CN114629713A - Identity verification method, device and system

Info

Publication number
CN114629713A
Authority
CN
China
Prior art keywords
login
user
password
server
ciphertext
Legal status
Pending
Application number
CN202210300792.9A
Other languages
Chinese (zh)
Inventor
赵浩然
Current Assignee
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Cloud Computing Ltd
Application filed by Alibaba Cloud Computing Ltd
Priority to CN202210300792.9A
Publication of CN114629713A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using cryptographic hash functions

Abstract

The application discloses an identity authentication method and system. The method comprises the following steps: storing a first login information ciphertext generated from the user's private data in a blockchain, where the server does not store the user's private data; generating a second login information ciphertext from the login information plaintext within the user's local blockchain domain, checking whether the second login information ciphertext matches the first login information ciphertext, generating a one-time login password if they match, and storing the one-time login password to the blockchain; sending the login user information and the one-time login password to the server across the public network; and, in the server's local domain, authenticating the login user according to the login user information and one-time login password received by the server and the first login information ciphertext and one-time login password stored in the blockchain node of the server's local domain. With this processing, the login information plaintext never enters the public network and the server no longer sees the user's private data; the security of the user's private data is therefore effectively improved.

Description

Identity verification method, device and system
Technical Field
The present application relates to the field of information security technologies, and in particular, to an identity authentication method, apparatus, and system, a user registration method and apparatus, and an electronic device.
Background
In the internet era, leakage of a user's password can have a huge impact on the user. To maintain user password information, such as the account password (Password) and the user's private AK/SK credentials for a cloud computing platform, the password storage system must ensure that user password data is not leaked.
At present, the typical password storage system is the server's own, and in practice it mainly takes one of three forms: 1) storing the password plaintext, i.e. keeping the user password in the back-end server cluster; 2) storing an irreversible password hash, i.e. keeping the hash of the user password computed with MD5/SHA-256; 3) storing a reversible ciphertext, i.e. encrypting the user password with a specific key and keeping the ciphertext in the database. Taking the login password as an example, the server computes and stores the hash of the account password at registration so that it can be used for identity authentication the next time the user logs in. For service platforms that need the user's AK/SK to call other cloud products in the cloud computing platform, the server usually stores the SK in the platform database as ciphertext; when the user accesses a cloud product, the platform decrypts the ciphertext in the database to obtain the real SK, compares it with the SK sent in the request body to verify the user's identity, and then calls the specified cloud product with the AK/SK.
However, in implementing the present invention, the inventors found that the above solutions all have the following problems: 1) the user password enters the public network, so there is a risk of password leakage in transit; 2) the server can see the user's private data, so there is a risk of leakage inside the server. For example, the first scheme stores plaintext in the database, so an application developer or database administrator (DBA) can easily expose the user password inadvertently; in the second scheme the hash is often stored in an application configuration file or a database, where it is easily obtained by others and cracked back to the user password; the third scheme avoids these risks, but the domain names of some products may lack TLS encryption capability, that is, the user registration message may be stolen during public network transmission and used by the interceptor to obtain the key.
In summary, the existing server-side password storage system carries a risk of user password leakage, and how to improve the security of user password storage has become a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application provides an identity authentication method to solve the problem of low password storage security in the prior art. The application additionally provides an identity verification apparatus and system, a user registration method and apparatus, and electronic equipment.
The application provides an identity authentication method, which comprises the following steps:
storing a first login information ciphertext set of the registered users of a network service in a blockchain, where each first login information ciphertext is obtained by encrypting registration private information related to identity verification, and storing registered user information that contains no user private data in the server;
acquiring a login user name and a login password;
generating a second login information ciphertext from the login user name and the login password;
in the client local network, authenticating the login user according to the second login information ciphertext and the first login information ciphertext set stored by a first blockchain node of the client local network;
if the authentication passes in the client local network, allocating a one-time login password to the login user and storing the one-time login password to the blockchain; sending a user login request to the server through the public network, where the user login request comprises the login user information and the one-time login password;
and in the server-side local network, authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user that is stored in a second blockchain node of the server-side local network.
Optionally, the login information ciphertext is obtained by encrypting the combined string of a user name and a password;
the login user information comprises the second login information ciphertext;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext set stored by the first blockchain node contains the second login information ciphertext; if so, judging that the authentication passes;
authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node of the server-side local network comprises:
acquiring the one-time login password stored in the second blockchain node that corresponds to the login information ciphertext received by the server, as the target login password;
judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the authentication passes.
Optionally, the method further includes:
a registration password ciphertext corresponding to the first login information ciphertext is also stored in the blockchain, and the key for decrypting the registration password ciphertext into plaintext is also stored in the first blockchain node;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext set stored by the first blockchain node contains the second login information ciphertext; if so, decrypting the registration password ciphertext corresponding to the second login information ciphertext into the registration password plaintext with the key;
and if the login password plaintext is the same as the registration password plaintext, judging that the authentication passes.
Optionally, the login information ciphertext is obtained by encrypting the combined string of a user name and a password, or by encrypting the password alone;
the user name corresponding to the first login information ciphertext is also stored in the blockchain;
the login user information comprises the login user name;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext stored in the first blockchain node that corresponds to the login user name matches the second login information ciphertext; if so, judging that the authentication passes;
authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node of the server-side local network comprises:
acquiring the one-time login password stored in the second blockchain node that corresponds to the login user name received by the server, as the target login password;
judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the authentication passes.
Optionally, the first login information ciphertext comprises a first user name ciphertext obtained by encrypting the user name and a first password ciphertext obtained by encrypting the password;
generating the second login information ciphertext from the login user name and the login password comprises:
obtaining a second user name ciphertext by encrypting the login user name and a second password ciphertext by encrypting the login password;
the login user information comprises the second user name ciphertext and the second password ciphertext;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the set of correspondences between first user name ciphertexts and first password ciphertexts stored by the first blockchain node contains the correspondence between the second user name ciphertext and the second password ciphertext; if so, judging that the authentication passes;
authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node of the server-side local network comprises:
acquiring the one-time login password stored by the second blockchain node that corresponds to the user name ciphertext and password ciphertext received by the server, as the target login password;
judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the authentication passes.
Optionally, the server comprises a cloud platform server, and the password comprises the key SK that the user uses to encrypt the authentication string and that the cloud vendor uses to verify it.
The method further comprises the following steps:
if the cloud platform server judges that the authentication passes, the cloud platform server sends a user login request comprising the login user information and the one-time login password to a cloud product server;
and in the local network of the cloud product server, authenticating the login user according to the login user information and one-time login password received by the cloud product server and the one-time login password corresponding to the registered user stored by a third blockchain node of the cloud product server's local network.
Optionally, the method further includes:
setting the effective duration and generation time of the one-time login password;
authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node comprises:
acquiring the one-time login password stored in the second blockchain node that corresponds to the login user information received by the server, as the target login password;
judging whether the target login password is still valid according to its generation time and effective duration;
if the target login password is valid, judging whether it is the same as the one-time login password received by the server; if so, the server judges that the authentication passes.
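The end-to-end flow described by the method steps above (client-local ciphertext check, one-time login password written to the chain, only the ciphertext and one-time password crossing the public network, server-local comparison), together with the optional validity-duration check on the one-time login password, as an added worked example. This is illustrative code written for this page, not code from the patent or from Alibaba Cloud. It assumes a single Python dict standing in for the ledger that every blockchain node sees after consensus, SHA-256 over the user name and password joined with a separator as the login information ciphertext, a 60-second effective duration, and that the server-side node removes a one-time password once it has been used; all of these are assumptions. The unsalted digest mirrors the page's scheme and is not a recommendation for how to store passwords.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed stand-in for the blockchain ledger that every node sees after
# consensus (assumption: one shared dict instead of replicated nodes).
LEDGER = {
    "first_login_ciphertexts": set(),  # written at registration
    "one_time_passwords": {},          # login ciphertext -> (otp, generated_at, valid_for)
}
# Server-side user store: registered user information without private data.
SERVER_USERS = {}

OTP_VALID_SECONDS = 60  # assumed effective duration of a one-time login password


def login_ciphertext(username: str, password: str) -> str:
    """Irreversible login information ciphertext: SHA-256 over the combined
    string. The separator is this example's choice so that distinct
    (user name, password) pairs cannot concatenate to the same string."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).hexdigest()


def register(username: str, password: str, email: str) -> None:
    """Registration via the first blockchain node: the ciphertext goes on
    chain; the server keeps only information that is not private."""
    LEDGER["first_login_ciphertexts"].add(login_ciphertext(username, password))
    SERVER_USERS[username] = {"email": email}


def client_local_login(username: str, password: str, now: Optional[float] = None):
    """Steps run inside the client's local network by the first blockchain
    node. Returns the user login request to send over the public network, or
    None when the second ciphertext is not in the first ciphertext set."""
    second_ct = login_ciphertext(username, password)
    if second_ct not in LEDGER["first_login_ciphertexts"]:
        return None
    otp = secrets.token_hex(16)
    generated_at = time.time() if now is None else now
    LEDGER["one_time_passwords"][second_ct] = (otp, generated_at, OTP_VALID_SECONDS)
    # Only the ciphertext and the one-time password cross the public network.
    return {"login_ciphertext": second_ct, "otp": otp}


def server_local_verify(request: dict, now: Optional[float] = None) -> bool:
    """Steps run inside the server's local network by the second blockchain
    node: look up the target one-time password by the received ciphertext,
    check its validity window, then compare it with the received one."""
    now = time.time() if now is None else now
    record = LEDGER["one_time_passwords"].get(request["login_ciphertext"])
    if record is None:
        return False
    target_otp, generated_at, valid_for = record
    if now - generated_at > valid_for:
        return False  # target login password has expired
    if not secrets.compare_digest(target_otp, request["otp"]):
        return False
    # Assumption: a one-time password is removed once used, so it cannot be replayed.
    del LEDGER["one_time_passwords"][request["login_ciphertext"]]
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery", "alice@example.invalid")
    req = client_local_login("alice", "correct horse battery")
    print("request over public network:", req)
    print("server verdict:", server_local_verify(req))
```

The `now` parameter exists only so that the validity window can be exercised deterministically; in use the wall clock is taken. Note what the request dict does and does not contain: the plaintext password never leaves the client-local functions, which is the property the page claims.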
The application also provides a user registration method, used by a client, which comprises the following steps:
acquiring the user registration information of a network service, where the user registration information comprises a registration user name and a registration password;
sending the registration user name and registration password to a first blockchain node of the client local network, and generating a first login information ciphertext from the registration user name and registration password through the first blockchain node; storing the first login information ciphertext in the blockchain, and storing the registered user's information other than the registration password in the network server.
The present application further provides a user registration method, applied to a first blockchain node of a client local network, which includes:
receiving the user name and password of a network service registered user sent by the client;
generating a first login information ciphertext from the user name and password;
and storing the first login information ciphertext in the blockchain, and storing the registered user's information other than the registration password in the network server.
The application also provides an identity authentication method, used by a client, which comprises the following steps:
acquiring a login user name and a login password;
sending the login user name and login password to a first blockchain node of the client local network, and generating a second login information ciphertext from them through the first blockchain node; authenticating the login user according to the second login information ciphertext and the first login information ciphertext set stored in the first blockchain node; if the first blockchain node judges that the authentication passes, allocating a one-time login password to the login user and storing it to the blockchain; sending a user login request to the server through the public network, where the user login request comprises the login user information and the one-time login password; and, in a second blockchain node of the server local network, authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
The application also provides an identity authentication method, used by a server, which comprises the following steps:
receiving a user login request, where the user login request comprises login user information and a one-time login password;
and sending the login user information and one-time login password received by the server to a second blockchain node of the server local network, and authenticating the login user, through the second blockchain node, according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
The present application further provides an identity authentication method for a second blockchain node of a server-side local network, which includes:
receiving the login user information and one-time login password sent by the server;
and authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
The present application also provides a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to perform the various methods described above.
The present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the various methods described above.
Compared with the prior art, the method has the following advantages:
according to the identity authentication method provided by the embodiments of the application, the first login information ciphertexts of the network service's registered users are stored in the blockchain, and the registered user information that does not include user private data is stored in the server; after the user submits a login request, the login user name and login password are obtained and a second login information ciphertext is generated; in the client local network, the login user is authenticated according to the second login information ciphertext and the first login information ciphertext set stored by a first blockchain node of the client local network; if the authentication passes in the client local network, a one-time login password is allocated to the login user and stored to the blockchain; a user login request comprising the login user information and the one-time login password is sent to the server through the public network; and in the server-side local network, the login user is authenticated according to the login user information and one-time login password received by the server and the one-time login password corresponding to the registered user stored in a second blockchain node of the server-side local network. With this processing, the plaintext of the user's login information is transmitted only within the local domain of the login client and never enters the public network, and the server no longer sees the user's private data; this prevents leakage of user private data during public network transmission and eliminates the risk of leakage inside the server, so the security of user private data is effectively improved.
Drawings
FIG. 1 is a schematic flowchart of an embodiment of the identity verification method provided herein;
FIG. 2 is a schematic view of a scenario of an embodiment of the authentication method provided in the present application;
FIG. 3 is an interaction diagram of an embodiment of the authentication method provided by the present application;
FIG. 4 is a schematic diagram of another scenario of an embodiment of the identity authentication method provided in the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. This application is capable of implementation in many different ways than those herein set forth and of similar import by those skilled in the art without departing from the spirit of this application and is therefore not limited to the specific implementations disclosed below.
In the application, an identity verification method, an identity verification device and an identity verification system, a user registration method and a user registration device, and electronic equipment are provided. Each of the schemes is described in detail in the following examples.
First embodiment
Please refer to FIG. 1, which is a flowchart of an authentication method according to the present application. In this embodiment, the method may include the following steps:
Step S101: storing the first login information ciphertext set of the network service's registered users in the blockchain, and storing the registered user information that does not include user private data in the server.
The network service may be a web application service (such as an online shopping service or a mailbox service), an API service, a cloud platform service, and so on. The server provides the network service to registered users; for example, the server is a shopping website that provides an online shopping service to buyer users.
The first login information ciphertext is obtained by encrypting registration private information related to identity authentication. The registration private information at least comprises the user password and the user name. The first login information ciphertext may be generated from the private data the user enters during registration, or generated when the user changes the password.
According to the method provided by this embodiment, the first login information ciphertexts of the network service's registered users are stored in the blockchain, and the blockchain can store the first login information ciphertexts of many registered users of at least one network service. The server does not store user private data and only stores other information that does not involve user privacy. The server therefore no longer sees user private data, and the risk of internal leakage at the server is eliminated.
The blockchain is a decentralized distributed database, and the first login information ciphertexts of the network service's registered users stored in it cannot be forged, leave a record of every operation, and are traceable, public and transparent, and collectively maintained. The blockchain does not depend on a centralized server and consists of millions of nodes. As shown in FIG. 2, an authentication system using the method of this embodiment includes clients (e.g., ClientA, ClientB), a server (Server) and several blockchain nodes (BC Node). Each blockchain node is located in a different private network, which may be a local area network, also called a private network or intranet. All blockchain nodes store the first login information ciphertexts of the network service's registered users, and these ciphertexts are synchronized between the nodes through the blockchain (Blockchain). The client and server communicate through the public network (Internet), for example to send user login requests and transmit network service data.
A server with a blockchain client installed is a blockchain node. A blockchain node needs the following: 1) computing power, for example to encrypt/hash user private data, and also to take part in the blockchain's consensus; 2) storage space, to maintain the ciphertexts of the private data of the network service's many registered users, the full ledger data and traceable history records; 3) public network capability, to connect to all blockchain nodes across the whole network and ensure data consistency through the consensus mechanism.
The login information ciphertext may be a reversible ciphertext, such as one obtained by an encryption algorithm such as shift encryption or permutation encryption. The login information ciphertext can also be an irreversible ciphertext, so that the blockchain carries no risk of leaking user private data. For example, an irreversible login information ciphertext may be generated with a message digest algorithm. A message digest algorithm needs no secret key, so there is no key management or distribution problem; the digested data cannot be decrypted, and the same plaintext passed through the same message digest algorithm always yields the same ciphertext.
Since a reversible ciphertext may be cracked, and reversible ciphertexts of varying length occupy more storage space and are slower to retrieve, this embodiment uses an irreversible login information ciphertext. In this embodiment the login information ciphertext is the hash value of the login information, and the hash algorithm may be SHA (Secure Hash Algorithm), MD5 (Message-Digest Algorithm) or the like.
The login information ciphertext may be obtained by encrypting a combined string composed of the user name and password, for example the concatenation of the user name and password. The login information ciphertext may also consist of a user name ciphertext and a password ciphertext obtained by encrypting the user name and password separately. The login information ciphertext may also be a password ciphertext obtained by encrypting only the password.
In specific implementation, different private networks can adopt the same encryption algorithm to generate login information ciphertext, so that a user can login a server through any private network. Different private networks can also adopt different encryption algorithms to generate login information ciphertexts, so that a user can only login the server through the private network used during registration. For example, the private network 1 calculates a hash value of a combined character string composed of a user name and a password; the private network 2 calculates a cipher ciphertext by adopting a shift encryption algorithm; the private network 3 calculates the cipher text by using a shift encryption algorithm and calculates the hash value of the user name.
In one example, the first login information ciphertext is a hash value generated by a block link node of a local network where the registered client is located according to a combined character string of a user name and a password, and the hash value can be written into a block chain account book of the node and is synchronized to all block chain nodes of the whole network through the block chain by adopting a distributed consensus mechanism. The block link node may store first login information ciphertexts of all users of at least one network service, as shown in table 1 below.
Table 1: user privacy data stored by a blockchain node (table image not reproduced)
As can be seen from table 1, with this processing method the blockchain node records neither the user name nor the password, only the irreversible ciphertext (hash value) of their concatenated string. Only the user knows the plaintext of the user name and password, and even if the database is stolen, the plaintext cannot be deduced from the ciphertext, so the user's private data is stored more safely. This processing method reduces the risk of leaking both the user password and the user name.
In another example, the first login information ciphertext is a hash value generated from the combined string of user name and password, and the blockchain node of the registering client's local network additionally stores a registration password ciphertext corresponding to the first login information ciphertext, together with a private key for decrypting that ciphertext into plaintext. The hash value and the corresponding registration password ciphertext are written into the node's blockchain ledger and synchronized to all blockchain nodes of the whole network through the blockchain using a distributed consensus mechanism, but the private key is not stored on the other blockchain nodes, as shown in table 2 below.
Table 2: first login information ciphertext and corresponding registration password ciphertext (table image not reproduced)
As can be seen from table 2, with this processing method the blockchain node records neither the user name nor the password itself; it records only the hash value of their concatenated string and the reversible ciphertext of the password. Only the user knows the plaintext of the user name and password, so even if the database is stolen the plaintext cannot be deduced from the ciphertext, and the user's private data is stored more safely. Likewise, this processing method reduces the risk of leaking both the user password and the user name.
In yet another example, the first login information ciphertext is again a hash value generated from the combined string of user name and password; the hash value and the corresponding user name are written into the node's blockchain ledger and synchronized to all blockchain nodes of the whole network through the blockchain using a distributed consensus mechanism, as shown in table 3 below.
Table 3: first login information ciphertext and corresponding user name (table image not reproduced)
As can be seen from table 3, with this processing method the blockchain node does not record the password itself, but the hash value of the concatenated user name and password string together with the user name in plaintext. Only the user knows the plaintext of the password, and even if the database is stolen, the password plaintext cannot be deduced from the ciphertext, so the user's private data is stored safely.
In yet another example, the first login information ciphertext is the hash value of the password; the hash value and the corresponding user name are written into the node's blockchain ledger and synchronized to all blockchain nodes of the whole network through the blockchain using a distributed consensus mechanism, as shown in table 4 below.
Table 4: first login information ciphertext and corresponding user name (table image not reproduced)
As can be seen from table 4, with this processing method the blockchain node does not record the password itself, only the hash value of the password and the user name in plaintext. Only the user knows the plaintext of the password, and even if the database is stolen, the password plaintext cannot be deduced from the ciphertext, so the user's private data is stored safely.
In yet another example, the first login information ciphertext comprises the hash value of the password (the first password ciphertext, obtained by encrypting the password) and the hash value of the user name (the first user name ciphertext, obtained by encrypting the user name); both are written into the node's blockchain ledger and synchronized to all blockchain nodes of the whole network through the blockchain using a distributed consensus mechanism, as shown in table 5 below.
Table 5: user name ciphertext and password ciphertext (table image not reproduced)
As can be seen from table 5, with this processing method the blockchain node records neither the user name nor the password itself, only the hash value of the user name and the hash value of the password. Only the user knows the plaintext, so even if the database is stolen, the plaintext of the user name and password cannot be deduced from the ciphertext, and the user's private data is stored more safely.
In this embodiment, each network server stores information about its registered users that includes only their basic information; the registered user information table does not include user private data, at least not the user password, as shown in tables 6-1 and 6-2 below.
User name    Mailbox    Region
A001
A002
Table 6-1: registered user information table of shopping platform A
Table 6-2: registered user information table of shopping platform B (table image not reproduced)
As shown in fig. 3, in the user registration phase of this embodiment, the client obtains the plaintext of the registration user name (username) and registration password (password) and sends them to the blockchain node of its local network. That blockchain node concatenates the registration user name and registration password and generates a hash value (hash) of the result, encrypts the registration password plaintext with a user key to obtain the registration password ciphertext (code), generates a one-time password (number), sends the hash value (the first login information ciphertext) and the registration password ciphertext to the other blockchain nodes, and returns the hash value and the one-time password to the client. The client sends a user registration request containing the hash value and the one-time password to the server. The server passes the hash value and the one-time password to the blockchain node of its own local network, which checks whether the hash values it stores include the one received by the server, thereby proving that the registering user exists. If the registered user exists, the authenticity of the registration request is verified with the one-time password; if the one-time passwords match, the blockchain node of the server's local network returns the verification result (success or failure) to the server, and the server can store the basic information of the registered user, as shown in tables 6-1 and 6-2 above.
With this processing method the user password exists only within the local network of the registering client; it is neither propagated to the server over the public network nor submitted to the blockchain. The server no longer sees the user key and only needs to verify that the registration request comes from a real user (on the premise that a BC Node is deployed in the user's network); at the same time, the risk of the user key being intercepted and leaked while traversing the public network is eliminated. Moreover, storing the hash value and the password ciphertext of the user's private data on the blockchain prevents the user password from being tampered with and makes the record traceable.
Step S103: obtaining a login user name and a login password.
In this embodiment, the user enters the login user name and login password on the login client; once obtained, they may be sent to the blockchain node of the login client's local network.
The login client includes, but is not limited to, mobile communication devices such as mobile phones or smartphones, and also terminal devices such as personal computers, PADs, and iPads. The login client and the registration client may be in the same private network or in different private networks, and a blockchain node is deployed in each private network.
Step S105: generating a second login information ciphertext from the login user name and the login password.
In this embodiment, the blockchain node of the login client's local network generates the second login information ciphertext from the login user name and login password in the same way the first login information ciphertext was generated. For example, the second login information ciphertext may be obtained by encrypting the combined string of user name and password, or it may consist of a user name ciphertext and a password ciphertext obtained by encrypting the user name and the password separately, or it may consist only of a password ciphertext obtained by encrypting the password.
Step S107: in the client's local network, authenticating the login user according to the second login information ciphertext and the set of first login information ciphertexts stored by a first blockchain node of the client's local network.
According to the method of this embodiment, on top of storing the ciphertext of user private data on the blockchain (instead of the existing practice of the server maintaining the user private data in plaintext), verification within the user's blockchain local domain replaces verification at a server across the public network, so that user private data never enters the public network. Specifically, the user's blockchain local domain checks whether the second login information ciphertext generated at login matches the first login information ciphertext generated at registration; if they match, it determines that identity authentication passes, and if not, that it fails.
In one example, the login information ciphertext is obtained by encrypting the combined string of user name and password, as in table 1 above. In this case step S107 may be implemented as follows: determine whether the set of first login information ciphertexts stored by the first blockchain node includes the second login information ciphertext; if so, identity authentication passes; if not, it fails. With this processing method the blockchain stores no user name plaintext, which effectively eliminates the risk of user name leakage.
However, in implementing the present invention, the inventors found that generating the login information ciphertext with a hash function has a hash collision problem: if two input strings have the same hash value, the two strings are said to collide. In practice, the same hash value may be obtained from the same user name with different passwords, for example the hash values of user name A + password 1 (correct password) and user name A + password 2 (wrong password) may be equal. In that case, if a wrong password is entered at login but its hash value equals the first login information ciphertext because of a hash collision, using only the consistency of the login information ciphertext as the basis for authentication may give an incorrect authentication result.
To solve this problem, in one example the login information ciphertext is a hash value generated from the combined string of user name and password, and a registration password ciphertext corresponding to the first login information ciphertext is also stored on the blockchain, as in table 2 above. The first blockchain node also stores the key for decrypting the registration password ciphertext into plaintext; blockchain nodes in other networks do not hold the encryption key of the user's local-domain blockchain node, so they cannot recover the user password from the broadcast hash value and registration password ciphertext, and the login client and the registration client must therefore be in the same network. In this case step S107 may be implemented as follows: determine whether the set of first login information ciphertexts stored by the first blockchain node includes the second login information ciphertext; if so, decrypt the registration password ciphertext corresponding to the second login information ciphertext into the registration password plaintext with the key; if the login password plaintext equals the registration password plaintext, identity authentication passes; if the set of first login information ciphertexts does not include the second login information ciphertext, or the login password plaintext differs from the registration password plaintext, identity authentication fails.
With this double verification of the login information ciphertext and the password ciphertext, no user name plaintext is stored on the blockchain, so the risk of user name leakage is effectively eliminated, and when the login password is wrong but its hash value coincides with the first login information ciphertext because of a hash collision, the password plaintext is used for a further check that exposes the wrong login password, so the accuracy of identity verification is effectively improved.
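The registration flow of fig. 3 and the table-2 login check just described, as an added example in Python that is not code from the patent or from Alibaba Cloud. The SHA-256 of the concatenated user name and password, the stream cipher used as the reversible password ciphertext, the node and server names, and the sample user A001 are all assumptions made for the example; consensus is simulated as direct replication between node objects.

```python
"""Added example, not the patent's or the assignee's code: registration
flow of fig. 3 plus the table-2 login check (hash membership, then decrypt
the registration password ciphertext with the key that only the user's
local node holds and compare plaintexts). Names, keys and sample users are
constructed. The stream cipher is a stand-in for a real authenticated
cipher such as AES-GCM; the unsalted SHA-256 of user name + password
follows the text, whereas a deployment would use a salted password hash.
"""
import hashlib
import secrets


def login_info_hash(username, password):
    """Hash of the concatenated user name and password; the NUL separator
    keeps ("ab", "c") and ("a", "bc") from colliding trivially."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).hexdigest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(key, password):
    """Reversible registration password ciphertext: nonce || plaintext XOR keystream."""
    nonce, pt = secrets.token_bytes(16), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))


def decrypt_password(key, blob):
    """Returns bytes; a wrong key gives unrelated bytes rather than an error."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class BCNode:
    """`ledger` and `otps` are replicated to every node (consensus simulated
    as direct copies); `user_key` never leaves the node that created it."""

    def __init__(self, name, network):
        self.name, self.network = name, network
        network.append(self)
        self.ledger = {}                          # hash -> password ciphertext
        self.otps = {}                            # hash -> one-time password
        self.user_key = secrets.token_bytes(32)   # local only, never replicated

    def _broadcast(self, h, code, otp):
        for node in self.network:
            node.ledger[h] = code
            node.otps[h] = otp

    def register(self, username, password):
        """Registration at the client's node: returns (hash, one-time password)."""
        h = login_info_hash(username, password)
        code = encrypt_password(self.user_key, password)
        otp = secrets.token_hex(8)
        self._broadcast(h, code, otp)
        return h, otp

    def login(self, username, password):
        """Table-2 double verification at the client's node. Returns
        (hash, one-time login password) or None; fails on any node that
        does not hold the registration key."""
        h = login_info_hash(username, password)
        if h not in self.ledger:
            return None
        if decrypt_password(self.user_key, self.ledger[h]) != password.encode():
            return None                           # hash matched, plaintext did not
        otp = secrets.token_hex(8)
        self._broadcast(h, self.ledger[h], otp)
        return h, otp

    def verify_request(self, h, otp):
        """Server's node: the user exists and the one-time password matches."""
        return h in self.ledger and secrets.compare_digest(self.otps.get(h, ""), otp)


def run_flow(username="A001", password="correct horse battery"):
    network = []
    client_node = BCNode("bc-client", network)
    server_node = BCNode("bc-server", network)
    server_users = {}                             # table 6-1: basic info only

    h, otp = client_node.register(username, password)       # stays on the intranet
    if server_node.verify_request(h, otp):                  # request crossed the Internet
        server_users[h] = {"mailbox": "a001@example.test"}

    login = client_node.login(username, password)
    return {
        "registered": h in server_users,
        "wrong_otp_rejected": not server_node.verify_request(h, "0" * 16),
        "login_ok": login is not None and server_node.verify_request(*login),
        "wrong_password_rejected": client_node.login(username, "wrong") is None,
        "other_network_rejected": server_node.login(username, password) is None,
        "server_node_can_decrypt": decrypt_password(
            server_node.user_key, server_node.ledger[h]) == password.encode(),
        "password_in_server_table": password in repr(server_users),
    }
```

Running run_flow() shows that the server's own node receives the password ciphertext through replication but cannot decrypt it, that the server's user table never holds the password, and that a login attempt on a node without the registration key fails even with the right password, which is the same-network requirement the text states.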
In implementing the present invention, the inventors also found that the hash values of the combined strings of different user names, or the hash values of the passwords of different user names, may be the same, for example the hash values of user name A + password 1 and user name B + password 2 may be equal. If the first login information ciphertexts of different users coincide because of a hash collision, using only the consistency of the login information ciphertext as the basis for identity verification can likewise give an incorrect result.
To solve this problem, in one example the login information ciphertext is obtained by encrypting the combined string of user name and password, or the password alone, and the user name corresponding to the first login information ciphertext is also stored on the blockchain, as in table 4 above. In this case step S107 may be implemented as follows: determine whether the first login information ciphertext stored by the first blockchain node for the login user name matches the second login information ciphertext; if so, identity authentication passes. With this processing method the login user name and the second login information ciphertext together form the query condition used to look up a matching record in the login information ciphertext table stored by the blockchain node, so even if the login information ciphertexts of different user names collide, the specific login user is identified accurately and the authentication result is correct. Moreover, this method involves no private key, so the registration client and the login client may be in different networks.
In another example, the login information ciphertext comprises a user name ciphertext obtained by encrypting the user name and a password ciphertext obtained by encrypting the password, as in table 5 above. In this case the first login information ciphertext comprises a first user name ciphertext obtained by encrypting the registration user name and a first password ciphertext obtained by encrypting the registration password; the second login information ciphertext comprises a second user name ciphertext obtained by encrypting the login user name and a second password ciphertext obtained by encrypting the login password. Accordingly, step S107 may be implemented as follows: determine whether the set of (first user name ciphertext, first password ciphertext) pairs stored by the first blockchain node includes the pair (second user name ciphertext, second password ciphertext); if so, identity authentication passes. With this processing method authentication passes only when the user name ciphertext and the password ciphertext match at the same time. Because the probability that two separately computed ciphertexts both collide at once is extremely low, the login user is identified more accurately. This method addresses both the case where a wrong login password passes authentication because of a hash collision and the case where a wrong login user name does. In addition, since the blockchain stores no user name plaintext, the risk of user name leakage is effectively eliminated. Furthermore, this approach allows the registration client and the login client to be in different networks.
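The three step S107 variants of tables 1, 4 and 5 run against constructed collisions, as an added example that is not the patent's code. A full-length SHA-256 digest is not expected to collide in practice, so the example truncates the digest to its first byte (toy_hash) to make the same-user and cross-user collisions described above easy to construct; the ledger layout, user names and passwords are assumptions for the example.

```python
"""Added example, not the patent's code: step S107 under hash collisions
for the storage layouts of tables 1, 4 and 5. toy_hash deliberately keeps
only 8 bits of SHA-256 so that collisions are reachable; users, passwords
and ledger contents are constructed for the example.
"""
import hashlib


def toy_hash(s):
    """Deliberately weak 8-bit hash standing in for the page's SHA/MD5."""
    return hashlib.sha256(s.encode()).digest()[0]


def combined_hash(username, password):
    """Hash of the combined string of user name and password (tables 1 to 4)."""
    return toy_hash(f"{username}\x00{password}")


class Ledger:
    """First login information ciphertexts as replicated to every BC Node."""

    def __init__(self):
        self.table1 = set()   # table 1: combined hash only
        self.table4 = {}      # table 4: user name plaintext -> password hash
        self.table5 = set()   # table 5: (user name hash, password hash)

    def register(self, username, password):
        self.table1.add(combined_hash(username, password))
        self.table4[username] = toy_hash(password)
        self.table5.add((toy_hash(username), toy_hash(password)))


def colliding_password(ledger, reg_user, reg_pw, login_user):
    """Construct a wrong password for login_user whose combined hash equals
    that of the registered (reg_user, reg_pw) while its own hash matches no
    registered password hash: the collision cases described in the text."""
    target = combined_hash(reg_user, reg_pw)
    taken = set(ledger.table4.values())
    i = 0
    while True:
        cand = f"guess{i}"
        if combined_hash(login_user, cand) == target and toy_hash(cand) not in taken:
            return cand
        i += 1


def verify_table1(ledger, username, password):
    """Set membership only: any collision on the combined hash passes."""
    return combined_hash(username, password) in ledger.table1


def verify_table4(ledger, username, password):
    """User name and ciphertext together form the query condition."""
    return ledger.table4.get(username) == toy_hash(password)


def verify_table5(ledger, username, password):
    """User name ciphertext and password ciphertext must both match."""
    return (toy_hash(username), toy_hash(password)) in ledger.table5


def outcomes(ledger, username, password):
    """(table 1 result, table 4 result, table 5 result) for one login attempt."""
    return (verify_table1(ledger, username, password),
            verify_table4(ledger, username, password),
            verify_table5(ledger, username, password))


def demo():
    ledger = Ledger()
    ledger.register("alice", "alice-secret")
    ledger.register("bob", "bob-secret")
    # user name A + password 2 colliding with user name A + password 1
    same_user_wrong_pw = colliding_password(ledger, "alice", "alice-secret", "alice")
    # user name B + password 2 colliding with user name A + password 1
    other_user_wrong_pw = colliding_password(ledger, "alice", "alice-secret", "bob")
    return {
        "alice_correct": outcomes(ledger, "alice", "alice-secret"),
        "bob_correct": outcomes(ledger, "bob", "bob-secret"),
        "alice_wrong_pw_collision": outcomes(ledger, "alice", same_user_wrong_pw),
        "bob_cross_user_collision": outcomes(ledger, "bob", other_user_wrong_pw),
    }
```

In both collision cases the table-1 check accepts the wrong password, while the table-4 lookup scoped by user name and the table-5 pair match reject it; the correct credentials pass all three.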
In a specific implementation, the client may send the login user name and login password to the first blockchain node of its local network, which performs steps S105 and S107; alternatively, the client may obtain the set of first registration information ciphertexts from the first blockchain node of its local network, execute steps S105 and S107 itself, and return the result to the first blockchain node. A local authentication result obtained by executing steps S105 and S107 on the first blockchain node is more reliable.
Step S109: if identity authentication passes in the client's local network, allocating a one-time login password to the login user and storing it on the blockchain; and sending a user login request containing the login user information and the one-time login password to the server over the public network.
The method of this embodiment authenticates the user within the user's blockchain domain based on the login information ciphertext, and sends the user login request to the server across the public network after the user passes. The server uses a token authentication mechanism: it must recognize whether a received request is the login request of a real user who passed blockchain verification, and it determines that identity verification passes only when the received user login request is confirmed to come from a real user. Therefore the user login request sent from the user's blockchain local domain to the server includes a one-time login password set for the login user who passed identity authentication in that domain, and the login user information corresponding to the one-time login password is stored on the blockchain.
The one-time login password, also called a one-time password or (temporary) token, distinguishes whether a user login request comes from a real user authenticated in the user's blockchain domain or is an illegal request from an illegal user who was not. In a specific implementation the one-time login password may be generated as a random number, and it is valid only for the login user who passed identity authentication in the user's blockchain domain.
Taking table 2 above as an example, in one example the user data stored in the blockchain node may further include a one-time login password and its state, as shown in table 7-1 below.
Table 7-1: user privacy data stored by a blockchain node (table image not reproduced)
As can be seen from table 7-1, in this embodiment, after the first blockchain node of the user's blockchain local domain sets a one-time login password for the login user authenticated this time, it may also set the state of that password: the one-time login password is in the active state before the server has verified it and in the inactive state after the server has verified it.
In another example, the method may further include setting a validity period and a generation time for the one-time login password, the validity period being 10 seconds, so that if the server has not verified the one-time login password within 10 seconds it becomes invalid. With this processing method, even if a malicious user steals the one-time login password stored on the blockchain, its limited validity period means the malicious user cannot use it to pass the server's identity authentication. Taking table 2 above as an example, the user data stored in the blockchain node may further include a one-time login password and a generation time, as shown in table 7-2 below.
Table 7-2: user privacy data stored by a blockchain node (table image not reproduced)
The login user information is information capable of determining a login user, and specifically may be a login user name, a second login information ciphertext, and a user name ciphertext. If the second login information ciphertext or the user name ciphertext is adopted, the user login name does not enter the public network, the user name is prevented from being leaked in the transmission process of the public network, and the risk of user name leakage can be effectively eliminated.
In specific implementation, the first block chain node of the client local network can send the user login request to the server; or the first block link point sends the one-time login password to the client, and the client sends the user login request to the server.
Step S111: and in the server-side local network, performing identity authentication on the login user according to the login user information and the one-time login password received by the server side and the one-time login password which is stored in the second block link node of the server-side local network and corresponds to the registered user.
According to the method provided by the embodiment of the application, a token authentication mode is adopted in the server side local network, the one-time login password of the login user received by the server side is compared with the one-time login password corresponding to the user and stored in the second block link point of the server side local network, only if the two passwords are consistent, the request received by the server side is represented as the login request of the real user, and the fact that the identity authentication is passed is judged. If the passwords are inconsistent, the password is an illegal request from a malicious user, and the authentication cannot be passed.
Specifically, when a user login request which passes identity authentication through a user block chain local domain is transmitted in a public network, even if a malicious user intercepts the request, the password carried by the request is a one-time password, so that even if the malicious user initiates a request to a server according to login user information and the one-time login password included in the request, the malicious user cannot pass identity authentication at the server, and replay attack can be effectively prevented.
In addition, based on the block chain characteristics, a malicious user cannot tamper with the first login information ciphertext stored in the area chain, so that even if the malicious user tampers with login user information carried in a user login request, the malicious user cannot pass identity authentication at the server.
In one example, in the local network of the server, whether the logged-in user exists or not may be first queried in the user data stored in the link point of the block of the local domain of the server according to the logged-in user information received by the server; if the login user exists, the authenticity of the login request of the user is proved according to the one-time login password, and if the one-time login password is consistent, the client can use the service provided by the server through identity authentication.
In specific implementation, the server may send the received login user information and the one-time login password to a second blockchain node of the local network, and execute step S111 through the second blockchain node; alternatively, the server may first obtain the one-time login password corresponding to the login user from the second tile link point of the local network, and then execute step S111 at the server.
In one example, the login user information includes a second login information ciphertext, and step S111 may be implemented as follows: acquiring a one-time login password which is stored in a second block link point and corresponds to a login information ciphertext received by a server side, and taking the one-time login password as a target login password; judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server side judges that the identity authentication is passed.
In specific implementation, in the local network of the server, whether a first login information ciphertext set stored by a block link point in the local domain of the server comprises a login information ciphertext received by the server or not can be firstly inquired to prove the existence of a login user; if the login user exists, the authenticity of the login request of the user is proved according to the one-time login password, and if the one-time login password is consistent, the authentication is passed.
In this embodiment, a registration password ciphertext corresponding to the first login information ciphertext is further stored in the blockchain, and the first blockchain node further stores a key for decrypting the registration password ciphertext into a plaintext. Corresponding to the user registration processing method shown in fig. 3, the following registration processing flow may be adopted in the registration stage. The client acquires the plaintext of the login user name and the login password and sends the plaintext of the login user name and the login password to the block link points of the local network; the method comprises the steps that block chain link points of a local network of a client generate a connection character string of a login user name and a login password, a hash value (second login information ciphertext) is generated, a user key stored only in the local is used for decoding a registration password ciphertext corresponding to the hash value to obtain a registration password plaintext, if the registration password plaintext is consistent with the login password plaintext, a one-time login password is generated and sent to other block chain nodes, and the hash value and the one-time login password are returned to the client; the client sends a user login request to the server, wherein the request comprises a hash value and a one-time login password; the server side sends the hash value and the one-time login password to the block link points of the local network, the block link points of the local network of the server side carry out identity verification, and identity verification results are sent back to the server side. 
By adopting the processing mode, the user login request transmitted to the server only comprises the hash value and the one-time login password, so that the private data of the user can not enter the public network and can only be transmitted in the internal network, and therefore, the leakage can not be caused in the transmission process.
In another example, the login user information includes a login user name, and step S111 may be implemented as follows: acquiring the one-time login password stored in the second blockchain node that corresponds to the login user name received by the server, and taking it as the target login password; judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the identity verification has passed.
In yet another example, the login user information includes a second user name ciphertext and a second password ciphertext; step S111 may be implemented as follows: acquiring the one-time login password stored in the second blockchain node that corresponds to the user name ciphertext and password ciphertext received by the server, and taking it as the target login password; judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the identity verification has passed.
In one example, the server is a cloud platform server. As shown in fig. 4, the cloud platform server is a platform that provides user management services for a plurality of cloud product services, and different cloud product services are deployed on different servers. The registered user information of the various cloud product services is stored in the cloud platform server; when a user uses a cloud product service, the login request is sent to the cloud platform server, which performs the user identity verification, and after the user passes verification the cloud platform server recursively calls the cloud product service the user wants to use, sending the user login request to the cloud product server. In this case, the password of the registered user includes a key SK that the user uses to encrypt the authentication string and the cloud product vendor uses to verify it; the method may further comprise the following steps: if the cloud platform server judges that the identity verification has passed, it sends a user login request to the cloud product server, the user login request comprising the login user information and the one-time login password; and in the cloud product server local network, verifying the identity of the login user according to the login user information and the one-time login password received by the cloud product server and the one-time login password corresponding to the registered user stored by a third blockchain node of the cloud product server local network.
In a specific implementation, after the cloud platform server verifies that the login user is a legitimate user, it can generate a one-time login password of its own and synchronise it to all nodes of the blockchain; this one-time login password is carried in the user login request that the cloud platform server sends to the cloud product server, and the one-time login password generated by the blockchain node of the client local network becomes invalid.
For example, for a platform in Alibaba Cloud that needs to store a user's AK/SK and then call other cloud product services, the method provided by the embodiment of the application enables the platform side to call the cloud product without ever seeing the user's SK, and when other cloud products are accessed recursively, unnecessary propagation of the user's SK is avoided, so that private data is protected in a real sense.
As can be seen from the foregoing embodiments, in the identity verification method provided in the embodiments of the present application, the first login information ciphertext of the network service registered user is stored in the blockchain, and the registered user information that does not include the user's private data is stored in the server; after the user submits a login request, the login user name and login password are obtained and a second login information ciphertext is generated; in the client local network, the identity of the login user is verified according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network; if the identity verification passes in the client local network, a one-time login password is allocated to the login user and stored to the blockchain; a user login request comprising the login user information and the one-time login password is sent to the server through the public network; and in the server local network, the identity of the login user is verified according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node of the server local network. With this processing, the plaintext of the user login information is transmitted only within the local domain of the login client and never enters the public network, and the server no longer sees the user's private data, so the private data cannot be leaked during public network transmission and the risk of leakage from the server is eliminated; the security of the user's private data is therefore effectively improved.
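The two-stage flow summarised above, as an added example that is not code from the patent or from Alibaba Cloud. One in-memory `Ledger` object stands in for the copy of the chain that the first, second and third blockchain nodes each replicate; `register` plays the registration embodiment, `client_node_login` the first node, `server_node_verify` the second (and, on the cloud product side, third) node, and `cloud_platform_forward` the cloud platform server's re-issue described with fig. 4. It also applies the validity-duration check of claim 7. The function names, the hash used as the login information ciphertext, the separator, the 60-second duration and the reading of "one-time" as consumed on first successful verification are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example of the identity verification flow; not code from the patent.
# Names, the hash construction and OTP_TTL_SECONDS are assumptions.
OTP_TTL_SECONDS = 60  # valid duration of a one-time login password (claim 7); assumed value


class Ledger:
    """Constructed stand-in for the chain replicated across all blockchain nodes."""

    def __init__(self):
        self.login_ciphertexts = set()   # first login information ciphertext set (claim 1)
        self.one_time_passwords = {}     # login information ciphertext -> (one-time password, generation time)


def login_ciphertext(username: str, password: str) -> str:
    """Ciphertext of the combined user name/password string (claim 2), here a SHA-256 hash.
    The NUL separator is an assumption; the text only says the strings are concatenated."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).hexdigest()


def register(ledger: Ledger, server_db: dict, username: str, password: str, profile: dict) -> str:
    """Registration: the first node writes the ciphertext to the chain; the server keeps the
    registered user's information except the password."""
    ciphertext = login_ciphertext(username, password)
    ledger.login_ciphertexts.add(ciphertext)
    server_db[username] = dict(profile)      # neither the password nor its hash reaches the server
    return ciphertext


def client_node_login(ledger: Ledger, username: str, password: str, now: float = None):
    """First blockchain node (client local network): check the second login information
    ciphertext against the stored set and, on success, allocate a one-time login password
    and record it on the chain. Returns the user login request the client sends over the
    public network, or None when verification fails."""
    now = time.time() if now is None else now
    ciphertext = login_ciphertext(username, password)
    if ciphertext not in ledger.login_ciphertexts:
        return None
    otp = secrets.token_hex(16)
    ledger.one_time_passwords[ciphertext] = (otp, now)
    return {"login_info": ciphertext, "otp": otp}


def server_node_verify(ledger: Ledger, login_info: str, otp: str, now: float = None) -> bool:
    """Second blockchain node (server local network): take the stored password for the
    received login information as the target, check its validity (claim 7), then compare.
    Assumption: a password is consumed on first successful use."""
    now = time.time() if now is None else now
    record = ledger.one_time_passwords.get(login_info)
    if record is None:
        return False
    target_otp, generated_at = record
    if now - generated_at > OTP_TTL_SECONDS:
        del ledger.one_time_passwords[login_info]   # expired: drop it so it cannot be replayed later
        return False
    if not hmac.compare_digest(target_otp, otp):
        return False
    del ledger.one_time_passwords[login_info]       # one-time: consumed on success
    return True


def cloud_platform_forward(ledger: Ledger, login_info: str, otp: str, now: float = None):
    """Cloud platform server (fig. 4): after its own node accepts the request, generate a fresh
    one-time login password, synchronise it to the chain and forward a login request to the
    cloud product server, whose third node verifies it with server_node_verify. The password
    issued by the client's node is no longer valid after this point."""
    now = time.time() if now is None else now
    if not server_node_verify(ledger, login_info, otp, now):
        return None
    new_otp = secrets.token_hex(16)
    ledger.one_time_passwords[login_info] = (new_otp, now)
    return {"login_info": login_info, "otp": new_otp}


if __name__ == "__main__":
    ledger, server_db = Ledger(), {}
    register(ledger, server_db, "alice", "correct horse", {"email": "alice@example.test"})  # constructed sample
    req = client_node_login(ledger, "alice", "correct horse")
    print("server accepts:", server_node_verify(ledger, req["login_info"], req["otp"]))
    print("replay accepts:", server_node_verify(ledger, req["login_info"], req["otp"]))
```

Two points the code makes visible that the summary only states: the only value that crosses the public network is the login information ciphertext plus a random one-time password, and the server's own record (`server_db`) never contains the password in any form, so compromise of the server alone yields nothing that can be replayed against the first node.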
Second embodiment
In the above embodiment, an identity authentication method is provided, and correspondingly, an identity authentication device is also provided in the present application. The apparatus corresponds to an embodiment of the method described above. Since the apparatus embodiments are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
The present application additionally provides an authentication device comprising:
an information storage unit, used for storing a first login information ciphertext set of network service registered users in a blockchain, wherein the first login information ciphertext is a ciphertext obtained by encrypting registration privacy information related to identity verification, and for storing registered user information without user privacy data in the server;
a login information acquisition unit, used for acquiring a login user name and a login password;
a login information encryption unit, used for generating a second login information ciphertext according to the login user name and the login password;
a first verification unit, used for verifying the identity of the login user in the client local network according to the second login information ciphertext and the first login information ciphertext set stored in the first blockchain node of the client local network;
a first verification-passed unit, used for allocating a one-time login password to the login user and storing it to the blockchain if the identity verification passes in the client local network, and for sending a user login request to the server through the public network, wherein the user login request comprises the login user information and the one-time login password;
and a second verification unit, used for verifying the identity of the login user in the server local network according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node of the server local network.
Third embodiment
In the foregoing embodiment, an identity authentication method is provided, and accordingly, the present application also provides an electronic device. The apparatus corresponds to an embodiment of the method described above. Since the apparatus embodiments are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
An electronic device of the present embodiment includes a processor and a memory; the memory stores a program implementing the identity verification method, and after the device is powered on the program is executed by the processor to perform the following steps: storing a first login information ciphertext set of network service registered users in a blockchain, wherein the first login information ciphertext is a ciphertext obtained by encrypting registration privacy information related to identity verification, and storing registered user information without user privacy data in the server; acquiring a login user name and a login password; generating a second login information ciphertext according to the login user name and the login password; in the client local network, verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network; if the identity verification passes in the client local network, allocating a one-time login password to the login user and storing it to the blockchain; sending a user login request to the server through the public network, wherein the user login request comprises the login user information and the one-time login password; and in the server local network, verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node of the server local network.
Fourth embodiment
Corresponding to the identity verification method, the application also provides a user registration method, whose execution subject is the device used by the registering user, also referred to as the registration client. Parts of this embodiment that are the same as the first embodiment are not described again; please refer to the corresponding parts of the first embodiment.
In this embodiment, the user registration method may include the following steps:
step 1: acquiring user registration information for a network service, wherein the user registration information comprises a registration user name and a registration password;
step 2: sending the registration user name and the registration password to the first blockchain node of the client local network, and generating a first login information ciphertext from the registration user name and the registration password through the first blockchain node; storing the first login information ciphertext into the blockchain, and storing the registered user's information other than the registration password into the network server.
Fifth embodiment
Corresponding to the above identity verification method, the present application also provides a user registration method, whose execution subject is the first blockchain node of the client local network. Parts of this embodiment that are the same as the first embodiment are not described again; please refer to the corresponding parts of the first embodiment.
In this embodiment, the user registration method may include the following steps:
step 1: receiving the user name and password of a network service registering user sent by the client;
step 2: generating a first login information ciphertext according to the user name and the password;
step 3: storing the first login information ciphertext into the blockchain, and storing the registered user's information other than the registration password into the network server.
Sixth embodiment
Corresponding to the identity verification method, the application also provides an identity verification method whose execution subject is the login client. Parts of this embodiment that are the same as the first embodiment are not described again; please refer to the corresponding parts of the first embodiment.
In this embodiment, the identity verification method may include the following steps:
step 1: acquiring a login user name and a login password;
step 2: sending the login user name and the login password to the first blockchain node of the client local network, and generating a second login information ciphertext from the login user name and the login password through the first blockchain node; verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored in the first blockchain node; if the first blockchain node judges that the identity verification has passed, allocating a one-time login password to the login user and storing it to the blockchain; sending a user login request to the server through the public network, wherein the user login request comprises the login user information and the one-time login password; and in the second blockchain node of the server local network, verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
Seventh embodiment
Corresponding to the identity verification method, the application also provides an identity verification method whose execution subject is the server. Parts of this embodiment that are the same as the first embodiment are not repeated; please refer to the corresponding parts of the first embodiment.
In this embodiment, the identity verification method may include the following steps:
step 1: receiving a user login request, wherein the user login request comprises login user information and a one-time login password;
step 2: sending the login user information and the one-time login password received by the server to the second blockchain node of the server local network, and, through the second blockchain node, verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node of the server local network.
Eighth embodiment
Corresponding to the above identity verification method, the present application also provides an identity verification method whose execution subject is the second blockchain node of the server local network. Parts of this embodiment that are the same as the first embodiment are not repeated; please refer to the corresponding parts of the first embodiment.
In this embodiment, the identity verification method may include the following steps:
step 1: receiving the login user information and the one-time login password sent by the server;
step 2: verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
Ninth embodiment
Corresponding to the identity verification method, the application also provides an identity verification system. Parts of this embodiment that are the same as the first embodiment are not described again; please refer to the corresponding parts of the first embodiment.
In this embodiment, the identity verification system may include: a registration client, a first blockchain node of the client local network, a login client, a server, and a second blockchain node of the server local network. The registration client and the login client can be deployed on the same device.
The registration client is used for acquiring user registration information for a network service, wherein the user registration information comprises a registration user name and a registration password, and for sending the registration user name and the registration password to the first blockchain node of the client local network.
The first blockchain node is used for receiving the registration user name and the registration password sent by the registration client; generating a first login information ciphertext according to the registration user name and the registration password; storing the first login information ciphertext into the blockchain; and storing the registered user's information other than the registration password into the network server.
The login client is used for acquiring a login user name and a login password, and for sending the login user name and the login password to the first blockchain node of the client local network.
The first blockchain node is also used for receiving the login user name and the login password sent by the login client; generating a second login information ciphertext according to the login user name and the login password; verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored in the first blockchain node; if the first blockchain node judges that the identity verification has passed, allocating a one-time login password to the login user and storing it to the blockchain; and sending a user login request to the server through the public network, wherein the user login request comprises the login user information and the one-time login password.
The server is used for receiving the user login request, wherein the user login request comprises the login user information and the one-time login password, and for sending the login user information and the one-time login password it received to the second blockchain node of the server local network.
The second blockchain node is used for receiving the login user information and the one-time login password sent by the server, and for verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application, and those skilled in the art can make variations and modifications without departing from the spirit and scope of the present application, therefore, the scope of the present application should be determined by the claims that follow.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (14)

1. An identity verification method, comprising:
storing a first login information ciphertext set of network service registered users in a blockchain, wherein the first login information ciphertext is a ciphertext obtained by encrypting registration privacy information related to identity verification, and storing registered user information without user privacy data in a server;
acquiring a login user name and a login password;
generating a second login information ciphertext according to the login user name and the login password;
in the client local network, verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored by a first blockchain node of the client local network;
if the identity verification passes in the client local network, allocating a one-time login password to the login user and storing it to the blockchain; sending a user login request to the server through a public network, wherein the user login request comprises login user information and the one-time login password;
and in the server local network, verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in a second blockchain node of the server local network.
2. The method of claim 1, wherein
the login information ciphertext is a ciphertext obtained by encrypting a combined string of the user name and the password;
the login user information comprises the second login information ciphertext;
verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext set stored by the first blockchain node includes the second login information ciphertext; if so, judging that the identity verification has passed;
and verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node of the server local network comprises:
acquiring the one-time login password stored in the second blockchain node that corresponds to the login information ciphertext received by the server, and taking it as the target login password;
judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the identity verification has passed.
3. The method of claim 2, further comprising:
a registration password ciphertext corresponding to the first login information ciphertext is also stored in the blockchain, and a key for decrypting the registration password ciphertext into plaintext is also stored in the first blockchain node;
verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext set stored by the first blockchain node includes the second login information ciphertext; if so, decrypting the registration password ciphertext corresponding to the second login information ciphertext into registration password plaintext with the key;
and if the login password plaintext is the same as the registration password plaintext, judging that the identity verification has passed.
4. The method of claim 1, wherein
the login information ciphertext is a ciphertext obtained by encrypting a combined string of the user name and the password, or the password alone;
a user name corresponding to the first login information ciphertext is also stored in the blockchain;
the login user information comprises the login user name;
verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext stored in the first blockchain node that corresponds to the login user name is consistent with the second login information ciphertext; if so, judging that the identity verification has passed;
and verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node of the server local network comprises:
acquiring the one-time login password stored in the second blockchain node that corresponds to the login user name received by the server, and taking it as the target login password;
judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the identity verification has passed.
5. The method of claim 1, wherein
the first login information ciphertext comprises a first user name ciphertext obtained by encrypting the user name and a first password ciphertext obtained by encrypting the password;
generating the second login information ciphertext according to the login user name and the login password comprises:
generating a second user name ciphertext by encrypting the login user name and a second password ciphertext by encrypting the login password;
the login user information comprises the second user name ciphertext and the second password ciphertext;
verifying the identity of the login user according to the second login information ciphertext and the first login information ciphertext set stored by the first blockchain node of the client local network comprises:
judging whether the set of correspondences between first user name ciphertexts and first password ciphertexts stored by the first blockchain node includes the correspondence between the second user name ciphertext and the second password ciphertext; if so, judging that the identity verification has passed;
and verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node of the server local network comprises:
acquiring the one-time login password stored by the second blockchain node that corresponds to the user name ciphertext and the password ciphertext received by the server, and taking it as the target login password;
judging whether the target login password is the same as the one-time login password received by the server; if so, the server judges that the identity verification has passed.
6. The method of claim 1, wherein
the server comprises a cloud platform server, and the password comprises a key SK that the user uses to encrypt an authentication string and the cloud vendor uses to verify the authentication string;
the method further comprises:
if the cloud platform server judges that the identity verification has passed, the cloud platform server sends a user login request to a cloud product server, wherein the user login request comprises the login user information and the one-time login password;
and in the cloud product server local network, verifying the identity of the login user according to the login user information and the one-time login password received by the cloud product server and the one-time login password corresponding to the registered user stored by a third blockchain node of the cloud product server local network.
7. The method of claim 1, further comprising:
setting a valid duration and a generation time for the one-time login password;
wherein verifying the identity of the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node comprises:
acquiring the one-time login password stored in the second blockchain node that corresponds to the login user information received by the server, and taking it as the target login password;
judging whether the target login password is valid according to its generation time and valid duration;
if the target login password is valid, judging whether it is the same as the one-time login password received by the server; if so, the server judges that the identity verification has passed.
8. A user registration method, used for a client, includes:
acquiring user registration information of network service, wherein the user registration information comprises a registration user name and a registration password;
sending the registered user name and the registered password to a first block chain node of a local network of the client, and generating a first login information ciphertext according to the registered user name and the registered password through the first block chain node; and storing the first login information ciphertext into the block chain, and storing the information of the registered user except the registered password into the network server.
9. A user registration method, for a first blockchain node of a client local network, comprising:
receiving the user name and password of a registered user of a network service sent by a client;
generating a first login information ciphertext from the user name and the password;
storing the first login information ciphertext in the blockchain, and storing the registered user's information other than the password in the network server.
10. An identity authentication method, for a client, comprising:
acquiring a login user name and a login password;
sending the login user name and the login password to a first blockchain node of the client local network, and generating, at the first blockchain node, a second login information ciphertext from the login user name and the login password;
authenticating the login user according to the second login information ciphertext and the set of first login information ciphertexts stored by the first blockchain node;
if the first blockchain node judges that the identity authentication has passed, allocating a one-time login password to the login user and storing the one-time login password in the blockchain;
sending a user login request to a server over the public network, the user login request comprising login user information and the one-time login password;
and, in a second blockchain node of the server local network, authenticating the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
11. An identity authentication method, for a server, comprising:
receiving a user login request comprising login user information and a one-time login password;
sending the login user information and the one-time login password received by the server to a second blockchain node of the server local network, and authenticating, at the second blockchain node, the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored in the second blockchain node.
12. An identity verification method, for a second blockchain node of a server local network, comprising:
receiving login user information and a one-time login password sent by a server;
authenticating the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the registered user stored by the second blockchain node.
13. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1-12.
14. An electronic device, comprising:
a processor and a memory;
the memory storing a program that implements the method of any one of claims 1-12, the program being executed by the processor after the device is powered on.
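The following is an added simulation of the registration and login flow described in claims 7 through 12; it is example code written for this page, not code from the patent or from Alibaba Cloud. The patent does not fix how the "login information ciphertext" is produced, how the shared chain is implemented, or how a spent one-time password is retired, so all of that is assumed here: the chain is an in-memory append-only list read by both nodes, the ciphertext is an HMAC-SHA256 under a key held only by the client-side node, the ledger records only the SHA-256 digest of the one-time login password rather than the password itself, and a used password is retired by appending a consumption record. The effective-duration check of claim 7 is driven by an injectable clock so that expiry can be exercised offline.

```python
"""Simulated walk-through of claims 7-12 (added example, not the patent's code).

Assumptions not taken from the patent: in-memory append-only ledger shared by
both nodes; HMAC-SHA256 login-information ciphertext keyed by the client node;
only the SHA-256 digest of the one-time login password is put on the ledger;
a used password is retired by appending an "otp_used" record.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Append-only record store standing in for the shared blockchain (assumption)."""
    records: list = field(default_factory=list)

    def append(self, record: dict) -> None:
        self.records.append(dict(record))

    def find(self, **match) -> list:
        return [r for r in self.records if all(r.get(k) == v for k, v in match.items())]


class ClientNode:
    """First blockchain node of the client local network (claims 8-10)."""

    def __init__(self, ledger: Ledger, node_key: bytes, otp_ttl: float, clock):
        self.ledger, self.node_key, self.otp_ttl, self.clock = ledger, node_key, otp_ttl, clock

    def _ciphertext(self, username: str, password: str) -> str:
        # Deterministic so a login ciphertext can be matched against the stored set.
        msg = username.encode() + b"\x00" + password.encode()
        return hmac.new(self.node_key, msg, hashlib.sha256).hexdigest()

    def register(self, username: str, password: str, profile: dict) -> dict:
        """Ciphertext goes on-chain; everything except the password goes to the server."""
        self.ledger.append({"type": "login_ct", "user": username,
                            "ct": self._ciphertext(username, password)})
        return {"user": username, **profile}

    def login(self, username: str, password: str):
        """Match against the on-chain ciphertext set; on success issue a one-time password."""
        candidate = self._ciphertext(username, password)
        stored = [r["ct"] for r in self.ledger.find(type="login_ct", user=username)]
        if not any(hmac.compare_digest(candidate, ct) for ct in stored):
            return None
        otp = secrets.token_urlsafe(32)
        self.ledger.append({"type": "otp", "user": username,
                            "otp_digest": hashlib.sha256(otp.encode()).hexdigest(),
                            "issued_at": self.clock(), "ttl": self.otp_ttl})
        return otp


class ServerNode:
    """Second blockchain node of the server local network (claims 7 and 12)."""

    def __init__(self, ledger: Ledger, clock):
        self.ledger, self.clock = ledger, clock

    def verify(self, username: str, otp: str) -> bool:
        issued = self.ledger.find(type="otp", user=username)
        if not issued:
            return False
        target = issued[-1]                      # most recently issued password for this user
        if self.ledger.find(type="otp_used", otp_digest=target["otp_digest"]):
            return False                         # one-time: already consumed
        if self.clock() - target["issued_at"] > target["ttl"]:
            return False                         # claim 7: outside the effective duration
        digest = hashlib.sha256(otp.encode()).hexdigest()
        if not hmac.compare_digest(digest, target["otp_digest"]):
            return False
        self.ledger.append({"type": "otp_used", "otp_digest": target["otp_digest"]})
        return True


class Server:
    """Network server (claim 11): holds no password, only forwards the login request."""

    def __init__(self, node: ServerNode):
        self.node, self.users = node, {}

    def store_registration(self, info: dict) -> None:
        if "password" in info:
            raise ValueError("registered password must never reach the server")
        self.users[info["user"]] = info

    def handle_login(self, request: dict) -> bool:
        if request["user"] not in self.users:
            return False
        return self.node.verify(request["user"], request["otp"])


def demo() -> dict:
    """Run the exchange once with a controllable clock and report each outcome."""
    now = [1_700_000_000.0]                      # constructed starting time
    clock = lambda: now[0]
    ledger = Ledger()
    client_node = ClientNode(ledger, secrets.token_bytes(32), otp_ttl=60.0, clock=clock)
    server = Server(ServerNode(ledger, clock))
    server.store_registration(client_node.register("alice", "correct horse", {"email": "a@example.test"}))
    results = {"wrong_password": client_node.login("alice", "wrong") is None}
    otp = client_node.login("alice", "correct horse")
    results["otp_issued"] = otp is not None
    results["first_use"] = server.handle_login({"user": "alice", "otp": otp})
    results["replay"] = server.handle_login({"user": "alice", "otp": otp})
    otp2 = client_node.login("alice", "correct horse")
    now[0] += 61.0                               # step past the 60 s effective duration
    results["expired"] = server.handle_login({"user": "alice", "otp": otp2})
    results["unknown_user"] = server.handle_login({"user": "mallory", "otp": otp2})
    return results


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the simulation is where the trust boundaries sit: the network server never holds a password or a ciphertext, the public-network request carries only the one-time value, and the server-side node's decision depends entirely on what the ledger says about that value, which is why the issue time, effective duration and consumption record must all be on the ledger rather than in either node's local memory.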
CN202210300792.9A 2022-03-25 2022-03-25 Identity verification method, device and system Pending CN114629713A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210300792.9A CN114629713A (en) 2022-03-25 2022-03-25 Identity verification method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210300792.9A CN114629713A (en) 2022-03-25 2022-03-25 Identity verification method, device and system

Publications (1)

Publication Number Publication Date
CN114629713A true CN114629713A (en) 2022-06-14

Family

ID=81904585

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210300792.9A Pending CN114629713A (en) 2022-03-25 2022-03-25 Identity verification method, device and system

Country Status (1)

Country Link
CN (1) CN114629713A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357644A (en) * 2016-09-21 2017-01-25 江苏通付盾科技有限公司 Method, system and server for authenticating identities on basis of block chain networks
CN108055253A (en) * 2017-12-06 2018-05-18 珠海格力电器股份有限公司 A kind of software login validation method, apparatus and system
WO2020051710A1 (en) * 2018-09-12 2020-03-19 Joe Jay System and process for managing digitized security tokens
CN111355726A (en) * 2020-02-26 2020-06-30 广东工业大学 Identity authorization login method and device, electronic equipment and storage medium
CN111695097A (en) * 2020-05-29 2020-09-22 平安科技(深圳)有限公司 Login checking method and device and computer readable storage medium
WO2020192773A1 (en) * 2019-03-27 2020-10-01 深圳市网心科技有限公司 Digital identity authentication method, device, apparatus and system, and storage medium
CN111753014A (en) * 2020-06-28 2020-10-09 中国银行股份有限公司 Identity authentication method and device based on block chain
CN112217807A (en) * 2020-09-25 2021-01-12 山西特信环宇信息技术有限公司 Cone block chain key generation method, authentication method and system
CN112989415A (en) * 2021-03-23 2021-06-18 广东工业大学 Private data storage and access control method and system based on block chain
TWM623435U (en) * 2021-11-12 2022-02-11 翁仲和 System for verifying client identity and transaction services using multiple security levels

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118441A (en) * 2022-08-29 2022-09-27 中航信移动科技有限公司 Identity verification system based on block chain
CN115118441B (en) * 2022-08-29 2022-11-04 中航信移动科技有限公司 Identity verification system based on block chain
CN115982687A (en) * 2023-01-10 2023-04-18 安徽中杰信息科技有限公司 User identity verification system for data operation and maintenance management platform
CN115982687B (en) * 2023-01-10 2023-07-28 安徽中杰信息科技有限公司 User identity verification system for data operation and maintenance management platform

Similar Documents

Publication Publication Date Title
US11449641B2 (en) Integrity of communications between blockchain networks and external data sources
US11496310B2 (en) Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
JP6547079B1 (en) Registration / authorization method, device and system
CN109922077B (en) Identity authentication method and system based on block chain
US9646161B2 (en) Relational database fingerprinting method and system
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
KR101982237B1 (en) Method and system for data sharing using attribute-based encryption in cloud computing
CN108076057A (en) A kind of data security system and method based on block chain
JP2023502346A (en) Quantum secure networking
CN102624740A (en) Data interaction method, client and server
JP2015525932A (en) Login verification method, client, server, and system
CN107359998A (en) A kind of foundation of portable intelligent password management system and operating method
Zhou et al. EverSSDI: blockchain-based framework for verification, authorisation and recovery of self-sovereign identity using smart contracts
CN114629713A (en) Identity verification method, device and system
Chang et al. A practical secure and efficient enterprise digital rights management mechanism suitable for mobile environment
Wei et al. Dynamic data integrity auditing for secure outsourcing in the cloud
CN106257859A (en) A kind of password using method
Jordan et al. Viceroy: Gdpr-/ccpa-compliant enforcement of verifiable accountless consumer requests
TWI546698B (en) Login system based on servers, login authentication server, and authentication method thereof
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
CN114338091A (en) Data transmission method and device, electronic equipment and storage medium
Chang et al. A dependable storage service system in cloud environment
CN113946864B (en) Confidential information acquisition method, device, equipment and storage medium
Ulybyshev Data Protection in Transit and at Rest with Leakage Detection
KR102648908B1 (en) User authentication system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination