server, a client and an authentication device, and as shown in fig. 2, the method includes:
step 101, a server receives a registration request sent by a client, analyzes the registration request, generates a challenge value, generates registration data according to the challenge value and registration information, and sends the registration data to the client;
in this embodiment, the generating the challenge value specifically includes: the server generates a string of 32 bytes of random numbers as a challenge value;
for example, the challenge generated by the server is "challenge" 0ZCM4Dqj _ mpl48zWHiii LL lRt66tCO L K-pydCN 6Mo L U;
specifically, the registration information includes: registering user information and a registration generation policy, wherein the registration generation policy comprises: a registration authentication key algorithm, a user certificate identification list, selectable parameters and the like; optional parameters such as user authentication, confirmation mode, extension, etc.;
the registered user information includes a user name, such as user: a feitian 123;
the registration generation strategy is as follows:
{"pubKeyCredParams":[{"type":"public-key","alg":-7}],"authenticatorSelection":{"authenticatorAttachment":"cross-platform","requireResidentKey":false,"userVerification":"preferred"},"attestation":"direct"};
the registration data generated according to the challenge value and the registration information is as follows:
{"rp":{"id":"www.lina.com","name":"WebAuthnTest"},"user":{"name":"ftTest","displayName":"ftTest","id":"ZnRUZXN0"},"challenge":"0ZCM4Dqj_mpl48zWHiiiLLlRt66tCOLK-pydCN6MoLU","pubKeyCredParams":[{"type":"public-key","alg":-7}],"authenticatorSelection":{"authenticatorAttachment":"cross-platform","requireResidentKey":false,"userVerification":"preferred"},"attestation":"direct"};
specifically, after receiving the registration data, the client further includes: the client side obtains the access information, the challenge value and the equipment binding information of the relying party, carries out Hash operation on the obtained access information, the challenge value and the equipment binding information of the relying party according to a preset Hash algorithm to obtain an abstract value, and organizes the abstract value, the access information of the relying party and the registration information into client side data to be sent to the authentication equipment;
the access information includes: access type (type), relying party access source (origin), etc.;
specifically, the algorithm for the client to perform the hash operation on the acquired relying party access information, challenge value and device binding information according to the preset hash algorithm is specifically SHA 256;
optionally, after receiving the client data sent by the client, the authentication device further includes:
step a1, the authentication device organizes the first data according to the registration information in the client data in a preset mode; the first data includes: authentication declaration format identification and identifier;
for example, the first data is: { "fmt": "packed" };
step a2, the authentication device generates a certificate key pair according to the registration information in the client data, generates a user certificate identifier corresponding to the user information, obtains a device unique identifier, and organizes a public key in the generated certificate key pair, the generated user certificate identifier and the device unique identifier to obtain second data;
for example, the device unique identifier is: "attData": { "aaguid": 77010BD7212A4FC9B236D2CA5E9D4084},
public key of the credential key pair: "public Key": { "x": 8802525CE55A25FC347BFD5432AC489966D3BFDB305B5E9E335834599130A5BE, "y": 3E624CAC2B30C7EFC5F6B990C4A2B2F81023A838A39AD2FB4D04096FF71E376E },
user credential identification: "critical id": BC965FB4D1564D33FCF6EF02DDE3B443164591AE11D6A5043249D1670353898E3E89CCFB7B4818A39C25D2BEC931D520E9B97F1505328BA4E9E5707A0C506CDCE102C74CC8B3D5D510BFDE023533E1DBAD54E80767EF5E6AC677C8CA531430EE,
the second data is:
{"rpIdHash":8BCE4F2C0F8F2D6E493A90F1D5BAC31E2738D935CF17ADAD2C381DB622E407E2,"flags":69,"signCount":5593,"attData":{"aaguid":77010BD7212A4FC9B236D2CA5E9D4084,"credentialId":BC965FB4D1564D33FCF6EF02DDE3B443164591AE11D6A5043249D1670353898E3E89CCFB7B4818A39C25D2BEC931D520E9B97F1505328BA4E9E5707A0C506CDCE102C74CC8B3D5D510BFDE023533E1DBAD54E80767EF5E6AC677C8CA531430EE,"publicKey":{"x":8802525CE55A25FC347BFD5432AC489966D3BFDB305B5E9E335834599130A5BE,"y":3E624CAC2B30C7EFC5F6B990C4A2B2F81023A838A39AD2FB4D04096FF71E376E,"crv":1,"alg":"ES256","kty":2}}};
step a3, the authentication device acquires a digest value in the client data, takes the digest value and the second data as data to be signed, signs the data to be signed according to a preset algorithm to obtain signature data, acquires a certificate, a certificate chain, the signature data and verifies the signature algorithm organization to obtain third data;
for example, the authentication device certificate: "attestnCert": 308201E53082018CA003020102020900D79549BD1A 79549A 06082A8648CE3D 79549C 0C 79549F 79549D 79549A 180F 79549A 306F310B 79549D 301B 79549A 0C 79549E 6F6C6F 79549B 0C 79549E 79549F 79549F 6F 311D301B 79549C 79549F 79549F 8648CE3D 79549A 8648D 3D 79549C 0673C92BCFA06A6BAF70BD8DBF 79549C 6B 79549B 8DBC6890D3D 79549 BB889AA FED219B 79549D 79549D 301E 01E 5B 1EE6D AFF 26071A6B3A 79549D 79549E 79549E 12B 31A 3631B BBB 79549B 0603672B 79549A 79549B 79549A 79549B 0603D 79549B 79549A 79549B 3D 79549B 79549A 3D 79549B 3D 79549B 79549A 3D 79549B 3B: e CA D1A 06082A8648CE3D C0C F D180F A306F310B 301B 0C E6F6C6F B0C E F6E311D301B C F A8648CE3D B0673C92BCFA06A6BAF70BD8DBF C6CE4035B 8DBC6890D3D BB889AA89FED219B D301E 01FF5 FF 1EE6D26071A6B 3D D D0E EF12B 31DFBBB62E 66D678ABBDF B2B E51C B51C 7212A4FC9B D2CA5E9D D130101FF A06010A 8648CE3D 41A64C9FD 8F 9F 999B 999F 999B 0651F 35A 35F 35D 35A 48F 35D 35F 35A 48D 35F 35D 48A 48F 35D 35F 35D 35A 48F 35D 48F 35D 35A 3D 48F 35D 48A 48D 35F 35A 48F 35D 48A 3D 35D 48F 35D 48A 3D 48F 35D 48F 35A 48A 3D 35D 48F 35D 35A 3D 35F 35A 3D 35D 48F 35A 3D 35F 47D 48A 3D 35D 48A 3D 35D 48F 35D 48A 3D 48F 35D 48F 47D 48A 3D 35A 3D 35A 3D 48F 35A 3D 35F 35A 48F 35A 3D 35D 48A 3D 48F 35D 48A 3D 35A 3D 35F 35A 3D 35A 3D 48F 35A 6D 48F 35,
signature data: "sig": 3045022100D28D9484CDEFD44A1011C203F9AB7076B5E59342CED27B4B30B1129F71593804022068C4674F87A7ED72AC5A0EF3FAC32C92FF74C29D3EE62A769AF1981F47057AE0,
and (3) verifying a signature algorithm: "alg": "ES 256" is used in the present invention,
the third data is: { "sig": 3045022100D28D9484CDEFD44A1011C203F9AB7076B5E59342CED27B4B30B1129F71593804022068C4674F87A7ED72AC5A0EF3FAC32C92FF74C29D3EE62A769AF1981F47057AE0, "attestnCert": 308201E53082018CA003020102020900D79549BD1A 79549A 06082A8648CE3D 79549C 0C 79549F 79549D 79549A 180F 79549A 306F310B 79549D 301B 79549A 0C 79549E 6F6C6F 79549B 0C 79549E 79549F 79549F 6F 311D301B 79549C 79549F 79549F 8648CE3D 79549A 8648D 3D 79549C 0673C92BCFA06A6BAF70BD8DBF 79549C 6B 79549B 8DBC6890D3D 79549 BB889AA FED219B 79549D 79549D 301E 01E 5B 1EE6D AFF 26071A6B3A 79549D 79549E 79549E 12B 31A 3631B BBB 79549B 0603672B 79549A 79549B 79549A 79549B 0603D 79549B 79549A 79549B 3D 79549B 79549A 3D 79549B 3D 79549B 79549A 3D 79549B 3B: e CA D BD1A 06082A8648CE3D C0C F D180F A306F310B 301B 0C E6F6C6F B0C E F6E311D301B C F A8648CE3D A8648CE3D B0673C92BCFA06A6BAF70BD8DBF C6CE4035B 8DBC6890D3D BB889AA89FED219B D301E 01FF5 FF 1EE6D26071A6B 3D D D0E EF12B 31DFBBB62E 66D678ABBDF B2B 51C 7212A 4B 236D2CA5E9D D130101FF A06047A 8648CE3D 41A64C9FD 8F 9F 999B 999F 999B 0651F 35A 48D 48A 48F 35D 48A 48D 35F 35D 48A 48D 48F 35D 48A 48D 35D 48F 35A 48D 48F 35D 48A 48D 35D 48A 3D 48F 35D 48A 48D 48A 3D 03D 48F 35D 48F 35A 3D 35D 48A 3D 48F 35D 03D 48A 3D 48F 35A 3D 48F 35D 48A 3D 03D 48F 35D 48A 3D 03D 48F 35D 03D 35 DE 3D 48A 3D 48F 35 DE 3D 03D 48A 3D 6D 03D 6D 3D 03D 6D 03D 3D 6D 3D 03D 6D 3D 6D 3D 03D 3D 6DE 3D 03B 3D 6B 1E 12B 3D 6B 1A 1F 35A 1E 3D 6D 03D 6B 1E 3D 6D 03B 1A 1E 3D: "ES 256" };
a4, the authentication device encodes the third data according to a preset encoding mode to obtain encoded third data, encodes the first data, the second data and the encoded third data according to the preset encoding mode to obtain device data, and sends the device data to the client;
optionally, after receiving the client data sent by the client, the authentication device further includes: the authentication equipment acquires the registration information in the client data, acquires a user certificate identification list in the registration information, searches the user certificate identification list of the authentication equipment, judges whether the same user certificate identification exists or not, prompts the registration failure if the same user certificate identification exists, and finishes the process, otherwise, returns to the step a 1;
optionally, in this embodiment, the signature algorithm is ECDSA (Elliptic Curve Digital signature algorithm);
for example, the encoded third data is:
{"map":{"alg":{"value":-7,"majorType":"NEGATIVE_INTEGER"},"x5c":{"objects":[{"bytes":[48,-126,1,-27,48,-126,1,-116,-96,3,2,1,2,2,9,0,-41,-107,73,-67,26,103,23,97,48,10,6,8,42,-122,72,-50,61,4,3,2,48,23,49,21,48,19,6,3,85,4,3,12,12,70,84,32,70,73,68,79,32,48,50,48,48,48,32,23,13,49,56,48,56,49,51,48,48,48,48,48,48,90,24,15,50,48,51,51,48,56,49,50,50,51,53,57,53,57,90,48,111,49,11,48,9,6,3,85,4,6,19,2,85,83,49,29,48,27,6,3,85,4,10,12,20,70,101,105,116,105,97,110,32,84,101,99,104,110,111,108,111,103,105,101,115,49,34,48,32,6,3,85,4,11,12,25,65,117,116,104,101,110,116,105,99,97,116,111,114,32,65,116,116,101,115,116,97,116,105,111,110,49,29,48,27,6,3,85,4,3,12,20,70,84,32,66,105,111,80,97,115,115,32,70,73,68,79,50,32,85,83,66,48,89,48,19,6,7,42,-122,72,-50,61,2,1,6,8,42,-122,72,-50,61,3,1,7,3,66,0,4,-80,103,60,-110,-68,-6,6,-90,-70,-9,11,-40,-37,-10,55,-104,56,-104,76,108,-28,3,91,24,36,71,-72,-37,-58,-119,13,61,-126,69,-106,-128,-101,-72,-119,-86,-119,-2,-46,25,-79,3,65,-99,6,-123,-97,48,30,1,-1,90,-5,30,-26,-46,96,113,-90,-77,-93,103,48,101,48,29,6,3,85,29,14,4,22,4,20,-17,18,-76,70,86,58,49,-33,-69,-74,46,49,-10,109,103,-118,-69,-33,53,21,48,19,6,11,43,6,1,4,1,-126,-27,28,2,1,1,4,4,3,2,5,32,48,33,6,11,43,6,1,4,1,-126,-27,28,1,1,4,4,18,4,16,119,1,11,-41,33,42,79,-55,-78,54,-46,-54,94,-99,64,-124,48,12,6,3,85,29,19,1,1,-1,4,2,48,0,48,10,6,8,42,-122,72,-50,61,4,3,2,3,71,0,48,68,2,32,43,65,-90,76,-97,-41,119,115,-120,65,-108,38,-100,-56,-7,-71,19,48,115,127,-103,9,-69,27,34,78,113,86,111,116,-56,4,2,32,49,-119,-53,-92,58,-122,-118,-39,-116,74,1,79,-37,-47,90,34,9,97,-92,23,42,61,82,-104,25,84,-40,-96,-128,-32,81,98],"chunked":false,"majorType":"BYTE_STRING"},{"bytes":[48,-126,1,126,48,-126,1,37,-96,3,2,1,2,2,1,1,48,10,6,8,42,-122,72,-50,61,4,3,2,48,23,49,21,48,19,6,3,85,4,3,12,12,70,84,32,70,73,68,79,32,48,50,48,48,48,32,23,13,49,54,48,53,48,49,48,48,48,48,48,48,90,24,15,50,48,53,48,48,53,48,49,48,48,48,48,48,48,90,48,23,49,21,48,19,6,3,85,4,3,12,12,70,84,32,70,73,68,79,32,48,50,48,48,48,89,48,19,6,7,42,-122,72,-50,61,2,1,6,8,42,-122,72,-50,61,3,1,7,3,66,0,4,-48,102,-83,26,-107,59,28,-19,76,-107,77,-41,-37,-19,118,-89,11,-18,-46,-112,122,-119,118,-98,115,54,-1,38,32,-66,75,25,-98,-66,116,72,-90,-43,-128,-127,36,-52,116,21,58,-17,52,45,81,4,-34,85,97,120,-19,71,-114,8,49,2,84,-6,-93,-123,-93,96,48,94,48,29,6,3,85,29,14,4,22,4,20,73,21,100,45,-43,-69,-58,-34,51,58,94,9,-107,-4,-121,35,54,-45,-65,11,48,31,6,3,85,29,35,4,24,48,22,-128,20,73,21,100,45,-43,-69,-58,-34,51,58,94,9,-107,-4,-121,35,54,-45,-65,11,48,12,6,3,85,29,19,4,5,48,3,1,1,-1,48,14,6,3,85,29,15,1,1,-1,4,4,3,2,1,6,48,10,6,8,42,-122,72,-50,61,4,3,2,3,71,0,48,68,2,32,48,124,-6,-96,33,98,20,7,-28,1,5,-91,70,-79,-47,-14,-46,-50,81,51,25,100,-50,-108,-105,-1,52,-78,77,-103,-108,-91,2,32,7,108,9,-22,118,81,51,-54,23,-2,112,56,-35,24,122,72,-102,47,51,101,-16,8,33,-1,-1,-30,-30,-84,16,27,7,67],"chunked":false,"majorType":"BYTE_STRING"}],"chunked":false,"majorType":"ARRAY"},"sig":{"bytes":[48,69,2,33,0,-46,-115,-108,-124,-51,-17,-44,74,16,17,-62,3,-7,-85,112,118,-75,-27,-109,66,-50,-46,123,75,48,-79,18,-97,113,89,56,4,2,32,104,-60,103,79,-121,-89,-19,114,-84,90,14,-13,-6,-61,44,-110,-1,116,-62,-99,62,-26,42,118,-102,-15,-104,31,71,5,122,-32],"chunked":false,"majorType":"BYTE_STRING"}},"keys":[{"string":"alg","chunked":false,"majorType":"UNICODE_STRING"},{"string":"sig","chunked":false,"majorType":"UNICODE_STRING"},{"string":"x5c","chunked":false,"majorType":"UNICODE_STRING"}],"chunked":false,"majorType":"MAP"};
the first data, the second data and the encoded third data are encoded according to a preset encoding mode to obtain device data as follows:
{"attestationObject":"o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEcwRQIhANKNlITN79RKEBHCA_mrcHa15ZNCztJ7SzCxEp9xWTgEAiBoxGdPh6ftcqxaDvP6wyyS_3TCnT7mKnaa8ZgfRwV64GN4NWOCWQHpMIIB5TCCAYygAwIBAgIJANeVSb0aZxdhMAoGCCqGSM49BAMCMBcxFTATBgNVBAMMDEZUIEZJRE8gMDIwMDAgFw0xODA4MTMwMDAwMDBaGA8yMDMzMDgxMjIzNTk1OVowbzELMAkGA1UEBhMCVVMxHTAbBgNVBAoMFEZlaXRpYW4gVGVjaG5vbG9naWVzMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMR0wGwYDVQQDDBRGVCBCaW9QYXNzIEZJRE8yIFVTQjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLBnPJK8-gamuvcL2Nv2N5g4mExs5ANbGCRHuNvGiQ09gkWWgJu4iaqJ_tIZsQNBnQaFnzAeAf9a-x7m0mBxprOjZzBlMB0GA1UdDgQWBBTvErRGVjox37u2LjH2bWeKu981FTATBgsrBgEEAYLlHAIBAQQEAwIFIDAhBgsrBgEEAYLlHAEBBAQSBBB3AQvXISpPybI20spenUCEMAwGA1UdEwEB_wQCMAAwCgYIKoZIzj0EAwIDRwAwRAIgK0GmTJ_Xd3OIQZQmnMj5uRMwc3-ZCbsbIk5xVm90yAQCIDGJy6Q6horZjEoBT9vRWiIJYaQXKj1SmBlU2KCA4FFiWQGCMIIBfjCCASWgAwIBAgIBATAKBggqhkjOPQQDAjAXMRUwEwYDVQQDDAxGVCBGSURPIDAyMDAwIBcNMTYwNTAxMDAwMDAwWhgPMjA1MDA1MDEwMDAwMDBaMBcxFTATBgNVBAMMDEZUIEZJRE8gMDIwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNBmrRqVOxztTJVN19vtdqcL7tKQeol2nnM2_yYgvksZnr50SKbVgIEkzHQVOu80LVEE3lVheO1HjggxAlT6o4WjYDBeMB0GA1UdDgQWBBRJFWQt1bvG3jM6XgmV_IcjNtO_CzAfBgNVHSMEGDAWgBRJFWQt1bvG3jM6XgmV_IcjNtO_CzAMBgNVHRMEBTADAQH_MA4GA1UdDwEB_wQEAwIBBjAKBggqhkjOPQQDAgNHADBEAiAwfPqgIWIUB-QBBaVGsdHy0s5RMxlkzpSX_zSyTZmUpQIgB2wJ6nZRM8oX_nA43Rh6SJovM2XwCCH__-LirBAbB0NoYXV0aERhdGFY5IvOTywPjy1uSTqQ8dW6wx4nONk1zxetrSw4HbYi5AfiRQAAFdl3AQvXISpPybI20spenUCEAGC8ll-00VZNM_z27wLd47RDFkWRrhHWpQQySdFnA1OJjj6JzPt7SBijnCXSvskx1SDpuX8VBTKLpOnlcHoMUGzc4QLHTMiz1dUQv94CNTPh261U6Adn715qxnfIylMUMO6lAQIDJiABIVggiAJSXOVaJfw0e_1UMqxImWbTv9swW16eM1g0WZEwpb4iWCA-YkysKzDH78X2uZDEorL4ECOoOKOa0vtNBAlv9x43bg"};
optionally, the client receives device data returned by the authentication device, generates registration response data according to the device data and the client data, and sends the registration response data to the server.
For example, the client data is:
{"clientDataJSON":"eyJjaGFsbGVuZ2UiOiIwWkNNNERxal9tcGw0OHpXSGlpaUxMbFJ0NjZ0Q09MSy1weWRDTjZNb0xVIiwib3JpZ2luIjoiaHR0cHM6Ly93d3cubGluYS5jb206ODQ0MyIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ"};
the client generates registration response data according to the equipment data and the client data as follows:
{"clientDataJSON":"eyJjaGFsbGVuZ2UiOiIwWkNNNERxal9tcGw0OHpXSGlpaUxMbFJ0NjZ0Q09MSy1weWRDTjZNb0xVIiwib3JpZ2luIjoiaHR0cHM6Ly93d3cubGluYS5jb206ODQ0MyIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ","attestationObject":"o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEcwRQIhANKNlITN79RKEBHCA_mrcHa15ZNCztJ7SzCxEp9xWTgEAiBoxGdPh6ftcqxaDvP6wyyS_3TCnT7mKnaa8ZgfRwV64GN4NWOCWQHpMIIB5TCCAYygAwIBAgIJANeVSb0aZxdhMAoGCCqGSM49BAMCMBcxFTATBgNVBAMMDEZUIEZJRE8gMDIwMDAgFw0xODA4MTMwMDAwMDBaGA8yMDMzMDgxMjIzNTk1OVowbzELMAkGA1UEBhMCVVMxHTAbBgNVBAoMFEZlaXRpYW4gVGVjaG5vbG9naWVzMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMR0wGwYDVQQDDBRGVCBCaW9QYXNzIEZJRE8yIFVTQjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLBnPJK8-gamuvcL2Nv2N5g4mExs5ANbGCRHuNvGiQ09gkWWgJu4iaqJ_tIZsQNBnQaFnzAeAf9a-x7m0mBxprOjZzBlMB0GA1UdDgQWBBTvErRGVjox37u2LjH2bWeKu981FTATBgsrBgEEAYLlHAIBAQQEAwIFIDAhBgsrBgEEAYLlHAEBBAQSBBB3AQvXISpPybI20spenUCEMAwGA1UdEwEB_wQCMAAwCgYIKoZIzj0EAwIDRwAwRAIgK0GmTJ_Xd3OIQZQmnMj5uRMwc3-ZCbsbIk5xVm90yAQCIDGJy6Q6horZjEoBT9vRWiIJYaQXKj1SmBlU2KCA4FFiWQGCMIIBfjCCASWgAwIBAgIBATAKBggqhkjOPQQDAjAXMRUwEwYDVQQDDAxGVCBGSURPIDAyMDAwIBcNMTYwNTAxMDAwMDAwWhgPMjA1MDA1MDEwMDAwMDBaMBcxFTATBgNVBAMMDEZUIEZJRE8gMDIwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNBmrRqVOxztTJVN19vtdqcL7tKQeol2nnM2_yYgvksZnr50SKbVgIEkzHQVOu80LVEE3lVheO1HjggxAlT6o4WjYDBeMB0GA1UdDgQWBBRJFWQt1bvG3jM6XgmV_IcjNtO_CzAfBgNVHSMEGDAWgBRJFWQt1bvG3jM6XgmV_IcjNtO_CzAMBgNVHRMEBTADAQH_MA4GA1UdDwEB_wQEAwIBBjAKBggqhkjOPQQDAgNHADBEAiAwfPqgIWIUB-QBBaVGsdHy0s5RMxlkzpSX_zSyTZmUpQIgB2wJ6nZRM8oX_nA43Rh6SJovM2XwCCH__-LirBAbB0NoYXV0aERhdGFY5IvOTywPjy1uSTqQ8dW6wx4nONk1zxetrSw4HbYi5AfiRQAAFdl3AQvXISpPybI20spenUCEAGC8ll-00VZNM_z27wLd47RDFkWRrhHWpQQySdFnA1OJjj6JzPt7SBijnCXSvskx1SDpuX8VBTKLpOnlcHoMUGzc4QLHTMiz1dUQv94CNTPh261U6Adn715qxnfIylMUMO6lAQIDJiABIVggiAJSXOVaJfw0e_1UMqxImWbTv9swW16eM1g0WZEwpb4iWCA-YkysKzDH78X2uZDEorL4ECOoOKOa0vtNBAlv9x43bg"};
102, the server receives registration response data sent by the client, and analyzes the registration response data to obtain client data and equipment data;
step 103: the server verifies the client data, if the verification is successful, the step 104 is executed, and if the verification is failed, the registration failure is prompted, and the process is finished;
in this embodiment, the server verifies the client data, specifically: the server acquires the access information, the abstract value and the registration information of the relying party in the client data, verifies the access information, executes the step 104 if the verification is successful, and prompts the failure of the registration if the verification is failed.
Step 104, the server decodes and analyzes the equipment data through a preset coding method to obtain first data, second data and third data;
in this embodiment, the first data is in an authentication assertion format, the second data is authenticator data, and the third data is authentication assertion statement data;
for example, the first data is: { "fmt": "packed" };
the second data is:
{"rpIdHash":8BCE4F2C0F8F2D6E493A90F1D5BAC31E2738D935CF17ADAD2C381DB622E407E2,"flags":69,"signCount":5593,"attData":{"aaguid":77010BD7212A4FC9B236D2CA5E9D4084,"credentialId":BC965FB4D1564D33FCF6EF02DDE3B443164591AE11D6A5043249D1670353898E3E89CCFB7B4818A39C25D2BEC931D520E9B97F1505328BA4E9E5707A0C506CDCE102C74CC8B3D5D510BFDE023533E1DBAD54E80767EF5E6AC677C8CA531430EE,"publicKey":{"x":8802525CE55A25FC347BFD5432AC489966D3BFDB305B5E9E335834599130A5BE,"y":3E624CAC2B30C7EFC5F6B990C4A2B2F81023A838A39AD2FB4D04096FF71E376E,"crv":1,"alg":"ES256","kty":2}}};
the third data is:
{"sig":3045022100D28D9484CDEFD44A1011C203F9AB7076B5E59342CED27B4B30B1129F71593804022068C4674F87A7ED72AC5A0EF3FAC32C92FF74C29D3EE62A769AF1981F47057AE0,"attestnCert":308201E53082018CA003020102020900D79549BD1A671761300A06082A8648CE3D04030230173115301306035504030C0C4654204649444F20303230303020170D3138303831333030303030305A180F32303333303831323233353935395A306F310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F6769657331223020060355040B0C1941757468656E74696361746F72204174746573746174696F6E311D301B06035504030C1446542042696F50617373204649444F32205553423059301306072A8648CE3D020106082A8648CE3D03010703420004B0673C92BCFA06A6BAF70BD8DBF6379838984C6CE4035B182447B8DBC6890D3D824596809BB889AA89FED219B103419D06859F301E01FF5AFB1EE6D26071A6B3A3673065301D0603551D0E04160414EF12B446563A31DFBBB62E31F66D678ABBDF35153013060B2B0601040182E51C0201010404030205203021060B2B0601040182E51C0101040412041077010BD7212A4FC9B236D2CA5E9D4084300C0603551D130101FF04023000300A06082A8648CE3D040302034700304402202B41A64C9FD77773884194269CC8F9B91330737F9909BB1B224E71566F74C80402203189CBA43A868AD98C4A014FDBD15A220961A4172A3D52981954D8A080E05162,"caCert":308201E53082018CA003020102020900D79549BD1A671761300A06082A8648CE3D04030230173115301306035504030C0C4654204649444F20303230303020170D3138303831333030303030305A180F32303333303831323233353935395A306F310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F6769657331223020060355040B0C1941757468656E74696361746F72204174746573746174696F6E311D301B06035504030C1446542042696F50617373204649444F32205553423059301306072A8648CE3D020106082A8648CE3D03010703420004B0673C92BCFA06A6BAF70BD8DBF6379838984C6CE4035B182447B8DBC6890D3D824596809BB889AA89FED219B103419D06859F301E01FF5AFB1EE6D26071A6B3A3673065301D0603551D0E04160414EF12B446563A31DFBBB62E31F66D678ABBDF35153013060B2B0601040182E51C0201010404030205203021060B2B0601040182E51C0101040412041077010BD7212A4FC9B236D2CA5E9D4084300C0603551D130101FF04023000300A06082A8648CE3D040302034700304402202B41A64C9FD77773884194269CC8F9B91330737F9909BB1B224E71566F74C80402203189CBA43A868AD98C4A014FDBD15A220961A4172A3D52981954D8A080E05162,3082017E30820125A003020102020101300A06082A8648CE3D04030230173115301306035504030C0C4654204649444F20303230303020170D3136303530313030303030305A180F32303530303530313030303030305A30173115301306035504030C0C4654204649444F20303230303059301306072A8648CE3D020106082A8648CE3D03010703420004D066AD1A953B1CED4C954DD7DBED76A70BEED2907A89769E7336FF2620BE4B199EBE7448A6D5808124CC74153AEF342D5104DE556178ED478E08310254FAA385A360305E301D0603551D0E041604144915642DD5BBC6DE333A5E0995FC872336D3BF0B301F0603551D230418301680144915642DD5BBC6DE333A5E0995FC872336D3BF0B300C0603551D13040530030101FF300E0603551D0F0101FF040403020106300A06082A8648CE3D04030203470030440220307CFAA021621407E40105A546B1D1F2D2CE51331964CE9497FF34B24D9994A50220076C09EA765133CA17FE7038DD187A489A2F3365F00821FFFFE2E2AC101B0743,"alg":"ES256"}。
step 105, the server determines the format type of the authentication declaration according to the first data, if the format type of the authentication declaration is a first type, step 106 is executed, if the format type of the authentication declaration is a second type, step 113 is executed, and if the format type of the authentication declaration is other types, corresponding operation is executed;
in this embodiment, the server determines the authentication assertion format type according to the first data, specifically: the server acquires the authentication declaration format identifier, determines that the authentication declaration format type is a first type if the authentication declaration format identifier is a first character, and determines that the authentication declaration format type is a second type if the authentication declaration format identifier is a second character; specifically, other types include: tpm, android-key, android-safe, none
For example, the first character is: a packed; the second character is: fido-u 2 f.
Step 106, the server decodes and analyzes the third data according to a preset coding method, and acquires a first preset field from the analyzed data;
step 107, the server determines an authentication type according to the first preset field, if the authentication type is the first authentication type, step 108 is executed, if the authentication type is the second authentication type, step 111 is executed, and if the authentication type is other authentication types, corresponding operation is executed;
in this embodiment, the first preset field is specifically an authentication type field;
the server determines the authentication type according to the first preset field as follows: the server determines the authentication type according to the authentication type field, determines the authentication type to be a first authentication type when the authentication type field is a basic authentication type, and determines the authentication type to be a second authentication type when the authentication type field is a self-authentication type; when the authentication type field is other, determining that the authentication type is other authentication types;
for example, if the authentication type field is Basic or AttCA, then the authentication type is determined to be a first authentication type, including a x5c certificate chain;
if the authentication type field is a self authentication type (self authentication), determining that the authentication type is a second authentication type;
the authentication type field is other (ECDAA), and then the authentication type is determined to be other authentication type ecdakeyid.
Step 108, the server acquires the authentication equipment certificate, the preset signature algorithm and the signature data in the third data;
in this embodiment, the certificate of the authentication device in the third data acquired by the server specifically includes: authenticating an equipment public key certificate written in when equipment leaves a factory;
the signature data in the third data acquired by the server specifically includes: the authentication equipment signs the abstract value of the client data and the second data through a private key of the authentication equipment according to a preset algorithm to obtain signature data; the private key of the authentication equipment is specifically an equipment private key written in when the authentication equipment leaves a factory
Step 109, the server checks the signature of the signature data through a preset algorithm according to the certificate of the authentication equipment in the third data, if the signature is successfully checked, step 110 is executed, otherwise, the process is ended;
step 110, the server acquires the equipment certificate chain in the third data, verifies the credibility of the acquired equipment certificate chain through the root certificate of the corresponding equipment stored in the server, if the verification is successful, step 116 is executed, otherwise, the operation is finished;
optionally, the server obtains the public key certificate of the authentication device in the third data, and verifies the normalization and the credibility of the public key certificate of the authentication device, if the verification is successful, step 116 is executed, otherwise, the process is ended;
step 111, the server acquires a public key in the certificate key pair in the second data, verifies whether the preset algorithm is matched with the public key in the certificate key pair, if so, executes step 112, otherwise, ends;
step 112, the server acquires the signature data in the third data, checks the signature of the signature data through a preset algorithm according to the public key in the certificate key pair, if the signature is successfully checked, the step 116 is executed, otherwise, the step is finished;
step 113, the server decodes and analyzes the third data according to a preset encoding method, and obtains an equipment certificate public key and signature data in the analyzed data;
step 114, the server checks the signature data through a preset algorithm according to the equipment certificate public key and the client data, if the signature is successfully checked, step 115 is executed, otherwise, the process is ended;
step 115, the server acquires a certificate corresponding to the authentication type in the third data, the credibility of the certificate is verified, if the verification is successful, the step 116 is executed, otherwise, the operation is finished;
and step 116, the server acquires the user certificate identification from the second data, judges whether the user certificate identification identical to the acquired user certificate identification exists according to the registered user certificate identification list, prompts the registration failure if the user certificate identification is identical to the acquired user certificate identification, and ends the registration, otherwise, stores the registration information and returns a registration completion response to the client.
EXAMPLE III
The third embodiment of the invention provides a system for accepting registration by a server, which comprises a system of the server, a client and an authentication device.
As shown in fig. 3, the server includes: the system comprises a receiving module 11, an analyzing module 12, a generating module 13, a verifying module 14, a determining module 15, an obtaining module 16, a judging module 17 and a sending module 18;
a receiving module 11, configured to receive a registration request sent by a client; the system is also used for receiving registration response data sent by the client;
the analysis module 12 is configured to analyze the registration request received by the receiving module 11; the server is further configured to analyze the registration response data received by the receiving module 11 to obtain client data and device data;
a generating module 13, configured to generate a challenge value, and generate registration data according to the challenge value and the registration information;
the verification module 14 is configured to verify the client data obtained through analysis by the analysis module 12, and decode and analyze the device data if the verification is successful to obtain first data, second data, and third data; the authentication declaration format type is used for identifying the signature data;
the determining module 15 is configured to determine the format type of the authentication declaration according to the first data obtained by the verifying module 14, and obtain signature data in the third data;
the obtaining module 16 is configured to obtain a user credential identifier in the second data when the verification module 14 successfully verifies the signature data;
a judging module 17, configured to judge whether the obtained user credential identifier exists in the registered user credential identifier list, and prompt that the registration is failed when judging that the obtained user credential identifier exists in the registered user credential identifier list;
a sending module 18, configured to send the registration data generated by the generating module 13 to the client; and is further configured to return a registration completion response to the client when the determining module 17 determines that the obtained user credential identifier does not exist in the list of registered user credential identifiers.
Optionally, in this embodiment, the verification module 14 includes a first verification unit, and the first verification unit is specifically configured to: and acquiring the access information, the abstract value and the registration information of the relying party in the client data, comparing the access information, the abstract value and the registration information of the relying party stored in the client data according to the access information, the abstract value and the registration information of the relying party, wherein if the access information, the abstract value and the registration information are consistent, the verification is successful, and if the access information, the abstract value and the registration information are inconsistent, the verification is failed.
Optionally, in this embodiment, the authentication assertion format type specifically includes a first authentication assertion format type;
the verification module 14 includes a second verification unit, and the second verification unit is specifically configured to verify the signature data according to a verification method corresponding to the first authentication declaration format type.
Preferably, in this embodiment, the second authentication unit includes: an acquisition unit, a determination unit and a verification unit,
the acquisition unit is used for acquiring a first preset field in the third data;
the determining unit is used for determining the authentication type according to the first preset field;
the verification unit is used for verifying the signature of the signature data according to the authentication type determined by the determination unit, if the signature verification is successful, the acquisition module 16 is triggered to acquire the user credential identifier in the second data, otherwise, the operation is finished.
Further preferably, in this embodiment, the authentication type includes a first authentication type;
when the authentication type determined by the determining unit according to the first preset field is the first authentication type, the verifying unit comprises: the system comprises a first acquisition subunit and a first verification subunit;
the first obtaining subunit is configured to obtain the authentication device certificate in the third data; the device certificate chain is also used for acquiring the device certificate chain in the third data;
the first verification subunit is used for verifying the signature of the signature data through a preset algorithm, and if the signature verification is successful, the first acquisition subunit is triggered to acquire the equipment certificate chain in the third data; and is further configured to verify the credibility of the acquired device certificate chain by using the root certificate of the corresponding device stored in the server, and if the verification is successful, trigger the acquisition module 16 to acquire the user credential identifier in the second data.
Further preferably, in this embodiment, the authentication type includes a second authentication type;
when the authentication type determined by the determining unit according to the first preset field is a second authentication type, the verifying unit comprises: the second acquisition subunit, the second verification subunit and the third verification subunit;
the second obtaining subunit is configured to obtain a public key in the credential key pair in the second data;
the second verification subunit is used for verifying whether the preset algorithm is matched with the public key in the certificate key pair;
the third verifying subunit is configured to, when the second verifying subunit verifies that the preset algorithm matches the public key in the credential key pair, verify the signature of the signature data through the preset algorithm according to the public key in the credential key pair, and if the verification is successful, trigger the obtaining module 16 to obtain the user credential identifier in the second data, otherwise, end the verification.
Optionally, in this embodiment, the authentication assertion format type specifically includes a second authentication assertion format type;
the verification module 14 includes a third verification unit, and the third verification unit is specifically configured to verify the signature data according to a verification method corresponding to the second authentication declaration format type.
Preferably, in this embodiment, the third verification unit specifically includes: a third acquisition subunit, a fourth verification subunit, a fourth acquisition subunit and a fifth verification subunit;
the third obtaining subunit is configured to obtain the device certificate and the certificate public key in the third data;
the fourth verification subunit is used for verifying the signature of the signature data through a preset algorithm according to the equipment certificate public key and the client data;
the fourth obtaining subunit is configured to, when the fourth verifying subunit succeeds in verifying, obtain a certificate corresponding to the authentication type in the third data;
the fifth verifying subunit is configured to verify the authenticity of the certificate, and if the verification is successful, the obtaining module 16 is triggered to obtain the user credential identifier in the second data, otherwise, the process is ended.
Optionally, in this embodiment, the parsing module 12 is further configured to, after the determining module 15 determines the authentication assertion format type according to the first data, decode and parse the third data according to a preset encoding method.
The technical scheme provided by the embodiment of the invention has the beneficial effects that: the invention provides a method for a server to receive registration, wherein the server receives and analyzes registration response data sent by a client to obtain client data and equipment data, determines the equipment type according to an authentication statement format type in the equipment data, and completes corresponding verification registration according to the equipment type.
The method for receiving registration by a server provided by the present invention is described in detail above, and a specific example is applied in the description to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understanding the method of the present invention and the core idea thereof; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
Claims (18)
1. A method for a server to accept registrations, the method comprising:
step S1, the server receives the registration request sent by the client, analyzes the registration request, generates a challenge value, generates registration data according to the challenge value and the registration information, and sends the registration data to the client;
step S2, the server receives the registration response data sent by the client, analyzes the registration response data to obtain client data and device data, verifies the client data, and decodes and analyzes the device data if the verification is successful to obtain first data, second data, and third data;
step S3, the server determines the format type of the authentication declaration according to the first data, obtains the signature data in the third data, verifies the signature of the signature data according to the verification method corresponding to the determined format type of the authentication declaration, and executes step S4 if the signature verification is successful; the authentication declaration format types are at least two;
step S4, the server obtains the user credential identifier in the second data, and determines whether the obtained user credential identifier exists in the list of registered user credential identifiers, if so, it prompts the registration failure, and ends, otherwise, it saves the registration information, and returns a registration completion response to the client.
2. The method according to claim 1, wherein said verifying said client data is in particular: the server acquires the access information, the abstract value and the registration information of the relying party in the client data, compares the access information, the abstract value and the registration information of the relying party stored in the server according to the access information, the abstract value and the registration information of the relying party stored in the server, if the access information, the abstract value and the registration information are consistent, the verification is successful, and if the access information, the abstract value and the registration information are inconsistent, the verification is failed.
3. The method according to claim 1, wherein the authentication assertion format type specifically comprises a first authentication assertion format type;
when the server determines that the authentication declaration format type is the first authentication declaration format type according to the first data, the verifying the signature of the signature data according to the verification method corresponding to the authentication declaration format type specifically includes: and the server checks the signature data according to a verification method corresponding to the first authentication declaration format type.
4. The method according to claim 3, wherein the verifying the signature data by the server according to the verification method corresponding to the first authentication declaration format type specifically includes: and the server acquires a first preset field in the third data, determines an authentication type according to the first preset field, verifies the signature of the signature data according to the authentication type, and executes the step S4 if the signature verification is successful, otherwise, the operation is finished.
5. The method of claim 4, wherein the authentication type comprises a first authentication type;
when the server determines that the authentication type is the first authentication type according to the first preset field, the verifying the signature of the signature data according to the authentication type specifically comprises:
step A1, the server acquires the certificate of the authentication equipment in the third data, checks the signature data through a preset algorithm, if the signature is successfully checked, the step A2 is executed, and if the signature is not successfully checked, the step is ended;
step a2, the server obtains the device certificate chain in the third data, verifies the credibility of the obtained device certificate chain through the root certificate of the corresponding device stored in the server, if the verification is successful, step S4 is executed, otherwise, the process is ended.
6. The method of claim 4, wherein the authentication type comprises a second authentication type;
when the server determines that the authentication type is the second authentication type according to the first preset field, the verifying the signature of the signature data according to the authentication type specifically comprises:
step B1, the server acquires a public key in the certificate key pair in the second data, verifies whether a preset algorithm is matched with the public key in the certificate key pair, if so, executes step B2, otherwise, finishes;
and step B2, the server checks the signature data through a preset algorithm according to the public key in the certificate key pair, if the signature is successfully checked, the step S4 is executed, and if the signature is not successfully checked, the process is ended.
7. The method according to claim 1, wherein the authentication assertion format type specifically comprises a second authentication assertion format type;
when the server determines that the authentication declaration format type is the second authentication declaration format type according to the first data, the verifying the signature of the signature data according to the verification method corresponding to the authentication declaration format type specifically includes: and the server checks the signature data according to a verification method corresponding to the second authentication declaration format type.
8. The method according to claim 7, wherein the server verifies the signature data according to a verification method corresponding to the second authentication declaration format type, specifically:
step C1, the server acquires the public key of the device certificate in the third data, checks the signature data through a preset algorithm according to the public key of the device certificate and the client data, if the signature is successfully checked, the step C2 is executed, otherwise, the process is finished;
step C2, the server obtains the certificate corresponding to the authentication type in the third data, the credibility of the certificate is verified, if the verification is successful, the step S4 is executed, otherwise, the operation is finished.
9. The method according to claim 1, wherein in step S3, after the server determines the authentication assertion format type according to the first data, the method further comprises: and the server decodes and analyzes the third data according to a preset coding method.
10. A system for a server to accept registrations, the system comprising: a server, a client and an authentication device;
the server includes: the device comprises a receiving module, an analyzing module, a generating module, a verifying module, a determining module, an obtaining module, a judging module and a sending module;
the receiving module is used for receiving a registration request sent by the client; the system is also used for receiving registration response data sent by the client;
the analysis module is used for analyzing the registration request received by the receiving module; the server is also used for analyzing the registration response data received by the receiving module to obtain client data and equipment data;
the generation module is used for generating a challenge value and generating registration data according to the challenge value and the registration information;
the verification module is used for verifying the client data analyzed by the analysis module, and decoding and analyzing the equipment data to obtain first data, second data and third data if the verification is successful; the authentication system is also used for verifying the signature data according to a verification method corresponding to the determined authentication declaration format type;
the determining module is used for determining the format type of the authentication statement according to the first data obtained by the verifying module and acquiring signature data in third data;
the obtaining module is used for obtaining the user certificate identification in the second data when the signature verification module successfully verifies the signature of the signature data;
the judging module is used for judging whether the acquired user certificate identification exists in the registered user certificate identification list or not and prompting registration failure when the acquired user certificate identification exists in the registered user certificate identification list;
the sending module is used for sending the registration data generated by the generating module to the client; and the judging module is also used for returning a registration completion response to the client when judging that the acquired user certificate identification does not exist in the registered user certificate identification list.
11. The system of claim 10, wherein the verification module comprises a first verification unit, the first verification unit being configured to: and acquiring the access information, the abstract value and the registration information of the relying party in the client data, comparing the access information, the abstract value and the registration information of the relying party stored in the client data according to the access information, the abstract value and the registration information of the relying party, wherein if the access information, the abstract value and the registration information are consistent, the verification is successful, and if the access information, the abstract value and the registration information are inconsistent, the verification is failed.
12. The system according to claim 10, wherein the authentication assertion format type specifically comprises a first authentication assertion format type;
the verification module comprises a second verification unit, and the second verification unit is specifically used for verifying the signature data according to the verification method corresponding to the first authentication declaration format type.
13. The system of claim 12, wherein the second authentication unit comprises: an acquisition unit, a determination unit and a verification unit,
the acquisition unit is used for acquiring a first preset field in third data;
the determining unit is used for determining an authentication type according to the first preset field;
the verification unit is used for verifying the signature of the signature data according to the authentication type determined by the determination unit, if the signature verification is successful, the acquisition module is triggered to acquire the user certificate identification in the second data, and if not, the verification is finished.
14. The system of claim 13, wherein the authentication type comprises a first authentication type;
when the authentication type determined by the determining unit according to the first preset field is the first authentication type, the verifying unit includes: the system comprises a first acquisition subunit and a first verification subunit;
the first obtaining subunit is configured to obtain an authentication device certificate in the third data; the device certificate chain is also used for acquiring the device certificate chain in the third data;
the first verification subunit is used for verifying the signature of the signature data through a preset algorithm, and if the signature verification is successful, the first acquisition subunit is triggered to acquire an equipment certificate chain in the third data; and the system is further used for verifying the credibility of the acquired equipment certificate chain through the root certificate of the corresponding equipment stored in the server, and triggering the acquisition module to acquire the user certificate identification in the second data if the verification is successful.
15. The system of claim 13, wherein the authentication type comprises a second authentication type;
when the authentication type determined by the determining unit according to the first preset field is a second authentication type, the verifying unit includes: the second acquisition subunit, the second verification subunit and the third verification subunit;
the second obtaining subunit is configured to obtain a public key in a credential key pair in the second data;
the second verification subunit is used for verifying whether the preset algorithm is matched with the public key in the certificate key pair;
and the third verification subunit is used for verifying the signature of the signature data through the preset algorithm according to the public key in the certificate key pair when the second verification subunit verifies that the preset algorithm is matched with the public key in the certificate key pair, and if the signature verification is successful, the third verification subunit triggers the acquisition module to acquire the user certificate identification in the second data, otherwise, the third verification subunit ends.
16. The system according to claim 10, wherein the authentication assertion format type specifically comprises a second authentication assertion format type;
the verification module comprises a third verification unit, and the third verification unit is specifically used for verifying the signature data according to a verification method corresponding to the second authentication declaration format type.
17. The system according to claim 16, wherein the third verification unit specifically comprises: a third acquisition subunit, a fourth verification subunit, a fourth acquisition subunit and a fifth verification subunit;
the third obtaining subunit is configured to obtain the device certificate and the certificate public key in the third data;
the fourth verification subunit is used for verifying the signature of the signature data through a preset algorithm according to the equipment certificate public key and the client data;
the fourth obtaining subunit is configured to, when the fourth verifying subunit successfully verifies the signature, obtain a certificate corresponding to the authentication type in the third data;
and the fifth verification subunit is used for verifying the credibility of the certificate, if the verification is successful, the acquisition module is triggered to acquire the user certificate identifier in the second data, and if not, the operation is finished.
18. The system according to claim 10, wherein the parsing module is further configured to, after the determining module determines the authentication assertion format type according to the first data, perform decoding parsing on third data according to a preset encoding method.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010160817.0A CN111414608B (en) | 2020-03-10 | 2020-03-10 | Method for receiving registration by server |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010160817.0A CN111414608B (en) | 2020-03-10 | 2020-03-10 | Method for receiving registration by server |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111414608A true CN111414608A (en) | 2020-07-14 |
| CN111414608B CN111414608B (en) | 2023-04-18 |
Family
ID=71490995
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010160817.0A Active CN111414608B (en) | 2020-03-10 | 2020-03-10 | Method for receiving registration by server |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111414608B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112242905A (en) * | 2020-12-10 | 2021-01-19 | 飞天诚信科技股份有限公司 | Method and system for realizing data communication based on registration interface of browser |
| CN112311558A (en) * | 2020-12-28 | 2021-02-02 | 飞天诚信科技股份有限公司 | Working method of key device and key device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106686004A (en) * | 2017-02-28 | 2017-05-17 | 飞天诚信科技股份有限公司 | Login authentication method and system |
| US20180212782A1 (en) * | 2014-08-18 | 2018-07-26 | Balazs Csik | Methods For Digitally Signing An Electronic File And Authentication Method |
| CN108881310A (en) * | 2018-08-15 | 2018-11-23 | 飞天诚信科技股份有限公司 | A kind of Accreditation System and its working method |
| CN109150541A (en) * | 2018-08-15 | 2019-01-04 | 飞天诚信科技股份有限公司 | A kind of Verification System and its working method |
-
2020
- 2020-03-10 CN CN202010160817.0A patent/CN111414608B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180212782A1 (en) * | 2014-08-18 | 2018-07-26 | Balazs Csik | Methods For Digitally Signing An Electronic File And Authentication Method |
| CN106686004A (en) * | 2017-02-28 | 2017-05-17 | 飞天诚信科技股份有限公司 | Login authentication method and system |
| CN108881310A (en) * | 2018-08-15 | 2018-11-23 | 飞天诚信科技股份有限公司 | A kind of Accreditation System and its working method |
| CN109150541A (en) * | 2018-08-15 | 2019-01-04 | 飞天诚信科技股份有限公司 | A kind of Verification System and its working method |
Non-Patent Citations (1)
| Title |
|---|
| 徐静 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112242905A (en) * | 2020-12-10 | 2021-01-19 | 飞天诚信科技股份有限公司 | Method and system for realizing data communication based on registration interface of browser |
| CN112242905B (en) * | 2020-12-10 | 2021-03-16 | 飞天诚信科技股份有限公司 | Method and system for realizing data communication based on registration interface of browser |
| CN112311558A (en) * | 2020-12-28 | 2021-02-02 | 飞天诚信科技股份有限公司 | Working method of key device and key device |
| CN112311558B (en) * | 2020-12-28 | 2021-04-06 | 飞天诚信科技股份有限公司 | Working method of key device and key device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111414608B (en) | 2023-04-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2017059741A1 (en) | Authentication method and device based on authentication device | |
| WO2017041621A1 (en) | Method and device for performing registration based on authentication device | |
| US10880298B2 (en) | Method for generating a key and access control method | |
| CN107612940A (en) | A kind of identity identifying method and authentication device | |
| CN100512201C (en) | Method for dealing inserted-requested message of business in groups | |
| CN107612889B (en) | Method for preventing user information leakage | |
| WO2013056601A1 (en) | Method and system for updating key | |
| MX2008015958A (en) | Biometric credential verification framework. | |
| CN106921640A (en) | Identity identifying method, authentication device and Verification System | |
| CN103107996A (en) | On-line download method and system of digital certificate and digital certificate issuing platform | |
| KR101858653B1 (en) | Method for certifying a user by using mobile id through blockchain database and merkle tree structure related thereto, and terminal and server using the same | |
| CN112437068B (en) | Authentication and key agreement method, device and system | |
| CN112396735B (en) | Internet automobile digital key safety authentication method and device | |
| WO2020035009A1 (en) | Authentication system and working method therefor | |
| CN101699820A (en) | Method and device for authenticating dynamic passwords | |
| CN111414608B (en) | Method for receiving registration by server | |
| CN112560009B (en) | Authentication method, terminal, client and computer storage medium | |
| CN114257376B (en) | Digital certificate updating method, device, computer equipment and storage medium | |
| KR20170066607A (en) | Security check method, device, terminal and server | |
| CN110943840B (en) | Signature verification method | |
| WO2013135170A1 (en) | Method, device, and system for identity authentication | |
| US20140223528A1 (en) | Certificate installation and delivery process, four factor authentication, and applications utilizing same | |
| WO2020024852A1 (en) | Authentication method and authentication device | |
| CN115514492A (en) | BIOS firmware verification method, device, server, storage medium and program product | |
| CN102281510B (en) | Multi-factor credible identity authenticating method and system for mobile mailbox |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |