CN112559993B - Identity authentication method, device and system and electronic equipment - Google Patents


Publication number
CN112559993B
Authority
CN
China
Prior art keywords
authentication
application
cloud
identity authentication
terminal equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011551761.8A
Other languages
Chinese (zh)
Other versions
CN112559993A (en)
Inventor
何嘉全
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Realme Chongqing Mobile Communications Co Ltd
Original Assignee
Realme Chongqing Mobile Communications Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Realme Chongqing Mobile Communications Co Ltd
Priority to CN202011551761.8A
Publication of CN112559993A
Application granted
Publication of CN112559993B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The embodiment of the application discloses an identity authentication method, an identity authentication device, an identity authentication system and electronic equipment. The method is applied to a cloud server and can comprise the following steps: receiving an identity authentication request initiated by a cloud application, wherein the cloud application operates on the cloud server; sending an authentication instruction to the terminal equipment according to the identity authentication request, wherein the authentication instruction is used for indicating the terminal equipment to perform user identity authentication and generating target information according to an authentication result; receiving the target information sent by the terminal equipment; and processing the target information to obtain the authentication result, and returning the authentication result to the cloud application. The identity authentication method, the identity authentication device, the identity authentication system and the electronic equipment can improve the safety of using cloud applications by the terminal equipment.

Description

Identity authentication method, device and system and electronic equipment
Technical Field
The present application relates to the field of network technologies, and in particular, to an identity authentication method, device, system, and electronic device.
Background
The cloud terminal is a novel terminal technology, and refers to terminal equipment which applies a cloud computing technology to network terminal services and realizes cloud services through a cloud server. When the cloud terminal is used, the cloud terminal does not need to download cloud application programs, the application programs can directly run in the cloud server, and the cloud terminal can use the functions of all the cloud application programs through a network. How to improve the security of the terminal device in using the cloud application becomes a popular research direction.
Disclosure of Invention
The embodiment of the application discloses an identity authentication method, an identity authentication device, an identity authentication system and electronic equipment, which can improve the safety of using cloud applications by terminal equipment.
The embodiment of the application discloses an identity authentication method, which is applied to a cloud server and comprises the following steps:
receiving an identity authentication request initiated by a cloud application, wherein the cloud application operates on the cloud server;
sending an authentication instruction to the terminal equipment according to the identity authentication request, wherein the authentication instruction is used for indicating the terminal equipment to perform user identity authentication and generating target information according to an authentication result;
receiving the target information sent by the terminal equipment;
and processing the target information to obtain the authentication result, and returning the authentication result to the cloud application.
The embodiment of the application discloses an identity authentication method, which is applied to terminal equipment and comprises the following steps:
receiving an authentication instruction sent by a cloud server, wherein the authentication instruction is generated by the cloud server according to an identity authentication request initiated by a cloud application, and the cloud application operates on the cloud server;
user identity authentication is carried out on the collected user identity information according to the authentication instruction, and target information is generated according to an authentication result;
and sending the target information to the cloud server, wherein the target information is used for processing at the cloud server to obtain the authentication result, and returning the authentication result to the cloud application through the cloud server.
The embodiment of the application discloses an identity authentication device, which is applied to a cloud server, and the device includes:
the request receiving module is used for receiving an identity authentication request initiated by a cloud application, and the cloud application operates on the cloud server;
the sending module is used for sending an authentication instruction to the terminal equipment according to the identity authentication request, wherein the authentication instruction is used for indicating the terminal equipment to carry out user identity authentication and generating target information according to an authentication result;
the information receiving module is used for receiving the target information sent by the terminal equipment;
and the result return module is used for processing the target information to obtain the authentication result and returning the authentication result to the cloud application.
The embodiment of the application discloses an identity authentication system, which comprises a cloud server and terminal equipment, wherein,
the cloud server is used for receiving an identity authentication request initiated by a cloud application and sending an authentication instruction to the terminal equipment according to the identity authentication request, and the cloud application runs on the cloud server;
The terminal equipment is used for carrying out user identity authentication on the collected user identity information according to the authentication instruction, generating target information according to an authentication result and sending the target information to the cloud server;
the cloud server is further configured to receive the target information sent by the terminal device, process the target information to obtain the authentication result, and return the authentication result to the cloud application.
The embodiment of the application discloses electronic equipment, which comprises a memory and a processor, wherein a computer program is stored in the memory, and when the computer program is executed by the processor, the processor realizes the method applied to a cloud server as described above.
The embodiment of the application discloses a terminal device, which comprises a memory and a processor, wherein the memory stores a computer program, and the computer program, when executed by the processor, causes the processor to realize the method applied to the terminal device.
According to the identity authentication method, the device, the system and the electronic equipment disclosed by the embodiment of the application, the cloud server receives an identity authentication request initiated by the cloud application, an authentication instruction is sent to the terminal equipment according to the identity authentication request, the terminal equipment can conduct user identity authentication according to the authentication instruction, target information is generated according to an authentication result and then sent to the cloud server, the cloud server can process the target information sent by the terminal equipment to obtain an authentication result and return the authentication result to the cloud application, the cloud application running on the cloud server can normally complete user identity authentication through the terminal equipment, the whole user identity authentication process is conducted on the terminal equipment, the problem of user identity information leakage can be prevented, and the safety of the cloud application used by the terminal equipment is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is an application scenario diagram of an identity authentication method in one embodiment;
FIG. 2 is a timing diagram of an identity authentication method in one embodiment;
FIG. 3 is a flow chart of an identity authentication method in one embodiment;
FIG. 4 is a flow chart of an identity authentication method in another embodiment;
FIG. 5 is an application scenario diagram of an authentication method according to another embodiment;
FIG. 6 is a schematic diagram of a terminal device outputting a prompt message in one embodiment;
FIG. 7 is a flow chart of an identity authentication method in another embodiment;
FIG. 8 is a block diagram of an identity authentication device in one embodiment;
FIG. 9 is a block diagram of an authentication device in another embodiment;
FIG. 10 is a block diagram of an electronic device in one embodiment.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be noted that the terms "comprising" and "having" and any variations thereof in the embodiments and figures herein are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
In the related art, for a general terminal device, it is necessary to download an installation package of an application program and install the application program locally before the application program can be normally used. Because the application program is installed in the local of the terminal equipment, when the application program needs to carry out identity authentication in the running process, the corresponding interface provided by the operating system on the terminal equipment is directly called, so that the user identity information can be acquired and the identity authentication can be completed. For the cloud terminal, since the cloud terminal does not need to download the application program, all the application programs and functions are realized through the cloud server, namely, the application program is separated from the cloud terminal, so that identity authentication cannot be realized.
The embodiment of the application provides an identity authentication method, an identity authentication device, an identity authentication system and an electronic device, wherein a cloud application running on a cloud server can normally finish user identity authentication through a terminal device, the whole user identity authentication process is performed on the terminal device, the problem of user identity information leakage can be prevented, and the safety of the terminal device in using the cloud application is improved.
Fig. 1 is an application scenario diagram of an identity authentication method in one embodiment. As shown in fig. 1, the cloud server 10 may establish a communication connection with the terminal device 20. The terminal device 20 may include, but is not limited to, a mobile phone, a smart wearable device, a tablet computer, a PC (Personal Computer), a vehicle-mounted terminal, etc., and the cloud server 10 may be a distributed server cluster composed of a plurality of server devices. In this embodiment of the present application, the terminal device 20 may be a cloud terminal, and all application programs and functions on the terminal device 20 may be implemented by the cloud server 10. The terminal device 20 does not need to download the application programs, but logs in to the cloud server 10 through a cloud account, and the cloud server 10 allocates a corresponding resource space to the terminal device 20, so that the application programs may be run at the cloud server 10 and the functions of the terminal device 20 are implemented. Meanwhile, the terminal device 20 may also store all data such as images, files and the like in the cloud server 10.
When the cloud application needs to perform identity authentication, the cloud server 10 may acquire an identity authentication request initiated by the cloud application, and send an authentication instruction to the terminal device 20 according to the identity authentication request. The terminal device 20 receives the authentication instruction sent by the cloud server 10, and can collect user identity information according to the authentication instruction, perform user identity authentication according to the user identity information, generate target information according to an authentication result, and send the generated target information to the cloud server 10. The cloud server 10 receives the target information sent by the terminal device 20, can process the target information to obtain an authentication result, and returns the authentication result to the cloud application, so that user identity authentication of the cloud application running on the cloud server in the using process can be realized, and the safety of using the cloud application is ensured.
FIG. 2 is a timing diagram of an identity authentication method according to one embodiment. As shown in fig. 2, the identity authentication method may include the following steps, in processing order:
1. The cloud server 10 receives an identity authentication request initiated by a cloud application.
2. The cloud server 10 sends an authentication instruction to the terminal device 20 according to an identity authentication request initiated by the cloud application.
3. The terminal device 20 receives the authentication instruction sent by the cloud server 10, performs user identity authentication on the collected user identity information according to the authentication instruction, and generates target information according to an authentication result.
4. The terminal device 20 transmits the target information to the cloud server 10.
5. The cloud server 10 receives the target information sent by the terminal device 20, processes the target information to obtain an authentication result, and returns the authentication result to the cloud application.
As shown in fig. 3, in one embodiment, an identity authentication method is provided, which can be applied to the cloud server, and the method may include the following steps:
Step 310, an identity authentication request initiated by a cloud application is received.
The cloud application may refer to an application program running on a cloud server, and the cloud application may be packaged and used in a virtualized environment provided by the cloud server by using an application virtualization technology. The terminal equipment can establish a communication connection with the cloud server through a wireless network without downloading and installing application programs locally, and subscribe to the services of each cloud application in the cloud server, so that the cloud application can be used. Optionally, the wireless network may include, but is not limited to, 4G (fourth generation mobile networks), 5G (fifth generation mobile networks), WiFi (Wireless Fidelity) networks, and the like. The terminal equipment can display an application interface of the cloud application in use, and data processing of the cloud application during use is performed in the cloud server.
The cloud application may need to perform identity authentication during the use process, for example, when a user needs to use the cloud application to perform operations with high security requirements such as payment and transfer when using the cloud application, the cloud application needs to perform authentication on the identity of the user, or when logging in a platform with high security (such as tax platform and social security platform) by using the cloud application, the cloud application also needs to perform authentication on the identity of the user. The scenario in which the cloud application performs identity authentication on the user is not limited in the embodiment of the present application.
In some embodiments, the cloud application may initiate an identity authentication request, which may carry information such as the authentication type and the authentication item. The authentication type may refer to the authentication mode used for identity authentication. Optionally, the authentication type may include, but is not limited to, a biometric authentication mode such as face authentication, fingerprint authentication, pupil authentication, and the like, and may also be a mode such as password authentication, voice authentication, and the like. Authentication items may refer to the operations that the cloud application needs to authenticate, such as, but not limited to, payment items, transfer items, login items, etc.
Step 320, an authentication instruction is sent to the terminal device according to the identity authentication request, the authentication instruction is used for instructing the terminal device to perform user identity authentication, and target information is generated according to the authentication result.
The cloud server can generate an authentication instruction according to the authentication type, the authentication items and other information carried in the identity authentication request, and sends the authentication instruction to the terminal equipment.
In some embodiments, the terminal device may log in to the cloud server through account information allocated by the cloud server or account information registered in advance, and the cloud server may store the account information of the terminal device and the customized cloud application correspondingly, where the account information corresponding to different terminal devices is different. Optionally, the cloud server may allocate a corresponding storage space for each account information, and store, in the storage space corresponding to the account information, data of each cloud application, service, and the like subscribed by the terminal device. After receiving an identity authentication request initiated by a cloud application, the cloud server can acquire account information corresponding to the cloud application, and acquire identification information of the terminal equipment according to the account information, so as to send an authentication instruction to the terminal equipment according to the identification information. Optionally, the identification information of the terminal device may include, but is not limited to, an IP (Internet Protocol) address, a MAC (Media Access Control) address, etc. of the terminal device.
After receiving the authentication instruction, the terminal device can analyze the authentication instruction to obtain the authentication type required to be performed, the corresponding authentication items and other information. The terminal equipment can start a corresponding user information acquisition module according to the authentication type so as to acquire user information through the user information acquisition module and perform user identity authentication according to the acquired user information. If the collected user information is matched with the user information stored in the terminal equipment in advance, namely, the collected user information is consistent with the user information stored in advance, the authentication result can be determined to be successful in authentication, and if the collected user information is not matched with the user information stored in the terminal equipment in advance, the authentication result can be determined to be failed in authentication.
For example, if the authentication type is face authentication, the terminal device may start the camera, collect a face image of the user through the camera, and perform face recognition authentication through the face image. The terminal equipment can compare the collected face image with the pre-stored face image, and judge whether the collected face image is matched with the pre-stored face image or not so as to obtain a face recognition authentication result.
If the authentication type is fingerprint authentication, the terminal device may start the fingerprint acquisition module to acquire fingerprint information of the user, compare the fingerprint information with the pre-input fingerprint information, and determine whether the acquired fingerprint information is matched with the pre-input fingerprint information to obtain a fingerprint authentication result.
In some embodiments, the terminal device may generate a prompt message according to the authentication type and the authentication item, and output the prompt message to prompt the user that identity authentication is currently required, where the prompt message may be an interface prompt displayed on a screen, or may be a voice prompt mode played through a speaker, and the like, which is not limited herein.
User identity authentication is carried out on the terminal equipment, user identity information acquired by the terminal equipment does not need to be uploaded to a cloud server, the situation that the user identity information is stolen in the transmission process can be prevented, and the information safety of a user is ensured.
After obtaining the authentication result of user identity authentication, the terminal device can process the authentication result to obtain target information. Optionally, the terminal device may encapsulate the authentication result according to a preset data packet format to obtain target information, and send the target information to the cloud server.
The authentication result may be represented by a contracted character, for example, but not limited to, Y for authentication success, N for authentication failure, 1 for authentication success, 0 for authentication failure, etc. Further, when the cloud server sends an authentication instruction to the terminal device, the authentication instruction can carry character representation modes, each character representation mode can be different and can be selected randomly, and the terminal device can represent an authentication result according to the character representation mode carried in the received authentication instruction. After receiving the target information, if the cloud server detects that the authentication result is not represented according to the character representation mode, the cloud server can discard the authentication result and send an authentication instruction to the terminal equipment again, so that the probability of falsifying the authentication result can be reduced, and the safety is further improved.
Step 330, target information sent by the terminal equipment is received.
Step 340, the target information is processed to obtain an authentication result, and the authentication result is returned to the cloud application.
After receiving the target information, the cloud server can analyze the target information to obtain an authentication result, and returns the authentication result to the cloud application which sends the identity authentication request, and the cloud application can perform the next operation according to the authentication result. For example, if the authentication result is authentication success, the cloud application may execute the authentication item requiring identity authentication, if the authentication result is authentication failure, the cloud application may stop executing the authentication item requiring identity authentication, and determine whether to re-initiate the identity authentication request, if so, may re-initiate the identity authentication request to re-authenticate the identity of the user of the terminal device.
In the embodiment of the application, the cloud server receives an identity authentication request initiated by the cloud application, sends an authentication instruction to the terminal equipment according to the identity authentication request, the terminal equipment can perform user identity authentication according to the authentication instruction, generates target information according to an authentication result and sends the target information to the cloud server, the cloud server can process the target information sent by the terminal equipment to obtain an authentication result, the authentication result is returned to the cloud application, the cloud application running on the cloud server can normally complete user identity authentication through the terminal equipment, the whole user identity authentication process is performed on the terminal equipment, the problem of user identity information leakage can be prevented, and the safety of the terminal equipment in using the cloud application is improved.
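The FIG. 3 exchange, including the randomly chosen result representation and the discard-and-resend rule described above, sketched as an added example that is not code from the patent. The `request_id` field, the hex-string representations and the byte-equality stand-in for biometric matching are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthInstruction:
    request_id: str    # hypothetical field: ties a response to one instruction
    auth_type: str     # e.g. "fingerprint", taken from the cloud application's request
    auth_item: str     # e.g. "payment"
    success_repr: str  # how "authentication succeeded" is written for this request
    failure_repr: str  # how "authentication failed" is written for this request


class CloudServer:
    def __init__(self):
        self._pending = {}  # request_id -> outstanding AuthInstruction

    def issue_instruction(self, auth_type, auth_item):
        """Steps 310/320: build an instruction with a fresh random representation."""
        success = secrets.token_hex(4)
        failure = secrets.token_hex(4)
        while failure == success:
            failure = secrets.token_hex(4)
        instr = AuthInstruction(secrets.token_hex(8), auth_type, auth_item,
                                success, failure)
        self._pending[instr.request_id] = instr
        return instr

    def process_target_info(self, target_info):
        """Steps 330/340: turn target information into the result for the cloud app."""
        # pop() makes every instruction single-use, so a replayed response is unknown.
        instr = self._pending.pop(target_info.get("request_id"), None)
        if instr is None:
            return "discard"
        result = target_info.get("result")
        if result == instr.success_repr:
            return "success"
        if result == instr.failure_repr:
            return "failure"
        return "discard"  # not in the agreed representation: drop it


class Terminal:
    """Terminal device: matches locally and never uploads the collected user info."""

    def __init__(self, enrolled):
        self._enrolled = dict(enrolled)  # auth_type -> pre-stored user info (constructed)

    def handle(self, instr, collected):
        stored = self._enrolled.get(instr.auth_type)
        # Stand-in for a real matcher: exact, constant-time byte comparison.
        matched = stored is not None and secrets.compare_digest(stored, collected)
        return {"request_id": instr.request_id,
                "result": instr.success_repr if matched else instr.failure_repr}


def authenticate(server, terminal, auth_type, auth_item, collected, max_attempts=2):
    """Run the whole flow; after a discard the server sends a new instruction."""
    for _ in range(max_attempts):
        instr = server.issue_instruction(auth_type, auth_item)
        outcome = server.process_target_info(terminal.handle(instr, collected))
        if outcome != "discard":
            return outcome
    return "failure"


if __name__ == "__main__":
    srv = CloudServer()
    dev = Terminal({"fingerprint": b"constructed-template"})
    print(authenticate(srv, dev, "fingerprint", "payment", b"constructed-template"))
```

The random representation only defeats blind forgery and replay of an old response; anyone able to read the instruction in transit learns the success representation, which is why the result is additionally encrypted in the FIG. 4 embodiment.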
As shown in fig. 4, in one embodiment, another identity authentication method is provided, and the method may be applied to the cloud server, and the method may include the following steps:
Step 402, when receiving a login request of a terminal device, obtaining a device identifier of the terminal device according to the login request.
In order to improve the security of the cloud application in identity authentication, the authentication result can be encrypted before it is transmitted. The cloud server and the terminal equipment can realize the secure transmission of the authentication result according to the set encryption and decryption mode. Before the terminal equipment uses the cloud application, the terminal equipment can log in to the cloud server through account information. The cloud server receives a login request of the terminal equipment, and the login request can carry information such as the account information and the equipment identification of the terminal equipment. Optionally, the device identification of the terminal device may include, but is not limited to, a MAC address, an IMEI (International Mobile Equipment Identity), etc. The device identification may be used to uniquely identify the terminal device and is generally not easily changed.
In some embodiments, after obtaining account information and device identification of the terminal device carried in the login request, the cloud server may verify the account information and the device identification. The cloud server can search whether the prestored account information matched with the account information exists in the database, and if the prestored account information matched with the account information exists, the account information is proved to be correct. The account information may include information such as account identifier and password, when the database has a prestored account identifier consistent with the acquired account identifier, the cloud server may determine whether the acquired password is consistent with the password corresponding to the consistent prestored account identifier, and if the passwords are also consistent, the account information is proved to be correct. If the pre-stored account identification consistent with the acquired account identification does not exist or the acquired password is inconsistent with the password corresponding to the consistent pre-stored account identification, the account information is indicated to be wrong, and the login of the terminal equipment fails.
Further, the cloud server can correspondingly store the account information and the equipment identifier. When the cloud server determines that the acquired account information is correct, whether the acquired equipment identifier is consistent with the equipment identifier corresponding to the matched pre-stored account information can be further judged, if so, the success of the login of the terminal equipment can be determined, and the safety and accuracy of the terminal equipment in the process of logging in the cloud server can be further improved.
Step 404, inquiring the public key corresponding to the terminal device in the key management server according to the device identification.
The cloud server can acquire a public key corresponding to the terminal equipment according to the equipment identifier of the terminal equipment for sending the login request, and the public key can be used for decrypting the encrypted information sent by the terminal equipment. Different terminal devices can respectively correspond to different public keys so as to ensure the security. The key management server may be separately provided for managing key data of the respective terminal apparatuses.
As an embodiment, before each terminal device leaves the factory, a set of key pairs may be generated, where the key pairs include a public key and a private key, where the private key may be stored in the terminal device, the public key and a device identifier of the terminal device may be sent to the key management server together, and the key management server stores the public key and the device identifier correspondingly.
Further, the private key may include a root key (Attestation Key, ATTK). Each terminal device may generate a unique root key, which may be stored in the trusted execution environment (Trusted Execution Environment, TEE) of the terminal device after being generated. The TEE may be an execution environment that runs in parallel with the main operating system on the terminal device and provides security services for the main operating system; it may have its own execution space and a higher security level than the main operating system. The public key may be a symmetric key corresponding to the root key, or may be an asymmetric key corresponding to the root key, and the like, and is not limited thereto. Because the private key is generated and stored in the TEE of the terminal device, it can be prevented from being leaked, which ensures the security of the key.
As another embodiment, when the terminal device registers in the cloud server, the cloud server may generate a set of key pairs, send the private key corresponding to the key to the terminal device, store the private key by the terminal device, send the public key corresponding to the key and the device information of the terminal device to the key management server, and store the public key and the device identifier by the key management server.
Fig. 5 is an application scenario diagram of an identity authentication method in another embodiment. As shown in fig. 5, the cloud server 10 may establish a communication connection with the terminal device 20, and the cloud server 10 may also establish a communication connection with the key management server 50. When the cloud server 10 receives the login request of the terminal device 20, it can generate a query instruction according to the device identifier, such as the IMEI, carried in the login request, and send the query instruction to the key management server 50. After receiving the query instruction, the key management server 50 may look up the corresponding public key according to the device identifier carried in the query instruction, and send the public key it finds to the cloud server 10.
Step 406, receiving an identity authentication request initiated by the cloud application.
Step 408, an authentication instruction is sent to the terminal device according to the identity authentication request, the authentication instruction is used for instructing the terminal device to perform user identity authentication, and the authentication result is encrypted to obtain target information.
The descriptions of steps 406 to 408 may refer to the descriptions of steps 310 to 320 in the above embodiments, and are not repeated here.
After receiving the authentication instruction sent by the cloud server, the terminal equipment can perform user identity authentication according to the collected user information to obtain an authentication result, and can encrypt the authentication result according to the stored private key to obtain target information. Optionally, the terminal device may encrypt the authentication result by using a symmetric encryption algorithm, an asymmetric encryption algorithm, or the like, which is not limited in the embodiment of the present application.
In some embodiments, after user identity authentication, the terminal device may encrypt the authentication result according to the root key corresponding to the terminal device to obtain the target information. The terminal device can sign the authentication result according to the stored root key to obtain the authentication result with signature information, namely the target information.
Optionally, after the terminal device starts the user information acquisition module and acquires the user information through the user information acquisition module, the user information acquisition module may transmit the acquired user information to the TEE, the TEE may store the user information entered in advance, and match the acquired user information with the user information entered in advance, if the matching is successful, the authentication result may be obtained as authentication success, and if the matching fails, the authentication result may be obtained as authentication failure.
The root key of the terminal equipment can be stored in the TEE at the same time, and after the authentication result is obtained in the TEE, the authentication result can be encrypted according to the root key to obtain the target information. The TEE can send the target information to a wireless communication module of the terminal device, and then the wireless communication module sends the target information to the cloud server. The terminal equipment performs the user identity authentication process and the authentication result encryption process in the TEE, so that the safety of the whole identity authentication process can be ensured.
In some embodiments, when receiving an identity authentication request initiated by a cloud application, the cloud server may obtain an application identifier of the cloud application that initiates the identity authentication request, where the application identifier may be used to uniquely identify the cloud application, for example, the application identifier may include an application number, an application name, a version number when the application is published, and the like, and is not limited thereto. The cloud server can match the application identifier with the interface image displayed by the terminal device and judge whether the application identifier corresponds to the displayed interface image.
In the embodiment of the application, the terminal equipment is a cloud terminal, and the interface image displayed on the terminal equipment can be sent to the terminal equipment for display after being rendered by the cloud server, so that the requirement on the rendering capability of the terminal equipment can be reduced, and the smoothness of display is ensured. Therefore, the cloud server can acquire the interface image being displayed on the terminal device in real time, and when the cloud application initiates the identity authentication request, the cloud server can judge whether the interface image displayed on the terminal device belongs to the cloud application, namely, whether the terminal device is using the cloud application in the foreground can be judged through the displayed interface image.
If the application identifier of the cloud application initiating the identity authentication request is matched with the interface image displayed by the terminal equipment, which indicates that the terminal equipment is using the cloud application in the foreground, the cloud server can send an authentication instruction to the terminal equipment according to the identity authentication request. If the application identifier of the cloud application initiating the identity authentication request is not matched with the interface image displayed by the terminal device, that is, the interface image displayed by the terminal device does not belong to the cloud application, the cloud application can be determined to be in a background running state, and the cloud server can generate prompt information according to the identity authentication request and send the prompt information to the terminal device. The prompt information can be used for prompting the cloud application to perform identity authentication.
After receiving the prompt message, the terminal device may output the prompt message, for example, the prompt message may be displayed on a screen, or the prompt message may be played through a speaker, etc., and the mode of outputting the prompt message is not limited herein. Optionally, the prompt information may include application information, authentication type, authentication item and the like of the cloud application that initiates the identity authentication request, and the user can accurately and completely obtain the identity authentication request sent by the cloud application through the prompt information. If the terminal equipment receives the confirmation response information input by the user, the confirmation response information can be used for representing that the user agrees to carry out identity authentication, and the confirmation response information can be sent to the cloud server. After receiving the confirmation response information sent by the terminal equipment, the cloud server can send an authentication instruction to the terminal equipment according to the identity authentication request.
Fig. 6 is a schematic diagram of a terminal device outputting a prompt message in an embodiment. As shown in fig. 6, a prompt 504 may be displayed on the screen of the terminal device, where the prompt 504 is "Application A is performing a payment operation and needs to perform face recognition on you." If the user clicks the "agree" button, the terminal device receives the confirmation response information input by the user and can send it to the cloud server. If the user clicks the "reject" button, the terminal device receives the rejection response information input by the user. In that case the terminal device may return no message to the cloud server, and if the cloud server does not receive confirmation response information from the terminal device within a certain period of time, the cloud server may reject the identity authentication request initiated by the cloud application. Alternatively, the terminal device can return the rejection response information directly to the cloud server, and the cloud server can reject the identity authentication request initiated by the cloud application when it receives the rejection response information.
It should be noted that fig. 6 only shows a mode of outputting the prompt information by the terminal device, which is only used to illustrate the embodiment of the present application, and is not limited to the mode of outputting the prompt information by the terminal device and the content of the prompt information, and the terminal device may output the prompt information in other modes, and the prompt information may also include other contents.
By matching the cloud application that initiates the identity authentication request against the cloud application the terminal device is currently using in the foreground, the cloud server can prevent a cloud application running in the background from performing identity authentication without the user's knowledge, which further improves the security of identity authentication for cloud applications.
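The foreground check and confirmation prompt described above, as an added example that is not code from the patent. It assumes the cloud server already knows which application owns the interface image it is rendering (`foreground_app_id`); the class name, return strings and 30-second confirmation window are hypothetical.

```python
import time

AUTH_SENT = "authentication instruction sent"
PROMPTED = "prompt sent, waiting for user"
REJECTED = "request rejected"


class ForegroundGate:
    """Decides whether an identity authentication request may reach the device."""

    def __init__(self, confirm_timeout=30.0, clock=time.monotonic):
        self._timeout = confirm_timeout   # assumed "certain period of time"
        self._clock = clock
        self._waiting = {}                # request_id -> (app_id, deadline)

    def on_auth_request(self, request_id, app_id, foreground_app_id):
        # Requesting application owns the displayed interface: go ahead.
        if app_id == foreground_app_id:
            return AUTH_SENT
        # Background application: prompt the user and wait for confirmation.
        self._waiting[request_id] = (app_id, self._clock() + self._timeout)
        return PROMPTED

    def on_user_response(self, request_id, agreed):
        # pop() makes every prompt single-use: a repeated or unknown
        # confirmation never triggers an authentication instruction.
        entry = self._waiting.pop(request_id, None)
        if entry is None:
            return REJECTED
        _, deadline = entry
        if not agreed or self._clock() > deadline:
            return REJECTED
        return AUTH_SENT

    def expire(self):
        """Reject prompts the user never answered; returns their request ids."""
        now = self._clock()
        expired = [rid for rid, (_, d) in self._waiting.items() if now > d]
        for rid in expired:
            del self._waiting[rid]
        return expired


if __name__ == "__main__":
    gate = ForegroundGate()
    # Constructed sample: "app.pay" asks while "app.game" is on screen.
    print(gate.on_auth_request("r1", "app.pay", "app.game"))
    print(gate.on_user_response("r1", agreed=True))
```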
Step 410, receiving target information sent by the terminal device.
Step 412, decrypting the target information according to the public key corresponding to the terminal device to obtain an authentication result, and returning the authentication result to the cloud application.
After receiving the target information sent by the terminal device, the cloud server can decrypt the target information according to the public key corresponding to the terminal device, which was queried from the key management server. Because this public key and the private key used to encrypt the target information form a key pair, the authentication result can be obtained successfully after decryption.
Because the private key, the public key and the terminal equipment in the embodiment of the application are all corresponding, the situation that the same terminal equipment corresponds to a plurality of public keys or one public key corresponds to a plurality of terminal equipment does not exist. If the cloud server fails to decrypt the target information according to the public key corresponding to the terminal equipment, the cloud server can determine that the target information is not the target information sent by the terminal equipment, can determine the target information as unsafe information and discard the unsafe information, and can acquire the encrypted target information from the terminal equipment again. The security and the accuracy of the cloud application in identity authentication can be improved.
In some embodiments, when the terminal device logs out from the cloud server, the cloud server may delete the public key corresponding to the terminal device, and re-acquire the public key from the key management server when the terminal device next sends a login request. The key management server can be a server with extremely high security, the cloud server deletes the public key when the terminal equipment logs out, the condition that the public key is revealed when the cloud server is illegally attacked can be prevented, and the key security is ensured.
In the embodiment of the application, the terminal equipment can encrypt the authentication result of user identity authentication to obtain the target information, the cloud server can decrypt the received target information according to the public key corresponding to the terminal equipment, so that the target information is ensured to be accurately from the terminal equipment, the accuracy and the safety of the authentication result are ensured, and the safety of the cloud application in identity authentication can be improved.
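The exchange in steps 404 to 412, as an added example that is not code from the patent. It uses HMAC-SHA256 from the Python standard library, which corresponds to the symmetric-key option the text allows; with an asymmetric pair the two `hmac.new` calls become sign and verify. The class names, the JSON layout and the single-use nonce are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


class KeyManagementServer:
    """Holds one verification key per device identifier (queried in step 404)."""

    def __init__(self):
        self._keys = {}

    def register(self, device_id, key):
        # One-to-one mapping: no shared keys, no second key for a device.
        if device_id in self._keys or key in self._keys.values():
            raise ValueError("device identifier or key already registered")
        self._keys[device_id] = key

    def query(self, device_id):
        return self._keys[device_id]


class TerminalTEE:
    """Stand-in for the TEE: the root key is used here and never returned."""

    def __init__(self, device_id, root_key):
        self.device_id = device_id
        self._root_key = root_key

    def authenticate(self, instruction, user_matches):
        # Assumption: the result is bound to device, application and nonce so
        # that a captured "success" cannot be reused for another request.
        body = json.dumps({
            "device_id": self.device_id,
            "app_id": instruction["app_id"],
            "nonce": instruction["nonce"],
            "result": "success" if user_matches else "failure",
        }, sort_keys=True)
        tag = hmac.new(self._root_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}  # the "target information"


class CloudServer:
    def __init__(self, kms):
        self._kms = kms
        self._session_keys = {}  # device_id -> key, held only while logged in
        self._pending = {}       # nonce -> (device_id, app_id)

    def login(self, device_id):
        self._session_keys[device_id] = self._kms.query(device_id)

    def logout(self, device_id):
        # Drop the cached key so a later server compromise cannot expose it.
        self._session_keys.pop(device_id, None)

    def new_instruction(self, device_id, app_id):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (device_id, app_id)
        return {"app_id": app_id, "nonce": nonce}

    def process_target_info(self, device_id, target):
        """Return "success"/"failure", or None when the message is discarded."""
        key = self._session_keys.get(device_id)
        if key is None:
            return None
        body = str(target.get("body", ""))
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        supplied = str(target.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return None  # not produced with this device's key
        claims = json.loads(body)
        if claims["device_id"] != device_id:
            return None
        # pop() makes the nonce single-use, so a replayed message is dropped.
        if self._pending.pop(claims["nonce"], None) != (device_id, claims["app_id"]):
            return None
        return claims["result"]


def demo():
    # Constructed sample data: device name, application name and key bytes.
    kms = KeyManagementServer()
    root_key = secrets.token_bytes(32)
    kms.register("device-A", root_key)
    tee = TerminalTEE("device-A", root_key)
    cloud = CloudServer(kms)
    cloud.login("device-A")
    target = tee.authenticate(cloud.new_instruction("device-A", "app.pay"), True)
    first = cloud.process_target_info("device-A", target)
    replay = cloud.process_target_info("device-A", target)
    cloud.logout("device-A")
    return first, replay


if __name__ == "__main__":
    print(demo())
```

In the symmetric variant the verifier holds the same secret as the device and could itself produce valid target information, which is one more reason the cached key is dropped at logout.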
As shown in fig. 7, in one embodiment, an identity authentication method is provided, which may be applied to the terminal device described above, and the method may include the following steps:
Step 710, receiving an authentication instruction sent by a cloud server, wherein the authentication instruction is generated by the cloud server according to an identity authentication request initiated by a cloud application.
Step 720, user identity authentication is performed on the collected user identity information according to the authentication instruction, and target information is generated according to the authentication result.
Step 730, sending the target information to the cloud server, where the target information is used for processing at the cloud server to obtain an authentication result, and returning the authentication result to the cloud application through the cloud server.
In the embodiment of the application, the cloud server receives an identity authentication request initiated by the cloud application, sends an authentication instruction to the terminal equipment according to the identity authentication request, the terminal equipment can perform user identity authentication according to the authentication instruction, generates target information according to an authentication result and sends the target information to the cloud server, the cloud server can process the target information sent by the terminal equipment to obtain an authentication result, the authentication result is returned to the cloud application, the cloud application running on the cloud server can normally complete user identity authentication through the terminal equipment, the whole user identity authentication process is performed on the terminal equipment, the problem of user identity information leakage can be prevented, and the safety of the terminal equipment in using the cloud application is improved.
In one embodiment, the step of generating the target information according to the authentication result includes: and encrypting the authentication result to obtain the target information.
In one embodiment, the step of encrypting the authentication result to obtain the target information includes: encrypting the authentication result according to the root key corresponding to the terminal device to obtain the target information, wherein the target information is also used by the cloud server, which decrypts it according to the public key corresponding to the terminal device to obtain the authentication result.
In one embodiment, before receiving the authentication instruction sent by the cloud server, the method further includes: receiving prompt information sent by the cloud server and outputting the prompt information, wherein the prompt information is used for prompting the cloud application to perform identity authentication, and the prompt information is generated when the cloud device detects that the cloud application initiating the identity authentication request does not match the interface image displayed by the terminal device; and, after receiving confirmation response information input by the user, sending the confirmation response information to the cloud server, wherein the confirmation response information is used for triggering the cloud server to send an authentication instruction to the terminal device according to the identity authentication request. By matching the cloud application that initiates the identity authentication request against the cloud application the terminal device is currently using in the foreground, the cloud server can prevent a cloud application running in the background from performing identity authentication without the user's knowledge, which further improves the security of identity authentication for cloud applications.
It should be noted that, the identity authentication method applied to the terminal device provided in the embodiment of the present application may refer to the description in the identity authentication method applied to the cloud server provided in the foregoing embodiments, and will not be described in detail herein.
In the embodiment of the application, the terminal equipment can encrypt the authentication result of user identity authentication to obtain the target information, the cloud server can decrypt the received target information according to the public key corresponding to the terminal equipment, so that the target information is ensured to be accurately from the terminal equipment, the accuracy and the safety of the authentication result are ensured, and the safety of the cloud application in identity authentication can be improved.
In an embodiment, the embodiment of the application further provides an identity authentication system, where the identity authentication system may include a cloud server and a terminal device, and a communication connection may be established between the cloud server and the terminal device.
The cloud server is used for receiving an identity authentication request initiated by the cloud application and sending an authentication instruction to the terminal device according to the identity authentication request, where the cloud application runs on the cloud server.
The terminal device is used for performing user identity authentication on the collected user identity information according to the authentication instruction, generating target information according to the authentication result, and sending the target information to the cloud server.
The cloud server is also used for receiving the target information sent by the terminal equipment, processing the target information to obtain the authentication result, and returning the authentication result to the cloud application.
In the embodiment of the application, the cloud application running on the cloud server can normally finish user identity authentication through the terminal equipment, and the whole user identity authentication process is performed on the terminal equipment, so that the problem of user identity information leakage can be prevented, and the safety of using the cloud application by the terminal equipment is improved.
In one embodiment, the identity authentication system further comprises a key management server for storing public keys corresponding to the device identifications of the respective terminal devices.
The terminal device is further configured to send a login request to the cloud server, where the login request carries a device identifier of the terminal device.
The cloud server is further used for acquiring the equipment identification of the terminal equipment according to the login request when the login request of the terminal equipment is received, and inquiring the public key corresponding to the terminal equipment in the key management server according to the equipment identification.
In one embodiment, the terminal device is further configured to encrypt the authentication result after performing user identity authentication, so as to obtain the target information.
Optionally, the terminal device is further configured to encrypt the authentication result according to the root key corresponding to the terminal device after user identity authentication is performed, so as to obtain the target information.
The cloud server is further used for decrypting the target information according to the public key corresponding to the terminal equipment to obtain an authentication result.
In the embodiment of the application, the terminal equipment can encrypt the authentication result of user identity authentication to obtain the target information, the cloud server can decrypt the received target information according to the public key corresponding to the terminal equipment, so that the target information is ensured to be accurately from the terminal equipment, the accuracy and the safety of the authentication result are ensured, and the safety of the cloud application in identity authentication can be improved.
In an embodiment, the cloud server is further configured to obtain an application identifier of the cloud application after receiving an identity authentication request initiated by the cloud application, and match the application identifier with an interface image displayed by the terminal device, if the application identifier matches the interface image displayed by the terminal device, send an authentication instruction to the terminal device according to the identity authentication request, and if the application identifier does not match the interface image displayed by the terminal device, send prompt information to the terminal device, where the prompt information is used to prompt the cloud application to perform identity authentication.
The terminal equipment is also used for receiving the prompt information sent by the cloud server, outputting the prompt information, and sending the confirmation response information to the cloud server if the confirmation response information input by the user aiming at the prompt information is received.
The cloud server is further used for sending an authentication instruction to the terminal equipment according to the identity authentication request after receiving the confirmation response information of the terminal equipment.
In the embodiment of the application, the cloud server can prevent the cloud application running in the background from carrying out identity authentication under the condition that a user does not know by matching the cloud application initiating the identity authentication request with the cloud application currently used in the foreground by the terminal equipment, so that the identity authentication safety of the cloud application is further improved.
As shown in fig. 8, in one embodiment, an identity authentication device 800 is provided and can be applied to the cloud server. The identity authentication device 800 may include a request receiving module 810, a sending module 820, an information receiving module 830, and a result returning module 840.
The request receiving module 810 is configured to receive an identity authentication request initiated by a cloud application, where the cloud application runs on a cloud server.
The sending module 820 is configured to send an authentication instruction to the terminal device according to the identity authentication request, where the authentication instruction is used to instruct the terminal device to perform user identity authentication and generate target information according to the authentication result.
The information receiving module 830 is configured to receive target information sent by the terminal device.
The result returning module 840 is configured to process the target information to obtain an authentication result, and return the authentication result to the cloud application.
In the embodiment of the application, the cloud application running on the cloud server can normally finish user identity authentication through the terminal equipment, and the whole user identity authentication process is performed on the terminal equipment, so that the problem of user identity information leakage can be prevented, and the safety of using the cloud application by the terminal equipment is improved.
In one embodiment, the authentication instruction is further configured to instruct the terminal device to perform user identity authentication, and encrypt the authentication result to obtain the target information.
In one embodiment, the authentication instruction is further configured to instruct the terminal device to perform user identity authentication, and encrypt the authentication result according to the root key corresponding to the terminal device, so as to obtain the target information.
The result returning module 840 is further configured to decrypt the target information according to the public key corresponding to the terminal device, obtain an authentication result, and return the authentication result to the cloud application.
In one embodiment, the identity authentication device 800 includes an identifier obtaining module and a query module in addition to the request receiving module 810, the sending module 820, the information receiving module 830, and the result returning module 840.
The identification acquisition module is used for acquiring the equipment identification of the terminal equipment according to the login request when the login request of the terminal equipment is received.
The query module is used for querying the public key corresponding to the terminal device in the key management server according to the device identifier.
In one embodiment, the identity authentication device 800 further includes a matching module.
The matching module is used for acquiring the application identification of the cloud application and matching the application identification with the interface image displayed by the terminal equipment.
The sending module 820 is further configured to send an authentication instruction to the terminal device according to the identity authentication request if the application identifier is matched with the interface image displayed by the terminal device; and if the application identifier is not matched with the interface image displayed by the terminal device, sending prompt information to the terminal device, wherein the prompt information is used for prompting the cloud application to perform identity authentication, and sending an authentication instruction to the terminal device according to the identity authentication request after the information receiving module 830 receives the confirmation response information of the terminal device.
In the embodiment of the application, the terminal equipment can encrypt the authentication result of user identity authentication to obtain the target information, the cloud server can decrypt the received target information according to the public key corresponding to the terminal equipment, so that the target information is ensured to be accurately from the terminal equipment, the accuracy and the safety of the authentication result are ensured, and the safety of the cloud application in identity authentication can be improved.
As shown in fig. 9, in one embodiment, another identity authentication device 900 is provided and may be applied to the terminal device described above. The identity authentication device 900 may include a receiving module 910, an authentication module 920, and a sending module 930.
The receiving module 910 is configured to receive an authentication instruction sent by a cloud server, where the authentication instruction is generated by the cloud server according to an identity authentication request initiated by a cloud application, and the cloud application runs on the cloud server.
The authentication module 920 is configured to perform user identity authentication on the collected user identity information according to the authentication instruction, and generate target information according to an authentication result.
The sending module 930 is configured to send the target information to the cloud server, where the target information is used to process at the cloud server to obtain an authentication result, and return the authentication result to the cloud application through the cloud server.
In the embodiment of the application, the cloud application running on the cloud server can normally finish user identity authentication through the terminal equipment, and the whole user identity authentication process is performed on the terminal equipment, so that the problem of user identity information leakage can be prevented, and the safety of using the cloud application by the terminal equipment is improved.
In one embodiment, the authentication module 920 is further configured to perform user identity authentication on the collected user identity information according to the authentication instruction, and encrypt the authentication result to obtain the target information.
In one embodiment, the authentication module 920 is further configured to perform user identity authentication on the collected user identity information according to the authentication instruction, and encrypt the authentication result according to the root key corresponding to the terminal device to obtain the target information, where the target information is further used by the cloud server, which decrypts it according to the public key corresponding to the terminal device to obtain the authentication result.
In one embodiment, the receiving module 910 is further configured to receive a prompt message sent by the cloud server, and output the prompt message, where the prompt message is used to prompt the cloud application to perform identity authentication, and the prompt message is generated when the cloud device detects that the cloud application that initiates the identity authentication request is not matched with an interface image displayed by the terminal device.
The sending module 930 is further configured to send acknowledgement response information to the cloud server after receiving the acknowledgement response information input by the user, where the acknowledgement response information is used to trigger the cloud server to send an authentication instruction to the terminal device according to the identity authentication request.
In the embodiment of the application, the terminal equipment can encrypt the authentication result of user identity authentication to obtain the target information, the cloud server can decrypt the received target information according to the public key corresponding to the terminal equipment, so that the target information is ensured to be accurately from the terminal equipment, the accuracy and the safety of the authentication result are ensured, and the safety of the cloud application in identity authentication can be improved.
Fig. 10 is a block diagram of an electronic device in one embodiment. The electronic device may be the cloud server described above. As shown in fig. 10, the electronic device 1000 may include one or more of the following components: a processor 1010 and a memory 1020 coupled to the processor 1010, wherein the memory 1020 may store one or more computer programs that, when executed by the one or more processors 1010, implement the identity authentication method applied to a cloud server as described in the above embodiments.
Processor 1010 may include one or more processing cores. The processor 1010 uses various interfaces and lines to connect the various parts of the electronic device 1000, and performs the functions of the electronic device 1000 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 1020 and by invoking data stored in the memory 1020. Alternatively, the processor 1010 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 1010 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU is responsible for rendering and drawing display content; the modem handles wireless communication. It will be appreciated that the modem may also not be integrated into the processor 1010 and may instead be implemented separately by a single communication chip.
The memory 1020 may include a random access memory (Random Access Memory, RAM) or a read-only memory (Read-Only Memory, ROM). Memory 1020 may be used to store instructions, programs, code, sets of codes, or instruction sets. The memory 1020 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for implementing at least one function (e.g., a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, and the like. The stored data area may also store data created by the electronic device 1000 in use, and the like.
It will be appreciated that the electronic device 1000 may include more or fewer structural elements than those described in the above structural block diagrams, including for example wireless communication modules, etc., and may not be limited thereto.
In one embodiment, the embodiment of the application provides a terminal device, including a memory and a processor, where the memory stores a computer program, and the computer program when executed by the processor causes the processor to implement the identity authentication method applied to the terminal device as described in the foregoing embodiments.
The embodiment of the application discloses a computer readable storage medium storing a computer program, wherein the computer program realizes the identity authentication method applied to a cloud server as described in the above embodiment when being executed by a processor.
The embodiment of the application discloses a computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the identity authentication method applied to a terminal device as described in the above embodiment.
The embodiments of the present application disclose a computer program product comprising a non-transitory computer readable storage medium storing a computer program, which when executed by a processor implements an identity authentication method applied to a cloud server as described in the above embodiments.
The embodiments of the present application disclose a computer program product comprising a non-transitory computer readable storage medium storing a computer program, which when executed by a processor, implements an identity authentication method applied to a terminal device as described in the above embodiments.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include processes in the embodiments of the methods described above. Wherein the storage medium may be a magnetic disk, an optical disk, a ROM, etc.
Any reference to memory, storage, database, or other medium as used herein may include non-volatile and/or volatile memory. Suitable non-volatile memory can include ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (Rambus DRAM), and direct Rambus dynamic RAM (DRDRAM).
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments and that the acts and modules referred to are not necessarily required in the present application.
In various embodiments of the present application, it should be understood that the size of the sequence numbers of the above processes does not mean that the execution sequence of the processes is necessarily sequential, and the execution sequence of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-accessible memory. Based on such understanding, the technical solution of the present application, or a part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc., and in particular may be a processor in the computer device) to perform part or all of the steps of the above-mentioned methods of the various embodiments of the present application.
The foregoing describes in detail the identity authentication method, apparatus, system and electronic device disclosed in the embodiments of the present application. Specific examples are used to illustrate the principles and embodiments of the present application, and the foregoing description of the embodiments is only intended to help in understanding the method and core idea of the present application. Meanwhile, those skilled in the art may, in accordance with the ideas of the present application, make changes to the specific embodiments and the application scope; in view of the above, the content of this description should not be construed as limiting the present application.

Claims (10)

1. An identity authentication method, which is applied to a cloud server, comprises the following steps:
receiving an identity authentication request initiated by a cloud application, wherein the cloud application runs on the cloud server, and the cloud application is packaged and used in a virtualized environment provided by the cloud server by adopting an application virtualization technology;
sending an authentication instruction to the terminal equipment according to the identity authentication request, wherein the authentication instruction is used for indicating the terminal equipment to perform user identity authentication and generating target information according to an authentication result;
receiving the target information sent by the terminal equipment;
processing the target information to obtain the authentication result, and returning the authentication result to the cloud application;
after the receiving the identity authentication request initiated by the cloud application, the method further comprises the following steps:
acquiring an application identifier of the cloud application, and matching the application identifier with an interface image displayed by the terminal equipment, wherein the application identifier is used for uniquely identifying the cloud application;
if the application identifier is matched with the interface image displayed by the terminal equipment, executing the step of sending an authentication instruction to the terminal equipment according to the identity authentication request;
if the application identifier is not matched with the interface image displayed by the terminal equipment, sending prompt information to the terminal equipment, wherein the prompt information is used for prompting that the cloud application is in identity authentication, executing the step of sending an authentication instruction to the terminal equipment according to the identity authentication request after receiving confirmation response information of the terminal equipment, and the prompt information comprises application information, authentication type and authentication item of the cloud application initiating the identity authentication request.
2. The method of claim 1, wherein the authentication instruction is further configured to instruct the terminal device to perform user identity authentication, and encrypt the authentication result to obtain target information;
the processing the target information to obtain the authentication result includes:
and decrypting the target information according to the public key corresponding to the terminal equipment to obtain the authentication result.
3. The method of claim 2, wherein the authentication instruction is further configured to instruct the terminal device to perform user identity authentication, and encrypt the authentication result according to a root key corresponding to the terminal device to obtain the target information.
4. A method according to claim 2 or 3, wherein prior to said receiving a cloud application initiated authentication request, the method further comprises:
when a login request of a terminal device is received, acquiring a device identifier of the terminal device according to the login request;
and inquiring a public key corresponding to the terminal equipment in a key management server according to the equipment identifier.
5. An identity authentication method, applied to a terminal device, comprising:
receiving an authentication instruction sent by a cloud server, wherein the authentication instruction is generated by the cloud server according to an identity authentication request initiated by a cloud application, the cloud application runs on the cloud server, and the cloud application is packaged and used in a virtualized environment provided by the cloud server by adopting an application virtualization technology;
carrying out user identity authentication on the collected user identity information according to the authentication instruction, and generating target information according to an authentication result;
the target information is sent to the cloud server and is used for being processed by the cloud server to obtain the authentication result, and the authentication result is returned to the cloud application through the cloud server;
before the authentication instruction sent by the cloud server is received, the method further comprises the following steps:
receiving prompt information sent by the cloud server, and outputting the prompt information, wherein the prompt information is used for prompting the cloud application to perform identity authentication, the prompt information is generated when cloud equipment detects that the cloud application initiating the identity authentication request is not matched with an interface image displayed by the terminal equipment, and the prompt information comprises application information, authentication type and authentication item of the cloud application initiating the identity authentication request; after receiving confirmation response information input by a user, sending the confirmation response information to the cloud server, wherein the confirmation response information is used for triggering the cloud server to send an authentication instruction to the terminal equipment according to the identity authentication request.
6. The method of claim 5, wherein generating the target information based on the authentication result comprises:
encrypting the authentication result according to the root key corresponding to the terminal equipment to obtain the target information;
the target information is also used for decrypting the target information by the cloud server according to the public key corresponding to the terminal equipment so as to obtain the authentication result.
7. An identity authentication device, applied to a cloud server, the device comprising:
the cloud application is packaged and used in a virtualized environment provided by the cloud server by adopting an application virtualization technology;
the sending module is used for sending an authentication instruction to the terminal equipment according to the identity authentication request, wherein the authentication instruction is used for indicating the terminal equipment to carry out user identity authentication and generating target information according to an authentication result;
the information receiving module is used for receiving the target information sent by the terminal equipment;
the result return module is used for processing the target information to obtain the authentication result and returning the authentication result to the cloud application;
the device further comprises a matching module, wherein the matching module is used for acquiring an application identifier of the cloud application and matching the application identifier with an interface image displayed by the terminal equipment, and the application identifier is used for uniquely identifying the cloud application;
the sending module is further configured to send an authentication instruction to the terminal device according to the identity authentication request if the application identifier is matched with the interface image displayed by the terminal device; and if the application identifier is not matched with the interface image displayed by the terminal equipment, sending prompt information to the terminal equipment, wherein the prompt information is used for prompting that the cloud application is in identity authentication, and sending an authentication instruction to the terminal equipment according to the identity authentication request after the information receiving module receives the confirmation response information of the terminal equipment, and the prompt information comprises application information, authentication type and authentication item of the cloud application initiating the identity authentication request.
8. An identity authentication system is characterized by comprising a cloud server and terminal equipment, wherein,
the cloud server is used for receiving an identity authentication request initiated by a cloud application and sending an authentication instruction to the terminal equipment according to the identity authentication request, the cloud application runs on the cloud server, and the cloud application is packaged and used in a virtualized environment provided by the cloud server by adopting an application virtualization technology;
the terminal equipment is used for carrying out user identity authentication on the collected user identity information according to the authentication instruction, generating target information according to an authentication result and sending the target information to the cloud server;
the cloud server is further configured to receive the target information sent by the terminal device, process the target information to obtain the authentication result, and return the authentication result to the cloud application;
the cloud server is further configured to obtain an application identifier of the cloud application after receiving an identity authentication request initiated by the cloud application, and match the application identifier with an interface image displayed by the terminal device, if the application identifier is matched with the interface image displayed by the terminal device, send an authentication instruction to the terminal device according to the identity authentication request, and if the application identifier is not matched with the interface image displayed by the terminal device, send prompt information to the terminal device, where the application identifier is used for uniquely identifying the cloud application, the prompt information is used for prompting the cloud application to perform identity authentication, and the prompt information includes application information, authentication type and authentication item of the cloud application initiating the identity authentication request;
the terminal equipment is also used for receiving the prompt information sent by the cloud server, outputting the prompt information and sending the confirmation response information to the cloud server if the confirmation response information input by the user aiming at the prompt information is received;
the cloud server is further configured to send an authentication instruction to the terminal device according to the identity authentication request after receiving the confirmation response information of the terminal device.
9. An electronic device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, causes the processor to implement the method of any of claims 1 to 4.
10. A terminal device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to implement the method of claim 5 or 6.
CN202011551761.8A 2020-12-24 2020-12-24 Identity authentication method, device and system and electronic equipment Active CN112559993B (en)


Publications (2)

Publication Number Publication Date
CN112559993A (en) 2021-03-26
CN112559993B (en) 2024-02-02

Family

ID=75033574




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant