CN113055182A - Authentication method and system, terminal, server, computer system, and medium - Google Patents

Authentication method and system, terminal, server, computer system, and medium

Info

Publication number
CN113055182A
Authority
CN
China
Prior art keywords
authentication
trusted
sdk
component
data
Prior art date
Legal status
Granted
Application number
CN202110278229.1A
Other languages
Chinese (zh)
Other versions
CN113055182B (en)
Inventor
戎修凯
宿兵畅
任李哲
赵婧
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110278229.1A
Publication of CN113055182A
Application granted
Publication of CN113055182B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
      • H04: ELECTRIC COMMUNICATION TECHNIQUE
        • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3226: using a predetermined code, e.g. password, passphrase or PIN
              • H04L9/3247: involving digital signatures
          • H04L63/00: Network architectures or network communication protocols for network security
            • H04L63/04: for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/08: for authentication of entities
              • H04L63/083: using passwords
          • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00)
            • H04L2209/56: Financial cryptography, e.g. electronic payment or e-cash

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an authentication method. When a terminal receives an authentication request, it calls an authentication SDK to obtain authentication data from a trusted authentication component and sends the authentication request, carrying the authentication data, to an authentication server. The authentication server receives the request from the authentication SDK, verifies whether the authentication data is consistent with the specified authentication data, and returns an authentication result to the authentication SDK. The terminal then calls the authentication SDK to receive the authentication result and passes it to a first application program. Because the trusted authentication component is installed on the terminal and the authentication SDK is integrated into the first application program, the user can initiate an authentication process from within the first application program without waking up the application program that corresponds to the authentication server, that is, without authenticating through that application program. The present disclosure also provides an authentication system, a terminal, a server, a computer system and a medium.

Description

Authentication method and system, terminal, server, computer system, and medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an authentication method and system, a terminal, a server, a computer system, and a medium.
Background
Currently, a bank's security authentication services (such as the U-shield USB key, the password token and the like) can only be used inside that bank's mobile banking application. When a third party wants to use the bank's security authentication service, the mobile banking application must be started through the bank's SDK, and security authentication is then carried out inside the mobile banking application.
This strong dependence of the security authentication service on the mobile banking application makes the security authentication steps complex and slow, and the user experience poor.
Disclosure of Invention
A first aspect of the present disclosure provides an authentication method applied to a terminal, in which a first application and a trusted authentication component are installed, the method including:
receiving an authentication SDK issued by an authentication server to the first application program;
in the running process of the first application program, when an authentication request is received, the authentication SDK is called to acquire authentication data from the trusted authentication component;
calling the authentication SDK to send the authentication request carrying the authentication data to the authentication server;
and calling the authentication SDK to receive an authentication result returned by the authentication server and sending the authentication result to the first application program.
In an optional embodiment, the trusted authentication component has a unique serial number, the trusted authentication component runs in a trusted execution environment, and a hardware device providing the trusted execution environment has a unique identification.
In an optional embodiment, the authentication request carries user information, and invoking the authentication SDK to obtain authentication data from the trusted authentication component includes:
calling the authentication SDK, and analyzing the authentication request to obtain the user information;
calling the authentication SDK to acquire the serial number of the trusted authentication component and the unique identifier of the hardware equipment;
calling the authentication SDK, and sending an authentication parameter acquisition request to the authentication server, wherein the authentication parameter acquisition request carries the serial number of the trusted authentication component and the unique identifier of the hardware equipment;
calling the authentication SDK, and receiving an authentication identifier and a key generation factor returned by the authentication server based on the serial number of the trusted authentication component and the unique identifier of the hardware equipment;
calling the authentication SDK, and sending a user authentication request to the trusted authentication component, wherein the user authentication request carries the user information and the key generation factor;
and calling the authentication SDK, and receiving encrypted data and signature data returned by the trusted authentication component based on the user information and the key generation factor.
In an optional embodiment, the authentication data comprises a serial number of the trusted authentication component, a unique identifier of the hardware device, the authentication identifier, the encryption data, and the signature data.
In an optional embodiment, before the authentication SDK receives the encrypted data and the signature data returned by the trusted authentication component based on the user information and the key generation factor, the method includes:
calling the trusted authentication component, and generating an encryption key according to the key generation factor;
calling the trusted authentication component, and encrypting the user information by using the encryption key to obtain the encrypted data;
calling the trusted authentication component to obtain a specified private key, and signing the user information with the private key to obtain the signature data;
and calling the trusted authentication component, and sending the encrypted data and the signature data to the authentication SDK.
In an optional embodiment, before the authentication SDK receives the authentication identifier and the key generation factor returned by the authentication server based on the serial number of the trusted authentication component and the unique identifier of the hardware device, the method includes:
when the authentication SDK receives prompt information returned by the authentication server indicating that the user information and/or the unique identifier of the hardware device is illegal, calling the authentication SDK to return the corresponding prompt information to the first application program.
In an optional embodiment, before the invoking the trusted authentication component and generating the encryption key according to the key generation factor, the method further includes:
calling the trusted authentication component, and receiving an authentication password input by the user;
calling the trusted authentication component to verify whether the authentication password is an authentication password pre-stored in the trusted authentication component by the user;
and if so, executing the operation of calling the trusted authentication component and generating an encryption key according to the key generation factor.
In an optional embodiment, after the first application receives the authentication result, the authentication identifier and the key generation factor are destroyed.
In an optional embodiment, the authentication SDK communicates with the trusted authentication component through authentication middleware.
A second aspect of the present disclosure provides an authentication method applied to an authentication server, the method including:
issuing an authentication SDK to a first application program;
receiving an authentication request carrying authentication data sent by the authentication SDK;
verifying whether the authentication data is consistent with the specified authentication data, if so, determining that the authentication result is authentication passing, and if not, determining that the authentication result is authentication failure;
and returning the authentication result to the authentication SDK.
In an optional embodiment, the authentication data includes a serial number of the trusted authentication component, a unique identifier of the hardware device, an authentication identifier, encrypted data, and signature data;
wherein the trusted authentication component operates in a trusted execution environment, the hardware device providing the trusted execution environment for the trusted authentication component.
In an optional embodiment, the authentication server stores a mapping relationship between an authentication identifier, a key generation factor, a public key, user information, a serial number of a trusted authentication component, and a unique identifier of a hardware device.
In an optional embodiment, before receiving the authentication request carrying the authentication data sent by the authentication SDK, the method includes:
receiving an authentication parameter acquisition request sent by the authentication SDK, wherein the authentication parameter acquisition request carries user information, a serial number of a trusted authentication component and a unique identifier of hardware equipment;
judging whether the unique identifier of the hardware equipment, the serial number of the trusted authentication component and the user information are legal or not;
if any one of the unique identifier of the hardware equipment, the serial number of the trusted authentication component and the user information is illegal, returning corresponding prompt information to the authentication SDK;
if the unique identifier of the hardware equipment, the serial number of the trusted authentication component and the user information are legal, generating an authentication identifier and a key generation factor;
and sending the authentication identification and the key generation factor to the authentication SDK.
In an optional embodiment, said verifying whether said authentication data is consistent with specified authentication data comprises:
in the mapping relation, a key generation factor, a public key, user information, a serial number of a trusted authentication component and a unique identifier of hardware equipment corresponding to an authentication identifier in the authentication data are searched;
generating a decryption key using the key generation factor;
decrypting the encrypted data by using the decryption key to obtain the user information;
comparing the retrieved user information with the user information in the authentication data (that is, the decrypted user information), comparing the retrieved serial number of the trusted authentication component with the serial number of the trusted authentication component in the authentication data, comparing the retrieved unique identifier of the hardware device with the unique identifier of the hardware device in the authentication data, and verifying the signature data in the authentication data sent by the authentication SDK with the retrieved public key;
if the comparison is consistent and the verification is successful, the authentication result is that the authentication is passed;
and if the comparison is inconsistent or the verification is unsuccessful, the authentication result is authentication failure.
A third aspect of the present disclosure provides a terminal, in which a first application and a trusted authentication component are installed, the terminal including:
the receiving module is used for receiving an authentication SDK issued by an authentication server to the first application program;
the authentication SDK is used for acquiring authentication data from the trusted authentication component when an authentication request is received in the running process of the first application program;
the authentication SDK is used for sending the authentication request carrying the authentication data to the authentication server;
the authentication SDK is used for receiving an authentication result returned by the authentication server;
and the authentication SDK is used for sending the authentication result to the first application program.
A fourth aspect of the present disclosure provides a server comprising:
the issuing module is used for issuing the authentication SDK to the first application program;
the receiving module is used for receiving an authentication request which is sent by the authentication SDK and carries authentication data;
the verification module is used for verifying whether the authentication data is consistent with the specified authentication data, if so, the authentication result is authentication passing, and if not, the authentication result is authentication failure;
and the return module is used for returning the authentication result to the authentication SDK.
A fifth aspect of the present disclosure provides a computer system comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor when executing the computer program being adapted to implement the method according to the first or second aspect.
A sixth aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method of the first or second aspect above when executed.
A seventh aspect of the present disclosure provides an authentication system comprising a terminal that can implement the method according to the first aspect, and an authentication server that can implement the method according to the second aspect.
According to the embodiments of the disclosure, the authentication server issues the authentication SDK to the first application program, and the terminal receives it. While the first application program is running and an authentication request is received, the terminal calls the authentication SDK to obtain authentication data from the trusted authentication component and to send the authentication request, carrying that data, to the authentication server. The authentication server verifies whether the authentication data is consistent with the specified authentication data; if so, the authentication result is authentication passed, otherwise it is authentication failed. The server returns the result to the authentication SDK, and the terminal calls the SDK to receive it and pass it to the first application program. Because the trusted authentication component is installed on the terminal and the authentication SDK is integrated into the first application program, the user initiates the authentication process from the SDK inside the first application program, the trusted authentication component verifies the password entered by the user and only then generates the authentication data, and the authentication data is finally verified by the bank back end, all without waking up the application program that corresponds to the authentication server, that is, without authenticating through that application program.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which an authentication method may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically shows a flow diagram of an authentication method according to an embodiment of the present disclosure;
FIG. 3 schematically shows a flow chart of an authentication method according to an embodiment of the present disclosure;
FIG. 4 schematically shows a flow chart of an authentication method according to an embodiment of the present disclosure;
FIG. 5 schematically shows a flow chart of an authentication method according to an embodiment of the present disclosure;
FIG. 6 schematically shows a flow chart of an authentication method according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow chart of an authentication data validation method according to an embodiment of the present disclosure;
fig. 8 schematically shows a block diagram of a terminal according to an embodiment of the present disclosure;
fig. 9 schematically shows a block diagram of an authentication server according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method, according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Fig. 1 schematically illustrates an exemplary system architecture 100 to which an authentication method may be applied, according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include a terminal device 101, a network 102, and a server/server cluster 103. Network 102 serves as a medium for providing communication links between terminal devices 101 and server/server clusters 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
Various client applications and corresponding components may be installed on the terminal device 101, for example, when the client application is a shopping APP, a takeaway APP, or the like, a trusted authentication component (for example only) may be installed, and a corresponding authentication SDK may be installed in the client application. The authentication SDK installed by the client application in the terminal device 101 interacts with the trusted authentication component and the server/server cluster 103 to send various requests to the server/server cluster 103 or receive results returned by the server/server cluster 103.
Terminal device 101 may be a variety of electronic devices including, but not limited to, a smart phone, a tablet computer, a laptop portable computer, a desktop computer, and the like.
Server/server cluster 103 is a background management server or server cluster (for example only) that may provide various service support. The backend management server may analyze and otherwise process data such as the received user request, and feed back a processing result (e.g., authentication result data obtained from the user authentication request, etc.) to the terminal device.
It should be understood that the number of end devices, networks, and server/server clusters in fig. 1 is illustrative only. There may be any number of end devices, networks, and server/server clusters, as desired.
Fig. 2 schematically shows a flowchart of an authentication method according to an embodiment of the present disclosure, which may be applied to a terminal in which a first application and a trusted authentication component are installed.
As shown in fig. 2, the authentication method may include operations S210 to S240.
In operation S210, an authentication SDK issued by the authentication server to the first application is received.
In operation S220, in the running process of the first application program, when the authentication request is received, the authentication SDK is invoked to obtain authentication data from the trusted authentication component.
In operation S230, the authentication SDK is called to send an authentication request carrying authentication data to the authentication server.
In operation S240, the calling authentication SDK receives the authentication result returned by the authentication server and sends the authentication result to the first application.
In the present disclosure, the authentication service is exposed to third parties through the authentication SDK. Only third-party applications that have a cooperation agreement with the operator of the authentication server may use the authentication SDK. In this disclosure such a third-party application is referred to as the first application.
In the present disclosure, the trusted authentication component has a unique serial number, the trusted authentication component runs in a trusted execution environment, and the hardware device that provides the trusted execution environment has a unique identifier. A Trusted Execution Environment (TEE) is an isolated environment on the terminal that provides security services to the Rich OS, i.e. the general-purpose operating system running on the same device.
In the disclosure, the trusted authentication component differs between terminals of different brands and models; a terminal can use the service only after the trusted authentication component corresponding to that terminal has been downloaded and installed.
Fig. 3 schematically shows a flowchart of an authentication method according to an embodiment of the present disclosure, which may be applied to a terminal in which a first application and a trusted authentication component are installed.
As shown in fig. 3, operation S220 includes:
in operation S310, invoking an authentication SDK, and analyzing the authentication request to obtain user information;
in operation S320, invoking an authentication SDK to obtain a serial number of the trusted authentication component and a unique identifier of the hardware device;
in operation S330, invoking an authentication SDK, and sending an authentication parameter acquisition request to an authentication server, where the authentication parameter acquisition request carries a serial number of a trusted authentication component and a unique identifier of a hardware device;
in operation S340, invoking an authentication SDK, and receiving an authentication identifier and a key generation factor returned by the authentication server based on the serial number of the trusted authentication component and the unique identifier of the hardware device;
in operation S350, invoking an authentication SDK, and sending a user verification request to the trusted authentication component, where the user verification request carries user information and a key generation factor;
in operation S360, the authentication SDK is invoked, and encrypted data and signature data returned by the trusted authentication component based on the user information and the key generation factor are received.
In the present disclosure, the authentication data includes the serial number of the trusted authentication component, the unique identifier of the hardware device, the authentication identifier, the encrypted data and the signature data. The key generation factor and the authentication identifier are one-time values and may be used only once; after receiving the authentication result, the first application program destroys them. The authentication identifier uniquely identifies a single authentication attempt initiated by the user.
Fig. 4 schematically shows a flow chart of an authentication method according to an embodiment of the present disclosure.
The authentication method may include operations S210 to S240, S310 to S340, and operations S410 to S440, where operations S210 to S240 are the same as or similar to the operations described in fig. 2, and operations S310 to S340 are the same as or similar to the operations described in fig. 3, and are not repeated here.
In operation S410, the trusted authentication component is invoked to generate an encryption key according to the key generation factor.
In operation S420, the trusted authentication component is called, and the user information is encrypted by using the encryption key to obtain encrypted data.
In operation S430, the trusted authentication component is called to obtain the specified private key, and the private key is used to sign the user information, so as to obtain signature data.
In operation S440, the trusted authentication component is invoked to send the encrypted data and the signature data to the authentication SDK.
In this disclosure, the designated private key may be a private key of the user, and after the user sets the authentication password through the trusted authentication component, the trusted authentication component may generate a public key and a private key that are specific to the user, and the public key and the private key are stored in the trusted authentication component.
In one embodiment of the present disclosure, before operation S410, when the authentication SDK receives prompt information from the authentication server indicating that the user information and/or the unique identifier of the hardware device is not legal, the authentication SDK returns corresponding prompt information to the first application program.
In one embodiment of the present disclosure, before operation S410, a trusted authentication component is invoked, and an authentication password input by a user is received; calling the trusted authentication component to verify whether the authentication password is an authentication password pre-stored in the trusted authentication component by the user; if so, operation S410 is performed.
In the disclosure, the authentication password set by the user is stored in the trusted authentication component. When verification is performed, the authentication password input by the user is obtained and compared with the authentication password set by the user and stored in the trusted authentication component. If the two are consistent, verification passes; if they are inconsistent, verification fails, the trusted authentication component returns prompt information of identity verification failure to the authentication SDK, and the authentication SDK returns the identity verification prompt information.
In one embodiment of the present disclosure, the authentication SDK communicates with the trusted authentication component through authentication middleware. The communication data between the authentication middleware and the authentication SDK, and between the authentication middleware and the trusted authentication component, is encrypted with a specific algorithm to ensure data security. For example, the authentication SDK sends an authentication request to the authentication middleware, which forwards the authentication request to the trusted authentication component. For another example, the trusted authentication component sends its serial number and the unique identifier of the hardware device to the authentication middleware, which forwards them to the authentication SDK. For another example, the authentication SDK sends a user verification request carrying the user information and the key generation factor to the authentication middleware, which forwards the user verification request to the trusted authentication component; the trusted authentication component then sends the encrypted data and the signature data to the authentication middleware, which forwards them to the authentication SDK.
Fig. 5 schematically shows a flowchart of an authentication method according to an embodiment of the present disclosure, which may be applied to an authentication server.
As shown in fig. 5, the authentication method may include operations S510 to S540.
In operation S510, an authentication SDK is issued to the first application.
In operation S520, an authentication request carrying authentication data sent by the authentication SDK is received.
In operation S530, it is verified whether the authentication data is consistent with the designated authentication data, and if so, the authentication result is authentication pass, and if not, the authentication result is authentication failure.
In operation S540, the authentication result is returned to the authentication SDK.
In the present disclosure, the authentication data includes a serial number of the trusted authentication component, a unique identifier of the hardware device, an authentication identifier, encrypted data, and signature data;
the trusted authentication component runs in a trusted execution environment, and the hardware device provides the trusted execution environment for the trusted authentication component.
In the present disclosure, the authentication server stores a mapping relationship between an authentication identifier, a key generation factor, a public key, user information, a serial number of a trusted authentication component, and a unique identifier of a hardware device.
Fig. 6 schematically shows a flowchart of an authentication method according to an embodiment of the present disclosure, which may be applied to an authentication server.
The authentication method may include operations S510 to S540 and operations S610 to S640, where operations S510 to S540 are the same as or similar to the operations described in fig. 5 and are not described herein again.
In operation S610, an authentication parameter acquisition request sent by an authentication SDK is received, where the authentication parameter acquisition request carries user information, a serial number of a trusted authentication component, and a unique identifier of a hardware device;
in operation S620, it is determined whether the unique identifier of the hardware device, the serial number of the trusted authentication component, and the user information are all valid;
in operation S630, if any one of the unique identifier of the hardware device, the serial number of the trusted authentication component, and the user information is illegal, returning corresponding prompt information to the authentication SDK;
in operation S640, if the unique identifier of the hardware device, the serial number of the trusted authentication component, and the user information are all valid, an authentication identifier and a key generation factor are generated, and the authentication identifier and the key generation factor are sent to the authentication SDK.
Fig. 7 schematically shows a flowchart of an authentication data verification method according to an embodiment of the present disclosure, which may be applied to an authentication server.
As shown in fig. 7, the authentication data verification method may include operations S710 to S740.
In operation S710, in the mapping relationship, a key generation factor, a public key, user information, a serial number of a trusted authentication component, and a unique identifier of a hardware device corresponding to an authentication identifier in the authentication data are searched;
generating a decryption key using the key generation factor in operation S720;
decrypting the encrypted data using the decryption key to obtain user information in operation S730;
in operation S740, comparing the found user information with the user information in the authentication data, comparing the found serial number of the trusted authentication component with the serial number of the trusted authentication component in the authentication data, comparing the found unique identifier of the hardware device with the unique identifier of the hardware device in the authentication data, and verifying signature data in the authentication data sent by the authentication SDK using the found public key;
if the comparison is consistent and the verification is successful, the authentication result is that the authentication is passed;
and if the comparison is inconsistent or the verification is unsuccessful, the authentication result is authentication failure.
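The following simulation is an added example, not code from the patent or from its assignee, that runs the whole exchange described in figs. 3, 4, 6 and 7 in one process: the SDK parses the request and fetches one-time parameters (S310 to S340), the server validates the device and user and issues the authentication identifier and key generation factor (S610 to S640), the trusted authentication component checks the password, derives the encryption key, encrypts and signs the user information (S410 to S440), and the server looks up the mapping by authentication identifier, decrypts, compares and verifies (S710 to S740). Because the patent names no concrete algorithms, the example assumes stand-ins, all built from the Python standard library so it runs offline: HMAC-SHA256 as the key derivation function, an HMAC-SHA256 keystream in counter mode as the symmetric cipher, an HMAC tag as the user's signature (with the verification key registered in place of the public key), a hashed password inside the component, and an `enroll` step that fills the server's records before the first authentication. The class and method names, the sample serial number, device identifier and user information are all constructed for the example.

```python
import hashlib
import hmac
import secrets


def derive_key(factor: bytes, label: bytes) -> bytes:
    """Derive the encryption/decryption key from the one-time key generation factor (S410, S720).
    Assumption: the patent names no KDF; HMAC-SHA256 over a fixed label stands in for it."""
    return hmac.new(factor, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 keystream in counter mode XORed with the data.
    The operation is symmetric, so the same call encrypts (S420) and decrypts (S730)."""
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class TrustedAuthComponent:
    """Component running in the TEE: holds the user's password and signing key (Fig. 4)."""

    def __init__(self, serial: str, device_id: str, password: str):
        self.serial = serial        # unique serial number of the trusted authentication component
        self.device_id = device_id  # unique identifier of the hardware device providing the TEE
        self._password_hash = hashlib.sha256(password.encode()).digest()  # assumption: hashed, not plaintext
        # Stand-in for the user-specific private key generated when the password is set;
        # its verification key is registered with the server in place of the public key.
        self._signing_key = secrets.token_bytes(32)

    def verification_key(self) -> bytes:
        return self._signing_key

    def user_verification(self, user_info: str, factor: bytes, password: str):
        """Check the password first; on success return (encrypted data, signature data)."""
        given = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(given, self._password_hash):
            raise PermissionError("identity verification failed")
        encrypted = keystream_xor(derive_key(factor, b"enc"), user_info.encode())              # S410-S420
        signature = hmac.new(self._signing_key, user_info.encode(), hashlib.sha256).digest()  # S430
        return encrypted, signature                                                           # S440


class AuthServer:
    """Issues one-time authentication parameters (Fig. 6) and verifies authentication data (Fig. 7)."""

    def __init__(self):
        self.registered = {}  # (serial, device_id) -> (user_info, verification key), filled at enrollment
        self.mapping = {}     # auth_id -> {factor, key, user_info, serial, device_id}

    def enroll(self, serial: str, device_id: str, user_info: str, key: bytes) -> None:
        self.registered[(serial, device_id)] = (user_info, key)

    def get_auth_params(self, user_info: str, serial: str, device_id: str) -> dict:
        """S610-S640: validate the triple, then issue a fresh authentication identifier and factor."""
        reg = self.registered.get((serial, device_id))
        if reg is None or reg[0] != user_info:
            return {"error": "user information or device identifier is not legal"}  # S630
        auth_id, factor = secrets.token_hex(16), secrets.token_bytes(32)
        self.mapping[auth_id] = {"factor": factor, "key": reg[1], "user_info": user_info,
                                 "serial": serial, "device_id": device_id}
        return {"auth_id": auth_id, "factor": factor}                                 # S640

    def authenticate(self, data: dict) -> bool:
        """S710-S740. pop() removes the mapping entry, so an authentication identifier works once only."""
        entry = self.mapping.pop(data.get("auth_id"), None)
        if entry is None:
            return False
        user_info = keystream_xor(derive_key(entry["factor"], b"enc"), data["encrypted"]).decode("utf-8", "replace")
        expected = hmac.new(entry["key"], user_info.encode(), hashlib.sha256).digest()
        return (user_info == entry["user_info"]
                and data["serial"] == entry["serial"]
                and data["device_id"] == entry["device_id"]
                and hmac.compare_digest(expected, data["signature"]))


class AuthSDK:
    """SDK issued to the first application; runs Fig. 3 (S310-S360) and submits the authentication data."""

    def __init__(self, server: AuthServer, component: TrustedAuthComponent):
        self.server, self.component = server, component

    def authenticate(self, request: dict, password: str):
        user_info = request["user_info"]                                          # S310: parse the request
        serial, device_id = self.component.serial, self.component.device_id     # S320
        params = self.server.get_auth_params(user_info, serial, device_id)      # S330-S340
        if "error" in params:
            return "prompt: " + params["error"], None
        try:                                                                      # S350-S360
            encrypted, signature = self.component.user_verification(user_info, params["factor"], password)
        except PermissionError as exc:
            return "prompt: " + str(exc), None
        auth_data = {"serial": serial, "device_id": device_id, "auth_id": params["auth_id"],
                     "encrypted": encrypted, "signature": signature}
        result = "pass" if self.server.authenticate(auth_data) else "fail"
        params.clear()  # destroy the one-time factor and identifier once the result is back
        return result, auth_data
```

The two checks worth keeping from this simulation are the `pop()` in `AuthServer.authenticate`, which is what makes the authentication identifier single-use (a resubmitted copy of valid authentication data fails), and the fact that the serial number and device identifier are compared against the values stored at parameter-issuing time rather than trusted from the submission.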
Fig. 8 schematically shows a block diagram of a terminal in which a first application and a trusted authentication component are installed according to an embodiment of the present disclosure.
As shown in fig. 8, the terminal 800 may include: a receiving module 810, an authentication SDK820, and a trusted authentication component 830.
A receiving module 810, configured to receive an authentication SDK820 issued by an authentication server to a first application;
the authentication SDK820 is configured to, in an operation process of the first application program, obtain authentication data from the trusted authentication component 830 when an authentication request is received;
the authentication SDK820 is used for sending an authentication request carrying authentication data to an authentication server;
the authentication SDK820 is used for receiving an authentication result returned by the authentication server;
and the authentication SDK820 is used for sending the authentication result to the first application program.
In one embodiment of the present disclosure, the trusted authentication component 830 has a unique serial number, the trusted authentication component 830 runs in a trusted execution environment, and a hardware device providing the trusted execution environment has a unique identification.
In one embodiment of the present disclosure, the authentication SDK820 is configured to parse the authentication request to obtain the user information;
the authentication SDK820 is used for acquiring the serial number of the trusted authentication component 830 and the unique identifier of the hardware device;
the authentication SDK820 is configured to send an authentication parameter acquisition request to the authentication server, where the authentication parameter acquisition request carries a serial number of the trusted authentication component 830 and a unique identifier of the hardware device;
the authentication SDK820 is used for receiving an authentication identifier and a key generation factor returned by the authentication server based on the serial number of the trusted authentication component 830 and the unique identifier of the hardware device;
the authentication SDK820 is used for sending a user authentication request to the trusted authentication component, wherein the user authentication request carries user information and a key generation factor;
and the authentication SDK820 is used for receiving the encrypted data and the signature data returned by the trusted authentication component based on the user information and the key generation factor.
In one embodiment of the present disclosure, the authentication data includes a serial number of the trusted authentication component 830, a unique identifier of the hardware device, an authentication identifier, encrypted data, and signature data.
In one embodiment of the present disclosure, trusted authentication component 830 is configured to generate an encryption key according to a key generation factor;
the trusted authentication component 830 is configured to encrypt the user information by using the encryption key to obtain encrypted data;
the trusted authentication component 830 is configured to obtain a designated private key, and sign the user information by using the private key to obtain signature data;
a trusted authentication component 830 for sending the encrypted data and the signature data to the authentication SDK 820.
In one embodiment of the present disclosure, when the authentication SDK820 receives prompt information from the authentication server indicating that the user information and/or the unique identifier of the hardware device is not legal, the authentication SDK820 is configured to return the corresponding prompt information to the first application.
In one embodiment of the present disclosure, the trusted authentication component 830 is configured to receive an authentication password input by a user;
the trusted authentication component 830 is configured to verify whether the authentication password is an authentication password that is pre-stored in the trusted authentication component by the user;
and if so, the trusted authentication component 830 is configured to generate an encryption key according to the key generation factor.
In one embodiment of the present disclosure, the terminal 800 further includes a destruction module, configured to destroy the authentication identifier and the key generation factor after the first application receives the authentication result.
In one embodiment of the present disclosure, the terminal 800 further includes middleware through which the authentication SDK820 communicates with the trusted authentication component 830.
Fig. 9 schematically shows a block diagram of an authentication server according to an embodiment of the present disclosure.
As shown in fig. 9, the authentication server 900 may include: an issuing module 910, a receiving module 920, a verifying module 930, and a returning module 940.
The issuing module 910 is configured to issue an authentication SDK to a first application;
a receiving module 920, configured to receive an authentication request carrying authentication data sent by an authentication SDK;
a verification module 930, configured to verify whether the authentication data is consistent with the specified authentication data, if so, the authentication result is authentication pass, and if not, the authentication result is authentication failure;
a returning module 940 is configured to return the authentication result to the authentication SDK.
In one embodiment of the present disclosure, the authentication data includes a serial number of the trusted authentication component, a unique identifier of the hardware device, an authentication identifier, encrypted data, and signature data;
the trusted authentication component runs in a trusted execution environment, and the hardware device provides the trusted execution environment for the trusted authentication component.
In one embodiment of the present disclosure, the authentication server stores a mapping relationship between an authentication identifier, a key generation factor, a public key, user information, a serial number of a trusted authentication component, and a unique identifier of a hardware device.
In one embodiment of the present disclosure, the authentication server 900 may further include:
a request receiving module, configured to receive an authentication parameter acquisition request sent by the authentication SDK, where the authentication parameter acquisition request carries user information, a serial number of the trusted authentication component, and a unique identifier of the hardware device;
a judging module, configured to judge whether the unique identifier of the hardware device, the serial number of the trusted authentication component, and the user information are all legal;
a prompt information returning module, configured to return corresponding prompt information to the authentication SDK if any one of the unique identifier of the hardware device, the serial number of the trusted authentication component, and the user information is illegal;
a generating module, configured to generate an authentication identifier and a key generation factor if the unique identifier of the hardware device, the serial number of the trusted authentication component, and the user information are all legal;
and a sending module, configured to send the authentication identifier and the key generation factor to the authentication SDK.
In one embodiment of the present disclosure, the verification module 930 is specifically configured to search, in the mapping relationship, for the key generation factor, public key, user information, serial number of the trusted authentication component, and unique identifier of the hardware device corresponding to the authentication identifier in the authentication data; generate a decryption key using the key generation factor; decrypt the encrypted data by using the decryption key to obtain user information; compare the found user information with the user information in the authentication data, compare the found serial number of the trusted authentication component with the serial number of the trusted authentication component in the authentication data, compare the found unique identifier of the hardware device with the unique identifier of the hardware device in the authentication data, and verify the signature data in the authentication data sent by the authentication SDK by using the found public key; if the comparison is consistent and the verification is successful, the authentication result is that the authentication is passed; and if the comparison is inconsistent or the verification is unsuccessful, the authentication result is authentication failure.
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit/subunit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment, and are not described herein again.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the issuing module 910, the receiving module 920, the verifying module 930, and the returning module 940 may be combined into one module to be implemented, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the issuing module 910, the receiving module 920, the verifying module 930, and the returning module 940 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or may be implemented by any one of three implementations of software, hardware, and firmware, or any suitable combination of any of them. Alternatively, at least one of the issuing module 910, the receiving module 920, the verifying module 930 and the returning module 940 may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
FIG. 10 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method, according to an embodiment of the present disclosure. The computer system illustrated in FIG. 10 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure. The computer system may be the terminal shown in fig. 8 or the authentication server shown in fig. 9.
As shown in fig. 10, a computer system 1000 according to an embodiment of the present disclosure includes a processor 1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. Processor 1001 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1001 may also include onboard memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the present disclosure.
In the RAM 1003, various programs and data necessary for the operation of the system 1000 are stored. The processor 1001, ROM 1002, and RAM 1003 are connected to each other by a bus 1004. The processor 1001 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1002 and/or the RAM 1003. Note that the program may also be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in one or more memories.
System 1000 may also include an input/output (I/O) interface 1005, the input/output (I/O) interface 1005 also being connected to bus 1004, according to an embodiment of the present disclosure. The system 1000 may also include one or more of the following components connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. The driver 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1010 as necessary, so that a computer program read out therefrom is mounted into the storage section 1008 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. The computer program performs the above-described functions defined in the system of the embodiment of the present disclosure when executed by the processor 1001. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
The present disclosure further provides an authentication system, which includes the above terminal and authentication server, where a first application program and a trusted authentication component are installed in the terminal. Illustratively, the process of completing authentication by using the authentication system is as follows. The authentication server issues an authentication SDK to the first application program, and the terminal receives the authentication SDK issued by the authentication server to the first application program. In the running process of the first application program, when the terminal receives an authentication request, the terminal calls the authentication SDK to acquire authentication data from the trusted authentication component, and then calls the authentication SDK to send the authentication request carrying the authentication data to the authentication server. The authentication server receives the authentication request carrying the authentication data sent by the authentication SDK and verifies whether the authentication data is consistent with the specified authentication data: if consistent, the authentication result is authentication pass; if inconsistent, the authentication result is authentication failure. The authentication server returns the authentication result to the authentication SDK; the terminal calls the authentication SDK to receive the authentication result returned by the authentication server, and calls the authentication SDK to send the authentication result to the first application program.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be understood by those skilled in the art that, while the present disclosure has been shown and described with reference to certain exemplary embodiments thereof, various changes in form and details may be made therein without departing from the spirit and scope of the present disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.

Claims (19)

1. An authentication method is applied to a terminal, a first application program and a trusted authentication component are installed in the terminal, and the method comprises the following steps:
receiving an authentication SDK issued by an authentication server to the first application program;
in the running process of the first application program, when an authentication request is received, the authentication SDK is called to acquire authentication data from the trusted authentication component;
calling the authentication SDK to send the authentication request carrying the authentication data to the authentication server;
and calling the authentication SDK to receive an authentication result returned by the authentication server and sending the authentication result to the first application program.
2. The method of claim 1, wherein the trusted authentication component has a unique serial number, the trusted authentication component operating in a trusted execution environment, a hardware device providing the trusted execution environment having a unique identification.
3. The method of claim 2, wherein the authentication request carries user information, and the invoking the authentication SDK to obtain authentication data from the trusted authentication component comprises:
calling the authentication SDK, and parsing the authentication request to obtain the user information;
calling the authentication SDK to acquire the serial number of the trusted authentication component and the unique identifier of the hardware device;
calling the authentication SDK, and sending an authentication parameter acquisition request to the authentication server, wherein the authentication parameter acquisition request carries the serial number of the trusted authentication component and the unique identifier of the hardware device;
calling the authentication SDK, and receiving an authentication identifier and a key generation factor returned by the authentication server based on the serial number of the trusted authentication component and the unique identifier of the hardware device;
calling the authentication SDK, and sending a user authentication request to the trusted authentication component, wherein the user authentication request carries the user information and the key generation factor;
and calling the authentication SDK, and receiving encrypted data and signature data returned by the trusted authentication component based on the user information and the key generation factor.
4. The method of claim 3, wherein the authentication data comprises the serial number of the trusted authentication component, the unique identifier of the hardware device, the authentication identifier, the encrypted data and the signature data.
5. The method of claim 3, wherein, before the authentication SDK is invoked to receive the encrypted data and the signature data returned by the trusted authentication component based on the user information and the key generation factor, the method comprises:
invoking the trusted authentication component to generate an encryption key from the key generation factor;
invoking the trusted authentication component to encrypt the user information with the encryption key to obtain the encrypted data;
invoking the trusted authentication component to obtain an appointed private key and to sign the user information with the private key to obtain the signature data;
and invoking the trusted authentication component to send the encrypted data and the signature data to the authentication SDK.
6. The method of claim 3, wherein, before the authentication SDK is invoked to receive the authentication identifier and the key generation factor returned by the authentication server based on the serial number of the trusted authentication component and the unique identifier of the hardware device, the method comprises:
when the authentication SDK receives prompt information returned by the authentication server indicating that the user information and/or the unique identifier of the hardware device is illegal, invoking the authentication SDK to return the corresponding prompt information to the first application program.
7. The method of claim 5, wherein, before the trusted authentication component is invoked to generate the encryption key from the key generation factor, the method further comprises:
invoking the trusted authentication component to receive an authentication password input by the user;
invoking the trusted authentication component to verify whether the authentication password matches the authentication password pre-stored in the trusted authentication component by the user;
and if so, performing the step of invoking the trusted authentication component to generate the encryption key from the key generation factor.
8. The method of claim 3, further comprising:
and when the first application program receives the authentication result, destroying the authentication identifier and the key generation factor.
9. The method of any one of claims 1 to 8, wherein the authentication SDK communicates with the trusted authentication component through authentication middleware.
10. An authentication method applied to an authentication server, the method comprising:
issuing an authentication SDK to a first application program;
receiving an authentication request carrying authentication data sent by the authentication SDK;
verifying whether the authentication data is consistent with the specified authentication data, if so, determining that the authentication result is authentication passing, and if not, determining that the authentication result is authentication failure;
and returning the authentication result to the authentication SDK.
11. The method of claim 10, wherein the authentication data comprises a serial number of a trusted authentication component, a unique identifier of a hardware device, an authentication identifier, encrypted data and signature data;
wherein the trusted authentication component operates in a trusted execution environment, the hardware device providing the trusted execution environment for the trusted authentication component.
12. The method according to claim 11, wherein the authentication server stores a mapping relationship among an authentication identifier, a key generation factor, a public key, user information, a serial number of a trusted authentication component, and a unique identifier of a hardware device.
13. The method according to claim 10, wherein, before receiving the authentication request carrying the authentication data sent by the authentication SDK, the method comprises:
receiving an authentication parameter acquisition request sent by the authentication SDK, wherein the authentication parameter acquisition request carries user information, a serial number of a trusted authentication component and a unique identifier of a hardware device;
judging whether the unique identifier of the hardware device, the serial number of the trusted authentication component and the user information are legal;
if any one of the unique identifier of the hardware device, the serial number of the trusted authentication component and the user information is illegal, returning corresponding prompt information to the authentication SDK;
if the unique identifier of the hardware device, the serial number of the trusted authentication component and the user information are all legal, generating an authentication identifier and a key generation factor;
and sending the authentication identifier and the key generation factor to the authentication SDK.
14. The method of claim 12, wherein the verifying whether the authentication data is consistent with the specified authentication data comprises:
searching the mapping relationship for the key generation factor, public key, user information, serial number of the trusted authentication component and unique identifier of the hardware device corresponding to the authentication identifier in the authentication data;
generating a decryption key using the found key generation factor;
decrypting the encrypted data with the decryption key to obtain the user information;
comparing the found user information with the user information in the authentication data, comparing the found serial number of the trusted authentication component with the serial number of the trusted authentication component in the authentication data, comparing the found unique identifier of the hardware device with the unique identifier of the hardware device in the authentication data, and verifying the signature data in the authentication data sent by the authentication SDK with the found public key;
if every comparison is consistent and the signature verification succeeds, the authentication result is authentication passing;
and if any comparison is inconsistent or the signature verification fails, the authentication result is authentication failure.
15. A terminal having a first application and a trusted authentication component installed therein, the terminal comprising:
a receiving module, configured to receive an authentication SDK issued by an authentication server to the first application program;
the authentication SDK, configured to obtain authentication data from the trusted authentication component when an authentication request is received while the first application program is running;
the authentication SDK, further configured to send the authentication request carrying the authentication data to the authentication server;
the authentication SDK, further configured to receive an authentication result returned by the authentication server;
and the authentication SDK, further configured to send the authentication result to the first application program.
16. A server, comprising:
an issuing module, configured to issue an authentication SDK to a first application program;
a receiving module, configured to receive an authentication request carrying authentication data sent by the authentication SDK;
a verification module, configured to verify whether the authentication data is consistent with specified authentication data, the authentication result being authentication passing if so and authentication failure if not;
and a return module, configured to return the authentication result to the authentication SDK.
17. A computer system, comprising: memory, processor and computer program stored on the memory and executable on the processor, the processor being configured to implement the method according to any of claims 1 to 9 when executing the computer program or being configured to implement the method according to any of claims 10 to 14 when executing the computer program.
18. A computer-readable storage medium storing computer-executable instructions for implementing the method of any one of claims 1 to 9 when executed or for implementing the method of any one of claims 10 to 14 when executed.
19. An authentication system comprising a terminal capable of implementing the method according to any one of claims 1 to 9, and a server capable of implementing the method according to any one of claims 10 to 14.
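The trusted-component steps of claim 5 and the server-side check of claim 14, modelled end to end as an added example (not code from the patent or from ICBC): SHA-256 key derivation from the key generation factor, AES-GCM encryption, Ed25519 signing and all field names and sample values are assumptions, since the claims fix none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Record is one row of the server mapping of claim 12, keyed by authentication identifier.
type Record struct{ Factor, PubKey, User, Serial, DevID []byte }
// AuthData is the bundle of claim 4 carried in the SDK's authentication request.
type AuthData struct{ AuthID, Serial, DevID, Encrypted, Signature []byte }

// gcmFromFactor derives a 256-bit key from the key generation factor and wraps it in
// AES-GCM; SHA-256 and AES-GCM are assumptions, the claims name neither function.
func gcmFromFactor(factor []byte) cipher.AEAD {
	key := sha256.Sum256(factor)
	block, _ := aes.NewCipher(key[:]) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}
// GenKeys stands in for the component's appointed key pair of claim 5 (Ed25519 assumed).
func GenKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
// Component does the trusted-component steps of claim 5: encrypt the user information
// under the factor-derived key (nonce prefixed) and sign it with the private key.
func Component(priv ed25519.PrivateKey, factor, user []byte) (enc, sig []byte) {
	g := gcmFromFactor(factor)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, user, nil), ed25519.Sign(priv, user)
}
// Verify is the server check of claim 14: look up the record for the authentication
// identifier, decrypt, compare every field with the record, verify the signature.
func Verify(mapping map[string]Record, d AuthData) bool {
	r, ok := mapping[string(d.AuthID)]
	g := gcmFromFactor(r.Factor) // r is the zero Record when unknown; rejected just below
	n := g.NonceSize()
	if !ok || len(d.Encrypted) < n { // unknown (or already destroyed, claim 8) identifier
		return false
	}
	user, err := g.Open(nil, d.Encrypted[:n], d.Encrypted[n:], nil) // fails on wrong factor or tampering
	return err == nil && bytes.Equal(user, r.User) && bytes.Equal(d.Serial, r.Serial) &&
		bytes.Equal(d.DevID, r.DevID) && ed25519.Verify(r.PubKey, user, d.Signature)
}
```

A real deployment would additionally bind the ciphertext to the serial number and device identifier as associated data and use a proper KDF; the block keeps to what the claims describe.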
CN202110278229.1A 2021-03-15 2021-03-15 Authentication method and system, terminal, server, computer system, and medium Active CN113055182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110278229.1A CN113055182B (en) 2021-03-15 2021-03-15 Authentication method and system, terminal, server, computer system, and medium

Publications (2)

Publication Number Publication Date
CN113055182A true CN113055182A (en) 2021-06-29
CN113055182B CN113055182B (en) 2022-11-08

Family

ID=76512587

Country Status (1)

Country Link
CN (1) CN113055182B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826654A (en) * 2022-03-11 2022-07-29 中国互联网络信息中心 Client authentication method and system based on domain name system naming
CN115277082A (en) * 2022-06-23 2022-11-01 支付宝(杭州)信息技术有限公司 Third-party application verification method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104579657A (en) * 2013-10-11 2015-04-29 北大方正集团有限公司 Method and device for identity authentication
US20160080326A1 (en) * 2014-09-16 2016-03-17 Entersekt, LLC System and method for secure authentication
CN110417797A (en) * 2015-04-02 2019-11-05 阿里巴巴集团控股有限公司 Authenticate the method and device of user
WO2019233204A1 (en) * 2018-06-06 2019-12-12 腾讯科技(深圳)有限公司 Method, apparatus and system for key management, storage medium, and computer device
CN111580882A (en) * 2020-04-30 2020-08-25 中国工商银行股份有限公司 Application program starting method, device, computer system and medium

Also Published As

Publication number Publication date
CN113055182B (en) 2022-11-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant