CN114007218B - Authentication method, authentication system, terminal and digital identity authentication functional entity - Google Patents


Info

Publication number: CN114007218B
Application number: CN202010737521.0A
Authority: CN (China)
Prior art keywords: information, digital identity, user, terminal, abstract
Legal status: Active (Google's assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114007218A (en)
Inventors: 郭茂文, 张�荣, 黎艳, 卢燕青
Current assignee: China Telecom Corp Ltd (listed assignees may be inaccurate; Google has performed no legal analysis)
Original assignee: China Telecom Corp Ltd
Timeline: application filed by China Telecom Corp Ltd; priority to CN202010737521.0A; published as CN114007218A; application granted and published as CN114007218B; current legal status Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The disclosure relates to an authentication method, an authentication system, a terminal and a digital identity authentication functional entity, in the field of communication technology. The method of the present disclosure comprises: in response to the user starting an application in the terminal, the terminal sends a digital identity digest acquisition request, carrying the user's local authentication information, to a user card in the terminal; the terminal receives the signature information of the digital identity digest returned by the user card, where the digest was generated from information that includes the user's identity information and the signature information indicates that the user card has authenticated the user locally; the terminal sends an access request carrying the signature information of the digital identity digest to the server of the application; and the terminal receives access information returned by the application server, indicating that the application server has successfully authenticated the user with the mobile network side on the basis of the signature information of the digital identity digest.

Description

Authentication method, authentication system, terminal and digital identity authentication functional entity
Technical Field
The disclosure relates to the field of communication technologies, and in particular, to an authentication method, an authentication system, a terminal and a digital identity authentication functional entity.
Background
Currently, when a user accesses an internet application from a mobile terminal, identity authentication generally requires the user to enter identity authentication information such as a user name, a password or a mobile phone number, which is then sent to the server of the internet application for verification.
Disclosure of Invention
The inventors found that because the server of the internet application verifies the user's identity information, the application server has to store that identity information; internet services are difficult to supervise, so the user's identity information is easily leaked and security is low. In addition, the user has to set different identity information for different internet applications, so that leaking the identity information of one application does not put every application at risk.
One technical problem to be solved by the present disclosure is: how to improve the authentication security of internet applications.
According to some embodiments of the present disclosure, there is provided an authentication method including: in response to the user starting an application in the terminal, the terminal sends a digital identity digest acquisition request, carrying the user's local authentication information, to a user card in the terminal; the terminal receives the signature information of the digital identity digest returned by the user card, where the digest was generated from information that includes the user's identity information and the signature information indicates that the user card has authenticated the user locally; the terminal sends an access request carrying the signature information of the digital identity digest to the server of the application; and the terminal receives access information returned by the application server, indicating that the application server has successfully authenticated the user with the mobile network side on the basis of the signature information of the digital identity digest.
In some embodiments, the signature information of the digital identity digest is obtained by signing the digital identity digest stored in the user card with the terminal's private key, which the user card generated.
In some embodiments, the access request further includes the identification information of the user card; the digital identity authentication functional entity on the mobile network side determines whether the user is authenticated by looking up the terminal's public key from the identification information of the user card and verifying the signature information of the digital identity digest with that public key.
In some embodiments, the method further comprises: in response to the user triggering the digital identity digest generation function, the terminal sends a preparation information generation request to the user card; the terminal receives a preparation information generation response returned by the user card, comprising encrypted information and the terminal's public key, the encrypted information being the identification information of the user card encrypted with a preset public key of the mobile network side; the terminal sends a digital identity digest generation request, comprising the encrypted information and the terminal's public key, to the digital identity authentication functional entity on the mobile network side; and the terminal receives a digital identity digest generation response returned by the digital identity authentication functional entity, comprising the digital identity digest encrypted with the terminal's public key, where the digest was generated after the user's identity information was obtained on the basis of the encrypted information.
In some embodiments, the digital identity digest generation request further comprises the identification information of the user card, and the method further comprises: the digital identity authentication functional entity sends a decryption request, comprising the encrypted information and the identification information of the user card, to a core network element; it receives decrypted information returned by the core network element, comprising the identification information of the user card; and it compares the decrypted information with the identification information of the user card in the digital identity digest generation request and generates the digital identity digest if they match.
In some embodiments, the encrypted information further includes the terminal's public key encrypted with the preset public key of the mobile network side, and the digital identity digest generation request further comprises the identification information of the user card; the method further comprises: the digital identity authentication functional entity sends a decryption request, comprising the encrypted information and the identification information of the user card, to a core network element; it receives decrypted information returned by the core network element, comprising the identification information of the user card and the terminal's public key; and it compares the decrypted information with the identification information of the user card and the terminal's public key in the digital identity digest generation request and generates the digital identity digest if they match.
In some embodiments, the method further comprises: the digital identity authentication functional entity receives the user's identification information returned by the core network element, which the core network element determined from the identification information of the user card; the digital identity authentication functional entity queries the user's identity information from the customer relationship management system using the user's identification information; and generating the digital identity digest comprises the digital identity authentication functional entity generating the digital identity digest from the user's identity information.
In some embodiments, generating the digital identity digest from the user's identity information comprises: the digital identity authentication functional entity sends a user identity verification request to the terminal; it receives the verification information returned by the terminal, matches it against the user's identity information, and, if the match succeeds, generates the digital identity digest from the user's identity information.
In some embodiments, the digital identity authentication functional entity generating the digital identity digest from the user's identity information comprises: generating the digital identity digest from the user's identity information, the identification information of the user card and the terminal's public key; establishing a mapping among the user's identity information, the identification information of the user card, the terminal's public key and the digital identity digest; encrypting the digital identity digest with the terminal's public key; and sending the encrypted digital identity digest to the terminal.
In some embodiments, the method further comprises: the user card receives the encrypted digital identity digest sent by the terminal, decrypts it with the terminal's private key, and stores the digital identity digest.
According to other embodiments of the present disclosure, there is provided a terminal comprising: a first sending module, configured to send a digital identity digest acquisition request, carrying the user's local authentication information, to a user card in the terminal in response to the user starting an application in the terminal; a first receiving module, configured to receive the signature information of the digital identity digest returned by the user card, where the digest was generated from information that includes the user's identity information and the signature information indicates that the user card has authenticated the user locally; a second sending module, configured to send an access request carrying the signature information of the digital identity digest to the server of the application; and a second receiving module, configured to receive access information returned by the application server, indicating that the application server has successfully authenticated the user with the mobile network side on the basis of the signature information of the digital identity digest.
In some embodiments, the first sending module is further configured to send a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function; the first receiving module is further configured to receive the preparation information generation response returned by the user card, comprising encrypted information and the terminal's public key, the encrypted information being the identification information of the user card encrypted with a preset public key of the mobile network side; the second sending module is further configured to send a digital identity digest generation request, comprising the encrypted information and the terminal's public key, to the digital identity authentication functional entity on the mobile network side; and the second receiving module is further configured to receive the digital identity digest generation response returned by the digital identity authentication functional entity, comprising the digital identity digest encrypted with the terminal's public key, where the digest was generated after the user's identity information was obtained on the basis of the encrypted information.
In some embodiments, the terminal further comprises the user card, configured to receive the digital identity digest acquisition request sent by the first sending module, authenticate the user against the user's local authentication information, and, if local authentication succeeds, send the signature information of the digital identity digest to the first receiving module.
In some embodiments, the terminal further comprises the user card, configured to receive the preparation information generation request sent by the second sending module, generate the terminal's public key, encrypt the identification information of the user card with the preset public key of the mobile network side, and send the encrypted identification information of the user card to the second receiving module in the preparation information generation response.
According to still further embodiments of the present disclosure, there is provided a terminal including: a processor; and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the steps of the authentication method performed by the terminal as in any of the embodiments described above.
According to still further embodiments of the present disclosure, there is provided a digital identity authentication functional entity comprising: a processor; and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the steps of the authentication method performed by the digital identity authentication functional entity in any of the embodiments described above.
According to still further embodiments of the present disclosure, there is provided an authentication system including: the terminal and the digital identity authentication functional entity of any of the foregoing embodiments.
According to still further embodiments of the present disclosure, there is provided a non-transitory computer-readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the steps in the authentication method performed by the terminal in any of the previous embodiments.
According to still further embodiments of the present disclosure, a non-transitory computer readable storage medium is provided, on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the authentication method performed by the digital identity authentication functional entity of any of the previous embodiments.
In this method, the user starts an application on the terminal, the terminal obtains the digital identity digest from the user card, the user card returns the signature information of the digital identity digest to the terminal, the terminal sends an access request carrying that signature information to the application server, the application server authenticates the user with the mobile network side on the basis of the signature information, and, if authentication succeeds, the application server sends access information to the terminal so that the user can access the application. The digital identity digest stored in the user card serves as the terminal's single identity credential: every internet application server carries it to the mobile network side for authentication, the user's identity information is kept on the mobile network side, and the combination of local and remote authentication raises security. The user only needs to set local authentication information for authenticating to the user card; the subsequent authentication process is transparent to the user, which improves the user experience.
Other features of the present disclosure and its advantages will become apparent from the following detailed description of exemplary embodiments of the disclosure, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 illustrates a flow diagram of an authentication method of some embodiments of the present disclosure.
Fig. 2 shows a flow diagram of an authentication method of other embodiments of the present disclosure.
Fig. 3 illustrates a schematic structural diagram of a terminal of some embodiments of the present disclosure.
Fig. 4 illustrates a schematic diagram of the structure of a digital identity authentication functional entity of some embodiments of the present disclosure.
Fig. 5 shows a schematic structural diagram of a digital identity authentication functional entity according to further embodiments of the present disclosure.
Fig. 6 illustrates a schematic diagram of an authentication system of some embodiments of the present disclosure.
Detailed Description
The following description of the technical solutions in the embodiments of the present disclosure will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
The present disclosure proposes an authentication method, which is described below with reference to fig. 1 to 2.
Fig. 1 is a flow chart of some embodiments of the authentication method of the present disclosure. As shown in fig. 1, the method of this embodiment includes: steps S102 to S116.
In step S102, the terminal transmits a digital identity digest acquisition request to a user card in the terminal in response to the user launching an application in the terminal.
When a user starts an Application (APP) in a terminal, the application may send a digital identity digest acquisition request to a user card in the terminal through an SDK (software development kit).
The digital identity digest acquisition request includes, for example, local authentication information of the user. The local authentication information includes, for example, a user name, a password, biometric information, or the like.
In step S104, the user card authenticates the user locally against the user's local authentication information and, if local authentication succeeds, signs the digital identity digest stored in the user card with the terminal's private key, yielding the signature information of the digital identity digest.
The user card can store a user name, password or biometric information in advance and match the submitted local authentication information against it to authenticate the user locally: if the match succeeds, authentication succeeds; otherwise it fails.
In step S106, the user card sends the signature information of the digital identity abstract to the terminal, and correspondingly, the terminal receives the signature information of the digital identity abstract returned by the user card.
The user card may send the signature information of the digital identity digest to the application.
In step S108, the terminal transmits an access request to the server of the application.
The access request includes: signature information of the digital identity digest. The access request may be sent by an application of the terminal to a server of the application.
In step S110, the application server sends an authentication request to the digital identity authentication functional entity on the mobile network side.
The authentication request includes: signature information of the digital identity digest.
In step S112, the digital identity authentication functional entity authenticates the user according to the signature information of the digital identity digest.
For example, the access request also includes the identification information of the user card; the digital identity authentication functional entity determines whether the user is authenticated by looking up the terminal's public key from the identification information of the user card and verifying the signature information of the digital identity digest with that public key.
In step S114, the digital identity authentication functional entity returns the authentication result to the server of the application.
In step S116, the application server determines whether the authentication is successful according to the authentication result, and if the authentication is successful, the application server sends access information to the terminal, and correspondingly, the terminal receives the access information returned by the application server.
The access information indicates that the server of the application successfully authenticates the user to the mobile network side according to the signature information of the digital identity abstract.
In the method of this embodiment, the user starts an application on the terminal, the terminal obtains the digital identity digest from the user card, the user card returns the signature information of the digital identity digest to the terminal, the terminal sends an access request carrying that signature information to the server of the application, the server of the application authenticates the user with the mobile network side on the basis of the signature information, and, if authentication succeeds, the server of the application sends access information to the terminal so that the user can access the application. The digital identity digest stored in the user card serves as the terminal's single identity credential: every internet application server carries it to the mobile network side for authentication, the user's identity information is kept on the mobile network side, and the combination of local and remote authentication raises security. The user only needs to set local authentication information for authenticating to the user card; the subsequent authentication process is transparent to the user, which improves the user experience.
Some embodiments of the present disclosure for generating a digital identity digest are described below in connection with fig. 2.
Fig. 2 is a flow chart of other embodiments of the authentication method of the present disclosure. As shown in fig. 2, the method of this embodiment includes: steps S202 to S230.
In step S202, the terminal transmits a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function.
The digital identity digest generation function may be offered to the user by an application, and the user applies for generation of the digest by clicking on it. Alternatively, when the user opens the application on the terminal, the application is accessed by acquiring the digital identity digest as in the embodiment above if the digest has already been generated, and the digital identity digest generation function is triggered if no digest has yet been generated in the user card. The preparation information generation request may be sent to the user card through the SDK.
In step S204, the user card generates a public-private key pair of the terminal.
The user card may generate the public-private key pair for use with an elliptic curve integrated encryption scheme (ECIES). The terminal and the mobile network side use the same elliptic curve, so that the two key pairs satisfy: (private key of the terminal) · (public key of the mobile network side) = (private key of the mobile network side) · (public key of the terminal), where "·" is scalar multiplication of a curve point by a private key; both sides therefore arrive at the same shared point.
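The following is an added, runnable model of steps S102 to S116 (Fig. 1) and of the key-pair property just described; it is example code written for this page, not code from the patent or from China Telecom. It assumes secp256k1 as the curve (the patent names no curve), a PIN as the local authentication information, and an ICCID-keyed registry of terminal public keys inside the digital identity authentication functional entity; the ICCID, PIN and digest values are constructed. ECDSA and the curve arithmetic are written out in pure Python so the file runs offline; a deployment would use a vetted cryptographic library.

```python
"""Added example: Fig. 1 authentication flow and the ECDH key-pair property.

Toy actors (constructed for this example): UserCard holds the terminal key
pair and the digital identity digest; DigitalIdentityAuthFunction holds an
ICCID -> terminal public key mapping; app_login plays the application server.
"""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants; assumed curve, not from the patent).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                              # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Random private scalar d and public point d * G."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def shared_secret(own_priv, peer_pub):
    """Step S204 property: d_T * Q_N == d_N * Q_T, so both sides agree on a point."""
    return ec_mul(own_priv, peer_pub)


def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg):
    z = _hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1         # per-signature nonce
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = _hash_to_int(msg), pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


class UserCard:
    """Steps S104/S106: local authentication, then sign the stored digest."""
    def __init__(self, iccid, digest, pin):
        self.iccid = iccid
        self.priv, self.pub = keygen()           # terminal key pair made on the card
        self.digest = digest                     # digital identity digest (S230 result)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def sign_digest(self, local_auth_pin):
        offered = hashlib.sha256(local_auth_pin.encode()).digest()
        if not hmac.compare_digest(offered, self._pin_hash):
            return None                          # local authentication failed
        return ecdsa_sign(self.priv, self.digest)


class DigitalIdentityAuthFunction:
    """Step S112: look up the terminal public key by ICCID and verify the signature."""
    def __init__(self):
        self.registry = {}                       # ICCID -> (terminal pub, digest)

    def enrol(self, iccid, pub, digest):
        self.registry[iccid] = (pub, digest)

    def authenticate(self, iccid, signature):
        entry = self.registry.get(iccid)
        if entry is None or signature is None:
            return False
        pub, digest = entry
        return ecdsa_verify(pub, digest, signature)


def app_login(card, diaf, pin):
    """Steps S102-S116 as seen by the application server; True means access granted."""
    signature = card.sign_digest(pin)                           # S102-S106
    access_request = {"iccid": card.iccid, "sig": signature}    # S108
    return diaf.authenticate(access_request["iccid"], access_request["sig"])  # S110-S116


if __name__ == "__main__":
    digest = hashlib.sha256(b"constructed identity record").digest()
    card = UserCard("8986001234567890123", digest, "1234")     # constructed ICCID and PIN
    diaf = DigitalIdentityAuthFunction()
    diaf.enrol(card.iccid, card.pub, digest)
    print("correct PIN:", app_login(card, diaf, "1234"))
    print("wrong PIN:", app_login(card, diaf, "0000"))
```

Two points the model makes visible: the application server never sees the user's identity information, only an opaque signature and an ICCID, which is the privacy property the patent claims; and the signed message is the fixed stored digest, exactly as the text above describes, so as excerpted here the signature is not bound to a server challenge. A deployment would normally have the server contribute a nonce to the signed message so that a captured access request cannot simply be presented again.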
In step S206, the user card generates encryption information using a preset public key of the mobile network side.
The encrypted information includes, for example, the identification information of the user card encrypted with the preset public key of the mobile network side, or the identification information of the user card together with the terminal's public key encrypted with that preset public key. The identification information of the user card is, for example, the ICCID (Integrated Circuit Card Identity).
In step S208, the user card sends a preparation information generation response to the terminal, and accordingly, the terminal receives the preparation information generation response returned by the user card.
The preparation information generation response includes: encryption information and a public key of the terminal. The user card may send a provisioning information generation response to the application.
In step S210, the terminal sends a digital identity abstract generation request to the digital identity authentication functional entity at the mobile network side, and the digital identity authentication functional entity receives the digital identity abstract generation request sent by the terminal.
The digital identity digest generation request may be sent by the application to the digital identity authentication functional entity. It includes, for example, the encrypted information and the terminal's public key, and may further include the identification information of the user card, which may be obtained from the user card.
In step S212, the digital identity authentication functional entity sends a decryption request to the core network element.
The decryption request may include the encrypted information and the identification information of the user card, and may further include a request for the user's identification information. The core network elements are, for example, 5G core network elements, including the AUSF (Authentication Server Function) and the UDM (Unified Data Management).
In step S214, the core network element decrypts the encrypted information by using the network side private key, and obtains decrypted information.
The decrypted information includes identification information of the user card and may also include a public key of the terminal.
In step S216, the core network element returns the decrypted information to the digital identity authentication functional entity, and the digital identity authentication functional entity receives the decrypted information returned by the core network element.
The digital identity authentication functional entity can also receive the identification information of the user returned by the core network element, wherein the identification information of the user is determined by the core network element according to the identification information of the user card. The identification information of the user is, for example, a mobile phone number or the like.
In step S218, the digital identity authentication functional entity verifies the user against the decrypted information.
In some embodiments, the decrypted information includes the identification information of the user card, and the digital identity authentication functional entity compares it with the identification information of the user card in the digital identity digest generation request; if they match, the user verification succeeds.
In some embodiments, the decrypted information includes the identification information of the user card and the terminal's public key. The digital identity authentication functional entity compares them with the identification information of the user card and the terminal's public key in the digital identity digest generation request; if they match, the user verification succeeds.
Under the condition of successful verification, the digital identity authentication functional entity can acquire the identity information of the user to generate a digital identity abstract. The identity information of the user can be stored in a customer relationship management system (CRM), and the digital identity authentication functional entity can acquire the identity information of the user from the customer relationship management system, however, it is also possible that the digital identity authentication functional entity directly stores the identity information of the user, and the like.
In step S220, the digital identity authentication functional entity queries the customer relationship management system for the identity information of the user according to the identification information of the user.
The core network element determines the identification information of the user from the identification information of the user card and returns it to the digital identity authentication functional entity. The customer relationship management system looks up the identity information of the user corresponding to the identification information of the user and returns it to the digital identity authentication functional entity. The identity information of the user is, for example, identity card information of the user, including an identity card number, a picture, a name, and the like.
In step S222, the digital authentication functional entity performs identity verification on the user through the terminal according to the identity information of the user.
In some embodiments, the digital identity authentication functional entity sends a user identity verification request to the terminal, receives the verification information returned by the terminal, and matches the verification information against the identity information of the user; if they are consistent, the matching succeeds. The verification information can be a face image of the user captured by the terminal, an identity card number entered by the user, and the like.
In step S224, the digital authentication function entity generates a digital identity digest.
In some embodiments, the digital identity authentication functional entity generates the digital identity digest based on the identity information of the user, the identification information of the user card, and the public key of the terminal. Digest generation algorithms such as SHA1, SHA256 and the like can be adopted.
In step S226, the digital identity authentication functional entity establishes a mapping relationship between the user information and the digital identity digest, and stores the mapping relationship.
The information of the user may include identity information of the user, identification information of the user card, a public key of the terminal.
In step S228, the digital identity authentication functional entity encrypts the digital identity digest by using the public key of the terminal, and sends the encrypted digital identity digest to the terminal, and accordingly, the user card receives the encrypted digital identity digest sent by the terminal.
The digital identity authentication functional entity can send the encrypted digital identity abstract to the user card through the APP and the SDK.
In step S230, the encrypted digital identity digest is decrypted using the private key of the terminal and the digital identity digest is stored.
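The enrolment exchange of steps S212 to S230 and the later signature check of claims 2 and 3, as an added Go example that is not part of the patent: the core network element, the user card and the digital identity authentication functional entity are modelled as in-process structs, and RSA-OAEP for the two encryptions, RSA-PSS for the card's signature, SHA-256 with length-prefixed fields for the digest, and all type names and sample identifiers are assumptions of this example (the user-facing identity check of step S222 is left out).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// CoreNetwork stands in for the AUSF/UDM core network element of step S212.
type CoreNetwork struct {
	Priv        *rsa.PrivateKey   // network-side private key; its public key is preset in user cards
	Subscribers map[string]string // user card identifier (ICCID) -> user identification (phone number)
}

// Decrypt implements steps S214-S216: recover the ICCID and return the phone number it maps to.
func (n *CoreNetwork) Decrypt(enc []byte) (iccid, phone string, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.Priv, enc, nil)
	if err == nil {
		iccid, phone = string(pt), n.Subscribers[string(pt)]
	}
	return iccid, phone, err
}

// UserCard models the user card: it holds the terminal key pair and the stored digest.
type UserCard struct {
	ICCID  string
	Priv   *rsa.PrivateKey
	Digest []byte
}

// PrepareInfo builds the preparation information: ICCID encrypted under the preset network-side public key, plus the terminal public key.
func (c *UserCard) PrepareInfo(netPub *rsa.PublicKey) ([]byte, *rsa.PublicKey, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, netPub, []byte(c.ICCID), nil)
	return enc, &c.Priv.PublicKey, err
}

// StoreDigest implements step S230: decrypt with the terminal private key and keep the digest.
func (c *UserCard) StoreDigest(enc []byte) (err error) {
	c.Digest, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, c.Priv, enc, nil)
	return err
}

// SignDigest is the signature information of claim 2; the digest is already a SHA-256 value, so it is the pre-hashed message.
func (c *UserCard) SignDigest() ([]byte, error) {
	return rsa.SignPSS(rand.Reader, c.Priv, crypto.SHA256, c.Digest, nil)
}

// identityRecord is the mapping stored in step S226.
type identityRecord struct {
	Identity string
	Pub      *rsa.PublicKey
	Digest   []byte
}

// AuthEntity models the digital identity authentication functional entity.
type AuthEntity struct {
	Core    *CoreNetwork
	CRM     map[string]string         // phone number -> identity information (stand-in for the CRM)
	Records map[string]identityRecord // ICCID -> mapping of step S226
}

// GenerateDigest implements step S224 with SHA-256; the length prefixes (my choice, the page only names the inputs) keep field boundaries unambiguous.
func GenerateDigest(identity, iccid string, pub *rsa.PublicKey) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(identity), []byte(iccid), x509.MarshalPKCS1PublicKey(pub)} {
		binary.Write(h, binary.BigEndian, uint32(len(f)))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Enroll implements steps S212-S228: core decryption, comparison with the ICCID in the request, CRM lookup, digest generation and mapping storage; it returns the digest encrypted for the terminal.
func (a *AuthEntity) Enroll(enc []byte, pub *rsa.PublicKey, iccid string) ([]byte, error) {
	got, phone, err := a.Core.Decrypt(enc)
	if err != nil || got != iccid {
		return nil, errors.New("user card verification failed")
	}
	identity, ok := a.CRM[phone]
	if !ok {
		return nil, errors.New("no identity information for user")
	}
	d := GenerateDigest(identity, iccid, pub)
	a.Records[iccid] = identityRecord{Identity: identity, Pub: pub, Digest: d}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, d, nil)
}

// VerifyAccess implements claim 3: look up the terminal public key by ICCID and verify the signature over the stored digest.
func (a *AuthEntity) VerifyAccess(iccid string, sig []byte) error {
	rec, ok := a.Records[iccid]
	if !ok {
		return errors.New("unknown user card")
	}
	return rsa.VerifyPSS(rec.Pub, crypto.SHA256, rec.Digest, sig, nil)
}
```

Because the signed value is the fixed digest, the signature in the access request is the same on every login; a deployment would have the server bind a fresh nonce into what the card signs so that a captured access request cannot be presented again.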
To address the problems of poor user service experience, fragmented identity account information and easily leaked identity information when existing mobile terminals access Internet applications, the digital identity authentication functional entity acquires the user's information (including but not limited to the ICCID, mobile phone number, identity card information and the like) from the user card, the core network element of the 5G network and the CRM, and generates a trusted digital identity for the mobile terminal user by a cryptographic algorithm based on the user identity information, making use of the strong key system of the user card and the 5G network. This provides imperceptible authentication of the user, based on the trusted digital identity, when accessing Internet applications through the 5G network.
The method for generating the digital identity abstract and the method for authenticating the Internet access based on the digital identity abstract can provide a safe and convenient digital identity abstract generating method and an Internet access authentication method based on the digital identity abstract for a user to access mobile Internet applications through mobile terminal UE under a 5G network environment. The method not only protects the privacy security of the user at the application end, but also realizes the authentication capability of imperceptible identity authentication. The asymmetric key pair capability of the user card is utilized to carry out secure transmission of the user digital identity digest between the digital identity authentication functional entity and the user card, and carry out digital signature and signature verification on the user digital identity digest. The encryption security transmission of the user digital identity generation information is realized by utilizing the asymmetric key pair capability of the 5G core network, so that the security of the whole process is ensured.
The present disclosure also provides a terminal, described below in connection with fig. 3.
Fig. 3 is a block diagram of some embodiments of a terminal of the present disclosure. As shown in fig. 3, the terminal 30 of this embodiment includes a first sending module 310, a first receiving module 320, a second sending module 330 and a second receiving module 340.
The first sending module 310 is configured to send a digital identity digest acquisition request to a user card in the terminal in response to the user starting an application in the terminal, where the digital identity digest acquisition request includes local authentication information of the user;
the first receiving module 320 is configured to receive signature information of a digital identity digest returned by the user card, where the information for generating the digital identity digest includes identity information of the user, and the signature information of the digital identity digest indicates that local authentication of the user card on the user is successful;
the second sending module 330 is configured to send an access request to a server of the application, where the access request includes: signature information of the digital identity abstract;
the second receiving module 340 is configured to receive access information returned by the application server, where the access information indicates that the application server successfully authenticates the user to the mobile network side according to the signature information of the digital identity abstract.
In some embodiments, the first sending module 310 is further configured to send a preparation information generation request to the user card in response to the user triggering the digital identity digest generation function; the first receiving module 320 is further configured to receive a preparation information generation response returned by the user card, where the preparation information generation response includes the encrypted information and the public key of the terminal, the encrypted information comprising information obtained by encrypting the identification information of the user card with a preset public key of the mobile network side; the second sending module 330 is further configured to send a digital identity digest generation request to the digital identity authentication functional entity on the mobile network side, where the digital identity digest generation request includes the encrypted information and the public key of the terminal; the second receiving module 340 is further configured to receive a digital identity digest generation response returned by the digital identity authentication functional entity, where the digital identity digest generation response includes the digital identity digest encrypted with the public key of the terminal, the digital identity digest being generated after the identity information of the user is obtained according to the encrypted information.
In some embodiments, the terminal 30 further comprises: the user card 350 is configured to receive the digital identity digest acquisition request sent by the first sending module 310, authenticate the user according to the local authentication information of the user, and send signature information of the digital identity digest to the first receiving module 320 if the local authentication of the user is successful.
In some embodiments, the user card 350 is further configured to receive the preparation information generation request sent by the second sending module 330, generate a public key of the terminal, encrypt the identification information of the user card with a preset public key on the mobile network side, and send the encrypted identification information of the user card to the second receiving module 340 in a preparation information generation response.
The terminal and the digital identity authentication functional entity in the embodiments of the present disclosure may each be implemented by various computing devices or computer systems; the digital identity authentication functional entity is described below in conjunction with fig. 4 and 5.
Fig. 4 is a block diagram of some embodiments of the digital authentication functional entity of the present disclosure. As shown in fig. 4, the digital authentication function entity 40 of this embodiment includes: a memory 410 and a processor 420 coupled to the memory 410, the processor 420 being configured to perform steps in an authentication method performed by a digital identity authentication functional entity in any of the embodiments of the present disclosure based on instructions stored in the memory 410.
The memory 410 may include, for example, system memory, fixed nonvolatile storage media, and the like. The system memory stores, for example, an operating system, application programs, boot Loader (Boot Loader), database, and other programs.
Fig. 5 is a block diagram of other embodiments of the digital identity authentication functional entity of the present disclosure. As shown in fig. 5, the digital identity authentication functional entity 50 of this embodiment includes a memory 510 and a processor 520, which are similar to the memory 410 and the processor 420, respectively, and may also include an input/output interface 530, a network interface 540, a storage interface 550, and the like. These interfaces 530, 540, 550, as well as the memory 510 and the processor 520, may be connected by a bus 560, for example. The input/output interface 530 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, a touch screen, etc. The network interface 540 provides a connection interface for various networking devices, such as a database server or a cloud storage server. The storage interface 550 provides a connection interface for external storage devices such as SD cards, USB flash drives, and the like.
Embodiments in which the terminal is implemented by various computing devices or computer systems may refer to the embodiments of fig. 4 and 5, and will not be described in detail. The user card in the terminal may also include a processor and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the steps of the authentication method performed by the user card in any of the embodiments described above.
The present disclosure also provides an authentication system, described below in connection with fig. 6.
Fig. 6 is a block diagram of some embodiments of an authentication system of the present disclosure. As shown in fig. 6, the system 6 of this embodiment includes the terminal 30 of any of the preceding embodiments and the digital identity authentication functional entity 40/50.
The system 6 may further comprise a core network element 62, for example comprising the AUSF and the UDM. The core network element 62 is configured to receive a decryption request sent by the digital identity authentication functional entity 40/50, decrypt the encrypted information, and return the decrypted information to the digital identity authentication functional entity 40/50. The core network element 62 is further configured to determine the identification information of the user according to the identification information of the user card and send it to the digital identity authentication functional entity 40/50.
The system 6 may also include a customer relationship management system 64 configured to receive an identity information query request sent by the digital identity authentication functional entity 40/50 and return the identity information of the user to the digital identity authentication functional entity 40/50.
The digital identity authentication functional entity can be a capability open platform, and provides corresponding capability for Internet application providers according to requirements.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flowchart and/or block of the flowchart illustrations and/or block diagrams, and combinations of flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the preferred embodiments of the present disclosure is not intended to limit the disclosure, but rather to enable any modification, equivalent replacement, improvement or the like, which fall within the spirit and principles of the present disclosure.

Claims (17)

1. An authentication method, comprising:
the terminal responds to the user triggering the digital identity abstract generating function and sends a preparation information generating request to the user card;
the terminal receives a preparation information generation response returned by the user card, wherein the preparation information generation response comprises the following steps: the terminal comprises encryption information and a public key of the terminal, wherein the encryption information comprises information obtained by encrypting identification information of the user card by using a preset public key of a mobile network side;
the terminal sends a digital identity abstract generation request to a digital identity authentication functional entity of the mobile network, wherein the digital identity abstract generation request comprises the following steps: the encryption information and the public key of the terminal;
the terminal receives a digital identity abstract generation response returned by the digital identity authentication functional entity, wherein the digital identity abstract generation response comprises the following steps: the digital identity abstract encrypted by the public key of the terminal is adopted, and the digital identity abstract is generated after the identity information of the user is obtained according to the encryption information;
the terminal responds to the user to start the application in the terminal, and sends a digital identity abstract acquisition request to a user card in the terminal, wherein the digital identity abstract acquisition request comprises local authentication information of the user;
the terminal receives signature information of a digital identity abstract returned by the user card, wherein the information for generating the digital identity abstract comprises the identity information of the user, and the signature information of the digital identity abstract indicates that the user card successfully authenticates the user locally;
the terminal sends an access request to a server of the application, wherein the access request comprises: signature information of the digital identity abstract;
and the terminal receives access information returned by the application server, wherein the access information indicates that the application server successfully authenticates the user to a mobile network side according to the signature information of the digital identity abstract.
2. The authentication method according to claim 1, wherein,
the signature information of the digital identity abstract is obtained by signing the digital identity abstract stored in the user card by utilizing a private key of the terminal generated by the user card.
3. The authentication method of claim 1, wherein the access request further includes identification information of the user card;
and whether the user authentication is successful or not is determined by the digital identity authentication functional entity at the mobile network side after searching the public key of the terminal according to the identification information of the user card and verifying the signature information of the digital identity abstract by utilizing the public key of the terminal.
4. The authentication method of claim 1, wherein the digital identity digest generation request further comprises: identification information of the user card;
the method further comprises the steps of:
the digital identity authentication functional entity sends a decryption request to a core network element, wherein the decryption request comprises: the encryption information and the identification information of the user card;
the digital identity authentication functional entity receives decrypted information returned by the core network element, wherein the decrypted information comprises identification information of the user card;
and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card in the digital identity abstract generation request, and generates the digital identity abstract under the condition of consistent comparison.
5. The authentication method according to claim 1, wherein the encrypted information further includes information obtained by encrypting the public key of the terminal with a preset public key of a mobile network side, and the digital identity digest generation request further includes: identification information of the user card;
the method further comprises the steps of:
the digital identity authentication functional entity sends a decryption request to a core network element, wherein the decryption request comprises: the encryption information and the identification information of the user card;
the digital identity authentication functional entity receives decrypted information returned by the core network element, wherein the decrypted information comprises identification information of the user card and a public key of the terminal;
and the digital identity authentication functional entity compares the decrypted information with the identification information of the user card and the public key of the terminal in the digital identity abstract generation request, and generates the digital identity abstract under the condition of consistent comparison.
6. The authentication method according to claim 4 or 5, further comprising:
the digital identity authentication functional entity receives the identification information of the user returned by the core network element, wherein the identification information of the user is determined by the core network element according to the identification information of the user card;
the digital identity authentication functional entity inquires the identity information of the user from a client relationship management system according to the identification information of the user;
the generating the digital identity summary information includes:
the digital identity authentication functional entity generates the digital identity abstract according to the identity information of the user.
7. The authentication method of claim 6, wherein the generating the digital identity digest information from the identity information of the user comprises:
the digital identity authentication functional entity sends a user identity verification request to the terminal;
and the digital identity authentication functional entity receives the verification information returned by the terminal, matches the verification information with the identity information of the user, and generates the digital identity abstract information according to the identity information of the user under the condition that the matching is successful.
8. The authentication method of claim 6, wherein the digital identity authentication functional entity generating the digital identity digest from the identity information of the user comprises:
the digital identity authentication functional entity generates the digital identity abstract according to the identity information of the user, the identification information of the user card and the public key of the terminal;
the digital identity authentication functional entity establishes the mapping relation between the identity information of the user, the identification information of the user card, the public key of the terminal and the digital identity abstract, encrypts the digital identity abstract by adopting the public key of the terminal, and sends the encrypted digital identity abstract to the terminal.
9. The authentication method of claim 1, further comprising:
the user card receives the encrypted digital identity abstract sent by the terminal, decrypts the encrypted digital identity abstract by using a private key of the terminal, and stores the digital identity abstract.
10. A terminal, comprising:
the first sending module is used for responding to the starting of the application in the terminal by the user and sending a digital identity abstract obtaining request to a user card in the terminal, wherein the digital identity abstract obtaining request comprises local authentication information of the user;
the first receiving module is used for receiving signature information of the digital identity abstract returned by the user card, wherein the information used for generating the digital identity abstract comprises the identity information of the user, and the signature information of the digital identity abstract indicates that the user card is successful in local authentication of the user;
the second sending module is configured to send an access request to a server of the application, where the access request includes: signature information of the digital identity abstract;
the second receiving module is configured to receive access information returned by the application server, where the access information indicates that the application server successfully authenticates the user to the mobile network side according to the signature information of the digital identity abstract, wherein:
the first sending module is further used for responding to the user triggering a digital identity abstract generating function and sending a preparation information generating request to the user card;
the first receiving module is further configured to receive a preparation information generation response returned by the user card, where the preparation information generation response includes: the terminal comprises encryption information and a public key of the terminal, wherein the encryption information comprises information obtained by encrypting identification information of the user card by using a preset public key of a mobile network side;
the second sending module is further configured to send a digital identity abstract generating request to a digital identity authentication functional entity on the mobile network side, where the digital identity abstract generating request includes: the encryption information and the public key of the terminal;
the second receiving module is further configured to receive a digital identity digest generation response returned by the digital identity authentication functional entity, where the digital identity digest generation response includes: and the digital identity abstract encrypted by the public key of the terminal is adopted, and the digital identity abstract is generated after the identity information of the user is obtained according to the encryption information.
11. The terminal of claim 10, further comprising:
and the user card is used for receiving the digital identity abstract acquisition request sent by the first sending module, authenticating the user according to the local authentication information of the user, and sending signature information of the digital identity abstract to the first receiving module under the condition that the local authentication of the user is successful.
12. The terminal of claim 10, further comprising:
and the user card is used for receiving the preparation information generation request sent by the second sending module, generating the public key of the terminal, encrypting the identification information of the user card by utilizing the preset public key of the mobile network side, and sending the encrypted identification information of the user card to the second receiving module along with the preparation information generation response.
13. A terminal, comprising:
a processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the authentication method of claim 1.
14. A digital identity authentication functional entity, comprising:
a processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the authentication method of any of claims 3, 4-8.
15. An authentication system, comprising: the terminal of any of claims 10-12 or claim 13, and the digital authentication functional entity of claim 14.
16. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the steps of the method of claim 1.
17. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the steps of the method of any of claims 3, 4-8.
Publications (2)

Publication Number Publication Date
CN114007218A CN114007218A (en) 2022-02-01
CN114007218B true CN114007218B (en) 2024-01-26
CN116647379A (en) Service providing method and device for third party applet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant