CN114007218A - Authentication method, system, terminal and digital identity authentication functional entity - Google Patents

Publication number: CN114007218A (granted as CN114007218B)
Application number: CN202010737521.0A
Authority: CN (China); original language Chinese (zh)
Legal status: granted, active
Inventors: 郭茂文, 张�荣, 黎艳, 卢燕青
Assignee: China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
Abstract

The disclosure relates to an authentication method, an authentication system, a terminal and a digital identity authentication functional entity, and to the field of communications technology. The method comprises: in response to a user starting an application in the terminal, the terminal sends a digital identity digest acquisition request to a user card in the terminal, the request carrying the user's local authentication information; the terminal receives signature information of the digital identity digest returned by the user card, where the information from which the digest was generated includes the user's identity information and the signature indicates that the user card has successfully authenticated the user locally; the terminal sends an access request carrying the signature information of the digest to the server of the application; and the terminal receives access information returned by the server of the application, indicating that the server has successfully authenticated the user with the mobile network side on the basis of the signature information of the digest.

Description

Authentication method, system, terminal and digital identity authentication functional entity
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an authentication method, system, terminal, and digital identity authentication function entity.
Background
At present, when a user accesses an internet application through a mobile terminal, identity authentication generally requires the user to enter identity authentication information such as a user name and password or the user's mobile phone number, which is sent to the server of the internet application for authentication.
Disclosure of Invention
The inventors have found that, because the server of an internet application authenticates the user's identity information itself, the application service provider has to store the user's identity information; internet services are hard to supervise, so this identity information leaks easily and security is low. The user also has to set different identity information for different internet applications, so that leakage of the information for one application does not leave all applications insecure.
One technical problem addressed by the present disclosure is therefore how to improve the authentication security of internet applications.
According to some embodiments of the present disclosure, an authentication method is provided that includes: in response to the user starting an application in the terminal, the terminal sends a digital identity digest acquisition request to a user card in the terminal, the request carrying the user's local authentication information; the terminal receives signature information of the digital identity digest returned by the user card, where the information from which the digest was generated includes the user's identity information and the signature indicates that the user card has successfully authenticated the user locally; the terminal sends an access request carrying the signature information of the digest to the server of the application; and the terminal receives access information returned by the server of the application, indicating that the server has successfully authenticated the user with the mobile network side on the basis of the signature information of the digest.
In some embodiments, the signature information of the digital identity digest is obtained by signing the digital identity digest stored in the user card with the private key of the terminal, which is generated by the user card.
In some embodiments, the access request further includes identification information of the user card. Whether the user is successfully authenticated is determined by a digital identity authentication functional entity on the mobile network side, which looks up the public key of the terminal by the identification information of the user card and verifies the signature information of the digital identity digest with that public key.
In some embodiments, the method further comprises: in response to the user triggering the digital identity digest generation function, the terminal sends a preparation information generation request to the user card; the terminal receives a preparation information generation response from the user card, which includes encrypted information and the public key of the terminal, the encrypted information including the identification information of the user card encrypted with a preset public key of the mobile network side; the terminal sends a digital identity digest generation request, carrying the encrypted information and the public key of the terminal, to a digital identity authentication functional entity on the mobile network side; and the terminal receives a digital identity digest generation response from the digital identity authentication functional entity, which carries the digital identity digest generated after the user's identity information has been obtained on the basis of the encrypted information.
In some embodiments, the digital identity digest generation request further includes the identification information of the user card, and the method further comprises: the digital identity authentication functional entity sends a decryption request, carrying the encrypted information and the identification information of the user card, to a core network element; the digital identity authentication functional entity receives the decrypted information returned by the core network element, which includes the identification information of the user card; and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card in the digital identity digest generation request and generates the digital identity digest only if they match.
In some embodiments, the encrypted information further includes the public key of the terminal encrypted with the preset public key of the mobile network side, the digital identity digest generation request further includes the identification information of the user card, and the method further comprises: the digital identity authentication functional entity sends a decryption request, carrying the encrypted information and the identification information of the user card, to a core network element; the digital identity authentication functional entity receives the decrypted information returned by the core network element, which includes the identification information of the user card and the public key of the terminal; and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card and the public key of the terminal in the digital identity digest generation request and generates the digital identity digest only if both match.
In some embodiments, the method further comprises: the digital identity authentication functional entity receives the user's identification information returned by the core network element, the core network element having determined it from the identification information of the user card; the digital identity authentication functional entity queries the user's identity information from the customer relationship management system by the user's identification information; and generating the digital identity digest comprises the digital identity authentication functional entity generating the digital identity digest from the user's identity information.
In some embodiments, generating the digital identity digest from the user's identity information comprises: the digital identity authentication functional entity sends a user identity verification request to the terminal, receives the verification information returned by the terminal, matches it against the user's identity information, and generates the digital identity digest from the user's identity information only if the match succeeds.
In some embodiments, the digital identity authentication functional entity generating the digital identity digest from the user's identity information comprises: the digital identity authentication functional entity generates the digital identity digest from the user's identity information, the identification information of the user card and the public key of the terminal; it establishes a mapping between the user's identity information, the identification information of the user card, the public key of the terminal and the digital identity digest; and it encrypts the digital identity digest with the public key of the terminal and sends the encrypted digest to the terminal.
In some embodiments, the method further comprises: the user card receives the encrypted digital identity digest from the terminal, decrypts it with the private key of the terminal, and stores the digital identity digest.
According to further embodiments of the present disclosure, a terminal is provided that includes: a first sending module, configured to send a digital identity digest acquisition request, carrying the user's local authentication information, to a user card in the terminal in response to the user starting an application in the terminal; a first receiving module, configured to receive signature information of the digital identity digest returned by the user card, where the information from which the digest was generated includes the user's identity information and the signature indicates that the user card has successfully authenticated the user locally; a second sending module, configured to send an access request carrying the signature information of the digest to the server of the application; and a second receiving module, configured to receive access information returned by the server of the application, indicating that the server has successfully authenticated the user with the mobile network side on the basis of the signature information of the digest.
In some embodiments, the first sending module is further configured to send a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function; the first receiving module is further configured to receive a preparation information generation response from the user card, which includes encrypted information and the public key of the terminal, the encrypted information including the identification information of the user card encrypted with a preset public key of the mobile network side; the second sending module is further configured to send a digital identity digest generation request, carrying the encrypted information and the public key of the terminal, to a digital identity authentication functional entity on the mobile network side; and the second receiving module is further configured to receive a digital identity digest generation response from the digital identity authentication functional entity, which carries the digital identity digest generated after the user's identity information has been obtained on the basis of the encrypted information.
In some embodiments, the terminal further includes the user card, which is configured to receive the digital identity digest acquisition request from the first sending module, authenticate the user on the basis of the user's local authentication information, and send the signature information of the digital identity digest to the first receiving module if local authentication of the user succeeds.
In some embodiments, the terminal further includes the user card, which is configured to receive the preparation information generation request from the first sending module, generate the public key of the terminal, encrypt the identification information of the user card with the preset public key of the mobile network side, and send the encrypted identification information of the user card, carried in the preparation information generation response, to the first receiving module.
According to still other embodiments of the present disclosure, there is provided a terminal including: a processor; and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the steps of the authentication method as performed by the terminal in any of the preceding embodiments.
According to still other embodiments of the present disclosure, there is provided a digital identity authentication function entity, including: a processor; and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the steps of the authentication method performed by the digital identity authentication function entity in any of the embodiments described above.
According to still further embodiments of the present disclosure, there is provided an authentication system including: the terminal and the digital identity authentication function entity of any of the foregoing embodiments.
According to still further embodiments of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the steps in the authentication method performed by the terminal in any of the foregoing embodiments.
According to still further embodiments of the present disclosure, there is provided a non-transitory computer readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the steps in the authentication method performed by the digital identity authentication function entity in any of the foregoing embodiments.
In the method above, the user starts an application on the terminal, the terminal requests the digital identity digest from the user card, the user card returns the signature information of the digital identity digest, the terminal sends an access request carrying that signature information to the server of the application, the server of the application authenticates the user with the mobile network side on the basis of the signature information, and on success sends access information to the terminal so that the user can access the application. The digital identity digest stored in the user card serves as the terminal's single identity credential: the servers of all internet applications take the digest to the mobile network side for authentication, and the user's identity information is kept on the mobile network side rather than by each application, which improves security. Combining local authentication with remote authentication improves security further, and since the user only has to set the local authentication information used by the user card, the rest of the authentication process is transparent to the user, which improves the user experience.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
To illustrate the embodiments of the present disclosure or the prior-art solutions more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present disclosure; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 illustrates a flow diagram of an authentication method of some embodiments of the present disclosure.
Fig. 2 shows a flow diagram of an authentication method of further embodiments of the present disclosure.
Fig. 3 illustrates a schematic structural diagram of a terminal of some embodiments of the present disclosure.
Fig. 4 shows a schematic structural diagram of a digital identity authentication functional entity of some embodiments of the present disclosure.
Fig. 5 shows a schematic structural diagram of a digital identity authentication functional entity according to another embodiment of the present disclosure.
Fig. 6 shows a schematic structural diagram of an authentication system of some embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The present disclosure proposes an authentication method, which is described below with reference to fig. 1 to 2.
Fig. 1 is a flow chart of some embodiments of the authentication method of the present disclosure. As shown in fig. 1, the method of this embodiment includes: steps S102 to S116.
In step S102, in response to the user starting an application in the terminal, the terminal sends a digital identity digest acquisition request to the user card in the terminal.
When the user starts an application (APP) in the terminal, the application can send the digital identity digest acquisition request to the user card through an SDK (software development kit).
The digital identity digest acquisition request includes, for example, the user's local authentication information, such as a user name and password or biometric information.
In step S104, the user card authenticates the user locally on the basis of the local authentication information and, if local authentication succeeds, signs the digital identity digest stored in the user card with the private key of the terminal, obtaining the signature information of the digital identity digest.
The user card can hold a user name, password or biometric information stored in advance and authenticate the user locally by matching the submitted local authentication information against the stored information: if they match, authentication succeeds; otherwise it fails.
In step S106, the user card sends the signature information of the digital identity digest to the terminal, and accordingly, the terminal receives the signature information of the digital identity digest returned by the user card.
The user card may send signature information of the digital identity digest to the application.
In step S108, the terminal transmits an access request to the server of the application.
The access request includes: signature information of the digital identity digest. The access request may be sent by an application of the terminal to a server of the application.
In step S110, the server of the application sends an authentication request to the digital identity authentication function entity on the mobile network side.
The authentication request includes: signature information of the digital identity digest.
In step S112, the digital identity authentication function entity authenticates the user according to the signature information of the digital identity digest.
For example, the access request also includes the identification information of the user card; the digital identity authentication functional entity looks up the public key of the terminal by the identification information of the user card and verifies the signature information of the digital identity digest with that public key, and the user is authenticated if verification succeeds.
In step S114, the digital identity authentication function entity returns the authentication result to the server of the application.
In step S116, the application server determines whether the authentication is successful according to the authentication result, and sends access information to the terminal if the authentication is successful, and accordingly, the terminal receives the access information returned by the application server.
The access information indicates that the server of the application has successfully authenticated the user with the mobile network side on the basis of the signature information of the digital identity digest.
In the method of this embodiment, the user starts an application on the terminal, the terminal requests the digital identity digest from the user card, the user card returns the signature information of the digital identity digest, the terminal sends an access request carrying that signature information to the server of the application, the server of the application authenticates the user with the mobile network side on the basis of the signature information, and on success sends access information to the terminal so that the user can access the application. The digital identity digest stored in the user card serves as the terminal's single identity credential: the servers of all internet applications take the digest to the mobile network side for authentication, and the user's identity information is kept on the mobile network side rather than by each application, which improves security. Combining local authentication with remote authentication improves security further, and since the user only has to set the local authentication information used by the user card, the rest of the authentication process is transparent to the user, which improves the user experience.
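The access-time exchange of steps S102 to S116, written out as an added Go example; it is not part of the patent or of any China Telecom code. It assumes the enrolled state that the generation procedure produces (a P-256 ECDSA key pair on the card, a stored digest, and a mapping at the digital identity authentication functional entity from ICCID to terminal public key and digest), a SHA-256-hashed PIN as the card's local credential, and the digest layout of identity record, ICCID and public key given in the claims above; the ICCID, PIN and identity record are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// UserCard models the card after the generation step: it holds the terminal
// private key, the stored digest and the enrolled local credential.
type UserCard struct {
	ICCID   string
	priv    *ecdsa.PrivateKey
	digest  []byte
	pinHash [32]byte // SHA-256 of the enrolled PIN; the card's storage format is an assumption
}

// SignDigest is S102-S106: local authentication first, then the stored digest is
// signed with the terminal private key. Nothing is signed if either step fails.
func (c *UserCard) SignDigest(localAuthInfo string) ([]byte, error) {
	h := sha256.Sum256([]byte(localAuthInfo))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		return nil, errors.New("local authentication failed")
	}
	if c.digest == nil {
		return nil, errors.New("no digital identity digest on the card; run the generation function first")
	}
	msg := sha256.Sum256(c.digest)
	return ecdsa.SignASN1(rand.Reader, c.priv, msg[:])
}

// entry is one row of the mapping relation established at generation time.
type entry struct {
	pub    *ecdsa.PublicKey
	digest []byte
}

// DIAF is the digital identity authentication functional entity. The mapping lets
// it find the terminal public key and the digest by ICCID, so the access request
// only needs to carry the signature and the ICCID.
type DIAF struct{ mapping map[string]entry }

// Authenticate is S112: look up the public key by ICCID and verify the signature.
func (d *DIAF) Authenticate(iccid string, sig []byte) bool {
	e, ok := d.mapping[iccid]
	if !ok {
		return false
	}
	msg := sha256.Sum256(e.digest)
	return ecdsa.VerifyASN1(e.pub, msg[:], sig)
}

// AppServer forwards the signature to the DIAF (S110) and only learns the result
// (S114); it never holds the user's identity information.
type AppServer struct{ diaf *DIAF }

func (s *AppServer) HandleAccess(iccid string, sig []byte) (string, error) {
	if !s.diaf.Authenticate(iccid, sig) {
		return "", errors.New("authentication failed")
	}
	return "access granted for card " + iccid, nil
}

// Setup builds one enrolled card and a DIAF holding the matching mapping row.
// ICCID, PIN and identity record are constructed sample values.
func Setup() (*UserCard, *AppServer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	const iccid, pin, identity = "89860000000000000001", "1234", "name=Zhang San;idno=000000000000000000"
	pub := append(priv.X.Bytes(), priv.Y.Bytes()...) // raw affine coordinates of the terminal public key
	digest := sha256.Sum256(append([]byte(identity+"|"+iccid+"|"), pub...)) // digest over identity, ICCID, public key
	card := &UserCard{ICCID: iccid, priv: priv, digest: digest[:], pinHash: sha256.Sum256([]byte(pin))}
	diaf := &DIAF{mapping: map[string]entry{iccid: {&priv.PublicKey, digest[:]}}}
	return card, &AppServer{diaf}, nil
}

func main() {
	card, server, err := Setup()
	if err != nil {
		panic(err)
	}
	sig, err := card.SignDigest("1234") // S102-S106
	if err != nil {
		panic(err)
	}
	fmt.Println(server.HandleAccess(card.ICCID, sig)) // S108-S116
}
```

The application server holds no credential at all: it passes the ICCID and signature on and receives a yes or no. One caveat a practitioner would want: as the text describes the exchange, the value that is signed is the stored digest itself and nothing binds the signature to a particular access request, so a deployment would have the application server or the digital identity authentication functional entity issue a nonce that the card signs together with the digest, otherwise a signature obtained once could be presented again.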
Some embodiments of the present disclosure for generating a digital identity digest are described below in conjunction with fig. 2.
Fig. 2 is a flow diagram of additional embodiments of an authentication method of the present disclosure. As shown in fig. 2, the method of this embodiment includes: steps S202 to S230.
In step S202, the terminal sends a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function.
The application can offer the user a digital identity digest generation function, and the user applies for generation of the digest by selecting it. Alternatively, when the user opens the application in the terminal, the application obtains the digest and accesses the server as in the preceding embodiment if the digest has already been generated, and triggers the digest generation function if the user card does not yet hold one. The preparation information generation request can be sent to the user card through the SDK.
In step S204, the user card generates a public-private key pair of the terminal.
The user card generates the terminal-side public and private key pair (Eph.public key and Eph.private key). The pair can be generated under an elliptic curve integrated encryption scheme (ECIES), with the terminal and the mobile network side using the same elliptic curve; this gives the property that the private key of the terminal multiplied by the public key of the mobile network side equals the private key of the mobile network side multiplied by the public key of the terminal (the multiplication being scalar multiplication on the elliptic curve), so both sides can derive the same shared secret.
In step S206, the user card generates encryption information using a preset public key on the mobile network side.
The encrypted information includes, for example, the identification information of the user card encrypted with the preset public key of the mobile network side, or the identification information of the user card together with the public key of the terminal encrypted with that preset public key. The identification information of the user card is, for example, the ICCID (Integrated Circuit Card Identity).
In step S208, the user card sends a preparation information generation response to the terminal, and accordingly, the terminal receives the preparation information generation response returned by the user card.
The preparation information generation response includes the encrypted information and the public key of the terminal. The user card can send the preparation information generation response to the application.
In step S210, the terminal sends a digital identity digest generation request to the digital identity authentication functional entity on the mobile network side, and correspondingly, the digital identity authentication functional entity receives the digital identity digest generation request sent by the terminal.
The digital identity digest generation request can be sent by the application to the digital identity authentication functional entity and includes, for example, the encrypted information and the public key of the terminal; it may further include the identification information of the user card, which can be obtained from the user card.
In step S212, the digital identity authentication functional entity sends a decryption request to a network element of the core network.
The decryption request can include the encrypted information and the identification information of the user card, and can also include a request for the user's identification information. The core network element is, for example, a 5G core network element such as the AUSF (Authentication Server Function) or the UDM (Unified Data Management).
In step S214, the core network element decrypts the encrypted information by using the network-side private key, so as to obtain decrypted information.
The decrypted information includes the identification information of the user card and may also include the public key of the terminal.
In step S216, the core network element returns the decrypted information to the digital identity authentication function entity, and accordingly, the digital identity authentication function entity receives the decrypted information returned by the core network element.
The digital identity authentication functional entity can also receive the identification information of the user returned by the core network element, wherein the identification information of the user is determined by the core network element according to the identification information of the user card. The identification information of the user is, for example, a mobile phone number.
In step S218, the digital identity authentication functional entity verifies the user on the basis of the decrypted information.
In some embodiments, the decrypted information includes identification information of the user card, and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card in the digital identity digest generation request, and if the comparison is consistent, the user is successfully verified.
In some embodiments, the decrypted information includes identification information of the user card and a public key of the terminal. And the digital identity authentication functional entity compares the decrypted information with the identification information of the user card and the public key of the terminal in the digital identity abstract generation request, and successfully verifies the user under the condition of consistent comparison.
If verification succeeds, the digital identity authentication functional entity acquires the identity information of the user in order to generate the digital identity digest. The identity information of the user may be stored in a customer relationship management (CRM) system, from which the digital identity authentication functional entity acquires it; alternatively, the digital identity authentication functional entity may store the identity information of the user directly.
In step S220, the digital identity authentication functional entity queries the identity information of the user from the customer relationship management system according to the identification information of the user.
The identification information of the user is determined by the core network element from the identification information of the user card and returned to the digital identity authentication functional entity. The customer relationship management system looks up the identity information of the user corresponding to the identification information of the user and returns it to the digital identity authentication functional entity. The identity information of the user is, for example, the user's identity card information, including the identity card number, a picture, a name, and the like.
In step S222, the digital identity authentication function entity performs identity verification on the user through the terminal according to the identity information of the user.
In some embodiments, the digital identity authentication function entity sends a user identity verification request to the terminal, receives the verification information returned by the terminal, and matches the verification information against the identity information of the user; matching succeeds if the verification information is consistent with the identity information of the user. The verification information can be, for example, a face image of the user acquired by the terminal or an identification number input by the user.
In step S224, the digital identity authentication function entity generates a digital identity digest.
In some embodiments, the digital identity authentication functional entity generates the digital identity digest according to the identity information of the user, the identification information of the user card and the public key of the terminal. The digest generation algorithm can be, for example, SHA-1 or SHA-256.
In step S226, the digital identity authentication function entity establishes a mapping relationship between the user information and the digital identity digest, and stores the mapping relationship.
The information of the user may include identity information of the user, identification information of the user card, and a public key of the terminal.
In step S228, the digital identity authentication functional entity encrypts the digital identity digest by using the public key of the terminal, and sends the encrypted digital identity digest to the terminal, and accordingly, the user card receives the encrypted digital identity digest sent by the terminal.
The digital identity authentication functional entity can send the encrypted digital identity digest to the user card through the APP and the SDK.
In step S230, the user card decrypts the encrypted digital identity digest using the private key of the terminal, and stores the digital identity digest.
The method addresses problems that arise in identity authentication when existing mobile terminals access internet applications, such as poor user experience, fragmented identity account information and easy leakage of identity information. It provides a digital identity authentication functional entity that acquires user information (including but not limited to the ICCID, mobile phone number and identity card information) from the user card, a core network element of the 5G network and the CRM, generates a trusted digital identity for the mobile terminal user by applying a cryptographic algorithm to the user's identity information, relying on the key system of the user card and the 5G network, and thereby provides non-perceptible (transparent to the user) authentication based on that trusted digital identity when the user accesses an internet application through the 5G network.
The method provides a secure and convenient way to generate a digital identity digest, and an internet access authentication method based on that digest, for a user accessing mobile internet applications through a mobile terminal (UE) in a 5G network environment. It protects the privacy and security of the user at the application end while providing non-perceptible identity authentication. The asymmetric key pair of the user card is used to transmit the user's digital identity digest securely between the digital identity authentication functional entity and the user card, and to sign the digest and verify that signature. The asymmetric key pair of the 5G core network provides encrypted transmission of the information from which the user's digital identity is generated, securing the whole process.
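The digest generation flow of steps S214 to S230 and the later signature check behind claims 1 to 3, as an added simulation in Go that is not the patent's own code: RSA-OAEP stands in for the network-side and terminal key pairs, SHA-256 is the digest algorithm, the core network element and the CRM are replaced by constructed in-memory tables, the "user card" is modelled as a SIM object, and the S222 check of the user's face image or ID number is assumed to have passed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Constructed sample tables, not values from the patent: ICCID -> phone number (core network
// element) and phone number -> identity card information (CRM).
var (
	coreTable = map[string]string{"8986001111222233334": "13800000001"}
	crmTable  = map[string]string{"13800000001": "name=Zhang San;idcard=PLACEHOLDER-ID"}
)

// UserCard simulates the SIM: it owns the ICCID and the terminal key pair and keeps the digest.
type UserCard struct {
	ICCID   string
	termKey *rsa.PrivateKey
	digest  []byte // digital identity digest, stored in step S230
}

// DIAF is the digital identity authentication functional entity; netKey models the network-side key pair (S214).
type DIAF struct {
	netKey  *rsa.PrivateKey
	pubKeys map[string]*rsa.PublicKey // step S226 mapping: ICCID -> terminal public key
	digests map[string][]byte         // step S226 mapping: ICCID -> digital identity digest
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable randomness: nothing else in this demo can work
	}
	return k
}

func NewUserCard(iccid string) *UserCard { return &UserCard{ICCID: iccid, termKey: newKey()} }
func NewDIAF() *DIAF {
	return &DIAF{netKey: newKey(), pubKeys: map[string]*rsa.PublicKey{}, digests: map[string][]byte{}}
}

// PrepareInfo returns the preparation response: ICCID encrypted under the network-side public key, plus the terminal public key.
func (c *UserCard) PrepareInfo(netPub *rsa.PublicKey) ([]byte, *rsa.PublicKey, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, netPub, []byte(c.ICCID), nil)
	return enc, &c.termKey.PublicKey, err
}

// GenerateDigest runs steps S214-S228 on a request {encInfo, termPub, iccid} and returns the digest encrypted to the terminal.
func (d *DIAF) GenerateDigest(encInfo []byte, termPub *rsa.PublicKey, iccid string) ([]byte, error) {
	dec, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.netKey, encInfo, nil) // S214
	if err != nil {
		return nil, errors.New("core network element could not decrypt the request")
	}
	if string(dec) != iccid { // S218: decrypted ICCID must equal the plaintext ICCID in the request
		return nil, errors.New("ICCID mismatch: request rejected")
	}
	phone, okCore := coreTable[iccid]  // user identification info determined by the core network element
	identity, okCRM := crmTable[phone] // S220: CRM query by that identification info
	if !okCore || !okCRM {
		return nil, errors.New("no core network or CRM record for this user card")
	}
	h := sha256.New() // S224: digest over identity info, ICCID and terminal public key (S222 check assumed passed)
	h.Write([]byte(identity))
	h.Write([]byte(iccid))
	h.Write(x509.MarshalPKCS1PublicKey(termPub))
	digest := h.Sum(nil)
	d.pubKeys[iccid], d.digests[iccid] = termPub, digest                     // S226
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, digest, nil) // S228
}

// StoreDigest is step S230: the card decrypts with the terminal private key and keeps the digest.
func (c *UserCard) StoreDigest(encDigest []byte) (err error) {
	c.digest, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, c.termKey, encDigest, nil)
	return err
}

// SignDigest is the access-time step: the card signs the stored digest only after local authentication succeeds.
func (c *UserCard) SignDigest(localAuthOK bool) ([]byte, error) {
	if !localAuthOK || c.digest == nil {
		return nil, errors.New("local authentication failed or no digest on card")
	}
	hashed := sha256.Sum256(c.digest)
	return rsa.SignPKCS1v15(rand.Reader, c.termKey, crypto.SHA256, hashed[:])
}

// VerifyAccess (claim 3): look up the terminal public key by ICCID and verify the signature against the stored digest.
func (d *DIAF) VerifyAccess(iccid string, sig []byte) error {
	pub, ok := d.pubKeys[iccid]
	if !ok {
		return errors.New("no digest mapping for this user card")
	}
	hashed := sha256.Sum256(d.digests[iccid])
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed[:], sig)
}
```

The ICCID comparison in GenerateDigest is the check that ties the plaintext request to what the card actually encrypted; a request carrying someone else's ICCID fails there before any CRM lookup or digest is produced.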
The present disclosure also provides a terminal, described below in conjunction with fig. 3.
Fig. 3 is a block diagram of some embodiments of the terminal of the present disclosure. As shown in fig. 3, the terminal 30 of this embodiment includes: a first sending module 310, a first receiving module 320, a second sending module 330, and a second receiving module 340.
The first sending module 310 is configured to send a digital identity digest acquisition request to a user card in the terminal in response to a user starting an application in the terminal, where the digital identity digest acquisition request includes local authentication information of the user;
the first receiving module 320 is configured to receive signature information of a digital identity digest returned by a user card, where the information used to generate the digital identity digest includes identity information of the user, and the signature information of the digital identity digest indicates that the user card successfully authenticates the user locally;
the second sending module 330 is configured to send an access request to a server of an application, where the access request includes: signature information of the digital identity digest;
the second receiving module 340 is configured to receive access information returned by the server of the application, where the access information indicates that the server of the application successfully authenticates the user to the mobile network side according to the signature information of the digital identity digest.
In some embodiments, the first sending module 310 is further configured to send a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function; the first receiving module 320 is further configured to receive a preparation information generation response returned by the user card, where the preparation information generation response includes encrypted information and the public key of the terminal, the encrypted information comprising the identification information of the user card encrypted with a preset public key of the mobile network side; the second sending module 330 is further configured to send a digital identity digest generation request to a digital identity authentication functional entity on the mobile network side, where the digital identity digest generation request includes the encrypted information and the public key of the terminal; and the second receiving module 340 is further configured to receive a digital identity digest generation response returned by the digital identity authentication functional entity, where the digital identity digest generation response includes the digital identity digest generated after the identity information of the user has been acquired according to the encrypted information.
In some embodiments, the terminal 30 further comprises: the user card 350 is configured to receive the digital identity digest acquisition request sent by the first sending module 310, authenticate the user according to the local authentication information of the user, and send signature information of the digital identity digest to the first receiving module 320 when the local authentication of the user is successful.
In some embodiments, the user card 350 is further configured to receive the preparation information generation request sent by the second sending module 330, generate the public key of the terminal, encrypt the identification information of the user card with the preset public key of the mobile network side, and send the encrypted identification information of the user card, carried in the preparation information generation response, to the second receiving module 340.
In the embodiments of the present disclosure, the terminal and the digital identity authentication functional entity may be implemented by various computing devices or computer systems, and the digital identity authentication functional entity is described below with reference to fig. 4 and 5.
Fig. 4 is a block diagram of some embodiments of a digital identity authentication functional entity of the present disclosure. As shown in fig. 4, the digital identity authentication functional entity 40 of this embodiment includes a memory 410 and a processor 420 coupled to the memory 410, the processor 420 being configured to perform, based on instructions stored in the memory 410, the steps of the authentication method performed by the digital identity authentication functional entity in any of the embodiments of the present disclosure.
The memory 410 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, a database, and other programs.
Fig. 5 is a block diagram of another embodiment of a digital identity authentication functional entity according to the present disclosure. As shown in fig. 5, the digital identity authentication functional entity 50 of this embodiment includes a memory 510 and a processor 520, which are similar to the memory 410 and the processor 420, respectively. It may also include an input/output interface 530, a network interface 540, a storage interface 550, and the like. These interfaces 530, 540, 550, the memory 510 and the processor 520 may be connected, for example, via a bus 560. The input/output interface 530 provides a connection interface for input/output devices such as a display, a mouse, a keyboard and a touch screen. The network interface 540 provides a connection interface for various networking devices, such as a database server or a cloud storage server. The storage interface 550 provides a connection interface for external storage devices such as an SD card and a USB disk.
Embodiments in which the terminal is implemented by various computing devices or computer systems may refer to the embodiments of fig. 4 and 5, and are not described in detail. The user card in the terminal may also comprise a processor and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the steps of the authentication method as performed by the user card in any of the embodiments described above.
The present disclosure also provides an authentication system, described below in conjunction with fig. 6.
Fig. 6 is a block diagram of some embodiments of the authentication system of the present disclosure. As shown in fig. 6, the system 6 of this embodiment includes the terminal 30 and the digital identity authentication functional entity 40/50 of any of the previous embodiments.
The system 6 may also include core network elements 62, e.g., including AUSFs and UDMs. The core network element 62 is configured to receive the decryption request sent by the digital identity authentication function entity 40/50, decrypt the encrypted information, and return the decrypted information to the digital identity authentication function entity 40/50. The core network element 62 is further configured to determine identification information of the user according to the identification information of the user card, and send the identification information of the user to the digital identity authentication function 40/50.
The system 6 may further comprise a customer relationship management system 64 for receiving the identity query request sent by the digital identity authentication function 40/50 and returning the identity information of the user to the digital identity authentication function 40/50.
The digital identity authentication functional entity can be a capability open platform and provides corresponding capability for an internet application provider according to requirements.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present disclosure and is not intended to limit the present disclosure, so that any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (19)

1. An authentication method, comprising:
a terminal, in response to a user starting an application in the terminal, sends a digital identity digest acquisition request to a user card in the terminal, wherein the digital identity digest acquisition request comprises local authentication information of the user;
the terminal receives signature information of a digital identity digest returned by the user card, wherein the information used to generate the digital identity digest comprises the identity information of the user, and the signature information of the digital identity digest indicates that the user card has successfully authenticated the user locally;
the terminal sends an access request to the server of the application, wherein the access request comprises: signature information of the digital identity digest;
and the terminal receives access information returned by the server of the application, wherein the access information indicates that the server of the application has successfully authenticated the user to the mobile network side according to the signature information of the digital identity digest.
2. The authentication method of claim 1,
the signature information of the digital identity digest is obtained by signing the digital identity digest stored in the user card with a private key of the terminal generated by the user card.
3. The authentication method of claim 1, wherein the access request further includes identification information of the user card;
and whether the user authentication succeeds is determined by a digital identity authentication functional entity at the mobile network side searching for the public key of the terminal according to the identification information of the user card and verifying the signature information of the digital identity digest with the public key of the terminal.
4. The authentication method of claim 1, further comprising:
the terminal, in response to the user triggering a digital identity digest generation function, sends a preparation information generation request to the user card;
the terminal receives a preparation information generation response returned by the user card, wherein the preparation information generation response comprises: encrypted information and a public key of the terminal, wherein the encrypted information comprises information obtained by encrypting the identification information of the user card with a preset public key at a mobile network side;
the terminal sends a digital identity digest generation request to a digital identity authentication functional entity at the mobile network side, wherein the digital identity digest generation request comprises: the encrypted information and the public key of the terminal;
and the terminal receives a digital identity digest generation response returned by the digital identity authentication functional entity, wherein the digital identity digest generation response comprises: the digital identity digest generated after the identity information of the user is acquired according to the encrypted information.
5. The authentication method of claim 4, wherein the digital identity digest generation request further comprises: identification information of the user card;
the method further comprises the following steps:
the digital identity authentication functional entity sends a decryption request to a core network element, wherein the decryption request comprises: the encryption information and the identification information of the user card;
the digital identity authentication functional entity receives the decrypted information returned by the core network element, wherein the decrypted information comprises the identification information of the user card;
and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card in the digital identity digest generation request, and generates the digital identity digest if the comparison is consistent.
6. The authentication method according to claim 4, wherein the encrypted information further includes information obtained by encrypting a public key of the terminal by using a preset public key on a mobile network side, and the digital identity digest generation request further includes: identification information of the user card;
the method further comprises the following steps:
the digital identity authentication functional entity sends a decryption request to a core network element, wherein the decryption request comprises: the encryption information and the identification information of the user card;
the digital identity authentication functional entity receives the decrypted information returned by the core network element, wherein the decrypted information comprises the identification information of the user card and the public key of the terminal;
and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card and the public key of the terminal in the digital identity digest generation request, and generates the digital identity digest if the comparison is consistent.
7. The authentication method according to claim 5 or 6, further comprising:
the digital identity authentication functional entity receives the identification information of the user returned by the core network element, wherein the identification information of the user is determined by the core network element according to the identification information of the user card;
the digital identity authentication functional entity inquires identity information of the user from a customer relationship management system according to the identification information of the user;
wherein generating the digital identity digest comprises:
the digital identity authentication functional entity generating the digital identity digest according to the identity information of the user.
8. The authentication method of claim 7, wherein generating the digital identity digest according to the identity information of the user comprises:
the digital identity authentication functional entity sends a user identity verification request to the terminal;
and the digital identity authentication functional entity receives verification information returned by the terminal, matches the verification information with the identity information of the user, and generates the digital identity digest according to the identity information of the user if the matching succeeds.
9. The authentication method of claim 7, wherein the digital identity authentication function entity generating the digital identity digest according to the identity information of the user comprises:
the digital identity authentication functional entity generates the digital identity digest according to the identity information of the user, the identification information of the user card and the public key of the terminal;
and the digital identity authentication functional entity establishes a mapping relationship among the identity information of the user, the identification information of the user card, the public key of the terminal and the digital identity digest, encrypts the digital identity digest with the public key of the terminal, and sends the encrypted digital identity digest to the terminal.
10. The authentication method of claim 4, further comprising:
the user card receives the encrypted digital identity digest sent by the terminal, decrypts the encrypted digital identity digest with a private key of the terminal, and stores the digital identity digest.
11. A terminal, comprising:
a first sending module, configured to send, in response to a user starting an application in the terminal, a digital identity digest acquisition request to a user card in the terminal, wherein the digital identity digest acquisition request comprises local authentication information of the user;
a first receiving module, configured to receive signature information of a digital identity digest returned by the user card, wherein the information used to generate the digital identity digest comprises the identity information of the user, and the signature information of the digital identity digest indicates that the user card has successfully authenticated the user locally;
a second sending module, configured to send an access request to the server of the application, where the access request includes: signature information of the digital identity digest;
and a second receiving module, configured to receive access information returned by the server of the application, wherein the access information indicates that the server of the application has successfully authenticated the user to a mobile network side according to the signature information of the digital identity digest.
12. The terminal of claim 11, wherein,
the first sending module is further configured to send a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function;
the first receiving module is further configured to receive a preparation information generation response returned by the user card, where the preparation information generation response includes: encrypted information and a public key of the terminal, wherein the encrypted information comprises information obtained by encrypting the identification information of the user card with a preset public key at a mobile network side;
the second sending module is further configured to send a digital identity digest generation request to the digital identity authentication functional entity on the mobile network side, where the digital identity digest generation request includes: the encrypted information and the public key of the terminal;
and the second receiving module is further configured to receive a digital identity digest generation response returned by the digital identity authentication functional entity, where the digital identity digest generation response includes: the digital identity digest generated after the identity information of the user is acquired according to the encrypted information.
13. The terminal of claim 11, further comprising:
a user card, configured to receive the digital identity digest acquisition request sent by the first sending module, authenticate the user according to the local authentication information of the user, and send the signature information of the digital identity digest to the first receiving module if the local authentication of the user succeeds.
14. The terminal of claim 12, further comprising:
a user card, configured to receive the preparation information generation request sent by the second sending module, generate a public key of the terminal, encrypt the identification information of the user card with a preset public key at a mobile network side, and send the encrypted identification information of the user card, carried in the preparation information generation response, to the second receiving module.
15. A terminal, comprising:
a processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the authentication method of claim 1 or 4.
16. A digital identity authentication function entity, comprising:
a processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the authentication method of any one of claims 3, 5-9.
17. An authentication system, comprising: a terminal as claimed in any one of claims 11-14 or in claim 15, and a digital identity authentication functional entity as claimed in claim 16.
18. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the steps of the method of claim 1 or 4.
19. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the steps of the method of any of claims 3, 5-9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010737521.0A CN114007218B (en) 2020-07-28 2020-07-28 Authentication method, authentication system, terminal and digital identity authentication functional entity

Publications (2)

Publication Number Publication Date
CN114007218A true CN114007218A (en) 2022-02-01
CN114007218B CN114007218B (en) 2024-01-26

Family

ID=79920389

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010737521.0A Active CN114007218B (en) 2020-07-28 2020-07-28 Authentication method, authentication system, terminal and digital identity authentication functional entity

Country Status (1)

Country Link
CN (1) CN114007218B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945114A (en) * 2010-09-20 2011-01-12 西安电子科技大学 Identity authentication method based on fuzzy vault and digital certificate
WO2017076216A1 (en) * 2015-11-03 2017-05-11 国民技术股份有限公司 Server, mobile terminal, and internet real name authentication system and method
CN107995200A (en) * 2017-12-07 2018-05-04 深圳市优友互联有限公司 A kind of certificate issuance method, identity identifying method and system based on smart card
US20190273607A1 (en) * 2017-11-15 2019-09-05 Alexander J.M. VAN DER VELDEN System for digital identity authentication and methods of use

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant