CN114520735B - User identity authentication method, system and medium based on trusted execution environment - Google Patents
User identity authentication method, system and medium based on trusted execution environment
Publication number: CN114520735B (application CN202210052719.4A)
Authority: CN (China)
Prior art keywords: instance, tee, user, user identity, identity authentication
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0442: network security, confidential data exchange among entities communicating through data packet networks, where the payload is protected and the sending and receiving entities apply asymmetric encryption
- G06F21/31: user authentication
- G06F21/57: certifying or maintaining trusted computer platforms (secure boot, version control, system software checks, secure updates)
- H04L63/10: network security, controlling access to devices or network resources
Abstract
The application discloses a user identity authentication method, system and medium based on a trusted execution environment, in the technical field of information management. The method comprises an instance initialization process, an access right authentication process and a user identity authentication process. The user identity authentication program of the system is loaded into a trusted execution environment (TEE) instance, which sets aside a protected processor context and a protected region of memory; this application-layer trusted execution environment strengthens the user authority authentication of the service system and ensures that the login entrance of the system cannot be hijacked by a malicious program. Because the user identity is authenticated inside a hardware trusted execution environment, security is greatly improved and the system data is effectively protected.
Description
Technical Field
The present application relates to the field of information management technologies, and in particular, to a user identity authentication method, system, and medium based on a trusted execution environment.
Background
User identity authentication is a particularly important link in the construction of business systems across industries.
In the user identity authentication process of current service systems, passwords are encrypted before being stored in the database, and the encryption algorithm ensures that the stored value cannot be turned back into plaintext. The authentication algorithm itself, however, generally runs unprotected: it can be exposed or decompiled, and even hijacked and abused, so it is at risk of attack or malicious use and of leaking information.
The exposure of the algorithm therefore creates a significant security risk during authentication. The passwords in the database are also at risk: an attacker may exploit a vulnerability in the service system program or in the database, and password data may be stolen while the program obtains and transmits the user password. On the algorithm side, the risk is code leakage, where an attacker exploits a code vulnerability to obtain data from the authentication process. Given these risks, guaranteeing secure identity authentication becomes critical.
Disclosure of Invention
The application aims to solve the technical problem of providing a user identity authentication method and system based on a trusted execution environment, which authenticate the user identity on the basis of hardware trusted computing technology, greatly improving security and effectively protecting system data.
In a first aspect, the present application provides a user identity authentication method based on a trusted execution environment, including: an instance initialization process, an access right authentication process and a user identity authentication process;
the instance initialization process includes: loading a user identity authentication program into a Trusted Execution Environment (TEE) instance, defining access right information, and, after the TEE instance is started, generating at least two asymmetric key pairs as required, wherein the first private key and the second private key are stored in independent execution spaces allocated by the TEE instance, the first public key is sent to the user client and used to encrypt the session content of the user client, and the second public key is sent to the service system and used to encrypt designated data before it is stored in the service system database;
the access right authentication process comprises: when a client needs to access a TEE instance, first verifying the authenticity of the TEE instance through remote attestation; after verification passes, accessing the TEE instance, packaging the access information, encrypting it with the first public key and submitting it to the TEE instance; the TEE instance decrypts the access information with the first private key, compares it with the access right information and, once the access right check passes, automatically creates a secure session with the client for calling the TEE instance execution program; if the access right check fails, the TEE instance refuses the client's access request;
the user identity authentication process comprises: after a user submits login information at the client, the login information is submitted to the TEE instance for user identity authentication; the TEE instance receives the request through the secure session, executes the authentication method of the user identity authentication program, and returns the authentication result, completing user identity authentication.
Further, in the access right authentication process, the client verifies the authenticity of the TEE instance through remote attestation, specifically: the client requests the TEE instance for its instance information, submits the instance information to the service center, and obtains the verification result returned after the service center verifies the authenticity of the TEE instance.
Further, in the user identity authentication process, the login information comprises a user name and the input password; executing the authentication method of the user identity authentication program and returning the authentication result specifically comprises:
first decrypting the login information submitted by the client with the first private key, querying the service system database by user name to obtain the encrypted user password stored there, decrypting it with the second private key, and finally feeding the decrypted input password and the decrypted stored password into the user identity authentication function for comparison, which returns True if they match and False otherwise.
Further, in the user identity authentication process, after the user submits login information at the client, the login information is first encrypted, encoded and packaged locally, and then submitted to the TEE instance for user identity authentication.
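The remote attestation step described above (and again as step (2) of the first embodiment) only says that the client fetches instance information and the service center verifies it. The following Go program is an added illustration, not code from the patent, of what that verification has to check. It models the instance information as a report carrying the measurement of the loaded program and a hash of the instance's two public keys, signed by a platform attestation key; the service center holds the platform public key and the approved measurement. The report layout, the ed25519 platform key, the sample program bytes and the stand-in key bytes are all assumptions of the example (a real SGX quote differs in detail), but the three checks, signature, measurement and key binding, are the ones a verifier needs. Binding pk1 and pk2 into the report is the detail the page leaves implicit: without it a man-in-the-middle could relay a genuine report while substituting its own public keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Report is a simplified instance report, modelled loosely on an SGX quote:
// the measurement of the program loaded into the instance plus a report-data
// field the instance fills with a hash of its own public keys (an assumption of this example).
type Report struct {
	Measurement [32]byte
	ReportData  [32]byte
	Signature   []byte // produced by the platform attestation key
}

func (r Report) signedBytes() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.ReportData[:]...)
}

// Measure is the hash the service center expects for the approved program.
func Measure(code []byte) [32]byte { return sha256.Sum256(code) }

// bindKeys ties pk1 and pk2 to the report: an impostor can generate its own
// keys, but it cannot produce a platform-signed report that carries them.
func bindKeys(pk1, pk2 []byte) [32]byte {
	h := sha256.New()
	for _, k := range [][]byte{pk1, pk2} {
		binary.Write(h, binary.BigEndian, uint32(len(k))) // length prefix avoids ambiguity
		h.Write(k)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Platform stands in for the hardware attestation key; neither the instance
// nor the operating system can use it directly.
type Platform struct{ priv ed25519.PrivateKey }

func NewPlatform() (Platform, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Platform{priv: priv}, pub
}

// Attest produces the "instance information" the client obtains from the TEE instance.
func (p Platform) Attest(code, pk1, pk2 []byte) Report {
	r := Report{Measurement: Measure(code), ReportData: bindKeys(pk1, pk2)}
	r.Signature = ed25519.Sign(p.priv, r.signedBytes())
	return r
}

// ServiceCenter is the verifier the client forwards the report to.
type ServiceCenter struct {
	platformPub ed25519.PublicKey
	expected    [32]byte
}

func (s ServiceCenter) Verify(r Report, pk1, pk2 []byte) error {
	if !ed25519.Verify(s.platformPub, r.signedBytes(), r.Signature) {
		return errors.New("report not signed by a trusted platform")
	}
	if r.Measurement != s.expected {
		return errors.New("measurement mismatch: not the approved authentication program")
	}
	if r.ReportData != bindKeys(pk1, pk2) {
		return errors.New("public keys are not the ones bound to this report")
	}
	return nil
}

func main() {
	platform, pub := NewPlatform()
	code := []byte("user identity authentication program v1") // constructed stand-in for the loaded program
	pk1, pk2 := []byte("pk1-bytes"), []byte("pk2-bytes")      // constructed stand-ins for the instance's public keys
	center := ServiceCenter{platformPub: pub, expected: Measure(code)}
	report := platform.Attest(code, pk1, pk2)
	checks := []struct {
		name string
		err  error
	}{
		{"genuine instance", center.Verify(report, pk1, pk2)},
		{"substituted pk1", center.Verify(report, []byte("mitm-pk1"), pk2)},
		{"modified program", center.Verify(platform.Attest([]byte("backdoored"), pk1, pk2), pk1, pk2)},
	}
	for _, c := range checks {
		fmt.Printf("%-17s -> %v\n", c.name, c.err)
	}
}
```

The service center returns the first failing check to the client, which then refuses to send anything encrypted under pk1. A verifier that checks only the signature would accept a genuine but outdated or backdoored program; one that checks only the measurement would accept a report replayed by an impostor; and one that skips the key binding would accept the right program with the wrong keys.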
In a second aspect, the present application provides a user identity authentication system based on a trusted execution environment, including: an instance initialization module, an access right authentication module and a user identity authentication module;
the system comprises an instance initialization module, a service system database, a user client and a service system database, wherein the instance initialization module is used for loading a user identity authentication program into a Trusted Execution Environment (TEE) instance, then defining access right information, generating at least two groups of asymmetric secret keys according to requirements after the TEE instance is started, wherein a first private key and a second private key are stored in independent execution spaces distributed by the TEE instance, the first public key is sent to the user client and used for encrypting session content of the user client, and the second public key is sent to the service system and used for encrypting appointed data and then storing the encrypted appointed data into the service system database;
the access right identification module is used for firstly verifying the authenticity of the TEE instance through remote assertion when a client needs to access the TEE instance, accessing the TEE instance after verification, packaging access information, encrypting the access information through the first public key, and then submitting the access information to the TEE instance, wherein the TEE instance decrypts the access information through the first private key, then compares the access information with the access right information, and automatically creates a secure session with the client after right identification is passed, and is used for calling a TEE instance execution program; if the authority identification is not passed, the TEE instance refuses the access request of the client;
the user identity authentication module is used for submitting login information to a Trusted Execution Environment (TEE) instance to perform user identity authentication after the user submits the login information at the client, the TEE instance receives a request through a secure session, executes an authentication method of a user identity authentication program, and then returns an authentication result to complete user identity authentication.
Further, in the access right authentication module, the client verifies the authenticity of the TEE instance through remote attestation, specifically: the client requests the TEE instance for its instance information, submits the instance information to the service center, and obtains the verification result returned after the service center verifies the authenticity of the TEE instance.
Further, in the user identity authentication module, the login information comprises a user name and the input password; executing the authentication method of the user identity authentication program and returning the authentication result specifically comprises:
first decrypting the login information submitted by the client with the first private key, querying the service system database by user name to obtain the encrypted user password stored there, decrypting it with the second private key, and finally feeding the decrypted input password and the decrypted stored password into the user identity authentication function for comparison, which returns True if they match and False otherwise.
In the user identity authentication module, after the user submits login information at the client, the login information is first encrypted, encoded and packaged locally, and then submitted to the TEE instance for user identity authentication.
In a third aspect, the present application provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements the method of the first aspect.
The technical scheme provided by the embodiment of the application has the following technical effects or advantages:
1. based on a trusted execution environment (TEE), secure computation and data processing are performed in a closed, secure area, so that the login entrance of the system cannot be hijacked by malicious programs, and the secure authentication result is reported to the service system, realizing high-level secure identity authentication and improving the overall security of the service system;
2. by encrypting the session content of the user client and encrypting designated data (such as user passwords) in the service system database, the risk of database password leakage is effectively reduced; compared with the traditional technical route, the security level of user identity authentication is markedly improved, the system data security is effectively ensured, and support is provided for improving the core competitiveness of enterprises.
The foregoing description is only an overview of the present application, and is intended to be implemented in accordance with the teachings of the present application in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present application more readily apparent.
Drawings
The application will be further described with reference to examples of embodiments with reference to the accompanying drawings.
FIG. 1 is a flow chart of a method according to a first embodiment of the application;
FIG. 2 is a schematic diagram of the instance initialization process according to an embodiment of the application;
FIG. 3 is a schematic diagram of the access right authentication flow according to the first embodiment of the application;
FIG. 4 is a schematic diagram of the user identity authentication process according to the first embodiment of the application;
FIG. 5 is a schematic diagram of a device according to a second embodiment of the present application;
fig. 6 is a schematic structural diagram of a medium in a third embodiment of the present application.
Detailed Description
The embodiment of the application provides a user identity authentication method and system based on a trusted execution environment, which authenticate the user identity on the basis of hardware trusted computing technology, greatly improving security and effectively protecting system data.
The overall idea of the technical scheme in this embodiment is as follows:
A trusted execution environment (TEE) is a region set apart at the chip level; it need not occupy a separate physical location on the chip and may only occupy a logically separate execution space. This space is called an enclave in Intel SGX and the Secure World in ARM TrustZone. The region provides a more secure place for code execution and data storage, ensuring confidentiality and tamper resistance.
According to the technical scheme of this embodiment, TEE technology is introduced into the system's user identity authentication process so that the authentication process is secure and trustworthy. The system user identity authentication program is loaded into a TEE instance, which sets aside a protected processor context and a protected region of memory; this application-layer trusted execution environment strengthens the user authority authentication of the service system and ensures that the system login entry cannot be hijacked by a malicious program.
Example 1
The embodiment provides a user identity authentication method based on a trusted execution environment, as shown in fig. 1, including: an instance initialization process, an access right authentication process and a user identity authentication process;
the instance initialization process includes: loading a user identity authentication program into a Trusted Execution Environment (TEE) instance, defining access right information (for example, the IP address from which a user accesses and the MAC address of the terminal), and, after the TEE instance is started, generating at least two asymmetric key pairs as required, wherein the first private key and the second private key are stored in independent execution spaces allocated by the TEE instance (these independent execution spaces cannot be seen by any external system, including the operating system), the first public key is sent to the user client for encrypting the session content of the user client, and the second public key is sent to the service system for encrypting designated data before it is stored in the service system database;
the access right authentication process comprises: when a client needs to access a TEE instance, first verifying the authenticity of the TEE instance through remote attestation; after verification passes, accessing the TEE instance, packaging the access information (such as the client IP and machine MAC address), encrypting it with the first public key and submitting it to the TEE instance; the TEE instance decrypts the access information with the first private key, compares it with the access right information and, once the access right check passes, automatically creates a secure session with the client for calling the TEE instance execution program; if the access right check fails, the TEE instance refuses the client's access request;
the user identity authentication process comprises: after a user submits login information at the client, the login information is submitted to the TEE instance for user identity authentication; the TEE instance receives the request through the secure session, executes the authentication method of the user identity authentication program, and returns the authentication result, completing user identity authentication.
Based on a trusted execution environment, secure computation and data processing are performed in a closed, secure area, so that the system login entry cannot be hijacked by a malicious program, and the secure authentication result is reported to the service system, realizing high-level secure identity authentication and improving the overall security of the service system; by encrypting the session content of the user client and encrypting designated data (such as user passwords) in the service system database, the risk of database password leakage is effectively reduced; compared with the traditional technical route, the security level of user identity authentication is markedly improved, the system data security is effectively ensured, and support is provided for improving the core competitiveness of enterprises.
A specific implementation of the embodiment is as follows:
The system user identity authentication program is loaded into a TEE instance, which sets aside a protected processor context and a protected region of memory; this application-layer trusted execution environment strengthens the user authority authentication of the service system and ensures that the system login entry cannot be hijacked by a malicious program.
(1) The application program drives the Trusted Execution Environment (TEE) through commands: it loads the user identity authentication program, defines the access right information to be initialized in the TEE instance (such as the user's access IP address and terminal MAC address), automatically enters the start-up stage once initialization is complete, and after the TEE instance has started generates two key pairs as required: group k1 (private key sk1 and public key pk1) and group k2 (private key sk2 and public key pk2). The private keys are stored in independent execution spaces allocated by the TEE instance and never leave the hardware under any circumstances. The public key pk1 is published to the designated user client for encrypting session content, and the public key pk2 is published to the designated service system for encrypting important data (such as user passwords) before it is stored in the service system database. The flow is shown in fig. 2.
(2) The user client first performs remote attestation, whose purpose is to prove that the requested TEE instance is not an impostor. The attestation evidence is produced inside the TEE instance: the client requests the TEE instance for its instance information and submits it to the service center, which is responsible for verifying the authenticity of the TEE instance. The user client then accesses the TEE instance: it packages its IP and machine MAC address, encrypts them with the trusted public key pk1 issued by the TEE instance, and submits the ciphertext to the TEE instance, which decrypts it with the private key sk1 and compares the plaintext IP and MAC address with the access control list set when the TEE instance was initialized. Access within the allowed range passes the check. The whole check is performed inside the TEE instance; on success the instance automatically creates a secure session through which the client can call the TEE instance execution program, and on failure it rejects the client's request, ensuring the security of the access process. The service system accesses the TEE instance in the same way as the user client, except that its data is encrypted with the public key pk2. The flow is shown in fig. 3.
(3) The user opens the login page in a browser at the client, enters user information such as the user ID and password, and clicks log in; the information is encrypted and packaged locally with the public key pk1 and submitted to the TEE instance for user identity authentication. After receiving the request through the secure session, the TEE instance executes the authentication method Func. During execution of Func, it first decrypts the user ID (UserId) and the input password (Pass1) submitted by the client, then queries the service system database by UserId, obtains the encrypted user password Pass2 stored there and decrypts it with sk2, and finally feeds the two decrypted passwords Pass1 and Pass2 into the user identity authentication function for comparison: a match gives True, a mismatch gives False. The client's login process uses the returned status to decide whether the user login succeeds, completing user identity authentication. The flow is shown in fig. 4.
With this technology of user identity authentication based on a TEE, the security of a business system can be greatly improved, the system's data security is effectively ensured, and support is provided for improving the core competitiveness of enterprises.
Based on the same inventive concept, the application also provides a device corresponding to the method of the first embodiment; see the second embodiment for details.
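Steps (1) to (3) above (and the corresponding paragraphs of the first aspect) describe the access-right check and the login flow but not what the sealed requests and the comparison in Func look like. The following Go program is an added example, not the patent's code. It models the TEE instance as a type whose private keys sk1 and sk2 are never returned by any method, uses RSA-OAEP with SHA-256 for the two key pairs (an assumption; the text names no algorithm), takes the IP/MAC access right list from the text, and runs the Func comparison inside the instance. The JSON packaging, the random session id standing in for the secure session, the exact-string address matching and the constant-time comparison are choices of the example; the user name, password and the service-system database in the test are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// AccessRule is one entry of the access right list (client IP plus terminal MAC)
// defined at initialisation; the client seals the same pair under pk1 in step (2).
// Matching is exact string comparison here; a deployment would normalise address formats first.
type AccessRule struct{ IP, MAC string }

type LoginRequest struct{ UserID, Pass string } // what the client seals under pk1 in step (3)

// TEEInstance models the enclave: sk1 and sk2 are unexported and no method
// returns them, the example's stand-in for "never leave the hardware".
type TEEInstance struct {
	sk1, sk2 *rsa.PrivateKey
	allow    map[AccessRule]bool
	sessions map[string]bool
}

// NewTEEInstance is the initialisation process: load the access right list, then generate key groups k1 and k2.
func NewTEEInstance(rules []AccessRule) (*TEEInstance, error) {
	t := &TEEInstance{allow: map[AccessRule]bool{}, sessions: map[string]bool{}}
	for _, r := range rules {
		t.allow[r] = true
	}
	var err error
	if t.sk1, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, err
	}
	t.sk2, err = rsa.GenerateKey(rand.Reader, 2048)
	return t, err
}

// PK1 is published to the user client, PK2 to the service system.
func (t *TEEInstance) PK1() *rsa.PublicKey { return &t.sk1.PublicKey }
func (t *TEEInstance) PK2() *rsa.PublicKey { return &t.sk2.PublicKey }

// Seal packages a value as JSON and encrypts it under pub; open reverses it
// with the matching private key and only ever runs inside the instance.
func Seal(pub *rsa.PublicKey, v any) ([]byte, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, b, nil)
}

func open(priv *rsa.PrivateKey, ct []byte, v any) error {
	b, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Authorize is the access-right check: decrypt with sk1, compare with the
// access right list, and open a secure session (a random id here) only on success.
func (t *TEEInstance) Authorize(ct []byte) (string, error) {
	var req AccessRule
	if err := open(t.sk1, ct, &req); err != nil {
		return "", errors.New("access request could not be decrypted")
	}
	if !t.allow[req] {
		return "", errors.New("access denied: not in the access right list")
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	sid := hex.EncodeToString(id)
	t.sessions[sid] = true
	return sid, nil
}

// Login is the authentication method Func: Pass1 (under sk1) and Pass2 (under sk2)
// are decrypted inside the instance and compared; the constant-time compare is an addition of the example.
func (t *TEEInstance) Login(sid string, ct []byte, lookup func(string) ([]byte, bool)) (bool, error) {
	if !t.sessions[sid] {
		return false, errors.New("no secure session")
	}
	var req LoginRequest
	if err := open(t.sk1, ct, &req); err != nil {
		return false, errors.New("login request could not be decrypted")
	}
	stored, ok := lookup(req.UserID) // the service system database, queried by user name
	var pass2 string
	if !ok || open(t.sk2, stored, &pass2) != nil {
		return false, nil // unknown user or unreadable record: same answer as a wrong password
	}
	return subtle.ConstantTimeCompare([]byte(req.Pass), []byte(pass2)) == 1, nil
}
```

Two points the text leaves to the reader matter when building this for real. The IP and MAC in the access request are whatever the client chooses to put in the packet it seals, so the check confirms the client's claim rather than its network position, and a deployment would pair it with attestation of the client or with transport-level evidence. And because the stored password is encrypted under pk2 rather than hashed, sk2 can recover every user's password, so keeping sk2 inside the instance is what the whole design rests on.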
Example two
In this embodiment, a user identity authentication system based on a trusted execution environment is provided, as shown in fig. 5, including: an instance initialization module, an access right authentication module and a user identity authentication module;
the system comprises an instance initialization module, a service system database, a user client and a service system database, wherein the instance initialization module is used for loading a user identity authentication program into a Trusted Execution Environment (TEE) instance, then defining access right information, generating at least two groups of asymmetric secret keys according to requirements after the TEE instance is started, wherein a first private key and a second private key are stored in independent execution spaces distributed by the TEE instance, the first public key is sent to the user client and used for encrypting session content of the user client, and the second public key is sent to the service system and used for encrypting appointed data and then storing the encrypted appointed data into the service system database;
the access right identification module is used for firstly verifying the authenticity of the TEE instance through remote assertion when a client needs to access the TEE instance, accessing the TEE instance after verification, packaging access information, encrypting the access information through the first public key, and then submitting the access information to the TEE instance, wherein the TEE instance decrypts the access information through the first private key, then compares the access information with the access right information, and automatically creates a secure session with the client after right identification is passed, and is used for calling a TEE instance execution program; if the authority identification is not passed, the TEE instance refuses the access request of the client;
the user identity authentication module is used for submitting login information to a Trusted Execution Environment (TEE) instance to perform user identity authentication after the user submits the login information at the client, the TEE instance receives a request through a secure session, executes an authentication method of a user identity authentication program, and then returns an authentication result to complete user identity authentication.
Preferably, in the access right authentication module, the client verifies the authenticity of the TEE instance through remote attestation, specifically: the client requests the TEE instance for its instance information, submits the instance information to the service center, and obtains the verification result returned after the service center verifies the authenticity of the TEE instance.
Preferably, in the user identity authentication module, the login information includes a user name and the input password; executing the authentication method of the user identity authentication program and returning the authentication result specifically comprises:
first decrypting the login information submitted by the client with the first private key, querying the service system database by user name to obtain the encrypted user password stored there, decrypting it with the second private key, and finally feeding the decrypted input password and the decrypted stored password into the user identity authentication function for comparison, which returns True if they match and False otherwise.
Preferably, in the user identity authentication module, after the user submits login information at the client, the login information is first encrypted, encoded and packaged locally, and then submitted to the TEE instance for user identity authentication.
Since the system described in the second embodiment of the present application is a system for implementing the method in the first embodiment of the present application, based on the method described in the first embodiment of the present application, a person skilled in the art can understand the specific structure and the modification of the system, and therefore, the description thereof is omitted herein. All devices used in the method according to the first embodiment of the present application are within the scope of the present application.
Based on the same inventive concept, the application also provides a storage medium corresponding to the first embodiment, and the detail is seen in the third embodiment.
Example III
The present embodiment provides a computer readable storage medium, as shown in fig. 6, on which a computer program is stored which, when executed by a processor, implements any implementation of the first embodiment.
Since the computer readable storage medium of this embodiment is used to implement the method of the first embodiment, those skilled in the art can understand its specific implementation and modifications from the description of that method, so how the medium implements the method is not described in detail here. Any computer readable storage medium employed by one skilled in the art to implement the methods of the embodiments of the present application is within the intended scope of the present application.
Based on a trusted execution environment (TEE), the embodiments of the present application perform the security computation and data processing in a closed, secure area, which ensures that the system login entry cannot be hijacked by a malicious program, and report the secure identification result to the service system, achieving a high level of secure identity identification and improving the overall security of the service system. By encrypting the session content of the user client and encrypting the designated data in the service system database (such as user passwords), the risk of password leakage from the database is effectively reduced; compared with the traditional technical route, the security level of user identity authentication is significantly improved, system data security is effectively ensured, and support is provided for improving the core competitiveness of enterprises.
While specific embodiments of the application have been described above, those skilled in the art will appreciate that the embodiments described are illustrative only and are not intended to limit the scope of the application, and that equivalent modifications and variations made in light of the spirit of the application are covered by the claims of the present application.
Claims (9)
1. A user identity authentication method based on a trusted execution environment, comprising: an instance initialization process, an access right authentication process and a user identity authentication process;
the instance initialization process comprises: loading a user identity authentication program into a trusted execution environment (TEE) instance, defining access right information, and generating at least two asymmetric key pairs as required after the TEE instance is started, wherein the first private key and the second private key are stored in independent execution spaces allocated by the TEE instance, the first public key is sent to the user client and used to encrypt the session content of the user client, and the second public key is sent to the service system and used to encrypt designated data before it is stored in the service system database;
the access right authentication process comprises: when a client needs to access the TEE instance, first verifying the authenticity of the TEE instance by remote attestation; after verification passes, accessing the TEE instance by packaging the access information, encrypting it with the first public key and submitting it to the TEE instance, wherein the TEE instance decrypts the access information with the first private key, compares it with the access right information, and, after the right authentication passes, automatically creates a secure session with the client for calling the execution program of the TEE instance; if the right authentication fails, the TEE instance refuses the access request of the client;
the user identity authentication process comprises: after the user submits login information at the client, the login information is submitted to the trusted execution environment (TEE) instance for user identity authentication; the TEE instance receives the request through the secure session, executes the authentication method of the user identity authentication program, and then returns the authentication result to complete user identity authentication.
2. The method according to claim 1, characterized in that, in the access right authentication process, the client verifying the authenticity of the TEE instance by remote attestation specifically comprises: the client requests instance information from the TEE instance, submits the instance information to the service center, and obtains the verification result returned after the service center has verified the authenticity of the TEE instance.
3. The method according to claim 1, characterized in that, in the user identity authentication process, the login information comprises a user name and an entered password, and executing the authentication method of the user identity authentication program and then returning the authentication result specifically comprises:
first, decrypting the login information submitted by the client with the first private key; querying the service system database by user name, retrieving the encrypted user password stored in the database and decrypting it with the second private key; and finally passing the decrypted entered password and the decrypted stored password to the user identity authentication function for comparison, which returns True or False.
4. The method according to any one of claims 1 to 3, characterized in that, in the user identity authentication process, after the user submits login information at the client, the login information is first encrypted, encoded and packaged locally and then submitted to the trusted execution environment (TEE) instance for user identity authentication.
5. A user identity authentication system based on a trusted execution environment, comprising: an instance initialization module, an access right authentication module and a user identity authentication module;
the instance initialization module is used for loading a user identity authentication program into a trusted execution environment (TEE) instance, defining access right information, and generating at least two asymmetric key pairs as required after the TEE instance is started, wherein the first private key and the second private key are stored in independent execution spaces allocated by the TEE instance, the first public key is sent to the user client and used to encrypt the session content of the user client, and the second public key is sent to the service system and used to encrypt designated data before storing it in the service system database;
the access right authentication module is used for first verifying the authenticity of the TEE instance by remote attestation when a client needs to access the TEE instance and, after verification passes, accessing the TEE instance by packaging the access information, encrypting it with the first public key and submitting it to the TEE instance, wherein the TEE instance decrypts the access information with the first private key, compares it with the access right information, and, after the right authentication passes, automatically creates a secure session with the client for calling the execution program of the TEE instance; if the right authentication fails, the TEE instance refuses the access request of the client;
the user identity authentication module is used for submitting the login information to the trusted execution environment (TEE) instance for user identity authentication after the user submits the login information at the client; the TEE instance receives the request through the secure session, executes the authentication method of the user identity authentication program, and then returns the authentication result to complete user identity authentication.
6. The system according to claim 5, characterized in that, in the access right authentication module, the client verifying the authenticity of the TEE instance by remote attestation specifically comprises: the client requests instance information from the TEE instance, submits the instance information to the service center, and obtains the verification result returned after the service center has verified the authenticity of the TEE instance.
7. The system according to claim 5, characterized in that, in the user identity authentication module, the login information comprises a user name and an entered password, and executing the authentication method of the user identity authentication program and then returning the authentication result specifically comprises:
first, decrypting the login information submitted by the client with the first private key; querying the service system database by user name, retrieving the encrypted user password stored in the database and decrypting it with the second private key; and finally passing the decrypted entered password and the decrypted stored password to the user identity authentication function for comparison, which returns True or False.
8. The system according to any one of claims 5 to 7, characterized in that, in the user identity authentication module, after the user submits login information at the client, the login information is first encrypted, encoded and packaged locally and then submitted to the trusted execution environment (TEE) instance for user identity authentication.
9. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1 to 4.
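The three processes of claim 1 and the authentication method of claim 3 (also described in the user identity authentication module paragraphs above), written out as an added Go example for this page; it is not code from the patent or its applicant. The TEE instance is modelled as an in-process type holding the two RSA key pairs, RSA-OAEP stands in for the asymmetric encryption, a random token stands in for the secure session, and a map stands in for the service system database. The client identifier "web-frontend", the user "alice" and the passwords are constructed sample data, and remote attestation (claim 2) is assumed to have already succeeded before Authorize is called, since a signed attestation report cannot be produced outside real TEE hardware.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Enclave stands in for the TEE instance of claim 1; both private keys stay inside it. Hypothetical type for this example.
type Enclave struct {
	sessionKey *rsa.PrivateKey // first key pair; pk1 goes to clients for session content
	dataKey    *rsa.PrivateKey // second key pair; pk2 goes to the service system for DB data
	allowed    map[string]bool // access right information defined at initialization
	sessions   map[string]bool // secure sessions opened after access right authentication
}

// NewEnclave is the instance initialization process: define access rights, generate two key pairs (RNG failure is fatal).
func NewEnclave(allowed map[string]bool) *Enclave {
	sk1, err1 := rsa.GenerateKey(rand.Reader, 2048)
	sk2, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("rsa key generation failed")
	}
	return &Enclave{sessionKey: sk1, dataKey: sk2, allowed: allowed, sessions: map[string]bool{}}
}
func (e *Enclave) SessionPublicKey() *rsa.PublicKey { return &e.sessionKey.PublicKey }
func (e *Enclave) DataPublicKey() *rsa.PublicKey    { return &e.dataKey.PublicKey }

// Seal encrypts to a public key with RSA-OAEP; it fails only on oversize input, a programming error.
func Seal(pub *rsa.PublicKey, msg []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// unseal decrypts with one of the enclave's private keys and parses the JSON payload.
func unseal(sk *rsa.PrivateKey, ct []byte, v any) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, sk, ct, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(plain, v)
}
type AccessInfo struct{ ClientID string }
type LoginInfo struct{ User, Password string }

// Authorize is the access right authentication process: decrypt with sk1, check the access right information, open a session.
func (e *Enclave) Authorize(ct []byte) (string, error) {
	var info AccessInfo
	if err := unseal(e.sessionKey, ct, &info); err != nil || !e.allowed[info.ClientID] {
		return "", fmt.Errorf("access request refused")
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	sid := fmt.Sprintf("%x", tok)
	e.sessions[sid] = true
	return sid, nil
}

// Authenticate is the method of claim 3; db stands in for the service system database (passwords encrypted under pk2).
func (e *Enclave) Authenticate(sid string, ct []byte, db map[string][]byte) (bool, error) {
	if !e.sessions[sid] {
		return false, fmt.Errorf("no secure session")
	}
	var login LoginInfo
	if err := unseal(e.sessionKey, ct, &login); err != nil {
		return false, err
	}
	stored, ok := db[login.User]
	if !ok {
		return false, nil // an unknown user gets the same answer as a wrong password
	}
	expected, err := rsa.DecryptOAEP(sha256.New(), nil, e.dataKey, stored, nil)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(login.Password), expected) == 1, nil
}

// RunFlow runs the three processes end to end on constructed data; remote attestation is assumed to have passed.
func RunFlow(password, attempt string) (bool, error) {
	enclave := NewEnclave(map[string]bool{"web-frontend": true})
	req, _ := json.Marshal(AccessInfo{ClientID: "web-frontend"}) // client side, encrypted under pk1
	sid, err := enclave.Authorize(Seal(enclave.SessionPublicKey(), req))
	if err != nil {
		return false, err
	}
	db := map[string][]byte{"alice": Seal(enclave.DataPublicKey(), []byte(password))} // service system, pk2
	body, _ := json.Marshal(LoginInfo{User: "alice", Password: attempt}) // client login, encrypted under pk1
	return enclave.Authenticate(sid, Seal(enclave.SessionPublicKey(), body), db)
}

func main() { fmt.Println(RunFlow("correct horse battery staple", "correct horse battery staple")) }
```

Two points the claims leave implicit are made explicit here: Authenticate refuses any request that does not carry a session token issued by Authorize, so the access right check cannot be bypassed by calling the authentication method directly, and the two recovered passwords are compared with subtle.ConstantTimeCompare so the result does not leak through timing. The patent compares recovered plaintext passwords; that comparison is the hook where a deployment would verify a password hash instead.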
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210052719.4A CN114520735B (en) | 2022-01-18 | 2022-01-18 | User identity authentication method, system and medium based on trusted execution environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114520735A CN114520735A (en) | 2022-05-20 |
CN114520735B true CN114520735B (en) | 2023-10-31 |
Family
ID=81597554
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114520735B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115378677A (en) * | 2022-08-16 | 2022-11-22 | 上海交通大学 | Personal data collection method and system suitable for user side and use method and system thereof |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107612940A (en) * | 2017-10-31 | 2018-01-19 | 飞天诚信科技股份有限公司 | Identity authentication method and authentication device |
CN109787988A (en) * | 2019-01-30 | 2019-05-21 | 杭州恩牛网络技术有限公司 | Identity enhanced authentication and authorization method and device |
US10764752B1 (en) * | 2018-08-21 | 2020-09-01 | HYPR Corp. | Secure mobile initiated authentication |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11080380B2 (en) * | 2016-11-08 | 2021-08-03 | Aware, Inc. | Decentralized biometric identity authentication |
US11178148B2 (en) * | 2018-08-21 | 2021-11-16 | HYPR Corp. | Out-of-band authentication to access web-service with indication of physical access to client device |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US10489574B2 (en) | Method and system for enterprise network single-sign-on by a manageability engine | |
US8402508B2 (en) | Delegated authentication for web services | |
CN112513857A (en) | Personalized cryptographic security access control in a trusted execution environment | |
CN101176103B (en) | Computer security system | |
US20040098591A1 (en) | Secure hardware device authentication method | |
US8788808B2 (en) | Authenticating digitally encoded products without private key sharing | |
CN109981665B (en) | Resource providing method and device, and resource access method, device and system | |
CN110750791B (en) | Method and system for guaranteeing physical attack resistance of trusted execution environment based on memory encryption | |
US20090064273A1 (en) | Methods and systems for secure data entry and maintenance | |
WO2015117523A1 (en) | Access control method and device | |
CN106992978B (en) | Network security management method and server | |
CN114520735B (en) | User identity authentication method, system and medium based on trusted execution environment | |
CN111563279A (en) | Cloud data privacy protection system based on block chain | |
CN109474431B (en) | Client authentication method and computer readable storage medium | |
CN110990853B (en) | Dynamic heterogeneous redundant data access protection method and device | |
CN112699404A (en) | Method, device and equipment for verifying authority and storage medium | |
CN116996305A (en) | Multi-level security authentication method, system, equipment, storage medium and entry gateway | |
CN117040857A (en) | User identity verification method for enhancing authorization code security | |
CN111538973A (en) | Personal authorization access control system based on state cryptographic algorithm | |
AU2022218907A1 (en) | Secure module and method for app-to-app mutual trust through app-based identity | |
US11977647B2 (en) | Method, server and system for securing an access to data managed by at least one virtual payload | |
US20150058621A1 (en) | Proof of possession for web browser cookie based security tokens | |
CN115987636B (en) | Information security implementation method, device and storage medium | |
WO2024120636A1 (en) | Managing authorisations for local object sharing and integrity protection | |
CN118337519A (en) | Authentication method, authentication device, server, medium and product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||