CN111628867A - Identity management method, device and related components - Google Patents
Classifications: H04L9/3213 (cryptographic mechanisms for verifying the identity or authority of a user, involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos); H04L63/0807 (network security protocols for authentication of entities using tickets, e.g. Kerberos); H04L9/3247 (cryptographic mechanisms for verifying the identity or authority of a user, involving digital signatures).
Abstract
The application discloses an identity management method comprising the following steps: selecting a virtual card corresponding to the identity attribute required by the Web site to be logged in; acquiring, through the IdP, a first identity token and the required information corresponding to that identity attribute; obtaining identity information from the first identity token and the required information, so that the Web site to be logged in can generate a UserID from the identity information; and associating the UserID with the virtual card so that the user can access the Web site to be logged in through the virtual card. The method and system remove the dependence of internet identity authentication on the identity-card-and-password mode, together with the password fatigue, phishing attacks and similar problems that dependence causes, improve the reliability and security of identity management, let the user manage and use identity information through a virtual card, and are usable across multiple products and platforms. The application also discloses an identity management device, an electronic device and a computer-readable storage medium with the same beneficial effects.
Description
Technical Field
The present application relates to the field of internet medical technology, and in particular, to an identity management method, device, and related components.
Background
In the field of internet medicine there are at present the problems that the identity of a signing doctor cannot be confirmed, that multiple products and platforms lack effective unified identity login management, and that a doctor's identity qualification information cannot be shared across platforms. Unified identity management across products and platforms has two aspects: first, the user identity can be logged in and managed across products and platforms, and any use of the user's identity information must be authorised by the user, i.e. identity management is autonomous and under the user's control; second, the user's identity information is stored by the user or by a trusted third-party identity provider rather than by the Web site, so that the Web site cannot leak it. At present, unified login and management across products is realised with user-centred distributed digital identities, but the user is still required to enter an identity card and password for authentication when logging in to a Web site, which exposes the user's privacy to some extent and gives low security.
How to solve the above technical problem is therefore a problem that those skilled in the art need to address.
Disclosure of Invention
The invention aims to provide an identity management method, an identity management device, an electronic device and a computer-readable storage medium that remove the dependence of existing internet identity authentication on the identity-card-and-password mode and the security problems that dependence causes, such as password fatigue and phishing attacks, improve the reliability and security of identity management, let the user manage and use identity information through a virtual card, and are usable across multiple products and platforms.
To solve the above technical problem, the present application provides an identity management method, including:
selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
acquiring, through the IdP, a first identity token and the required information corresponding to the identity attribute;
obtaining identity information from the first identity token and the required information, so that the Web site to be logged in can generate a UserID from the identity information;
and associating the UserID with the virtual card so that the user can access the Web site to be logged in through the virtual card.
Preferably, before selecting the virtual card corresponding to the identity attribute of the Web site to be logged in, the identity management method further includes:
acquiring a policy file of the Web site to be logged in;
and determining, from the policy file, the identity attribute corresponding to the Web site to be logged in.
Preferably, the process of obtaining identity information from the first identity token and the required information specifically includes:
on receiving a first random number sent by the Web site to be logged in, generating a second random number, a session key and a second identity token;
encrypting the session key with the public key of the Web site to be logged in;
performing a digest operation over the first identity token, the identifier of the Web site to be logged in, the second random number, the second identity token, the user public key and the required information to obtain a hash value;
obtaining a digital signature over the hash value with the user private key;
and encrypting the digital signature, the user-side public key and the required information with the session key to obtain the identity information.
Preferably, the process by which the Web site to be logged in generates the UserID from the identity information specifically includes:
the Web site to be logged in verifying the digital signature with the user public key;
and, when signature verification succeeds, the Web site to be logged in acquiring and storing the required information and generating a UserID.
Preferably, after generating the UserID, the identity management method further includes:
the Web site to be logged in encrypting the UserID and the second random number with the session key;
and correspondingly, the process of associating the UserID with the virtual card specifically includes:
associating the UserID with the virtual card when the received second random number matches the second random number generated on the user side.
Preferably, the process of obtaining identity information from the first identity token and the required information specifically includes:
on receiving a first random number sent by the Web site to be logged in, generating a second random number and a session key;
acquiring the public key of the IdP;
and encrypting the first identity token, the public key of the IdP, the second random number and the required information with the session key to obtain the identity information.
Preferably, the identity management method further includes:
setting a validity period for the first identity token;
and, if the current time is outside the validity period, acquiring a new first identity token.
To solve the above technical problem, the present application further provides an identity management apparatus, including:
a card selecting module for selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
an acquisition module for acquiring, through the IdP, the first identity token and the required information corresponding to the identity attribute;
a processing module for obtaining identity information from the first identity token and the required information, so that the Web site to be logged in can generate a UserID from the identity information;
and an access module for associating the UserID with the virtual card so that the user can access the Web site to be logged in through the virtual card.
In order to solve the above technical problem, the present application further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the identity management method according to any one of the above when executing the computer program.
To solve the above technical problem, the present application further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor it implements the steps of the identity management method according to any one of the above.
The application provides an identity management method in which, during identity authentication, the user authenticates to the Web site to be logged in with an identity token issued by the IdP rather than with an identity card and password. This removes the dependence of existing internet identity authentication on the identity-card-and-password mode and the security problems that dependence causes, such as password fatigue and phishing attacks, and improves the reliability and security of identity management. The user's identity information is managed and used through a virtual card, subsequent visits to the Web site can be logged in through that virtual card, and the method is usable across multiple products and platforms. The application also provides an identity management device, an electronic device and a computer-readable storage medium with the same beneficial effects as the identity management method.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a schematic structural diagram of an identity management system provided in the present application;
fig. 2 is a schematic structural diagram of another identity management system provided in the present application;
FIG. 3 is a flowchart illustrating steps of a method for identity management provided herein;
fig. 4 is a schematic structural diagram of an identity management apparatus provided in the present application;
fig. 5 is a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
The core of the application is to provide an identity management method, an identity management device, an electronic device and a computer-readable storage medium that remove the dependence of existing internet identity authentication on the identity-card-and-password mode and the security problems that dependence causes, such as password fatigue and phishing attacks, improve the reliability and security of identity management, let the user manage and use identity information through a virtual card, and are usable across multiple products and platforms.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, the field of internet medicine has the problems that the identity of a signing doctor cannot be confirmed, that multiple products and platforms lack effective unified identity login management, and that a doctor's identity qualification information cannot be shared across platforms; the existing user-centred identity management mechanisms solve part of this but still leave some problems. To make the identity management method of the present application easier to understand, the identity management system it applies to is described first. Please refer to Fig. 1 and Fig. 2, which show two identity management systems provided in the present application.
As shown in Fig. 1 and Fig. 2, the identity management system of this embodiment comprises a user side, an IdP (Identity Provider) and the Web site the user logs in to, the relying party (RP). The user side comprises a client application and an identity management agent, the Selector. The Selector manages the user's digital certificates and identity information, including their creation, acquisition, authorisation, use and maintenance. Through the Selector the user can create an identity information card of their own (a self-established certificate) and can also manage, in the form of virtual cards, identity information issued by an IdP (a third-party identity).
The RP is the Web site the user logs in to; it must support the Vcard authentication mode. The IdP is a trusted identity provider that can issue an identity information card (a third-party identity, or escrow card) to the user, who can then log in to a Web site with that third-party identity. In that case the Selector obtains the identity attribute token from the IdP and forwards it to the RP, which performs identity authentication.
In the concrete communication process and protocol, the user's identity information is managed in two forms: identity information created by the user (a self-established identity) and identity information issued by a third party (a third-party identity). A certificate created by the user holds the user's various identity attributes and can be used to log in to different Web sites; its authentication mode relies mainly on a public/private key pair.
When the user installs the Selector, it automatically generates a public/private key pair for the user for later identity authentication. A certificate issued by a third party, such as a bank card or an electronic identity card, mainly records the URL of the identity issuer; the user can log in to the Web site to be logged in with the identity information the third party issues.
The identity management methods corresponding to the user self-established identity certificate and the third party issued identity certificate are described in detail below.
Referring to fig. 3, fig. 3 is a flowchart illustrating steps of an identity management method according to the present application, where the identity management method includes:
S101: selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
Specifically, the Web site to be logged in is a Web site that supports virtual card (Vcard) login. The user visits the Web site and chooses Vcard login, at which point the browser triggers the Selector. The Selector first acquires the policy file of the Web site to be logged in, which gives the identity attribute the Web site requires; the policy file is fetched from a preset address, for example when the Web site address is www.baidu.com the acquisition address is www.baidu.com/polar. After acquiring the identity attribute the Web site requires, the Selector pops up a card selection interface and the user selects a suitable virtual card according to that attribute. With the scheme of the application, doctor users in the internet medical field manage and use their identity information in the form of virtual cards, which is usable across products and platforms.
S102: acquiring, through the IdP, a first identity token and the required information corresponding to the identity attribute;
Specifically, after card selection and user authorisation, the Selector calls the corresponding IdP interface and directs the user to the IdP so that the user authenticates there. After authentication succeeds, the IdP sends the user a Token signed with the IdP private key (the first identity token), the IdP public key and the required information corresponding to the identity attribute. The Selector shows the user the required information that will be sent to the Web site to be logged in, and the user authorises its submission. In this way the identity token issued by the IdP is used to authenticate to the Web site to be logged in, the identity-card-and-password mode is avoided, the dependence of existing internet identity authentication on that mode and the security problems it causes, such as password fatigue and phishing attacks, are removed, and the reliability and security of identity management are improved.
S103: obtaining identity information from the first identity token and the required information, so that the Web site to be logged in can generate a UserID from the identity information;
S104: associating the UserID with the virtual card so that the user can access the Web site to be logged in through the virtual card.
Specifically, before this step the Selector and the Web site to be logged in may first establish an SSL secure connection, so that the subsequent communication is encrypted by SSL.
The process for a user self-established identity certificate is as follows. After the Selector receives the first random number nonce1 generated by the Web site to be logged in, it generates a second random number nonce2, a session key and a second identity token, and encrypts the session key with the public key of the Web site to be logged in, which was obtained when the SSL connection was established. The Selector then computes a digest over the identifier of the Web site to be logged in, nonce2, the user public key, the required information, the first identity token and the second identity token to obtain a hash value, signs the hash value with the user private key, and sends the Web site to be logged in the identity information obtained by encrypting the digital signature, the Selector's public key and the required information with the session key. After receiving the identity information, the Web site to be logged in verifies the digital signature with the user public key; if verification succeeds it takes the required information sent by the user, generates a UserID for the user, and encrypts the UserID and nonce2 with the session key. The Selector decrypts the reply received over SSL and compares the returned nonce value with the nonce2 it created; if they match it records the UserID and associates it with the CardID, after which the user's browser can access the authorised resources of the Web site to be logged in.
The digital signature can be verified with the signature verification method of an asymmetric algorithm, and the UserID and nonce2 are encrypted with the session key before being returned to the Selector so that they cannot be intercepted, which improves the security of data transmission.
When the user later logs in to the Web site again, the Selector automatically displays the certificate used for the first authentication, i.e. the virtual card, and the user can log in to the Web site to be logged in after confirming it. The authentication information the user sends to the Web site at this point differs from the first login: after the first login the Web site to be logged in has already allotted an ID to the user and stored that ID together with the user's public key, so the Selector no longer needs to fetch the Web site's policy. The Selector only needs to generate a random number, sign with the user private key the UserID the Web site allotted to the user, the random number and the identifier of the Web site to be logged in, encrypt the result with the session key, and send it to the Web site to be logged in over SSL.
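As an added example (not the patent's own code), the self-established-identity exchange of steps S103/S104 from the claims and the paragraph above, written in Go with only the standard library: the Selector signs a digest over the six claimed fields, the RP verifies it with the user public key carried in the message and allots a UserID, and the Selector binds that UserID to the card only when the echoed nonce2 is its own. The session-key wrapping and SSL transport are omitted, RSA-2048 with SHA-256 is used instead of the 1024-bit RSA/SHA-1 the text names, and the field framing and the UserID scheme are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// identityInfo is the S103 message from the Selector to the relying party (RP)
// for a self-established identity; the session-key wrapping is left out (see lead-in).
type identityInfo struct {
	Token1, Token2, RPID, Nonce2 []byte // first/second identity token, RP identifier, nonce2
	UserPub                      []byte // user public key, PKIX DER
	Demand                       []byte // required information the user authorised
	Sig                          []byte // RSA PKCS#1 v1.5 signature over digest()
}

// digest hashes the six fields listed in the claim. Each field is length-prefixed
// (an assumption; the text specifies no framing) so that shifting bytes between
// adjacent fields cannot yield the same hash.
func digest(m *identityInfo) []byte {
	h := sha256.New()
	for _, f := range [][]byte{m.Token1, m.RPID, m.Nonce2, m.Token2, m.UserPub, m.Demand} {
		n := len(f)
		h.Write([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)})
		h.Write(f)
	}
	return h.Sum(nil)
}

// Selector holds the key pair generated at install time and the card state S104 binds to.
type Selector struct {
	Priv   *rsa.PrivateKey
	CardID string
	UserID string // empty until Associate succeeds
	nonce2 []byte
}

// BuildIdentityInfo is the Selector side of S103: on receipt of nonce1 it generates
// nonce2 and a second identity token, hashes the fields and signs the hash.
func (s *Selector) BuildIdentityInfo(nonce1, token1, rpID, demand []byte) (*identityInfo, error) {
	if len(nonce1) == 0 {
		return nil, errors.New("missing nonce1 from the RP")
	}
	fresh := make([]byte, 32) // nonce2 || token2
	if _, err := rand.Read(fresh); err != nil {
		return nil, err
	}
	s.nonce2 = fresh[:16]
	pub, err := x509.MarshalPKIXPublicKey(&s.Priv.PublicKey)
	if err != nil {
		return nil, err
	}
	m := &identityInfo{Token1: token1, Token2: fresh[16:], RPID: rpID, Nonce2: s.nonce2, UserPub: pub, Demand: demand}
	if m.Sig, err = rsa.SignPKCS1v15(rand.Reader, s.Priv, crypto.SHA256, digest(m)); err != nil {
		return nil, err
	}
	return m, nil
}

// RelyingParty is the Web site being logged in to.
type RelyingParty struct {
	ID    []byte
	Users map[string][]byte // UserID -> user public key (DER), kept after first login
}

// Register is the RP side of S103: check the message is for this RP, verify the
// signature with the public key it carries, store that key and allot a UserID.
func (rp *RelyingParty) Register(m *identityInfo) (string, []byte, error) {
	if !bytes.Equal(m.RPID, rp.ID) {
		return "", nil, errors.New("message addressed to a different RP")
	}
	k, err := x509.ParsePKIXPublicKey(m.UserPub)
	if err != nil {
		return "", nil, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return "", nil, errors.New("user public key is not RSA")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(m), m.Sig); err != nil {
		return "", nil, fmt.Errorf("signature verification failed: %w", err)
	}
	sum := sha256.Sum256(m.UserPub)
	userID := fmt.Sprintf("user-%x", sum[:6]) // constructed scheme; the patent fixes none
	rp.Users[userID] = m.UserPub
	return userID, m.Nonce2, nil
}

// Associate is S104: accept the UserID only if the echoed nonce2 is the one this
// Selector generated for this login, then bind it to the virtual card.
func (s *Selector) Associate(userID string, echoedNonce2 []byte) error {
	if !bytes.Equal(echoedNonce2, s.nonce2) {
		return errors.New("nonce2 mismatch: reply does not belong to this login")
	}
	s.UserID = userID
	return nil
}
```

A message whose required information was altered after signing, a reply carrying another login's nonce2, or a message addressed to a different RP all fail the checks and leave no UserID bound to the card.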
The process for an identity certificate issued by a third party is as follows. After the Selector receives the first random number nonce1 generated by the Web site to be logged in, it generates a second random number nonce2 and a session key, encrypts the first identity token issued by the IdP, the IdP public key and the second random number with the session key to obtain the identity information, and sends it to the Web site to be logged in. After receiving the identity information, the Web site to be logged in verifies the digital signature with the IdP public key; if verification succeeds it takes the required information sent by the user, the user may access the authorised resources of the Web site, a UserID is generated for the user, and the UserID and nonce2 are encrypted with the session key and sent to the Selector over SSL. The Selector decrypts the reply and compares the returned nonce value with the nonce2 it created; if they match it records the UserID and associates it with the CardID. This is the first login to the Web site with a third-party identity. When the user later logs in to the Web site again, the Selector automatically displays the virtual card used for the first authentication; after the user confirms it, the Selector communicates with the IdP, obtains the first identity Token issued by the IdP, and the Web site to be logged in identifies the user through that Token.
As a preferred embodiment, a validity period may be set for the first identity token. Within the validity period the user can log in to the Web site to be logged in directly with the first identity token stored by the Selector; after the first identity token expires, the Selector must communicate with the IdP again to obtain a new first identity token.
The primary function of the IdP is to issue third-party certificates to users and to generate digital certificates for users during their login to the Web site to be logged in. A third-party identity mainly contains the URL (Uniform Resource Locator) of the IdP, and the Selector obtains the identity certificate by accessing the IdP at the URL recorded in the certificate. The identity certificate is generated with a 1024-bit RSA asymmetric algorithm and transmitted over the http protocol; after receiving the reply message, the Selector parses the body of the http message to obtain the identity certificate issued by the IdP. The Web site to be logged in is built with JSP/Servlet technology and Tomcat as the application server, uses digital certificates conforming to the X.509v3 standard, and implements digital signatures with the 1024-bit RSA asymmetric algorithm and the 160-bit SHA-1 message digest algorithm. In addition, after the user logs in to the Web site to be logged in for the first time, the Web site stores the user's public key and required information in a database, automatically generates a UserID for the user and returns it to the user.
Thus, during identity authentication, the identity token issued by the IdP is used to authenticate to the Web site to be logged in, the identity-card-and-password mode is avoided, the dependence of existing internet identity authentication on that mode and the security problems it causes, such as password fatigue and phishing attacks, are removed, and the reliability and security of identity management are improved. The user's identity information is managed and used through the virtual card, subsequent visits to the Web site can be logged in through that virtual card, and the method and system are usable across multiple products and platforms.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an identity management apparatus provided in the present application, where the identity management apparatus includes:
the card selecting module 1, for selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
the acquisition module 2, for acquiring, through the IdP, the first identity token and the required information corresponding to the identity attribute;
the processing module 3, for obtaining identity information from the first identity token and the required information, so that the Web site to be logged in can generate a UserID from the identity information;
and the access module 4, for associating the UserID with the virtual card so that the user can access the Web site to be logged in through the virtual card.
As a preferred embodiment, the identity management device further comprises:
the acquisition module 2 is used for acquiring a policy file of the Web site to be logged in;
and the determining module is used for determining the identity attribute corresponding to the Web site to be logged in through the policy file.
As a preferred embodiment, the processing module 3 specifically includes:
the first generation unit is used for generating a second random number, a session key and a second identity token when receiving the first random number sent by the to-be-logged Web site;
the first encryption unit is used for encrypting the session key through the public key of the Web site to be logged in;
the computing unit is used for performing a digest operation on the first identity token, the identifier of the Web site to be logged in, the second random number, the second identity token, the user public key and the demand information to obtain a hash value;
the first signature unit is used for obtaining a digital signature through a user private key and a hash value;
and the second encryption unit is used for encrypting the digital signature, the public key of the user side and the demand information through the session key to obtain the identity information.
As a preferred embodiment, the process of generating the UserID by the to-be-logged-in Web site according to the identity information specifically includes:
verifying the digital signature by the Web site to be logged in through a user public key;
and when the signature verification is successful, the Web site to be logged in acquires and stores the required information and generates a UserID.
As a preferred embodiment, the identity management device further comprises:
the encryption module is used for encrypting the UserID and the second random number by using the session key through the Web site to be logged in;
correspondingly, the access module 4 is specifically configured to:
and when the received second random number is consistent with the second random number generated by the user, associating the UserID with the virtual card.
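The enrolment exchange that the processing module, the UserID generation step and the access module describe above (and that claims 3 to 5 restate), as an added Python example that is not the application's own code. It assumes the `cryptography` package; RSA-2048 with PSS/OAEP over SHA-256 and AES-256-GCM stand in for the 1024-bit RSA and SHA-1 the application names, because those are no longer acceptable for signatures; the wire layout (the two tokens and the second random number travelling in the clear beside the ciphertext), the site identifier, the tokens and the demand information are constructed placeholders, since the application does not specify them.

```python
"""Enrolment exchange of claims 3 to 5 as an added example (not the application's own code).
RSA-2048 with PSS/OAEP over SHA-256 and AES-256-GCM stand in for the 1024-bit RSA and SHA-1
the application names; the wire layout beside the ciphertext is assumed, not specified there."""
import hashlib, json, os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PREHASHED = utils.Prehashed(hashes.SHA256())
DER = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def digest(*parts: bytes) -> bytes:
    """Hash the fields as a JSON array so that field boundaries are unambiguous."""
    return hashlib.sha256(json.dumps([p.hex() for p in parts]).encode()).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """AES-256-GCM with a fresh 12-byte nonce prefixed to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def unseal(key: bytes, blob: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)  # raises InvalidTag if altered

def user_build(site_pub, site_id: str, user_key, token1: bytes, demand: bytes):
    """Processing module (claim 3): nonce2, session key and token2; key wrapped to the site;
    digest over the six claimed fields signed; (signature, user public key, demand) encrypted.
    The site's first random number only triggers this step in the claim, so it is not a parameter."""
    key, nonce2, token2 = os.urandom(32), os.urandom(16), os.urandom(16)
    user_pub = user_key.public_key().public_bytes(*DER)
    sig = user_key.sign(digest(token1, site_id.encode(), nonce2, token2, user_pub, demand), PSS, PREHASHED)
    payload = json.dumps({"sig": sig.hex(), "user_pub": user_pub.hex(), "demand": demand.hex()})
    msg = {"wrapped_key": site_pub.encrypt(key, OAEP), "nonce2": nonce2,
           "token1": token1, "token2": token2, "ciphertext": seal(key, payload.encode())}
    return key, msg

def site_generate(site_key, site_id: str, msg: dict, db: dict) -> bytes:
    """Site side (claims 4 and 5): unwrap the session key, verify the signature with the user's
    public key, store the demand information, mint a UserID and return it with nonce2, encrypted."""
    key = site_key.decrypt(msg["wrapped_key"], OAEP)
    p = {k: bytes.fromhex(v) for k, v in json.loads(unseal(key, msg["ciphertext"])).items()}
    user_pub = serialization.load_der_public_key(p["user_pub"])
    h = digest(msg["token1"], site_id.encode(), msg["nonce2"], msg["token2"], p["user_pub"], p["demand"])
    user_pub.verify(p["sig"], h, PSS, PREHASHED)  # InvalidSignature if any bound field differs
    user_id = os.urandom(8).hex()  # the application does not specify how the UserID is formed
    db[user_id] = {"user_pub": p["user_pub"], "demand": p["demand"]}
    return seal(key, json.dumps({"user_id": user_id, "nonce2": msg["nonce2"].hex()}).encode())

def user_associate(key: bytes, nonce2: bytes, reply: bytes) -> str:
    """Access module (claim 5): bind the UserID to the virtual card only when the echoed
    second random number equals the one generated locally."""
    r = json.loads(unseal(key, reply))
    if bytes.fromhex(r["nonce2"]) != nonce2:
        raise ValueError("second random number mismatch: reply is not for this exchange")
    return r["user_id"]

def run_protocol(site_id: str = "www.example.test", verify_as: str = "") -> str:
    """One enrolment on constructed inputs; verify_as makes the site check under another identifier."""
    site_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key, msg = user_build(site_key.public_key(), site_id, user_key, b"token1-from-IdP", b"demand:email")
    return user_associate(key, msg["nonce2"], site_generate(site_key, verify_as or site_id, msg, db={}))

if __name__ == "__main__":
    print("UserID bound to the virtual card:", run_protocol())
```

Calling `run_protocol(verify_as="www.other.test")` raises InvalidSignature, which shows what the digest binds: the signature is only valid for the site identifier, tokens and second random number it was computed over.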
As a preferred embodiment, the processing module 3 specifically includes:
the second generation unit is used for generating a second random number and a session key when receiving the first random number sent by the to-be-logged Web site;
an obtaining unit, configured to obtain a public key of the IdP;
and the third encryption unit is used for encrypting the first identity token, the public key of the IdP, the second random number and the demand information through the session key to obtain the identity information.
As a preferred embodiment, the identity management device further comprises:
and the monitoring module is used for setting a validity period for the first identity token and acquiring a new first identity token if the current time is outside that validity period.
On the other hand, the present application also provides an electronic device, as shown in fig. 5, which shows a schematic structural diagram of an electronic device according to an embodiment of the present application, where the electronic device 2100 according to the embodiment may include: a processor 2101 and a memory 2102.
Optionally, the electronic device may further comprise a communication interface 2103, an input unit 2104 and a display 2105 and a communication bus 2106.
The processor 2101, the memory 2102, the communication interface 2103, the input unit 2104, the display 2105, and the like communicate with each other via the communication bus 2106.
In the embodiment of the present application, the processor 2101 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor, a field-programmable gate array (FPGA) or another programmable logic device.
The processor may call a program stored in the memory 2102. Specifically, the processor may perform operations performed on the electronic device side in the following embodiments of the identity management method.
The memory 2102 stores one or more programs, which may include program code including computer operating instructions, and in this embodiment, at least one program for implementing the following functions is stored in the memory:
selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
acquiring a first identity token and demand information corresponding to identity attributes through the IdP;
obtaining identity information according to the first identity token and the requirement information so that the Web site to be logged in can generate a UserID according to the identity information;
and associating the UserID with the virtual card so that the user can access the Web site to be logged in through the virtual card.
In one possible implementation, the memory 2102 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a topic detection function, etc.), and the like; the storage data area may store data created according to the use of the computer.
Further, the memory 2102 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device or another non-volatile solid-state storage device.
The communication interface 2103 may be an interface of a communication module, such as an interface of a GSM module.
The present application may also include a display 2104 and an input unit 2105, among others.
Of course, the structure of the internet of things device shown in fig. 5 does not limit the internet of things device in the embodiment of the present application; in practical applications, the electronic device may include more or fewer components than those shown in fig. 5, or combine some of them.
In another aspect, the present application further provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the identity management method as described in any one of the above embodiments.
For the introduction of a computer-readable storage medium provided in the present application, please refer to the above embodiments, which are not described herein again.
The computer-readable storage medium provided by the application has the same beneficial effects as the identity management method.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. An identity management method, comprising:
selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
acquiring a first identity token and demand information corresponding to the identity attribute through the IdP;
obtaining identity information according to the first identity token and the requirement information so that the Web site to be logged in can generate a UserID according to the identity information;
and associating the UserID with the virtual card so that a user can access the Web site to be logged in through the virtual card.
2. The identity management method of claim 1, wherein before the selecting the virtual card corresponding to the identity attribute of the website to be logged in, the identity management method further comprises:
acquiring a policy file of the Web site to be logged in;
and determining the identity attribute corresponding to the Web site to be logged in through the policy file.
3. The identity management method according to claim 1, wherein the process of obtaining identity information according to the first identity token and the requirement information specifically comprises:
when receiving the first random number sent by the Web site to be logged in, generating a second random number, a session key and a second identity token;
encrypting the session key through a public key of the Web site to be logged in;
performing digest operation on the first identity token, the identifier of the Web site to be logged in, the second random number, the second identity token, the user public key and the demand information to obtain a hash value;
obtaining a digital signature through a user private key and the hash value;
and encrypting the digital signature, the public key of the user side and the demand information through the session key to obtain identity information.
4. The identity management method according to claim 3, wherein the process of generating the UserID by the to-be-logged-in website according to the identity information specifically comprises:
the Web site to be logged in verifies the digital signature through the user public key;
and when the signature verification is successful, the to-be-logged Web site acquires and stores the requirement information and generates a UserID.
5. The identity management method of claim 4, wherein after the generating the UserID, the identity management method further comprises:
encrypting the UserID and the second random number by the Web site to be logged in by using the session key;
correspondingly, the process of associating the UserID with the virtual card specifically includes:
and when the received second random number is consistent with the second random number generated by the user, associating the UserID with the virtual card.
6. The identity management method according to claim 1, wherein the process of obtaining identity information according to the first identity token and the requirement information specifically comprises:
when receiving the first random number sent by the Web site to be logged in, generating a second random number and a session key;
acquiring the public key of the IdP;
and encrypting the first identity token, the public key of the IdP, the second random number and the demand information through the session key to obtain identity information.
7. The identity management method according to any one of claims 1 to 6, wherein the identity management method further comprises:
setting a validity period of the first identity token;
and if the current moment is not in the validity period, acquiring a new first identity token.
8. An identity management device, comprising:
the card selecting module is used for selecting a virtual card corresponding to the identity attribute of the Web site to be logged in;
the acquisition module is used for acquiring the first identity token and the demand information corresponding to the identity attribute through the IdP;
the processing module is used for obtaining identity information according to the first identity token and the requirement information so that the Web site to be logged in can generate a UserID according to the identity information;
and the access module is used for associating the UserID with the virtual card so as to enable a user to access the Web site to be logged in through the virtual card.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the identity management method as claimed in any one of claims 1 to 7 when executing said computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the identity management method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010455067.XA CN111628867A (en) | 2020-05-26 | 2020-05-26 | Identity management method, device and related components |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111628867A true CN111628867A (en) | 2020-09-04 |
Family ID: 72259987
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010455067.XA Pending CN111628867A (en) | 2020-05-26 | 2020-05-26 | Identity management method, device and related components |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111628867A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230353531A1 (en) * | 2017-10-04 | 2023-11-02 | The Dun & Bradstreet Corporation | System and method for identity resolution across disparate distributed immutable ledger networks |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050124320A1 (en) * | 2003-12-09 | 2005-06-09 | Johannes Ernst | System and method for the light-weight management of identity and related information |
US20090300742A1 (en) * | 2008-05-27 | 2009-12-03 | Open Invention Network Llc | Identity selector for use with a user-portable device and method of use in a user-centric identity management system |
CN102811210A (en) * | 2011-06-03 | 2012-12-05 | 北京邮电大学 | Information card authenticating method and system based on WS protocol |
CN102984127A (en) * | 2012-11-05 | 2013-03-20 | 武汉大学 | User-centered mobile internet identity managing and identifying method |
- 2020-05-26 CN CN202010455067.XA patent/CN111628867A/en active Pending
Non-Patent Citations (1)
Title |
---|
王鹃 et al.: "A user-centered mobile Internet identity management and authentication system", 《山东大学学报(理学版)》 (Journal of Shandong University, Natural Science) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200904 |