CN114520735A - User identity authentication method, system and medium based on trusted execution environment

Info

Publication number: CN114520735A
Application number: CN202210052719.4A
Authority: CN (China)
Legal status: Granted; the granted version is CN114520735B, currently active
Original language: Chinese (zh)
Prior art keywords: instance, tee, user, user identity, client
Inventors: 李汝佳, 林振天, 张均成, 谢磊, 陈恩光
Original and current assignees: State Grid Information and Telecommunication Co Ltd; Fujian Yirong Information Technology Co Ltd
Application filed by State Grid Information and Telecommunication Co Ltd and Fujian Yirong Information Technology Co Ltd, claiming priority to CN202210052719.4A; published as CN114520735A and granted as CN114520735B


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/31 User authentication
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The invention discloses a user identity authentication method, system and medium based on a trusted execution environment (TEE), in the technical field of information management. The method comprises an instance initialization process, an access-right authentication process and a user identity authentication process. It loads the service system's user identity authentication program into a TEE instance, which sets aside a protected region of the processor and of memory, and runs authentication inside that application-layer trusted execution environment. This strengthens the access-right checks of the service system and keeps the system's login entry point from being hijacked by a malicious program. Because the user identity is authenticated inside a hardware trusted execution environment, security is considerably improved and the data security of the system is effectively guaranteed.

Description

User identity authentication method, system and medium based on trusted execution environment
Technical Field
The invention relates to the technical field of information management, in particular to a user identity authentication method, system and medium based on a trusted execution environment.
Background
User identification is a particularly important link in building business systems across industries.
In current service systems the user identity authentication process involves a protected password and an authentication algorithm. The password is stored in the database in encrypted form, with the encryption chosen so that the stored value cannot be turned back into plaintext. The authentication algorithm, however, is usually not protected at all: it is easy to expose or decompile, and can even be hijacked and abused, creating a risk of malicious attack and information leakage.
Exposure of the algorithm therefore creates a significant security risk during authentication. The password in the database is also at risk: an attacker can steal password data while the user's password is collected and transmitted, by exploiting a vulnerability in the service system program or in the database. On the algorithm side, risks such as source-code leakage mean that an attacker who finds a code bug can obtain data from the authentication process. Given these risks, guaranteeing secure identity authentication becomes crucial.
Disclosure of Invention
The technical problem solved by the invention is to provide a user identity authentication method and system based on a trusted execution environment: the user identity is authenticated with hardware trusted computing technology, so security is greatly improved and the data security of the system is effectively guaranteed.
In a first aspect, the invention provides a method for authenticating a user identity based on a trusted execution environment, comprising an instance initialization process, an access-right authentication process and a user identity authentication process;
the instance initialization process comprises: loading a user identity authentication program into a trusted execution environment (TEE) instance and defining access-right information; after the TEE instance starts, it generates at least two asymmetric key pairs as required. The first private key and the second private key are stored in an isolated execution space allocated by the TEE instance. The first public key is sent to the user client, which uses it to encrypt its session content; the second public key is sent to the service system, which uses it to encrypt specified data before storing the encrypted data in the service system database;
the access-right authentication process comprises: when a client needs to access the TEE instance, it first verifies the authenticity of the TEE instance through remote attestation and accesses the instance only after that verification passes. The client packages its access information, encrypts it with the first public key and submits it to the TEE instance; the TEE instance decrypts it with the first private key and compares it with the access-right information. If the access-right check passes, a secure session is automatically established with the client for invoking the TEE instance's program; if it fails, the TEE instance rejects the client's access request;
the user identity authentication process comprises: after a user submits login information at the client, the login information is submitted to the TEE instance for user identity authentication; the TEE instance receives the request over the secure session, executes the authentication method of the user identity authentication program and returns the authentication result, completing user identity authentication.
Further, in the access-right authentication process, the client verifies the authenticity of the TEE instance through remote attestation as follows: the client requests instance information from the TEE instance and submits it to the service center, then obtains the verification result the service center returns after checking the authenticity of the TEE instance.
Further, in the user identity authentication process, the login information comprises a user name and an entered password, and executing the authentication method and returning the result comprises:
first decrypting the login information submitted by the client with the first private key; then querying the service system database by user name to obtain the encrypted user password and decrypting it with the second private key; and finally passing the decrypted entered password and the decrypted stored password to the user identity authentication function for comparison, which returns True if they match and False otherwise.
Further, in the user identity authentication process, after the user submits login information at the client, the login information is encrypted, encoded and packaged locally before being submitted to the TEE instance for user identity authentication.
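The attestation round trip described here, as an added example rather than the patent's own code: a Go model in which a constructed platform attestation key signs the instance information, and the service center accepts it only if the signature verifies, the program measurement equals the approved value, and the report is bound to the pk1 the client is about to encrypt to. That last binding is the check a practitioner would add; without it a genuine report can be relayed in front of an impostor's public key. The InstanceInfo structure, the function names, the key sizes and the program bytes are assumptions for this example; on real hardware the report is produced and signed by the platform (an SGX quote, for instance) and verified against the vendor's certificate chain rather than a locally generated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
)

// InstanceInfo is the "instance information" the client fetches from the TEE instance and
// forwards to the service center. The program measurement is what the text describes;
// PK1Hash is the added binding between the report and the pk1 the client will encrypt to.
type InstanceInfo struct {
	Measurement []byte // hash of the user identity authentication program loaded into the instance
	PK1Hash     []byte // report data: hash of the pk1 this instance publishes
	Signature   []byte // RSA-PSS signature by the platform attestation key (vendor-rooted on real hardware)
}

func pubKeyHash(pk *rsa.PublicKey) []byte {
	h := sha256.Sum256(x509.MarshalPKCS1PublicKey(pk))
	return h[:]
}

func infoDigest(i InstanceInfo) []byte {
	h := sha256.New()
	h.Write(i.Measurement)
	h.Write(i.PK1Hash)
	return h.Sum(nil)
}

// MakeInstanceInfo is the instance's (really the platform's) side: measure the loaded program
// and sign the measurement together with the hash of pk1.
func MakeInstanceInfo(attestKey *rsa.PrivateKey, program []byte, pk1 *rsa.PublicKey) (InstanceInfo, error) {
	m := sha256.Sum256(program)
	info := InstanceInfo{Measurement: m[:], PK1Hash: pubKeyHash(pk1)}
	sig, err := rsa.SignPSS(rand.Reader, attestKey, crypto.SHA256, infoDigest(info), nil)
	info.Signature = sig
	return info, err
}

// ServiceCenterVerify is the service center's check. It passes only if the signature is genuine,
// the measurement is the approved program, and the pk1 the client is about to use is the one bound
// into the report; a verified report shown next to a different pk1 is a relay, not a trusted instance.
func ServiceCenterVerify(info InstanceInfo, platformKey *rsa.PublicKey, approved []byte, pk1 *rsa.PublicKey) bool {
	if rsa.VerifyPSS(platformKey, crypto.SHA256, infoDigest(info), info.Signature, nil) != nil {
		return false
	}
	return subtle.ConstantTimeCompare(info.Measurement, approved) == 1 &&
		subtle.ConstantTimeCompare(info.PK1Hash, pubKeyHash(pk1)) == 1
}

// Demo returns (genuine instance accepted, modified program rejected, genuine report paired with a
// substituted pk1 rejected). The platform key, program bytes and key pairs are constructed here.
func Demo() (genuineOK, modifiedRejected, swappedKeyRejected bool, err error) {
	platform, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vendor attestation key
	if err != nil {
		return
	}
	k1, err := rsa.GenerateKey(rand.Reader, 2048) // the instance's key group k1
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // the key an impostor would like the client to use
	if err != nil {
		return
	}
	program := []byte("user identity authentication program v1")
	approved := sha256.Sum256(program) // the service center's record of the approved program
	good, err := MakeInstanceInfo(platform, program, &k1.PublicKey)
	if err != nil {
		return
	}
	modified, err := MakeInstanceInfo(platform, []byte("user identity authentication program v1 + patch"), &k1.PublicKey)
	if err != nil {
		return
	}
	genuineOK = ServiceCenterVerify(good, &platform.PublicKey, approved[:], &k1.PublicKey)
	modifiedRejected = !ServiceCenterVerify(modified, &platform.PublicKey, approved[:], &k1.PublicKey)
	swappedKeyRejected = !ServiceCenterVerify(good, &platform.PublicKey, approved[:], &impostor.PublicKey)
	return
}
```

The client should call the equivalent of ServiceCenterVerify, or ask the service center to, before it encrypts anything under pk1; a report that verifies but names a different key is the relay case the third Demo result rejects.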
In a second aspect, the invention provides a user identity authentication system based on a trusted execution environment, comprising an instance initialization module, an access-right authentication module and a user identity authentication module;
the instance initialization module is used to load a user identity authentication program into a trusted execution environment (TEE) instance and to define access-right information; after the TEE instance starts it generates at least two asymmetric key pairs as required, the first private key and the second private key are stored in an isolated execution space allocated by the TEE instance, the first public key is sent to the user client for encrypting its session content, and the second public key is sent to the service system for encrypting designated data before it is stored in the service system database;
the access-right authentication module is used, when a client needs to access the TEE instance, to verify the authenticity of the TEE instance through remote attestation, to access the instance after that verification passes, and to package the access information, encrypt it with the first public key and submit it to the TEE instance, which decrypts it with the first private key and compares it with the access-right information; if the access-right check passes, a secure session is automatically created with the client for invoking the TEE instance's program, and if it fails the TEE instance rejects the client's access request;
the user identity authentication module is used, after a user submits login information at the client, to submit the login information to the TEE instance for user identity authentication; the TEE instance receives the request over the secure session, executes the authentication method of the user identity authentication program and returns the authentication result, completing user identity authentication.
Further, in the access-right authentication module, the client verifies the authenticity of the TEE instance through remote attestation as follows: the client requests instance information from the TEE instance and submits it to the service center, then obtains the verification result the service center returns after checking the authenticity of the TEE instance.
Further, in the user identity authentication module, the login information comprises a user name and an entered password, and executing the authentication method and returning the result comprises:
first decrypting the login information submitted by the client with the first private key; then querying the service system database by user name to obtain the encrypted user password and decrypting it with the second private key; and finally passing the decrypted entered password and the decrypted stored password to the user identity authentication function for comparison, which returns True if they match and False otherwise.
Further, in the user identity authentication module, after the user submits login information at the client, the login information is encrypted, encoded and packaged locally before being submitted to the TEE instance for user identity authentication.
In a third aspect, the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the method of the first aspect.
The technical solution provided by the embodiments of the invention has the following technical effects or advantages:
1. Based on a trusted execution environment (TEE), security computation and data processing take place in a closed and secure region, so the system's login entry point cannot be hijacked by a malicious program; the authentication result is reported to the service system, achieving a high level of security for identity authentication and improving the overall security of the service system;
2. By encrypting the user client's session content and encrypting specified data (such as user passwords) in the service system database, the method effectively addresses the risk of database password leakage, markedly raises the security level of user identity authentication compared with the traditional approach, effectively ensures the system's data security, and supports the core competitiveness of the enterprise.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
The invention is further described below with reference to the following examples and the accompanying drawings.
FIG. 1 is a flow chart of a method according to one embodiment of the present invention;
FIG. 2 is a schematic diagram of the instance initialization process according to the first embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating an access right authentication process according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a user identity authentication process according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a medium according to a third embodiment of the present invention.
Detailed Description
The embodiments of the application provide a user identity authentication method and system based on a trusted execution environment; the user identity is authenticated with hardware trusted computing technology, so security is greatly improved and the data security of the system is effectively guaranteed.
The general idea of the technical solution in the embodiments of the application is as follows:
A trusted execution environment (TEE) is a region set apart at the chip level. The region need not occupy a distinct physical location on the chip; it may only logically occupy a certain execution space. This space is called an enclave in Intel SGX and the Secure World in ARM TrustZone. The region provides a more secure place for code execution and data storage, ensuring confidentiality and tamper resistance.
The technical solution introduces TEE technology into the system's user identity authentication process so that the process is secure and trustworthy. The method loads the system's user identity authentication program into a TEE, sets aside a protected region of the processor and of memory, and uses this application-layer trusted execution environment, so the access-right checks of the service system are effectively strengthened and the system's login entry point is kept from being hijacked by a malicious program.
Example one
This embodiment provides a user identity authentication method based on a trusted execution environment, shown in FIG. 1, comprising an instance initialization process, an access-right authentication process and a user identity authentication process;
the instance initialization process comprises: loading a user identity authentication program into a trusted execution environment (TEE) instance and defining access-right information (for example, the user's access IP address and terminal MAC address); after the TEE instance starts, it generates at least two asymmetric key pairs as required. The first private key and the second private key are stored in an isolated execution space allocated by the TEE instance (this space is invisible to any external system, the operating system included). The first public key is sent to the user client, which uses it to encrypt its session content; the second public key is sent to the service system, which uses it to encrypt specified data before storing the encrypted data in the service system database;
the access-right authentication process comprises: when a client needs to access the TEE instance, it first verifies the authenticity of the TEE instance through remote attestation and accesses the instance only after that verification passes. The client packages its access information (such as its IP and machine MAC address), encrypts it with the first public key and submits it to the TEE instance; the TEE instance decrypts it with the first private key and compares it with the access-right information. If the access-right check passes, a secure session is automatically established with the client for invoking the TEE instance's program; if it fails, the TEE instance rejects the client's access request;
the user identity authentication process comprises: after a user submits login information at the client, the login information is submitted to the TEE instance for user identity authentication; the TEE instance receives the request over the secure session, executes the authentication method of the user identity authentication program and returns the authentication result, completing user identity authentication.
Based on a trusted execution environment, security computation and data processing take place in a closed and secure region, so the system's login entry point cannot be hijacked by a malicious program; the authentication result is reported to the service system, achieving a high level of security for identity authentication and improving the overall security of the service system. By encrypting the user client's session content and encrypting specified data (such as user passwords) in the service system database, the method effectively addresses the risk of database password leakage, markedly raises the security level of user identity authentication compared with the traditional approach, effectively ensures the system's data security, and supports the core competitiveness of the enterprise.
One specific implementation of this embodiment is as follows:
The method loads the system's user identity authentication program into a TEE, sets aside a protected region of the processor and of memory, and uses this application-layer trusted execution environment, so the access-right checks of the service system are effectively strengthened and the system's login entry point is kept from being hijacked by a malicious program.
(1) The application program drives the trusted execution environment (TEE) through commands: it loads the user identity authentication program and defines the access-right information (such as the user's access IP address and terminal MAC address) into a TEE instance for initialization. Once initialization completes, the instance automatically enters its start-up phase and, after starting, generates two key pairs as required: key group k1 (private key sk1 and public key pk1) and key group k2 (private key sk2 and public key pk2), as shown in FIG. 2. Both private keys are stored in an isolated execution space allocated by the TEE instance and never leave the hardware under any circumstances. Public key pk1 is published to the designated user client, which encrypts its session content with it (only the instance, holding sk1, can decrypt that content); public key pk2 is published to the designated service system, which encrypts important data (such as user passwords) with it before storing them in the service system database.
(2) The user client first performs remote attestation. Its purpose is to prove that the requested TEE instance is not an impostor and that the program really executes inside the TEE instance: the client requests instance information from the TEE instance and submits it to the service center, which is responsible for verifying the authenticity of the TEE instance. The user client then accesses the TEE instance: it packages its IP and machine MAC address, encrypts them with the trusted public key pk1 issued by the TEE instance and submits them to the instance. Inside the TEE instance, private key sk1 decrypts the plaintext IP and MAC address, which are compared with the access control list set when the instance was initialized; if they fall within the permitted range the check passes. The whole check runs inside the TEE instance. When the access-right check passes, a secure session is created automatically and the TEE instance's program can be invoked; when it fails, the TEE instance rejects the client's request, which secures the access process. The service system accesses the TEE instance in the same way as the user client, except that it encrypts with public key pk2; the flow is shown in FIG. 3.
(3) At the client, the user opens the login page in a browser and enters user information such as the user ID and password. After clicking login, the user information is encrypted and packaged locally with public key pk1 and submitted to the TEE instance for user identity authentication. After receiving the request over the secure session, the TEE instance executes the authentication method Func. During Func, the user ID (UserId) and entered password (Pass1) submitted by the client are decrypted with sk1; at the same time the service system database is queried by UserId to obtain the encrypted user password Pass2, which is decrypted with sk2. Finally the two decrypted passwords, Pass1 and Pass2, are passed to the user identity authentication function for the final comparison: True if they match, False if not. The client's login flow uses the returned status to decide whether the user's login succeeded, which completes user identity authentication; the flow is shown in FIG. 4.
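The three steps above as one added example in Go (standard library only); it is illustrative code written for this page, not code from the patent or its assignees. The TEE instance is modelled as an in-process object that generates k1 and k2 at initialization and publishes only pk1 and pk2; the service system stores the password encrypted under pk2; the client submits RSA-OAEP ciphertexts under pk1 for both the access-right check and the login; and Func decrypts Pass1 with sk1 and Pass2 with sk2 inside the instance. The type and function names, the session token, the sample rule, user and passwords are constructed for the example, and remote attestation of the instance is assumed to have succeeded before pk1 is used. Two points are additions a practitioner would insist on rather than things the text states: the password comparison is constant-time, and an undecryptable request and an unlisted client receive the same rejection.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// AccessRule is the access-right information fixed at initialization; Credential is (UserId, Pass1).
type AccessRule struct{ IP, MAC string }
type Credential struct{ UserID, Password string }

// TEEInstance stands in for the enclave: sk1 and sk2 never leave it; only PK1 and PK2 are published.
type TEEInstance struct {
	PK1, PK2 *rsa.PublicKey
	sk1, sk2 *rsa.PrivateKey
	allow    map[AccessRule]bool // access-right information: permitted client IP and MAC pairs
	sessions map[string]bool
	db       map[string][]byte // handle to the service-system database: user -> Enc_pk2(password)
}

// NewTEEInstance is the instance initialization process: generate key groups k1 and k2 inside the instance.
func NewTEEInstance(allow map[AccessRule]bool, db map[string][]byte) (*TEEInstance, error) {
	sk1, err1 := rsa.GenerateKey(rand.Reader, 2048)
	sk2, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return &TEEInstance{PK1: &sk1.PublicKey, PK2: &sk2.PublicKey, sk1: sk1, sk2: sk2,
		allow: allow, sessions: map[string]bool{}, db: db}, nil
}

// Encrypt is the client's or service system's side: serialize, then RSA-OAEP with SHA-256.
func Encrypt(pk *rsa.PublicKey, v interface{}) ([]byte, error) {
	b, _ := json.Marshal(v) // plain structs and strings: Marshal cannot fail here
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, b, nil)
}

// decryptInto runs only inside the instance, where the private keys live.
func decryptInto(sk *rsa.PrivateKey, ct []byte, v interface{}) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, sk, ct, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(pt, v)
}

// AuthorizeAccess is the access-right authentication process: decrypt with sk1, compare with the
// rules, open a secure session. Bad ciphertext and a rule miss are rejected identically.
func (t *TEEInstance) AuthorizeAccess(ct []byte) (string, error) {
	var r AccessRule
	if err := decryptInto(t.sk1, ct, &r); err != nil || !t.allow[r] {
		return "", errors.New("access request rejected")
	}
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	s := hex.EncodeToString(tok)
	t.sessions[s] = true
	return s, nil
}

// Authenticate is the authentication method Func: decrypt (UserId, Pass1) with sk1, fetch
// Enc_pk2(Pass2) by UserId, decrypt it with sk2, and compare the two in constant time.
func (t *TEEInstance) Authenticate(session string, ct []byte) (bool, error) {
	if !t.sessions[session] {
		return false, errors.New("no secure session")
	}
	var c Credential
	if err := decryptInto(t.sk1, ct, &c); err != nil {
		return false, err
	}
	var pass2 string // an unknown UserId yields a nil ciphertext, which fails to decrypt
	if err := decryptInto(t.sk2, t.db[c.UserID], &pass2); err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(c.Password), []byte(pass2)) == 1, nil
}

// RunScenario runs the three processes on constructed data and returns
// (correct login accepted, wrong password rejected, unlisted client denied a session).
func RunScenario() (good, wrongRejected, unlistedDenied bool, err error) {
	db := map[string][]byte{}
	rule := AccessRule{IP: "10.0.0.5", MAC: "aa:bb:cc:dd:ee:ff"}
	tee, err := NewTEEInstance(map[AccessRule]bool{rule: true}, db)
	if err != nil {
		return
	}
	db["alice"], _ = Encrypt(tee.PK2, "correct horse battery staple") // service system stores Enc_pk2(password)
	ct, _ := Encrypt(tee.PK1, rule)                                  // client side, after remote attestation of the instance
	session, err := tee.AuthorizeAccess(ct)
	if err != nil {
		return
	}
	ct, _ = Encrypt(tee.PK1, Credential{UserID: "alice", Password: "correct horse battery staple"})
	good, _ = tee.Authenticate(session, ct)
	ct, _ = Encrypt(tee.PK1, Credential{UserID: "alice", Password: "Tr0ub4dor&3"})
	bad, _ := tee.Authenticate(session, ct)
	ct, _ = Encrypt(tee.PK1, AccessRule{IP: "203.0.113.9", MAC: "00:11:22:33:44:55"})
	_, denied := tee.AuthorizeAccess(ct)
	return good, !bad, denied != nil, nil
}
```

RunScenario returns the three outcomes so the flow can be exercised without a browser. As in the text, the database holds the password itself under pk2; encrypting a salted password hash instead, and comparing hashes inside the instance, limits what a leaked sk2 would expose. An IP and MAC address are values the client reports, so the access-right check is only as strong as the network path that delivers them.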
Through this technology of user identity authentication based on a trusted execution environment (TEE), the security of the service system can be greatly improved, the data security of the system is effectively guaranteed, and support is provided for improving the core competitiveness of the enterprise.
Based on the same inventive concept, the application also provides a device corresponding to the method in the first embodiment, which is detailed in the second embodiment.
Example two
This embodiment provides a user authentication system based on a trusted execution environment, shown in FIG. 5, comprising an instance initialization module, an access-right authentication module and a user identity authentication module;
the instance initialization module is used to load a user identity authentication program into a trusted execution environment (TEE) instance and to define access-right information; after the TEE instance starts it generates at least two asymmetric key pairs as required, the first private key and the second private key are stored in an isolated execution space allocated by the TEE instance, the first public key is sent to the user client for encrypting its session content, and the second public key is sent to the service system for encrypting designated data before it is stored in the service system database;
the access-right authentication module is used, when a client needs to access the TEE instance, to verify the authenticity of the TEE instance through remote attestation, to access the instance after that verification passes, and to package the access information, encrypt it with the first public key and submit it to the TEE instance, which decrypts it with the first private key and compares it with the access-right information; if the access-right check passes, a secure session is automatically created with the client for invoking the TEE instance's program, and if it fails the TEE instance rejects the client's access request;
the user identity authentication module is used, after a user submits login information at the client, to submit the login information to the TEE instance for user identity authentication; the TEE instance receives the request over the secure session, executes the authentication method of the user identity authentication program and returns the authentication result, completing user identity authentication.
Preferably, in the access-right authentication module, the client verifies the authenticity of the TEE instance through remote attestation as follows: the client requests instance information from the TEE instance and submits it to the service center, then obtains the verification result the service center returns after checking the authenticity of the TEE instance.
Preferably, in the user identity authentication module, the login information comprises a user name and an entered password, and executing the authentication method and returning the result comprises:
first decrypting the login information submitted by the client with the first private key; then querying the service system database by user name to obtain the encrypted user password and decrypting it with the second private key; and finally passing the decrypted entered password and the decrypted stored password to the user identity authentication function for comparison, which returns True if they match and False otherwise.
Preferably, in the user identity authentication module, after the user submits login information at the client, the login information is encrypted, encoded and packaged locally before being submitted to the TEE instance for user identity authentication.
Since the system of the second embodiment is the system used to implement the method of the first embodiment, a person skilled in the art can understand its specific structure and variations from the description of that method, so the details are omitted here. All devices used to carry out the method of the first embodiment fall within the protection scope of the invention.
Based on the same inventive concept, the application also provides a storage medium corresponding to the third embodiment.
EXAMPLE III
This embodiment provides a computer-readable storage medium, as shown in fig. 6, on which a computer program is stored; when the computer program is executed by a processor, the method of any one of the foregoing embodiments is implemented.
Since the computer-readable storage medium described in this embodiment is the medium used to implement the method of the first embodiment of the present application, a person skilled in the art can understand its specific implementation and variations from the description of the first embodiment, so how the method of the present application is implemented by means of the computer-readable storage medium is not described in detail here. All computer-readable storage media that a person skilled in the art can use to implement the methods of the embodiments of the present application fall within the scope of the present application.
The embodiment of the invention is based on a Trusted Execution Environment (TEE) and performs secure computation and data processing inside a closed, isolated area. This ensures that the system login entry point cannot be hijacked by a malicious program, reports the security identification result to the service system, achieves a high level of secure identity identification and improves the overall security of the service system. By encrypting the session content of the user client and encrypting designated data (such as user passwords) in the service system database, the method effectively addresses the risk of password leakage from the database, markedly raises the security level of user identity authentication compared with the conventional approach, effectively safeguards system data security and provides support for improving the core competitiveness of enterprises.
Although specific embodiments of the invention have been described above, it will be understood by those skilled in the art that the specific embodiments described are illustrative only and are not limiting upon the scope of the invention, and that equivalent modifications and variations can be made by those skilled in the art without departing from the spirit of the invention, which is to be limited only by the appended claims.

Claims (9)

1. A user identity authentication method based on a trusted execution environment is characterized by comprising the following steps: an instance initialization process, an access authority identification process and a user identity identification process;
the instance initialization process includes: loading a user identity authentication program into a TEE instance of the trusted execution environment and then defining access authority information; after the TEE instance is started, at least two asymmetric key pairs are generated as required, wherein a first private key and a second private key are stored in an independent execution space allocated by the TEE instance, the first public key is sent to the user client and used to encrypt the session content of the user client, and the second public key is sent to the service system and used to encrypt designated data before it is stored in the service system database;
the access right authentication process includes: when a client needs to access the TEE instance, the authenticity of the TEE instance is verified through remote attestation; after the verification passes, the client accesses the TEE instance, packages the access information, encrypts it with the first public key and submits it to the TEE instance; the TEE instance decrypts the access information with the first private key and compares it with the access authority information, and after the authority identification passes it automatically establishes a secure session with the client for calling the TEE instance's execution program; if the authority identification fails, the TEE instance refuses the client's access request;
the user identity identification process comprises the following steps: after a user submits login information at the client, the login information is submitted to the TEE instance of the trusted execution environment for user identity authentication; the TEE instance receives the request through the secure session, executes the authentication method of the user identity authentication program and then returns the authentication result, completing user identity authentication.
2. The method of claim 1, wherein: in the access right authentication process, the client verifies the authenticity of the TEE instance through remote attestation, specifically as follows: the client requests the instance information from the TEE instance and submits it to the service center, then receives the verification result returned after the service center has checked the authenticity of the TEE instance.
3. The method of claim 1, wherein: in the user identity authentication process, the login information comprises a user name and an entered password; executing the authentication method of the user identity authentication program and then returning an authentication result specifically comprises the following steps:
first, the login information submitted by the client is decrypted with the first private key; next, the encrypted user password is requested from the service system database by user name and decrypted with the second private key; finally, the decrypted entered password and the decrypted stored password are passed to the user identity authentication function for comparison, whose result is True or False.
4. A method according to any one of claims 1 to 3, characterized in that: in the user identity authentication process, after a user submits login information at a client, the login information is encrypted, coded and packaged locally and then submitted to a Trusted Execution Environment (TEE) instance for user identity authentication.
5. A trusted execution environment based user authentication system, comprising: the system comprises an instance initialization module, an access authority identification module and a user identity identification module;
the system comprises an instance initialization module, a Trusted Execution Environment (TEE) instance and a service system database, wherein the instance initialization module is used for loading a user identity authentication program into the TEE instance, then defining access authority information, and generating at least two groups of asymmetric secret keys as required after the TEE instance is started, wherein a first private key and a second private key are stored in an independent execution space distributed by the TEE instance, the first public key is sent to the user client and used for encrypting session content of the user client, and the second public key is sent to the service system and used for encrypting designated data and then storing the encrypted data into the service system database;
the access authority authentication module is used for verifying the authenticity of the TEE instance through remote assertion when a client needs to access the TEE instance, accessing the TEE instance after the authentication is passed, packaging access information, encrypting the access information through the first public key, submitting the access information to the TEE instance, decrypting the access information through the first private key by the TEE instance, comparing the access information with the access authority information, and automatically creating a security session with the client after the authority authentication is passed for calling a TEE instance executive program; if the authority identification is not passed, the TEE instance refuses the access request of the client;
the user identity authentication module is used for submitting login information to a trusted execution environment TEE instance for user identity authentication after a user submits the login information at a client, the TEE instance executes an authentication method of a user identity authentication program after receiving a request through a secure session, and then returns an authentication result to finish user identity authentication.
6. The system of claim 5, wherein: in the access right authentication module, the client verifies the authenticity of the TEE instance through remote attestation, specifically as follows: the client requests the instance information from the TEE instance and submits it to the service center, then receives the verification result returned after the service center has checked the authenticity of the TEE instance.
7. The system of claim 5, wherein: in the user identity authentication module, the login information comprises a user name and an entered password; executing the authentication method of the user identity authentication program and then returning an authentication result specifically comprises the following steps:
first, the login information submitted by the client is decrypted with the first private key; next, the encrypted user password is requested from the service system database by user name and decrypted with the second private key; finally, the decrypted entered password and the decrypted stored password are passed to the user identity authentication function for comparison, whose result is True or False.
8. The system according to any one of claims 5 to 7, wherein: in the user identity authentication module, after a user submits login information at a client, the login information is encrypted, coded and packaged locally, and then submitted to a Trusted Execution Environment (TEE) instance for user identity authentication.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 4.
Application CN202210052719.4A, priority date 2022-01-18, filing date 2022-01-18: User identity authentication method, system and medium based on trusted execution environment. Status: Active. Granted publication: CN114520735B (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210052719.4A (CN114520735B, en) | 2022-01-18 | 2022-01-18 | User identity authentication method, system and medium based on trusted execution environment

Publications (2)

Publication Number | Publication Date
CN114520735A (en) | 2022-05-20
CN114520735B (en) | 2023-10-31

Family ID: 81597554

Country Status (1)

Country | Link
CN (1) | CN114520735B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115378677A (en) * | 2022-08-16 | 2022-11-22 | 上海交通大学 (Shanghai Jiao Tong University) | Personal data collection method and system suitable for user side and use method and system thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107612940A (en) * | 2017-10-31 | 2018-01-19 | 飞天诚信科技股份有限公司 (Feitian Technologies Co., Ltd.) | Identity authentication method and authentication device
CN109787988A (en) * | 2019-01-30 | 2019-05-21 | 杭州恩牛网络技术有限公司 (Hangzhou Enniu Network Technology Co., Ltd.) | Identity-enhanced authentication and authorization method and device
US20200145219A1 (en) * | 2016-11-08 | 2020-05-07 | Aware, Inc. | Decentralized biometric identity authentication
US10764752B1 (en) * | 2018-08-21 | 2020-09-01 | HYPR Corp. | Secure mobile initiated authentication
US20210258308A1 (en) * | 2018-08-21 | 2021-08-19 | HYPR Corp. | Out-of-band authentication to access web-service with indication of physical access to client device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Liu Yaqiang; Li Xiaoyu: "Mobile secure payment scheme using identity-based cryptography plus SMS verification codes", Computer Science (计算机科学), no. 01 *

Also Published As

Publication number | Publication date
CN114520735B (en) | 2023-10-31

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant