CN112597458B

CN112597458B - Method, device and related product for identity authentication based on trusted authentication

Info

Publication number: CN112597458B
Application number: CN202011533184.XA
Authority: CN
Inventors: 魏明; 阮安邦; 王佳帅; 陈旭明; 翟东雪
Original assignee: Beijing Octa Innovations Information Technology Co Ltd
Current assignee: Beijing Octa Innovations Information Technology Co Ltd
Priority date: 2020-12-22
Filing date: 2020-12-22
Publication date: 2023-12-01
Anticipated expiration: 2040-12-22
Also published as: CN112597458A

Abstract

The embodiment of the application provides a method, a device and related products for identity authentication based on trusted authentication. The method for identity authentication based on trusted authentication comprises the following steps: loading the encrypted object to be loaded into a loader, and generating a key certificate aiming at the object to be loaded, wherein the object to be loaded comprises user identity data; decrypting the encrypted object to be loaded read from the loader by using the key certificate of the object to be loaded to obtain a decryption result; performing trusted authentication on the decryption result, and loading the decryption result passing the trusted authentication into a protected content container; a key voucher is generated for the content container to authenticate the user identity information by authenticating the content container. Therefore, the user identity data is not easy to tamper or leak, the potential safety hazard is reduced, the safety of identity verification is ensured, and the verification process is simpler.

Description

Method, device and related product for identity authentication based on trusted authentication

Technical Field

The present application relates to the field of security analysis technologies, and in particular, to a method and apparatus for identity authentication based on trusted authentication, and related products.

Background

The applications of the internet (social, searching, electronic commerce), the mobile internet (microblog), the internet of things (sensor, smart earth), the internet of vehicles, GPS, medical images, security monitoring, finance (banking, stock market, insurance), telecommunications (conversation, short message) are mostly dependent on interaction with the APP program and the user, and the process thereof requires user registration, logging in APP during subsequent use, and authenticating user identity information.

However, in the authentication process, the user identity data is easily tampered or revealed, which causes a potential safety hazard. In addition, in the authentication process, in order to secure security, a plurality of levels of authentication are provided, thereby complicating the authentication process.

Disclosure of Invention

Based on the problems, the embodiment of the application provides a method, a device and related products for identity authentication based on trusted authentication.

The embodiment of the application discloses the following technical scheme:

in a first aspect, an embodiment of the present application provides a method for performing identity authentication based on trusted authentication, including:

loading the encrypted object to be loaded into a loader, and generating a key certificate aiming at the object to be loaded, wherein the object to be loaded comprises user identity data;

Decrypting the encrypted object to be loaded read from the loader by using the key certificate of the object to be loaded to obtain a decryption result;

performing trusted authentication on the decryption result, and loading the decryption result passing the trusted authentication into a protected content container;

a key voucher is generated for the content container to authenticate the user identity information by authenticating the content container.

Optionally, in a specific embodiment, generating the key credential for the object to be loaded includes: a key credential for the object to be loaded is generated from the platform key of the key platform, the CPU machine key, and the key assigned to the user.

Optionally, in a specific embodiment, the content container has a trusted execution environment TEE to hardware isolate the decrypted results of the trusted authentication pass.

Optionally, in a specific embodiment, the object to be loaded further includes a program code of an application program, and the application program can be started after the user identity information passes the authentication;

correspondingly, loading the encrypted object to be loaded into a loader, and generating a key credential for the object to be loaded, including: and loading the user identity data to be encrypted and the code object to be loaded of the application program into a loader, and generating a unified key credential for the user identity data to be encrypted and the code of the application program.

Optionally, in a specific embodiment, generating the key voucher for the content container to authenticate the user identity information by authenticating the content container includes: and generating a key voucher aiming at the content container, encrypting the key voucher of the content container, and storing the key voucher of the content container into a thread control structure corresponding to the content container so as to authenticate the user identity information through the content container.

In a second aspect, an embodiment of the present application provides an apparatus for performing identity authentication based on trusted authentication, including:

the loading unit is used for loading the encrypted object to be loaded into the loader and generating a key certificate aiming at the object to be loaded, wherein the object to be loaded comprises user identity data;

the reading unit is used for decrypting the encrypted object to be loaded read from the loader by utilizing the key certificate of the object to be loaded to obtain a decryption result;

the trusted unit is used for carrying out trusted authentication on the decryption result and loading the decryption result passing the trusted authentication into the protected content container;

and an authentication unit for generating a key voucher for the content container to authenticate the user identity information by authenticating the content container.

In a third aspect, an embodiment of the present application provides an electronic device, including: a memory having stored thereon computer executable instructions and a processor for executing the computer executable instructions to perform the steps of:

In a fourth aspect, embodiments of the present application provide a computer storage medium having stored thereon computer-executable instructions that, when executed, implement the method of identity authentication based on trusted authentication of the first aspect.

In the technical scheme of the embodiment of the application, the encrypted object to be loaded is loaded into a loader, and a key certificate aiming at the object to be loaded is generated, wherein the object to be loaded comprises user identity data; decrypting the encrypted object to be loaded read from the loader by using the key certificate of the object to be loaded to obtain a decryption result; performing trusted authentication on the decryption result, and loading the decryption result passing the trusted authentication into a protected content container; the key certificate aiming at the content container is generated so as to authenticate the user identity information through the content container, so that the user identity data is not easy to tamper or leak, the potential safety hazard is reduced, the safety of identity authentication is ensured, and the authentication process is simpler.

Drawings

In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the application, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.

FIG. 1 is a flow chart of a method for identity authentication based on trusted authentication in a first embodiment of the application;

FIG. 2 is a schematic diagram of an apparatus for identity authentication based on trusted authentication in a second embodiment of the present application;

fig. 3 is a schematic structural diagram of an electronic device according to a third embodiment of the present application;

FIG. 4 is a schematic diagram of a computer storage medium according to a fourth embodiment of the present application;

fig. 5 is a schematic diagram of a hardware structure of an electronic device in a fifth embodiment of the present application.

Detailed Description

It is not necessary for any of the embodiments of the application to be practiced with all of the advantages described above.

In order to make the present application better understood by those skilled in the art, the following description will clearly and completely describe the technical solutions in the embodiments of the present application with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

Example 1

Referring to fig. 1, an embodiment of the present application provides a method for identity authentication based on trusted authentication, including:

S101: loading the encrypted object to be loaded into a loader, and generating a key certificate aiming at the object to be loaded, wherein the object to be loaded comprises user identity data;

specifically, the encryption processing performed on the object to be loaded may be a hash processing, the hash processing may be performing encryption processing on the object to be loaded through a hash function (hash function), and the corresponding encrypted object to be loaded may be a binary sequence. The user identity data may include the user's ID, date of birth, address, phone number, mailbox, etc., although this is merely illustrative and not representative of the application.

Alternatively, in one particular embodiment, the encrypted object to be loaded may be loaded into the loader in a mirrored fashion.

Specifically, the encrypted object to be loaded may be loaded into the loader by invoking a CPU instruction.

Specifically, the key certificate can be generated by using a random function, an elliptic algorithm, RSA, elGamal, a knapsack algorithm, rabin (special case of RSA), a public key encryption algorithm in diffie-hellman key exchange protocol, an elliptic curve encryption algorithm (Elliptic Curve Cryptography, ECC), and the like, so that the uniqueness of the generated key certificate can be ensured, thereby ensuring the security of identity authentication.

In addition, the platform keys, CPU machine keys, and keys assigned to users of the key platform may be generated according to different random functions, as the application is not limited in this regard. The platform key of the key platform, the CPU machine key, and the key assigned to the user are hashed to obtain a key credential, which may be a character credential to facilitate identification.

In detail, the legitimacy of the code and the data can be specified, and the code and the user identity authentication data are loaded into the loader to protect the loader from being attacked by malicious software, so that the privileged or non-privileged software cannot be accessed, that is, once the code and the data are located in the loader, even an operating system or a VMM (Hypervisor) cannot influence the code and the data in the loader. Therefore, the safety of the codes and the user identity authentication data can be ensured, and the safety and the reliability of the identity authentication process are ensured.

S102: decrypting the encrypted object to be loaded read from the loader by using the key certificate of the object to be loaded to obtain a decryption result;

specifically, decryption may be performed in accordance with a decryption algorithm corresponding to an algorithm used at the time of encryption.

S103: performing trusted authentication on the decryption result, and loading the decryption result passing the trusted authentication into a protected content container;

in detail, the trusted authentication can be that on unmodified Hadoop, a Map function and a reduce function written by a user are utilized to realize fast trusted authentication on a decryption result. The decryption result is mapped into a group of key value pairs through Map function, and each of the mapped key value pairs is ensured to share the same key group through Reduce function, thereby completing quick trusted authentication.

In addition, the trusted token can be issued after the trusted authentication is passed, the decrypted result passing the trusted authentication is screened out by judging whether the decrypted result is issued with the signalable card, and the decrypted result passing the trusted authentication is loaded into the protected content container.

Specifically, the content container may be a parallel content container, and multiple different user identity information may be authenticated by the parallel content container at the same time, so that the efficiency of identity authentication is improved. Since TEE (Trusted Execution Environment), the trusted execution environment is a running environment that coexist with the Rich OS (typically Android, etc.) on the device, and provides security services to the Rich OS. It has its own execution space, which is higher than the security level of the Rich OS. The trusted execution environment TEE is used for carrying out hardware isolation on the decryption result passing the trusted authentication, so that the security of the decryption result can be ensured, and the security and the reliability of the identity authentication process are ensured.

S104: a key voucher is generated for the content container to authenticate the user identity information by authenticating the content container.

In detail, the key certificates for the content container may be used as a random function, an elliptic algorithm, RSA, elGamal, a knapsack algorithm, rabin (a special case of RSA), a public key encryption algorithm in diffie-hellman key exchange protocol, an elliptic curve encryption algorithm (Elliptic Curve Cryptography, ECC), etc., so that the uniqueness of the generated key certificates may be ensured, thereby ensuring the security of identity authentication. In addition, the encryption processing of the key certificate of the content container may specifically be hash processing of the key certificate of the content container, which is not limited in the present application.

Optionally, in a specific embodiment, the encryption of the key certificate of the content container is stored in the thread control structure corresponding to the content container, which includes: and taking the key certificate of the content container as the mark of the content container, encrypting the mark of the content container, and storing the encrypted mark of the content container into a thread control structure corresponding to the content container.

In this way, confidentiality and integrity of the key certificate can be ensured.

Optionally, in one specific embodiment, the content container is disposed in a protected physical memory area of the system memory and locks the protected physical memory area such that the decryption result is stored in the protected physical memory area and is not accessible to requests outside the content container.

Specifically, the external access request can be regarded as referring to the non-existing memory, so that the external entity (direct memory access, image engine, etc.) cannot access, only the access of the data is realized in the content container, and the security of the identity authentication process is ensured.

Optionally, in a specific embodiment, the protected physical memory area is managed in units of pages, and a virtual address and a physical address are allocated to each page; one page corresponds to a container page cache table entry, and the container page cache table entry comprises an address mapping relation of an access page. Thus, a dual protection mechanism is provided: the page protection mechanism and the address mapping protection mechanism further enhance the security of data access, and ensure that the data used in identity authentication is as reliable as possible and is not tampered or illegal.

Optionally, in a specific embodiment, the address mapping relationship of the access page is determined by the configured page miss processing module querying the container page cache entry to map the request to access the virtual address to the access physical address based on the address mapping relationship. Therefore, when the data is accessed, the speculative and out-of-order emission of the read-memory operation and the access operation is allowed, and the correct data is ensured when the read-memory operation and the access operation are retired, so that the speed and the accuracy of the data access are ensured.

In addition, the virtual address and the physical address are limited in the effective range, so that the decryption result is effectively put in a separate area, and the correctness of the address is checked for the read-write access of the data in the area, and the decryption result can be really accessed only through the check.

Example two

Referring to fig. 2, an embodiment of the present application provides an apparatus 20 for identity authentication based on trusted authentication, including:

a loading unit 201, configured to load an encrypted object to be loaded into a loader, and generate a key credential for the object to be loaded, where the object to be loaded includes user identity data;

Specifically, the secret key certificate can be generated by using a random function, an elliptic algorithm, RSA, elGamal, a knapsack algorithm, rabin (special case of RSA), a public key encryption algorithm in diffie-hellman key exchange protocol, an elliptic curve encryption algorithm (Elliptic Curve Cryptography, ECC) and the like, so that the uniqueness of the generated secret key certificate can be ensured, and the security of identity authentication is ensured.

A reading unit 202, configured to decrypt the encrypted object to be loaded read from the loader by using the key credential of the object to be loaded to obtain a decryption result;

A trusted unit 203, configured to perform trusted authentication on the decryption result, and load the decryption result that passes the trusted authentication into a protected content container;

Specifically, the content container may be a parallel content container, and multiple different user identity information may be authenticated by the parallel content container at the same time, so that the efficiency of identity authentication is improved. The TEE (Trusted Execution Environment), which is a trusted execution environment, is an execution environment that coexist with a Rich OS (typically Android, etc.) on a device, and provides security services to the Rich OS. It has its own execution space, which is higher than the security level of the Rich OS. The trusted execution environment TEE is used for carrying out hardware isolation on the decryption result passing the trusted authentication, so that the security of the decryption result can be ensured, and the security and the reliability of the identity authentication process are ensured.

An authentication unit 204 for generating a key voucher for the content container to authenticate the user identity information by authenticating the content container.

Optionally, in a specific embodiment, the protected physical memory area is managed in units of pages, and a virtual address and a physical address are allocated to each page; one page corresponds to a container page cache table entry, and the container page cache table entry comprises an address mapping relation of an access page.

Thus, a dual protection mechanism is provided: the page protection mechanism and the address mapping protection mechanism further enhance the security of data access, and ensure that the data used in identity authentication is as reliable as possible and is not tampered or illegal.

Optionally, in a specific embodiment, the address mapping relationship of the access page is determined by the configured page miss processing module querying the container page cache entry to map the request to access the virtual address to the access physical address based on the address mapping relationship.

Therefore, when the data is accessed, the speculative and out-of-order emission of the read-memory operation and the access operation is allowed, and the correct data is ensured when the read-memory operation and the access operation are retired, so that the speed and the accuracy of the data access are ensured.

Example III

Referring to fig. 3, an embodiment of the present application provides an electronic device 30, including: a memory 301 having stored thereon computer executable instructions and a processor 302 for executing the computer executable instructions to perform the steps of:

The following is a detailed description:

in detail, the trusted authentication can be that on unmodified Hadoop, the user-written Map and Reduce code are utilized to realize the fast trusted authentication of the decryption result. In particular, hadoop is a distributed system infrastructure developed by the Apache foundation, which is a software framework that enables distributed processing of large amounts of data. The method has the characteristics of high reliability, high expansibility, high efficiency, high fault tolerance, low cost and the like. User-written Map and Reduce code can be a programming model based on MapReduce, mapReduce for parallel operations on large-scale data sets (greater than 1 TB). The concepts Map and Reduce are their main ideas, both from functional programming languages and from vector programming languages. The method greatly facilitates programmers to run own programs on the distributed system under the condition of not carrying out distributed parallel programming. Current software implementations specify a Map function to Map a set of key-value pairs to a new set of key-value pairs, and a concurrent Reduce function to ensure that each of all mapped key-value pairs share the same key-set.

Example IV

Referring to fig. 4, an embodiment of the present application provides a computer storage medium, on which computer executable instructions are stored, and when the computer executable instructions are executed, the method for performing identity authentication based on trusted authentication according to the embodiment includes the following specific steps:

The following is a detailed description:

The embodiment of the application provides a method, a device and related products for identity authentication based on trusted authentication, which are characterized in that an encrypted object to be loaded is loaded into a loader, a key credential aiming at the object to be loaded is generated, and the object to be loaded comprises user identity data; decrypting the encrypted object to be loaded read from the loader by using the key certificate of the object to be loaded to obtain a decryption result; performing trusted authentication on the decryption result, and loading the decryption result passing the trusted authentication into a protected content container; a key voucher is generated for the content container to authenticate the user identity information by authenticating the content container. Therefore, the user identity data is not easy to tamper or leak, the potential safety hazard is reduced, the safety of identity verification is ensured, and the verification process is simpler.

Referring to fig. 5, fig. 5 is a schematic diagram of a hardware structure of an electronic device according to a fifth embodiment of the present application; as shown in fig. 5, the hardware structure of the electronic device may include: a processor 501, a communication interface 502, a computer readable medium 503 and a communication bus 504;

wherein the processor 501, the communication interface 502, and the computer readable medium 503 perform communication with each other via a communication bus 504;

alternatively, the communication interface 502 may be an interface of a communication module, such as an interface of a GSM module;

wherein the processor 501 may be specifically configured to run an executable program stored on a memory, thereby performing all or part of the processing steps of any of the method embodiments described above.

The processor 501 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

The electronic device of the embodiments of the present application exists in a variety of forms including, but not limited to:

(1) Mobile communication devices-such devices are characterized by mobile communication capabilities and are primarily targeted to provide voice, sample data communications. Such terminals include smart phones (e.g., iPhone), multimedia phones, functional phones, and low-end phones, among others.

(2) Ultra mobile personal computer equipment, which belongs to the category of personal computers, has the functions of calculation and processing and generally has the characteristic of mobile internet surfing. Such terminals include PDA, MID and UMPC devices, etc., such as iPad.

(3) Portable entertainment devices such devices can display and play multimedia content. Such devices include audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys and portable car navigation devices.

(4) The server, which is a device for providing computing services, is composed of a processor 710, a hard disk, a memory, a system bus, etc., and is similar to a general computer architecture, but is required to provide highly reliable services, and thus has high requirements in terms of processing power, stability, reliability, security, scalability, manageability, etc.

(5) Other electronic devices with sample data interaction function.

It should be noted that, in the present specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment is mainly described in a different point from other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, with reference to the description of the method embodiments in part. The above-described embodiments of the apparatus and system are merely illustrative, in which the modules illustrated as separate components may or may not be physically separate, and the components illustrated as modules may or may not be physical, i.e., may be located in one place, or may be distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present application without undue burden.

The foregoing is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the technical scope of the present application should be included in the scope of the present application. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.

Claims

1. A method for identity authentication based on trusted authentication, comprising:

loading an encrypted object to be loaded into a loader, and generating a key certificate aiming at the object to be loaded, wherein the object to be loaded comprises user identity data;

generating a key certificate aiming at the content container, taking the key certificate of the content container as a mark of the content container, encrypting the mark of the content container, and storing the mark of the content container into a thread control structure corresponding to the content container so as to authenticate the user identity information through the content container;

the content container is arranged in a protected physical memory area of the system memory and locks the protected physical memory area so that a decryption result is stored in the protected physical memory area and cannot be accessed by a request outside the content container; the protected physical memory area is managed by taking pages as units, and a virtual address and a physical address are allocated for each page; one page corresponds to a container page cache table entry, and the container page cache table entry comprises an address mapping relation of an access page so as to provide a double protection mechanism: the page protection mechanism and the address mapping protection mechanism further enhance the security of data access, and ensure that the data used in identity authentication is as reliable as possible and is not tampered or illegal.

2. The method of authenticating identity based on trusted authentication of claim 1, wherein the generating key credentials for the object to be loaded comprises: and generating a key credential for the object to be loaded according to the platform key of the key platform, the CPU machine key and the key distributed to the user.

3. The method of authenticating identity based on trusted authentication of claim 1, wherein the content container has a trusted execution environment TEE to hardware isolate decryption results of trusted authentication passing.

4. The method for identity authentication based on trusted authentication of claim 1, wherein the object to be loaded further comprises program code of an application program, the application program being bootable after the user identity information authentication is passed; correspondingly, the loading the encrypted object to be loaded into the loader and generating the key certificate for the object to be loaded comprises the following steps: and loading the user identity data to be encrypted and the code object to be loaded of the application program into a loader, and generating a unified key credential for the user identity data to be encrypted and the code of the application program.

5. An apparatus for identity authentication based on trusted authentication, comprising:

the trusted unit is used for carrying out trusted authentication on the decryption result and loading the decryption result passing the trusted authentication into a protected content container;

the authentication unit is used for generating a key certificate aiming at the content container, taking the key certificate of the content container as a mark of the content container, encrypting the mark of the content container and storing the mark into a thread control structure corresponding to the content container so as to authenticate the user identity information through the content container;

6. The apparatus for authenticating an identity based on trusted authentication of claim 5, wherein the generating key credentials for the object to be loaded comprises: and generating a key credential for the object to be loaded according to the platform key of the key platform, the CPU machine key and the key distributed to the user.

7. The apparatus for authenticating identity based on trusted authentication of claim 5, wherein the content container has a trusted execution environment TEE to hardware isolate decryption results of trusted authentication passing.

8. An electronic device, comprising: a memory having stored thereon computer executable instructions for executing the computer executable instructions to perform the steps of:

9. A computer storage medium having stored thereon computer executable instructions which when executed perform the method of authenticating identity based on trusted authentication of any one of claims 1 to 4.