CN114666052A - Identity authentication system and method - Google Patents

Publication number
CN114666052A
Authority
CN
China
Prior art keywords
password
user
rule
module
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210381280.XA
Other languages
Chinese (zh)
Inventor
米拉德·塔利比-阿瓦努埃
张静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yutianshou Jiangsu Information Technology Co ltd
Original Assignee
Yutianshou Jiangsu Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yutianshou Jiangsu Information Technology Co ltd
Priority to CN202210381280.XA
Priority to PCT/CN2022/089889 (WO2023197379A1)
Publication of CN114666052A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The invention discloses an identity authentication system and method, wherein the identity authentication system comprises a storage module, an input module, a verification module, an algorithm rule module and a rule analysis module. The storage module is used for storing a first password set by a user; the input module is used for receiving a second password sent by a user; the algorithm rule module comprises an algorithm rule for mutual conversion of the first password and the second password; the rule analysis module is used for analyzing the second password according to the algorithm rule to obtain a third password; the verification module is used for verifying the third password and the first password stored in the storage module to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed. The system and the method simplify the difficulty of memorizing the long combined password by the user, do not use the original password form in the authentication process, but use the dynamic combined password, cannot be cracked by video recording or shoulder surfing attack, and have higher safety performance.

Description

Identity authentication system and method
Technical Field
The invention relates to the technical field of information security, in particular to an identity authentication system and method.
Background
Authentication schemes are used to verify user identity or the authenticity of information in websites, software, general digital media, or devices in an IT environment. Considering the information with which an end user proves his identity to a machine in order to be granted access rights, authentication schemes can be divided into five types: a text authentication scheme that operates based on hard-to-forget answers or text; a graphical authentication scheme that operates based on a pattern the end user has selected to remember; a biometric-based authentication scheme; a network authentication scheme that functions based on online-generated codes; and a hardware authentication scheme that functions based on additional keys (e.g., smart cards or USB tokens). The first two schemes are susceptible to reuse, shoulder surfing, and camera recording attacks; the third is susceptible to attackers using forgeries that carry authentic features; the fourth is susceptible to replay and man-in-the-middle attacks; and the fifth entails additional costs, such as the difficulty of carrying hardware keys, the possibility of theft, and any other damage that may affect the performance of the system authentication process.
The authentication schemes described above are all easily broken by knowledgeable attackers. Even a common malicious intruder can perform at least one of the above attacks to steal the password credentials of the target user.
Disclosure of Invention
The purpose of the invention is as follows: the invention aims to solve the technical problem of providing an identity authentication system and method aiming at the defects of the prior art.
In order to solve the above technical problem, a first aspect discloses an identity authentication system, comprising a storage module, an input module, a verification module, an algorithm rule module and a rule parsing module,
the storage module is used for storing a first password set by a user; the user comprises a real natural person and intelligent equipment needing identity authentication.
The input module is used for receiving a second password sent by a user;
the algorithm rule module comprises an algorithm rule for mutual conversion of a first password and a second password;
the rule analysis module is used for analyzing the second password according to the algorithm rule to obtain a third password;
the verification module is used for verifying the third password and the first password stored in the storage module to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
In a possible implementation manner, the algorithm rule module includes a rule prompting unit, and the rule prompting unit is configured to prompt a user about the algorithm rule.
In a possible implementation manner, the rule prompting unit includes a ciphertext prompting subunit, and the ciphertext prompting subunit includes a prompt for indirectly prompting the user about the algorithm rule.
The second aspect also discloses an identity authentication system, which comprises a storage module, an input module, a verification module, an algorithm rule module and a rule calculation module,
the storage module is used for storing a first password set by a user; the user comprises a real natural person and intelligent equipment needing identity authentication.
The input module is used for receiving a second password sent by a user;
the algorithm rule module comprises an algorithm rule for mutual conversion of a first password and a second password;
the rule calculation module is used for calculating the first password stored in the storage module according to the algorithm rule to obtain a fourth password;
the verification module is used for verifying the second password and the fourth password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
In a possible implementation manner, the algorithm rule module includes a rule prompting unit, and the rule prompting unit is configured to prompt a user about the algorithm rule.
In a possible implementation manner, the rule prompting unit includes a ciphertext prompting subunit, and the ciphertext prompting subunit includes a prompt for indirectly prompting the user about the algorithm rule.
A third aspect discloses an identity authentication method, including:
storing a first password set by a user; the user comprises a real natural person and intelligent equipment needing identity authentication.
Obtaining an algorithm rule of mutual conversion of a first password and a second password, wherein the second password is a password sent by a user;
receiving a second password sent by a user;
analyzing the second password according to the algorithm rule to obtain a third password;
verifying the third password and the first password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
The fourth aspect also discloses an identity authentication method, which comprises the following steps:
storing a first password set by a user; the user comprises a real natural person and intelligent equipment needing identity authentication.
Obtaining an algorithm rule of mutual conversion of a first password and a second password, wherein the second password is a password sent by a user;
receiving a second password sent by a user;
calculating the first password according to the algorithm rule to obtain a fourth password;
verifying the second password and the fourth password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
A fifth aspect discloses a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of the third or fourth aspect.
A sixth aspect discloses a terminal device, comprising: a processor and a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement the method of the third or fourth aspect.
Advantageous effects:
1) the identity authentication system provided by the embodiment of the application simplifies the password use on an online/offline system. The user does not need to remember very long (6-8 symbols) and complex passwords (characters, numbers, punctuation, etc.). The user is only required to remember (3-6) numbers, much easier than the 6-8 lengthy complex combinations of the prior art schemes. Note that the user cannot apply the fixed combination directly on the smart device. The difficulty of the user in memorizing long combinations is simplified, and even the inventor cannot crack the combination, because the user defines hidden password combinations and does not use the original form in the authentication process.
2) The identity authentication system provided by the embodiment of the application cannot be cracked by video recording or shoulder surfing attacks, and is dynamic as long as the user inputs an effective combination on the terminal.
3) Since the identity authentication system provided by the embodiment of the application limits wrong password attempts (e.g. 1-3) in consideration of the security level selected by the user, the identity authentication system cannot be cracked by dictionaries and brute force attacks.
4) The invention can provide higher security for bank payment systems such as Alipay and WeChat Pay by providing the indestructible authentication system.
5) The identity authentication system provided by the embodiment of the application uses a very secure policy to reset the password combination to prevent the user from forgetting it. For example, during the first registration, the user may add some email address/phone number to request a one-time valid reset code. The user must then verify the face/fingerprint to prove his/her presence, and the previous passcode is only valid for 1 minute.
6) Since the identity authentication system provided by the embodiment of the application does not need high computational complexity, the identity authentication system can be applied to any digital device without limitation. Furthermore, password reset policies for devices that are not equipped with cameras and fingerprint scanners are only email or phone number verification.
Drawings
The foregoing and/or other advantages of the invention will become further apparent from the following detailed description of the invention when taken in conjunction with the accompanying drawings.
Fig. 1 is a schematic diagram of an authentication system considering a network attack scenario in the prior art.
Fig. 2 is a schematic diagram of a network attack that may occur when a user inputs a password combination in the prior art.
Fig. 3 is a schematic structural diagram of an identity authentication system according to a first embodiment of the present application.
Fig. 4 is a second schematic structural diagram of an identity authentication system according to the first embodiment of the present application.
Fig. 5 is a third schematic structural diagram of an identity authentication system according to a first embodiment of the present application.
Fig. 6 is a fourth schematic structural diagram of an identity authentication system according to a first embodiment of the present application.
Fig. 7 is a schematic structural diagram of an identity authentication system according to a second embodiment of the present application.
Fig. 8 is a flowchart of a user registration phase in an identity authentication method according to a third embodiment of the present application.
Fig. 9 is a flowchart of a user verification stage in an identity authentication method according to a third embodiment of the present application.
Detailed Description
Embodiments of the present invention will be described below with reference to the accompanying drawings.
The user authentication mechanism is a primary concern for the security system to authenticate the password credentials of the access device. As shown in fig. 1, in the authentication scheme in the prior art,
1) text-based schemes operate based on answers or text that are difficult to forget. This is a knowledge-based combination that the user chooses to remember as a username/password or in response to a reset/recovery question. Unfortunately, current text-based schemes suffer from fixed text combinations, and are vulnerable to reuse, shoulder surfing, and camera recording attacks.
2) The graph-based approach works based on gestures, symbols, or fixed patterns that the end user has selected to remember as a pattern. Unfortunately, current graphics-based schemes suffer from a fixed pattern and are vulnerable to reuse, shoulder surfing, and camera recording attacks.
3) Biometric-based schemes identify biometric features, such as fingerprints and irises, that are uniquely possessed by the end user on the fingers, eyes, and face. However, current biometric-based schemes suffer from public access to user features, such as facial photographs on social media profiles and fingerprints around the living environment, which can be used by attackers to create counterfeits with authentic features and to break the security of the system.
4) Web-based solutions work based on code generated online. This code is a verification code that the end user has requested to verify his credentials through the online service. These schemes require the system to exchange some encrypted messages to a central server, which may expose the exchanged data packets containing the cryptographic credentials to some network attacks, such as replay attacks and man-in-the-middle (MitM) attacks.
5) The hardware-based solution works based on an additional secret key (e.g. a smart card or a USB token) that has to be connected to the system. In fact, these schemes work based on U2F (a two-factor authentication scheme), which considers a combination of textual/graphical soft credentials and an additional hardware key. These methods are called the most secure authentication systems. For example, since November 2017, the strategy has been used by Google's software engineers to protect their sensitive items. These schemes provide higher security performance than other schemes. Nevertheless, they incur additional costs, such as the difficulty of carrying the hardware key, the possibility of theft, and any other damage that may affect the performance of the system authentication process.
The "password" (also known as "passcode" in Apple products) is sensitive data, in particular a string of letters, numbers, symbols, etc. If the allowed characters are numbers, the corresponding combination is sometimes referred to as a Personal Identification Number (PIN). As one of the most common authentication systems, it is commonly used to confirm the identity of a user through a smart device. In the terminology of the NIST Digital Identity Guidelines, the secret combination is held by a party called the claimant, and the party verifying the identity of the claimant is called the verifier. The claimant actively demonstrates knowledge of the password combination to the verifier in an established authentication system, from which the verifier infers the claimant's identity. The password need not be a meaningful word; on the contrary, non-words (in a dictionary sense) may be harder to guess, which is an attribute of complex passwords, including all forms of uppercase and/or lowercase letters, numbers, punctuation, and the like. In some cases, a memorized combination consisting of a series of words or other text separated by spaces is referred to as a passphrase. A passphrase is similar in use to a password, but is typically longer to improve security. For security reasons, passwords should be remembered and must not be shared with anyone. Due to the large demand for online/offline password-protected services in daily life, normal users have to access different personal data, such as bank accounts, computers and smartphones, and therefore have to deal with many difficult combinations, which makes it impractical to remember a unique password for each service.
Because of the difficulty in remembering several unique combinations of passwords, network security experts have proposed other types of schemes, such as biometric-based, graphics-based, web-based, and hardware-based schemes, all of which have different limitations and vulnerabilities as described in the above section. As shown in fig. 2, a text-based authentication system is the most common solution in all smart devices in the digital world today. Various types of network attacks against authentication schemes are discussed below in conjunction with a real-world scenario.
1) External network attack: such attacks involve an attacker collecting information around the user when the user enters a password on a device in a public place (university, airport, subway, etc.) in order to break the password combination of the authentication system. For example, suppose Alice and Bob are queuing to pay a grocery bill at a cashier, and there happens to be a monitoring camera on site. In this case, Bob intends to rob Alice's smartphone and breach the security of her authentication system, stealing funds from her bank account. Bob records Alice unlocking the smartphone and paying the bill with the payment application. If Alice uses different text password combinations on the smartphone and the payment application, Bob will capture both combinations; he can then rob Alice's mobile phone to carry out the remaining illegal steps. In addition, the same scenario with a smart door can give a neighbor the opportunity to open the password-protected smart door through similar social engineering actions. These examples demonstrate that current text-based schemes are still vulnerable, no matter how long the password combination is, and can be easily broken by camera recording and shoulder surfing attacks.
2) Counterfeit biometric object generation: in such an attack, an adversary collects the biometrics of a particular user by luring that user into a trap. For example, an attacker may give a victim a glass of water and then use the fingerprint features on the glass to create a fake finger object with the original features. He can then apply this artificial object to a fingerprint-based biometric authentication system to crack it. For other features such as voice and facial photos, an attacker may also record a video of the user entering the authentication system, or download facial images from personal data on social media. He may then use these features to hack the system. These examples demonstrate that current biometric-based solutions are still vulnerable to camera recording and shoulder surfing attacks, regardless of the type of biometric.
3) Network-based cyberspace attacks: when the authentication system on the device verifies the user's password credentials using the online network, it must send some encrypted data packets to the centralized server for further verification analysis, especially in internet of things based systems (e.g., smart buildings, payment systems, and smart cities). In this case, the hacker may perform network-based cyberspace attacks, such as replay and man-in-the-middle attacks, capturing the user's password combination through phishing traps.
4) Guessing attack: since the user must remember the characters of the password combination, the attacker performs a guessing attack by evaluating, through dictionary or brute force attempts, the various combinations that may match the original password. Most modern authentication schemes limit the number of password inputs (up to three attempts) in new devices and systems. Nonetheless, older internet of things devices, such as wireless routers, often operate based on unlimited password attempts and are vulnerable to distributed denial of service (DDoS) attacks (e.g., dictionary-based malware Mirai).
The embodiment of the application provides an identity authentication system and method, the system cannot be damaged by any one or more of external network attack, fake biometric object generation, network-based cyber space attack, guess attack and the like, and the system is easy to use and remember by users. The users mentioned in all embodiments of the present application include real natural persons and smart devices that need to perform identity authentication, for example, smart devices in the internet of things (e.g., smart robots, smart cars, and smart doors authenticated by a central controller in smart buildings) and any kind of authentication that can be understood and implemented by those skilled in the art, more specifically, in the internet of vehicles, the smart cars need to perform identity authentication before entering a target area, and can enter the target area smoothly after passing the authentication.
A first embodiment of the present application provides an identity authentication system, as shown in fig. 3, including: a storage module, an input module and a verification module, and also comprises an algorithm rule module and a rule analysis module,
the storage module is used for storing a first password set by a user; the first password is a password which can be identified by a terminal set by a user, and the terminal is used for authenticating the identity of the user and comprises but is not limited to intelligent equipment such as a computer, a mobile phone, wearable equipment, a camera, an intelligent door lock, a printer, a safe box and intelligent household equipment. For example, the first password may be a combination of one or more of numbers, letters or symbols, and may also be a representation form that can be recognized by other terminals, such as characters, words, expressions, and the like; the length of the first password is not limited in this embodiment, and may be set by the user, for example, for convenience of memory, the user may set a password of one or more combinations of 3 digits, letters, or symbols. The user can also set multiple security levels for setting first passwords with different complexities, which are applied to different scenes, for example, each element (value corresponding to different bits in the password) in the first password is set to be different and not sequentially arranged; as another example, the elements in the first password may be arranged in the same or in a sequential manner. The storage form of the first password in the storage module uses the prior art, and this embodiment is not limited herein.
The input module is used for receiving a second password sent by a user;
the algorithm rule module comprises an algorithm rule for mutual conversion of a first password and a second password; the second password is obtained by the user through dynamic calculation from the first password, which the user has memorized or stored, and the algorithm rule. The algorithm rule is a rule that the terminal can recognize and that can be used for conversion between passwords, that is, an intermediate bridge for converting a single element or a plurality of elements in a password from one expression form to another; it can be preset by the system or set by the user. The algorithm rule module can ensure that the algorithm rule is reasonably set so that the first password can be converted and a proper second password can be obtained. The algorithm rule module can also ensure that the algorithm rule is valid for one use only in the identity authentication process, and ensure that the second password input in each identity authentication is different from the historical input, so that the second password cannot be cracked by video recording or shoulder surfing attack. If, during an authentication, the user only sees the prompt corresponding to the algorithm rule and the input module does not receive a second password because the operation is not carried out (the algorithm rule is not effectively used), the algorithm rule of the algorithm rule module can remain the same as the previous one the next time the user performs the authentication.
For example, the algorithm rule may be a mathematical operation on a numerical element, an alphabetic operation such as shifting or case conversion on an alphabetic element, or a convention for converting an element into other symbols or other expressions. Specifically, if an element in the first password set by the user is a number, the algorithm rule may be that the element undergoes a corresponding mathematical operation, that is, addition, subtraction, multiplication, division, and the like, and it is ensured that each element in the first password can undergo a valid mathematical operation, for example, that division by 0 does not occur. An algorithm rule may also be a convention for converting the element into another symbol or other representation: for example, if there is a 1 in the first password and the algorithm rule is an exclamation mark (!), then 1 is converted into the letter q according to the convention; if there is a 2 in the first password and the algorithm rule is the symbol @, then 2 is converted into the letter w according to the convention. If an element in the first password set by the user is a letter, the algorithm rule may be that the element undergoes corresponding letter operations such as shifting or case conversion. If an element in the first password set by the user is a symbol, the algorithm rule may be a convention for converting the element into other symbols or other expression forms: for example, if there is a question mark in the first password and the algorithm rule is 1, the question mark is converted into a percent sign according to the convention; if the algorithm rule is the symbol @, the question mark is converted into an exclamation mark according to the convention, and the like.
In a specific implementation, at least two operations can be set, and at least one operation is randomly selected from the at least two operations to form an algorithm rule; the operation is that the terminal can recognize and can be used for element interconversion between passwords.
The rule analysis module is used for analyzing the second password according to the algorithm rule to obtain a third password. First, the corresponding inverse rule is obtained from the algorithm rule. For example, if the algorithm rule is a mathematical operation on a numerical element, such as +1, the derived inverse rule is the mathematical operation -1; if the algorithm rule is a shift of a letter element, for example +1 meaning that the letter element is moved backwards by one position in the order of the alphabet a to z, the derived inverse rule is to move forwards by one position in the order of the alphabet a to z; if the algorithm rule is a convention for converting an element into another symbol or another expression form, for example, if the element appearing in the second password is an exclamation mark and the algorithm rule is the symbol @, the exclamation mark is resolved into a question mark during the analysis, and the like. Then, according to the obtained inverse rule, the second password is converted into a third password; the form of the third password uses the prior art, which is not limited herein.
The verification module is used for verifying the third password and the first password stored in the storage module to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed. The verification method uses the prior art, and the embodiment is not limited herein.
The algorithm rule can remind the user in an explicit mode or an implicit mode, and when the algorithm rule is in the implicit mode, the user needs to remember the presetting of the algorithm rule module or the setting of the user. In order to reduce the memory of the user, the algorithm rule may explicitly prompt the user to convert the remembered first password, in this embodiment, as shown in fig. 4, the algorithm rule module includes a rule prompting unit, and the rule prompting unit is configured to prompt the user of the algorithm rule.
When the rule prompting unit prompts the user with the algorithm rule, it can do so through a plaintext prompt or a ciphertext prompt. The plaintext prompt states the algorithm rule directly, and the user converts the memorized or stored first password according to the algorithm rule to obtain a second password. The ciphertext prompt indicates the algorithm rule indirectly, so that the security of the identity authentication system is enhanced and an attacker cannot acquire the first password even through reuse, shoulder surfing or camera recording attacks. In this embodiment, as shown in fig. 5, the rule prompting unit includes a ciphertext prompting subunit, and the ciphertext prompting subunit includes a prompt for indirectly prompting the user about the algorithm rule. The prompt is an expression form that can be recognized by the terminal, and may be preset by the system or set by the user; specifically, the expression form may be a symbol, an expression, a word, or the like. For example, a smiling-face prompt is used to express +1, a crying-face prompt is used to express -1, and the like. After the ciphertext prompting subunit outputs the prompt that indirectly indicates the algorithm rule, the user converts the prompt into the corresponding algorithm rule according to the system preset or his own setting, and applies it to the memorized or stored first password to obtain the second password.
In a first exemplary embodiment:
The user is a real natural person. Assuming that the first password set by the user is the number combination 213, the storage module stores the first password encrypted with an encryption algorithm.
The algorithm rule set by the algorithm rule module is the mathematical operation +1+1-1. To improve the security of the system and reduce what the user has to memorize, the user presets a ciphertext prompt item for each operation: the prompt item for +1 is a smiling-face emoticon and the prompt item for -1 is a crying-face emoticon. The prompt held by the ciphertext prompting subunit is therefore "smiling face, crying face". The ciphertext prompting subunit further includes a wake-up key; the user triggers the wake-up key to see the prompt for the algorithm rule, and combines the memorized first password 213 with that prompt to dynamically calculate the second password 322. The wake-up key can be a key on the terminal device or a key on the keyboard. On a smartphone, the user can also define a number of hand waves in front of the light sensor that displays the prompt, for example waving a hand twice.
The input module receives the second password 322 sent (entered) by the user.
The rule analysis module obtains the corresponding inverse rule -1-1+1 from the algorithm rule, converts the second password 322 into the third password 213 according to the inverse rule, and encrypts the third password 213 using the same encryption algorithm as the storage module.
The verification module compares the encrypted third password with the encrypted first password stored in the storage module; if they are the same, the user passes verification and can perform subsequent operations.
In a second exemplary embodiment:
The user is a smart device (a smart car) that requires identity verification. The smart car needs to enter a target area, such as an important smart warehouse, which is equipped with the identity authentication system. Assuming that the first password set by the smart car is the number combination 213, the storage module may store the smart car's first password according to its license plate number, encrypted with an encryption algorithm.
The algorithm rule set by the algorithm rule module is the mathematical operation +1+1-1. The algorithm rule module presets a ciphertext prompt item for each operation: the prompt item for +1 is a smiling-face emoticon and the prompt item for -1 is a crying-face emoticon, so the prompt held by the ciphertext prompting subunit is "smiling face, crying face". The smart car receives the prompt for the algorithm rule and combines its stored first password 213 with that prompt to dynamically calculate the second password 322.
The input module receives a second password 322 sent by the smart car.
The rule analysis module obtains the corresponding inverse rule -1-1+1 from the algorithm rule, converts the second password 322 into the third password 213 according to the inverse rule, and encrypts the third password 213 using the same encryption algorithm as the storage module.
The verification module compares the encrypted third password with the encrypted first password stored in the storage module; if they are the same, the smart car passes verification and enters the important smart warehouse.
In this embodiment, as shown in Fig. 6, the rule prompting unit further includes a ciphertext-to-plaintext subunit, which is configured to convert the ciphertext prompt of the algorithm rule into a plaintext prompt. When the user does not remember the algorithm rule that the ciphertext prompt represents, the ciphertext-to-plaintext subunit converts the ciphertext prompt into a plaintext prompt, so that the user can convert the memorized or stored first password according to the plaintext prompt to obtain the second password.
In the third exemplary embodiment, the ciphertext-to-plaintext subunit further includes a ciphertext-to-plaintext prompt key. If the user does not remember which operations correspond to the prompt output by the ciphertext prompting subunit, the user can trigger the ciphertext-to-plaintext prompt key (for example, by clicking the prompt output by the ciphertext prompting subunit three times, pressing a volume button, or pressing a preset series of keys). The ciphertext-to-plaintext subunit then converts the ciphertext prompt "smiling face, crying face" into the plaintext prompt +1+1-1, and the user applies the plaintext prompt to the memorized first password 213 to dynamically calculate the second password 322. The subsequent steps are the same as in the first exemplary embodiment.
The identity authentication system in this embodiment further includes a password resetting module, where the password resetting module is configured to reset the first password when the user forgets the first password.
Further, the password resetting module comprises an email restoring unit, which is used for setting an email address list, such as a main email address and a standby email address. When the user forgets the first password and the terminal can connect to a network, the first password is reset through the email address. For example, a one-time verification code is sent to an email address in the email address list, and the first password is reset using that code. The verification code may be set to be valid for only one minute. When necessary, a live face or fingerprint must be verified at the same time.
Further, the password resetting module comprises a local restoring unit, which is used for setting a long password combination (at least 8 symbols) or a security question and its answer. When the user forgets the first password and the terminal cannot connect to a network, the password is reset by verifying the long password combination or the answer to the security question. When necessary, a live face or fingerprint must be verified at the same time.
The identity authentication system in this embodiment further includes a keyboard module, where the keyboard module is configured to set a keyboard on the terminal device.
Further, the keyboard module includes a keyboard customization unit for customizing the positions of numbers, letters or symbols on the keyboard, for example, the positions of the keys 1 to 9 may be defined on a 3 × 3 keyboard, etc.
Further, the keyboard module comprises a ciphertext keyboard unit for hiding the numbers, letters or symbols on the keyboard, so that the keyboard displays only transparent dot positions, for example only 3 × 3 circular transparent dots in place of the number keys.
In the fourth exemplary embodiment, the user defines the positions of the keys 1 to 9 on the 3 × 3 keyboard and hides the numbers on the numeric keyboard, after the user calculates the second password 322, the keyboard module only displays the positions of the 3 × 3 circular transparent points, the user inputs the second password 322 according to the position settings of the keys 1 to 9, the input module receives the second password 322 output by the user, and the subsequent steps are the same as those in the first exemplary embodiment.
The identity authentication system in this embodiment further includes an error attempt module. After the number of verification failures exceeds a first attempt threshold, the error attempt module asks a security question based on past activity (for example, if the user has recently read a patent on the device, the question may be "What did you last read on this device? [patent, novel, picture, movie]"). The security question serves as auxiliary verification: when the auxiliary verification succeeds, the user is allowed to re-enter the second password, which the identity authentication system parses and verifies. When the number of verification failures exceeds a second attempt threshold, the error attempt module blocks the user's access and requests the password resetting module to reset the first password. The first attempt threshold is preferably less than or equal to 3, to reduce the likelihood of a successful dictionary or brute-force guessing attack.
In the fifth exemplary embodiment, the first attempt threshold is set to 3 and the second attempt threshold is set to 1. When the user makes 3 failed attempts, the error attempt module asks a security question based on past activity: "What did you last read on this device?" If the user answers correctly, the auxiliary verification succeeds and the user enters the second password again, which the identity authentication system parses and verifies. If the second password fails verification, the error attempt module blocks the user's access and requests the password resetting module to reset the first password.
In this embodiment, the verification module further includes a biometric verification unit, which is configured to perform identity verification using biometric features such as fingerprint recognition and face recognition. If the user (a real natural person) wants higher security, real-time deep-learning-based face recognition or fingerprint analysis can be activated as part of a multi-factor authentication strategy: the third password is first verified against the first password stored in the storage module, and biometric verification is performed after that verification passes. Fingerprint recognition can use an efficient open-source biometric analysis library such as RxFingerprint; face recognition can be implemented using code already available in OpenCV.
The identity authentication system described in this embodiment can optionally be used in a secure-mode environment: the user may set a fast identity authentication mode for use in a safe environment (for example, when no one is nearby). In this mode, the algorithm rule in the algorithm rule module does not convert between the first password and the second password, so the third password obtained by the rule analysis module is the same as the second password. For example, four security levels are set. Secure mode refers to the mode defined by security level C or D, in which the user must authenticate with two factors, typically a simple password plus one biometric authentication. Security levels C and D differ in how the first password may be set: at security level C the first password cannot be sequential (e.g., 234) or repeated multiple times (e.g., 333), whereas security level D may have lower security and the first password may be set to 234, 333, and so on. Security levels A and B are higher security levels; at these levels the algorithm rule module includes algorithm rules that convert between the first password and the second password, and one or more biometric authentication modes can optionally be added.
When identity authentication is performed against a centralized server in this embodiment, the storage module, the input module, the algorithm rule module, the rule analysis module and the verification module reside on the server side. The first password set by the user, the ciphertext prompt item for each element of the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password resetting module, the long password combination or the security question and answer, the keyboard settings of the keyboard module on the terminal device, and so on are encrypted using a timestamp and sent to the server. During identity authentication, the terminal sends the server an encrypted timestamp data packet that contains the algorithm rule (plaintext or ciphertext) and the second password sent by the user. The server, in turn, must authenticate the user within a limited time (e.g., 2 minutes) of receiving the credentials. Because the identity authentication system displays a new algorithm rule on the next attempt, the second password calculated by the user will be different, so an attacker who intercepts the exchange, for example through a man-in-the-middle or replay attack, cannot use the captured credentials for the next attempt.
In this embodiment, the storage module includes a biometric key, which is a hardware fingerprint token; the first password set by the user is stored in the biometric key as a hash value generated using SHA-3. Using a hardware fingerprint token (biometric key) provides a high-security identity authentication system that can be applied to very sensitive terminals such as safes. The user must connect the biometric key in order to set the first password, the ciphertext prompt item for each element of the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password resetting module, the long password combination or the security question and answer, and the keyboard settings of the keyboard module on the terminal device. When the terminal is locked, the user must connect the biometric key before attempting the operations that pass security authentication.
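The two-threshold flow of the fifth exemplary embodiment, as an added example that is not code from the patent. The class and function names are hypothetical, the password check is a constructed stand-in, the security question is asked at the third failure as in the embodiment, and blocking on a wrong answer is an assumption because the description does not cover that case.

```python
import hmac
from enum import Enum


class State(Enum):
    PASSWORD = "enter second password"
    CHALLENGE = "answer security question"
    GRANTED = "access granted"
    LOCKED = "blocked, reset first password"


class ErrorAttemptGate:
    """Hypothetical error attempt module (first threshold 3, second threshold 1)."""

    def __init__(self, check_password, expected_answer,
                 first_threshold=3, second_threshold=1):
        self._check_password = check_password   # callable: second password -> bool
        self._expected = expected_answer.casefold().encode()
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.failures = 0          # failures before the security question
        self.late_failures = 0     # failures after auxiliary verification
        self.challenged = False
        self.state = State.PASSWORD

    def submit_password(self, second_password):
        if self.state is not State.PASSWORD:
            return self.state      # ignore input while challenged, locked or granted
        if self._check_password(second_password):
            self.state = State.GRANTED
        elif not self.challenged:
            self.failures += 1
            if self.failures >= self.first_threshold:
                self.state = State.CHALLENGE
        else:
            self.late_failures += 1
            if self.late_failures >= self.second_threshold:
                self.state = State.LOCKED
        return self.state

    def submit_answer(self, answer):
        if self.state is not State.CHALLENGE:
            return self.state
        given = answer.strip().casefold().encode()
        if hmac.compare_digest(given, self._expected):
            self.challenged = True
            self.state = State.PASSWORD   # user may re-enter the second password
        else:
            # Assumption: a wrong answer blocks access and requires a reset.
            self.state = State.LOCKED
        return self.state


def run(attempts, answer):
    """Feed password attempts, answering the question when it is asked."""
    # Constructed stand-in: "322" is the correct second password for this session.
    gate = ErrorAttemptGate(lambda p: p == "322", "patent")
    for attempt in attempts:
        if gate.submit_password(attempt) is State.CHALLENGE:
            gate.submit_answer(answer)
    return gate.state


if __name__ == "__main__":
    print(run(["111", "222", "333", "444"], "patent"))
```
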
A second embodiment of the present application further provides an identity authentication system, as shown in fig. 7, including: a storage module, an input module and a verification module, and also comprises an algorithm rule module and a rule calculation module,
the storage module is used for storing a first password set by a user; the first password is the same as the first password in the first embodiment, and is not described again here.
The input module is used for receiving a second password sent by a user;
the algorithm rule module comprises an algorithm rule for mutual conversion of a first password and a second password; the second password is obtained by the user through dynamic calculation according to the first password memorized or stored by the user and the algorithm rule. The algorithm rule is the same as the description of the algorithm rule in the first embodiment, and is not described herein again.
The rule calculation module is used for calculating the first password stored by the storage module according to the algorithm rule to obtain a fourth password;
the verification module is used for verifying the second password and the fourth password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
In this embodiment, the algorithm rule module includes a rule prompting unit, and the rule prompting unit is configured to prompt the user about the algorithm rule.
In this embodiment, the rule prompting unit includes a ciphertext prompting subunit, and the ciphertext prompting subunit includes a prompt for indirectly prompting the user about the algorithm rule. Other descriptions of the prompt are the same as those in the first embodiment, and are not described herein again.
In a sixth exemplary embodiment:
assuming that the first password set by the user is the combination of numbers 213, the storage module stores the first password encrypted using the encryption algorithm.
The algorithm rule set by the algorithm rule module is the mathematical operation +1+1-1. To improve the security of the system and reduce what the user has to memorize, the user presets a ciphertext prompt item for each operation: the prompt item for +1 is a smiling-face emoticon and the prompt item for -1 is a crying-face emoticon. The prompt held by the ciphertext prompting subunit is therefore "smiling face, crying face". The ciphertext prompting subunit further includes a wake-up key; the user triggers the wake-up key to see the prompt for the algorithm rule, and combines the memorized first password 213 with that prompt to dynamically calculate the second password 322. The wake-up key can be a key on the terminal device or a key on the keyboard. On a smartphone, the user can also define a number of hand waves in front of the light sensor that displays the prompt, for example waving a hand twice.
The input module receives the second password 322 input by the user.
The rule calculation module decrypts the first password stored in the storage module and applies the algorithm rule +1+1-1 to the decrypted first password to obtain the fourth password 322.
The verification module compares the second password with the fourth password; if they are the same, the user passes verification and can perform subsequent operations.
In this embodiment, the rule prompting unit further includes a ciphertext-to-plaintext subunit, which is configured to convert the ciphertext prompt of the algorithm rule into a plaintext prompt. Other descriptions of the ciphertext-to-plaintext subunit are the same as those in the first embodiment and are not repeated here.
The identity authentication system in this embodiment further includes a password resetting module, where the password resetting module is configured to reset the first password when the user forgets the first password.
Further, the password resetting module comprises an email restoring unit, which is used for setting an email address list, such as a main email address and a standby email address. When the user forgets the first password and the terminal can connect to a network, the first password is reset through the email address. For example, a one-time verification code is sent to an email address in the email address list, and the first password is reset using that code. The verification code may be set to be valid for only one minute. When necessary, a live face or fingerprint must be verified at the same time.
Further, the password resetting module comprises a local restoring unit, which is used for setting a long password combination (at least 8 symbols) or a security question and its answer. When the user forgets the first password and the terminal cannot connect to a network, the password is reset by verifying the long password combination or the answer to the security question. When necessary, a live face or fingerprint must be verified at the same time.
The identity authentication system in this embodiment further includes a keyboard module, where the keyboard module is configured to set a keyboard on the terminal device.
Further, the keyboard module includes a keyboard customization unit for customizing the positions of numbers, letters or symbols on the keyboard, for example, the positions of the keys 1 to 9 may be defined on a 3 × 3 keyboard, etc.
Further, the keyboard module comprises a ciphertext keyboard unit for hiding the numbers, letters or symbols on the keyboard, so that the keyboard displays only transparent dot positions, for example only 3 × 3 circular transparent dots in place of the number keys.
The identity authentication system in this embodiment further includes an error attempt module. After the number of verification failures exceeds a first attempt threshold, the error attempt module asks a security question based on past activity (for example, if the user has recently read a patent on the device, the question may be "What did you last read on this device? [patent, novel, picture, movie]"). The security question serves as auxiliary verification: when the auxiliary verification succeeds, the user is allowed to re-enter the second password, which the identity authentication system parses and verifies. When the number of verification failures exceeds a second attempt threshold, the error attempt module blocks the user's access and requests the password resetting module to reset the first password. The first attempt threshold is preferably less than or equal to 3, to reduce the likelihood of a successful dictionary or brute-force guessing attack.
In this embodiment, the verification module further includes a biometric verification unit, which is configured to perform identity verification using biometric features such as fingerprint recognition and face recognition. If the user (a real natural person) wants higher security, real-time deep-learning-based face recognition or fingerprint analysis can be activated as part of a multi-factor authentication strategy: the third password is first verified against the first password stored in the storage module, and biometric verification is performed after that verification passes.
The identity authentication system described in this embodiment can optionally be used in a secure-mode environment: the user may set a fast identity authentication mode for use in a safe environment (for example, when no one is nearby). In this mode, the algorithm rule in the algorithm rule module does not convert between the first password and the second password, so the third password obtained by the rule analysis module is the same as the second password. The example is the same as in the first embodiment and is omitted here for brevity.
When identity authentication is performed against a centralized server in this embodiment, the storage module, the input module, the algorithm rule module, the rule analysis module and the verification module reside on the server side. The first password set by the user, the ciphertext prompt item for each element of the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password resetting module, the long password combination or the security question and answer, the keyboard settings of the keyboard module on the terminal device, and so on are encrypted using a timestamp and sent to the server. During identity authentication, the terminal sends the server an encrypted timestamp data packet that contains the algorithm rule (plaintext or ciphertext) and the second password sent by the user. The server, in turn, must authenticate the user within a limited time (e.g., 2 minutes) of receiving the credentials.
In this embodiment, the storage module includes a biometric key, which is a hardware fingerprint token; the first password set by the user is stored in the biometric key as a hash value generated using SHA-3. Using a hardware fingerprint token (biometric key) provides a high-security identity authentication system that can be applied to very sensitive terminals such as safes. The user must connect the biometric key in order to set the first password, the ciphertext prompt item for each element of the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password resetting module, the long password combination or the security question and answer, and the keyboard settings of the keyboard module on the terminal device. When the terminal is locked, the user must connect the biometric key before attempting the operations that pass security authentication.
A third embodiment of the present application provides an identity authentication method, including:
step S100, storing a first password set by a user; the first password is a password which can be identified by a terminal set by a user, and the terminal is used for authenticating the identity of the user and comprises but is not limited to intelligent equipment such as a computer, a mobile phone, wearable equipment, a camera, an intelligent door lock, a printer, a safe box and intelligent household equipment. For example, the first password may be a combination of one or more of numbers, letters or symbols, and may also be a representation form that can be recognized by other terminals, such as characters, words, expressions, and the like; the length of the first password is not limited in this embodiment, and may be set by the user, for example, for convenience of memory, the user may set a password of one or more combinations of 3 digits, letters, or symbols. The user may also set multiple security levels for setting first passwords with different complexities, which are applied to different scenarios, for example, each element (value corresponding to different bits in the password) in the first password is set to be different and not sequentially arranged; as another example, the elements in the first password may be arranged to be the same or in a sequential order. The storage form of the first password in the storage module uses the prior art, and this embodiment is not limited herein.
Step S200, obtaining an algorithm rule for interconversion of the first password and the second password; the second password is obtained by the user through dynamic calculation from the first password memorized or stored by the user and the algorithm rule. The algorithm rule is a rule that the terminal can recognize and that can convert between passwords, that is, an intermediate bridge that converts one or more elements of a password from one expression form to another; it can be preset by the system or set by the user. The algorithm rule module ensures that the algorithm rule is reasonably set, so that the first password can be converted and a proper second password obtained. The algorithm rule module can also ensure that an algorithm rule is valid for a single use in the identity authentication process, so that the second password entered in each identity authentication differs from earlier inputs and cannot be cracked through video recording or shoulder surfing. If, during an authentication, the user only views the prompt for the algorithm rule and the input module does not receive a second password (the algorithm rule was not actually used), the algorithm rule of the algorithm rule module may remain the same as last time when the user next authenticates.
For example, the algorithm rule may be a mathematical operation on a numeric element, a letter operation such as shifting or case conversion on an alphabetic element, or a convention for converting an element into another symbol or another expression form. Specifically, if an element of the first password set by the user is a number, the algorithm rule may be a mathematical operation on that element, such as addition, subtraction, multiplication or division, provided that every element of the first password can undergo a valid operation (for example, division by 0 must not occur). The algorithm rule may also be a convention for converting the element into another symbol or expression form: for example, if the first password contains a 1 and the algorithm rule is an exclamation mark (!), the 1 is converted by convention into the letter q; if the first password contains a 2 and the algorithm rule is the symbol @, the 2 is converted by convention into the letter w. If an element of the first password set by the user is a letter, the algorithm rule may be a letter operation on that element, such as shifting or case conversion. If an element of the first password set by the user is a symbol, the algorithm rule may be a convention for converting the element into another symbol or expression form: for example, if the first password contains a question mark and the algorithm rule is 1, the question mark is converted by convention into a percent sign; if the algorithm rule is the symbol @, the question mark is converted by convention into an exclamation mark, and so on.
In a specific implementation, at least two operations can be set, and at least one operation is randomly selected from them to form the algorithm rule; each operation is one that the terminal can recognize and that can convert elements between passwords.
Step S300, receiving a second password sent by a user;
Step S400, parsing the second password according to the algorithm rule to obtain a third password. First, the corresponding inverse rule is obtained from the algorithm rule. For example, if the algorithm rule is a mathematical operation on a numeric element, such as +1, the corresponding inverse rule is the mathematical operation -1. If the algorithm rule is a shift of alphabetic elements, for example +1 meaning that the letter is moved one position backward in the order of the alphabet a to z, the corresponding inverse rule is to move one position forward in the order of the alphabet a to z. If the algorithm rule is a convention for converting an element into another symbol or expression form, for example the element appearing in the second password is an exclamation mark and the algorithm rule is the symbol @, the exclamation mark is parsed back into a question mark, and so on. The second password is then converted into the third password according to the inverse rule; the form of the third password follows the prior art and is not limited here.
Step S500, verifying the third password and the first password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed. The verification method uses the prior art, and the embodiment is not limited herein.
In this embodiment, step S200 further includes:
Step S210, after the algorithm rule for interconversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
In this embodiment, step S210 includes:
Step S211, setting a ciphertext prompt item for each operation, where the ciphertext prompt item is an expression form that the terminal can recognize; specifically, the expression form may be a symbol, an emoticon, a word, or the like. For example, +1 may be represented by a smiling face and -1 by a crying face.
Step S212, obtaining the ciphertext prompt of the algorithm rule from the algorithm rule and the ciphertext prompt item of each operation. After the user sees or receives the ciphertext prompt, the user converts it into the corresponding algorithm rule and applies that rule to the memorized or stored first password to obtain the second password.
In a seventh exemplary embodiment:
Step S100, storing a first password set by the user, where the first password is the combination 213 and is stored using an encryption algorithm.
Step S200, obtaining the algorithm rule, which is the mathematical operation +1+1-1.
Step S210, after the algorithm rule for the mutual conversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
Step S211, in order to improve the security of the system and reduce what the user has to memorize, the user presets a corresponding ciphertext prompt item for each operation: the ciphertext prompt item corresponding to +1 is a smiling-face emoticon, and the ciphertext prompt item corresponding to -1 is a crying-face emoticon.
Step S212, according to the algorithm rule +1+1-1 and the ciphertext prompt item corresponding to each operation, the ciphertext prompt of the algorithm rule is 'smiling face, smiling face, crying face'.
Step S300, receiving the second password 322 sent by the user.
Before inputting the second password, the user triggers the wake-up key to see the ciphertext prompt 'smiling face, smiling face, crying face' corresponding to the algorithm rule. The first password memorized by the user is 213, and the second password, 322, is obtained by dynamic calculation from the ciphertext prompt corresponding to the algorithm rule. The wake-up key can be a key on the terminal device or a key on the keyboard; on a smartphone, the user can also define a number of hand-waving actions in front of the light sensor that displays the prompt, for example waving a hand twice.
Step S400, obtaining the corresponding inverse rule -1-1+1 according to the algorithm rule, converting the second password 322 into the third password 213 according to the inverse rule, and encrypting the third password 213 using the same encryption algorithm as in step S100.
Step S500, verifying the encrypted third password against the encrypted first password; the two are the same, so the verification passes and the user can perform subsequent operations.
In this embodiment, step S200 further includes:
Step S220, when the user does not remember the algorithm rule represented by the ciphertext prompt, converting the ciphertext prompt of the algorithm rule into a plaintext prompt.
Before step S220 is executed, the user may convert the ciphertext prompt of the algorithm rule into a plaintext prompt by triggering a ciphertext-to-plaintext prompt key. The ciphertext-to-plaintext prompt key may be clicking the ciphertext prompt three times, pressing a volume button, or pressing a preset series of keys.
In an eighth exemplary embodiment:
Step S100, storing a first password set by the user, where the first password is the combination 213 and is stored using an encryption algorithm.
Step S200, obtaining the algorithm rule, which is the mathematical operation +1+1-1.
Step S210, after the algorithm rule for the mutual conversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
Step S211, the user presets a corresponding ciphertext prompt item for each operation: the ciphertext prompt item corresponding to +1 is a smiling-face emoticon, and the ciphertext prompt item corresponding to -1 is a crying-face emoticon.
Step S212, according to the algorithm rule +1+1-1 and the ciphertext prompt item corresponding to each operation, the ciphertext prompt of the algorithm rule is 'smiling face, smiling face, crying face'.
Step S220, when the user does not remember the algorithm rule represented by the ciphertext prompt, the user can convert the ciphertext prompt of the algorithm rule into the plaintext prompt +1+1-1 by triggering the ciphertext-to-plaintext prompt key. The first password memorized by the user is 213, and the second password, 322, is obtained by dynamic calculation from the plaintext prompt corresponding to the algorithm rule.
Step S300, receiving the second password 322 input by the user.
Step S400, obtaining the corresponding inverse rule -1-1+1 according to the algorithm rule, converting the second password 322 into the third password 213 according to the inverse rule, and encrypting the third password 213 using the same encryption algorithm as in step S100.
Step S500, verifying the encrypted third password against the encrypted first password; the two are the same, so the verification passes and the user can perform subsequent operations.
In this embodiment, before step S300 or after step S500, the method further includes:
Step S600, resetting the first password, including:
Step S610, setting an email address list, such as a primary and a backup email address; when the user forgets the first password and the terminal can connect to the network, the first password is reset through the email address. For example, a one-time passcode is sent to an email address in the email address list, and the first password is reset using that passcode. The verification code may be set to be valid for only one minute. When necessary, a live face or fingerprint is verified at the same time.
In parallel with step S610, step S600 includes:
Step S620, setting a long password combination (at least 8 symbols) or setting a security question and a security question answer; when the user forgets the first password and the terminal cannot connect to the network, the password is reset by verifying the long password combination or the security question answer. When necessary, a live face or fingerprint is verified at the same time.
In this embodiment, before step S300, the method further includes:
Step S700, setting a keyboard on the terminal device, including:
Step S710, customizing the positions of the numbers, letters or symbols on the keyboard; for example, the positions of the keys 1 to 9 may be defined on a 3 × 3 keyboard.
Step S720, hiding the numbers, letters or symbols on the keyboard and displaying only the positions of transparent points on the keyboard, for example displaying only 3 × 3 circular transparent points in place of the number keys.
In a ninth exemplary embodiment:
Step S100, storing a first password set by the user, where the first password is the combination 213 and is stored using an encryption algorithm.
Step S200, obtaining the algorithm rule, which is the mathematical operation +1+1-1.
Step S210, after the algorithm rule for the mutual conversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
Step S211, the user presets a corresponding ciphertext prompt item for each operation: the ciphertext prompt item corresponding to +1 is a smiling-face emoticon, and the ciphertext prompt item corresponding to -1 is a crying-face emoticon.
Step S212, according to the algorithm rule +1+1-1 and the ciphertext prompt item corresponding to each operation, the ciphertext prompt of the algorithm rule is 'smiling face, smiling face, crying face'.
Step S220, when the user does not remember the algorithm rule represented by the ciphertext prompt, the user can convert the ciphertext prompt of the algorithm rule into the plaintext prompt +1+1-1 by triggering the ciphertext-to-plaintext prompt key. The first password memorized by the user is 213, and the second password, 322, is obtained by dynamic calculation from the plaintext prompt corresponding to the algorithm rule.
Step S700, setting a keyboard on the terminal device, including:
Step S710, customizing the positions of the keys 1 to 9 on the 3 × 3 numeric keyboard.
Step S720, hiding the 3 × 3 numeric keyboard and displaying only the positions of the 3 × 3 circular transparent points. The user enters the second password 322 according to the positions of the numeric keys on the keyboard.
Step S300, receiving the second password 322 input by the user.
Step S400, obtaining the corresponding inverse rule -1-1+1 according to the algorithm rule, converting the second password 322 into the third password 213 according to the inverse rule, and encrypting the third password 213 using the same encryption algorithm as in step S100.
Step S500, verifying the encrypted third password against the encrypted first password; the two are the same, so the verification passes and the user can perform subsequent operations.
In this embodiment, after step S500, the method further includes:
Step S800, after the number of failed verifications exceeds a first attempt threshold, asking a security question based on past activities (for example, if the user recently read a patent on the device, the question may be "what did you read on the device last time?" [patent, novel, picture, movie]). The security question is used for auxiliary verification; when the auxiliary verification succeeds, the user is allowed to re-enter the second password, and the identity authentication system parses and verifies the second password. When the number of verification failures exceeds a second attempt threshold, the error attempt module blocks the user's access and requests that the first password be reset. The first attempt threshold is preferably less than or equal to 3 to reduce the likelihood of dictionary and brute-force guessing attacks.
In a tenth exemplary embodiment:
Step S100, storing a first password set by the user, where the first password is the combination 213 and is stored using an encryption algorithm.
Step S200, obtaining the algorithm rule, which is the mathematical operation +1+1-1.
Step S210, after the algorithm rule for the mutual conversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
Step S211, the user presets a corresponding ciphertext prompt item for each operation: the ciphertext prompt item corresponding to +1 is a smiling-face emoticon, and the ciphertext prompt item corresponding to -1 is a crying-face emoticon.
Step S212, according to the algorithm rule +1+1-1 and the ciphertext prompt item corresponding to each operation, the ciphertext prompt of the algorithm rule is 'smiling face, smiling face, crying face'.
Step S220, when the user does not remember the algorithm rule represented by the ciphertext prompt, the user can convert the ciphertext prompt of the algorithm rule into the plaintext prompt +1+1-1 by triggering the ciphertext-to-plaintext prompt key. The first password memorized by the user is 213, and the second password, 322, is obtained by dynamic calculation from the plaintext prompt corresponding to the algorithm rule.
Step S700, setting a keyboard on the terminal device, including:
Step S710, customizing the positions of the keys 1 to 9 on the 3 × 3 numeric keyboard.
Step S720, hiding the 3 × 3 numeric keyboard and displaying only the positions of the 3 × 3 circular transparent points. The user enters the second password 322 according to the positions of the numeric keys on the keyboard.
Step S300, receiving the second password 322 input by the user.
Step S400, obtaining the corresponding inverse rule -1-1+1 according to the algorithm rule, converting the second password 322 into the third password 213 according to the inverse rule, and encrypting the third password 213 using the same encryption algorithm as in step S100.
Step S500, verifying the encrypted third password against the encrypted first password; if the two are different, the verification fails.
Step S800, when the user has made 3 failed attempts, a security question based on past activities is asked: "What did you last read on this device?" If the user answers correctly, the auxiliary verification succeeds and the user inputs the second password again; the identity authentication system parses and verifies the second password, and if the verification fails, the user is blocked from access and is requested to reset the first password.
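The two-threshold flow of step S800 and the tenth exemplary embodiment, sketched as a small state machine. This is an added example, not code from the patent; the class and state names are hypothetical. Assumptions: the security question is asked when the failure count reaches the first threshold (as in the tenth embodiment), the second threshold defaults to 4, and a wrong answer to the security question locks the account.

```python
from enum import Enum


class State(Enum):
    AWAIT_PASSWORD = "await_password"
    AWAIT_AUX_ANSWER = "await_aux_answer"
    AUTHENTICATED = "authenticated"
    LOCKED_RESET_REQUIRED = "locked_reset_required"


class AttemptGuard:
    """Tracks failed verifications of the second password (hypothetical helper)."""

    def __init__(self, first_threshold=3, second_threshold=4):
        # The page recommends first_threshold <= 3; second_threshold is assumed.
        if not 0 < first_threshold < second_threshold:
            raise ValueError("need 0 < first_threshold < second_threshold")
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.failures = 0
        self.state = State.AWAIT_PASSWORD

    def password_result(self, passed):
        """Record the outcome of one S500 verification and return the new state."""
        if self.state is not State.AWAIT_PASSWORD:
            raise RuntimeError("password entry not allowed in state " + self.state.name)
        if passed:
            self.failures = 0
            self.state = State.AUTHENTICATED
            return self.state
        self.failures += 1
        if self.failures >= self.second_threshold:
            # Second threshold: block access and require a first-password reset.
            self.state = State.LOCKED_RESET_REQUIRED
        elif self.failures == self.first_threshold:
            # First threshold: auxiliary verification by security question.
            self.state = State.AWAIT_AUX_ANSWER
        return self.state

    def aux_result(self, correct):
        """Record the answer to the activity-based security question."""
        if self.state is not State.AWAIT_AUX_ANSWER:
            raise RuntimeError("no security question is pending")
        # Assumption: a wrong answer locks the account; the page does not say.
        self.state = State.AWAIT_PASSWORD if correct else State.LOCKED_RESET_REQUIRED
        return self.state

    def reset_first_password(self):
        """Step S600 completed: clear the counter and accept password entry again."""
        self.failures = 0
        self.state = State.AWAIT_PASSWORD
        return self.state


if __name__ == "__main__":
    guard = AttemptGuard()
    for outcome in (False, False, False):
        print(guard.password_result(outcome).name)
    print(guard.aux_result(True).name)
    print(guard.password_result(False).name)
```
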
In this embodiment, when the user is a real natural person, step S500 includes:
Step S510, verifying the third password against the first password, and performing biometric verification after that verification passes. The biometric verification includes fingerprint recognition, face recognition and the like.
The identity authentication method described in this embodiment can also be applied in a secure mode environment. This is optional: a user may set up a quick identity authentication method for use in a secure environment (for example, when no one else is around the user). In that authentication method, the algorithm rule in step S200 does not convert the first password and the second password into each other, and the third password obtained in step S400 is the same as the second password. For example, four security levels are set. The secure mode refers to the mode defined by security level C or D, in which a user must use two factors for authentication, typically a simple password plus a biometric verification. The difference between security level C and security level D lies in the first password setting: at security level C the first password cannot be ordered sequentially (e.g., 234) or repeated multiple times (e.g., 333), whereas security level D may have lower security, and its first password may be ordered sequentially (e.g., 234) or repeated multiple times (e.g., 333), etc. Security level A and security level B are higher security levels, at which the algorithm rule of step S200 converts the first password and the second password into each other, optionally with the addition of one or more biometric verification methods.
In this embodiment, when identity authentication is performed based on a centralized server, the first password set by the user, the ciphertext prompt item corresponding to each element in the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password reset module, the long password combination or the security question and answer, the keyboard settings made on the terminal device by the keyboard module, and the like are encrypted using a timestamp and sent to the server. During identity authentication, the terminal sends the server an encrypted, timestamped data packet that includes the algorithm rule (plaintext or ciphertext) and the second password sent by the user. The server must authenticate the user within a limited time (e.g., 2 minutes) of receiving the credentials, because the algorithm rule and the second password will be different in the next attempt. In the next attempt, the user calculates a different second password because a new algorithm rule is displayed, so an attacker who performs an interception attack such as man-in-the-middle or replay will not be able to use the captured credentials for the next attempt.
In this embodiment, in step S100, the first password set by the user is stored in the biometric key in the form of a hash value generated using SHA-3, where the biometric key is a hardware fingerprint token. Using a hardware fingerprint token (biometric key) provides a high-security identity authentication system that can be applied to very sensitive terminals such as a safe. The user must connect the biometric key in order to set the first password, the ciphertext prompt item corresponding to each element in the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password reset module, the long password combination or the security question and answer, the keyboard settings made on the terminal device by the keyboard module, etc. When the terminal is locked, the user must connect the biometric key and attempt the operation in order to pass the security authentication.
In a specific implementation, the identity authentication method described in this embodiment may be divided into a user registration stage and a user verification stage. As shown in fig. 8, the user registration stage includes:
setting security levels, for example security levels A, B, C and D; security levels A and B are used in higher-security modes, such as in public places, and the algorithm rules at these two levels convert the first password and the second password into each other; security levels C and D are used for the secure mode, for example in non-public places, and the algorithm rules at these two levels do not convert the first password and the second password into each other;
restricting the first password combination policy based on the different security levels, for example restricting the first password to a 3-digit combination, where the first passwords of security levels A and C cannot be ordered sequentially or repeated multiple times, and the first passwords of security levels B and D may be ordered sequentially or repeated multiple times;
setting a first password and checking the validity of the first password; if the password is invalid, it is set again, and if it is valid, the following steps are executed;
setting a wake-up key and a ciphertext-to-plaintext prompt key;
setting at least two operations and a corresponding ciphertext prompt item for each operation;
selecting the quick mode combination, i.e. the user decides whether to enter a secure mode in which the user can authenticate by simply entering a password plus a biometric verification (optional);
when the user selects the quick mode, setting whether the corresponding security level uses biometric verification and which biometric verification method is used;
setting the option for resetting the first password, i.e. reset by email or by answering a security question, and accordingly setting up a list of email addresses, or setting a long password combination (at least 8 symbols) or a security question and a security question answer;
setting the keyboard layout on the terminal and whether to display the keyboard.
The settings are stored using a security policy, meaning that they are stored in a secure manner (e.g., encrypted).
The above settings for each security level are stored on the device or on the server, depending on whether centralized server authentication is used.
The above settings may be modified after the initial setup.
As shown in fig. 9, the user verification stage includes:
arranging the keyboard keys according to the settings of the registration stage;
when the wake-up key is triggered, randomly selecting at least one operation from the at least two operations to form an algorithm rule, and obtaining the ciphertext prompt of the algorithm rule according to the ciphertext prompt item corresponding to each operation;
judging whether the user triggers the ciphertext-to-plaintext prompt key, and if so, converting the ciphertext prompt of the algorithm rule into a plaintext prompt;
the user inputs a second password;
parsing to obtain a third password based on the stored first password and the algorithm rule, and verifying whether the second password is consistent with the third password; if so, the verification passes, and if not, the following steps are executed;
when the number of verification failures does not exceed the first attempt threshold, the user continues to attempt; after the number of verification failures exceeds the first attempt threshold, the reset-first-password option set in the registration stage is parsed and a security question based on past activities is asked; after the auxiliary verification succeeds, the user is allowed to input the second password again, and the identity authentication system parses and verifies the second password. When the number of verification failures exceeds a second attempt threshold, the error attempt module blocks the user's access and requests that the first password be reset.
After the first password is reset, authentication is performed again.
If the user has selected a security level of the secure mode that requires biometric verification after the second password passes verification, real-time biometric verification is performed to confirm the liveness of the user.
The fourth embodiment of the present application further provides an identity authentication method, including:
Step P100, storing a first password set by a user; the first password is the same as the first password in the third embodiment, and is not described again here.
Step P200, obtaining an algorithm rule for the mutual conversion of the first password and the second password; the second password is obtained by the user through dynamic calculation from the first password memorized or stored by the user and the algorithm rule. The algorithm rule is the same as described in the third embodiment, and is not described again here.
Step P300, receiving a second password sent by the user;
Step P400, applying the algorithm rule to the first password to obtain a fourth password;
Step P500, verifying the second password against the fourth password to obtain a verification result; if the two are the same, the verification passes, and if they are different, the verification fails.
In this embodiment, step P200 further includes:
Step P210, after the algorithm rule for the mutual conversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
In this embodiment, step P210 includes:
Step P211, setting a corresponding ciphertext prompt item for each operation, where the ciphertext prompt item is a form of expression that the terminal can recognize; specifically, the form of expression may be a symbol, an emoticon, a word, or the like. For example, +1 may be represented by a smiling face and -1 by a crying face.
Step P212, obtaining the ciphertext prompt of the algorithm rule according to the algorithm rule and the ciphertext prompt item corresponding to each operation. The user converts the ciphertext prompt into the corresponding algorithm rule and applies that rule to the memorized or stored first password to obtain the second password.
In an eleventh exemplary embodiment:
Step P100, storing a first password set by the user, where the first password is the combination 213 and is stored using an encryption algorithm.
Step P200, obtaining the algorithm rule, which is the mathematical operation +1+1-1.
Step P210, after the algorithm rule for the mutual conversion of the first password and the second password is obtained, prompting the user with the algorithm rule.
Step P211, the user presets a corresponding ciphertext prompt item for each operation: the ciphertext prompt item corresponding to +1 is a smiling-face emoticon, and the ciphertext prompt item corresponding to -1 is a crying-face emoticon.
Step P212, according to the algorithm rule +1+1-1 and the ciphertext prompt item corresponding to each operation, the ciphertext prompt of the algorithm rule is 'smiling face, smiling face, crying face'.
Step P300, receiving the second password 322 sent by the user.
Before inputting the second password, the user triggers the wake-up key to see the ciphertext prompt 'smiling face, smiling face, crying face' corresponding to the algorithm rule. The first password memorized by the user is 213, and the second password, 322, is obtained by dynamic calculation from the ciphertext prompt corresponding to the algorithm rule. The wake-up key can be a key on the terminal device or a key on the keyboard; on a smartphone, the user can also define a number of hand-waving actions in front of the light sensor that displays the prompt, for example waving a hand twice.
Step P400, decrypting the encrypted and stored first password, and applying the algorithm rule +1+1-1 to the first password 213 to obtain the fourth password 322.
Step P500, verifying the second password 322 against the fourth password 322; the two are the same, so the verification passes and the user can perform subsequent operations.
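The seventh and eleventh exemplary embodiments (steps S100 to S500 and P100 to P500), worked through in Python with the page's values 213, +1+1-1 and 322. This is an added example, not code from the patent, and all function names are hypothetical. Assumptions: one operation per digit, digits wrap modulo 10, and a per-user salt is mixed into the SHA-3 digest.

```python
import hashlib
import hmac
import secrets

# Registered operations and their ciphertext prompt items (values from the page).
PROMPT_ITEMS = {+1: "smiling face", -1: "crying face"}


def new_rule(length):
    """S200/P200: pick one registered operation per position, fresh per attempt."""
    ops = list(PROMPT_ITEMS)
    return [secrets.choice(ops) for _ in range(length)]


def ciphertext_prompt(rule):
    """S212/P212: render the rule with the user's prompt items."""
    return ", ".join(PROMPT_ITEMS[op] for op in rule)


def inverse_rule(rule):
    """S400: the inverse of +1 is -1 and vice versa."""
    return [-op for op in rule]


def apply_rule(password, rule):
    """Apply one operation per digit. Wrapping modulo 10 is an assumption."""
    if len(password) != len(rule) or not (password.isascii() and password.isdigit()):
        raise ValueError("password must be ASCII digits, one per rule operation")
    return "".join(str((int(d) + op) % 10) for d, op in zip(password, rule))


def store_first_password(first_password, salt):
    """S100: keep only a SHA-3 digest. The salt is an assumption, not from the page."""
    return hashlib.sha3_256(salt + first_password.encode()).digest()


def verify_inverse(stored_digest, salt, rule, second_password):
    """S400/S500: invert the rule, hash the third password, compare digests."""
    try:
        third = apply_rule(second_password, inverse_rule(rule))
    except ValueError:
        return False
    candidate = hashlib.sha3_256(salt + third.encode()).digest()
    return hmac.compare_digest(candidate, stored_digest)


def verify_forward(first_password, rule, second_password):
    """P400/P500: apply the rule to the first password and compare.

    This path needs the recoverable first password (P400 decrypts it),
    so a digest-only store cannot serve it.
    """
    try:
        fourth = apply_rule(first_password, rule)
    except ValueError:
        return False
    return hmac.compare_digest(fourth.encode(), second_password.encode())


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    digest = store_first_password("213", salt)  # constructed sample value
    rule = [+1, +1, -1]
    print(ciphertext_prompt(rule))
    second = apply_rule("213", rule)  # what the user computes mentally
    print(second, verify_inverse(digest, salt, rule, second))
    print(verify_forward("213", rule, second))
```

Both checks accept the same second password; they differ in what the verifier has to store, a digest for the inverse path and a decryptable first password for the forward path.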
In this embodiment, step P200 further includes:
Step P220, when the user does not remember the algorithm rule represented by the ciphertext prompt, converting the ciphertext prompt of the algorithm rule into a plaintext prompt.
Before step P220 is performed, the user may convert the ciphertext prompt of the algorithm rule into a plaintext prompt by triggering a ciphertext-to-plaintext prompt key. The ciphertext-to-plaintext prompt key may be clicking the prompt output by the ciphertext prompt subunit three times, pressing a volume button, or pressing a preset series of keys.
In this embodiment, before step P300 or after step P500, the method further includes:
Step P600, resetting the first password, including:
Step P610, setting an email address list, such as a primary and a backup email address; when the user forgets the first password and the terminal can connect to the network, the first password is reset through the email address. For example, a one-time passcode is sent to an email address in the email address list, and the first password is reset using that passcode. The verification code may be set to be valid for only one minute. When necessary, a live face or fingerprint is verified at the same time.
In parallel with step P610, step P600 includes:
Step P620, setting a long password combination (at least 8 symbols) or setting a security question and a security question answer; when the user forgets the first password and the terminal cannot connect to the network, the password is reset by verifying the long password combination or the security question answer. When necessary, a live face or fingerprint is verified at the same time.
In this embodiment, before step P300, the method further includes:
Step P700, setting a keyboard on the terminal device, including:
Step P710, customizing the positions of the numbers, letters or symbols on the keyboard; for example, the positions of the keys 1 to 9 can be defined on a 3 × 3 keyboard.
Step P720, hiding the numbers, letters or symbols on the keyboard and displaying only the positions of transparent points on the keyboard, for example displaying only 3 × 3 circular transparent points in place of the number keys.
In this embodiment, after step P500, the method further includes:
Step P800, after the number of failed verifications exceeds a first attempt threshold, asking a security question based on past activities (for example, if the user recently read a patent on the device, the question may be "what did you read on the device last time?" [patent, novel, picture, movie]). The security question is used for auxiliary verification; when the auxiliary verification succeeds, the user is allowed to re-enter the second password, and the identity authentication system parses and verifies the second password. When the number of verification failures exceeds a second attempt threshold, the error attempt module blocks the user's access and requests that the first password be reset. The first attempt threshold is preferably less than or equal to 3 to reduce the likelihood of dictionary and brute-force guessing attacks.
In this embodiment, when the user is a real natural person, step P500 includes:
Step P510, verifying the third password against the first password, and performing biometric verification after that verification passes. The biometric verification includes fingerprint recognition, face recognition and the like.
The identity authentication method described in this embodiment can also be applied in a secure mode environment. This is optional: a user may set up a quick identity authentication method for use in a secure environment (for example, when no one else is around the user). In that authentication method, the algorithm rule in step P200 does not convert the first password and the second password into each other, and the third password and the second password in step P400 are the same. Examples are the same as those of the third embodiment, and are not described in detail here.
In this embodiment, when identity authentication is performed based on a centralized server, the first password set by the user, the ciphertext prompt item corresponding to each element in the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password reset module, the long password combination or the security question and answer, the keyboard settings made on the terminal device by the keyboard module, and the like are encrypted using a timestamp and sent to the server. During identity authentication, the terminal sends the server an encrypted, timestamped data packet that includes the algorithm rule (plaintext or ciphertext) and the second password sent by the user. The server must authenticate the user within a limited time (e.g., 2 minutes) of receiving the credentials, because the algorithm rule and the second password will be different in the next attempt. In the next attempt, the user calculates a different second password because a new algorithm rule is displayed, so an attacker who performs an interception attack such as man-in-the-middle or replay will not be able to use the captured credentials for the next attempt.
In this embodiment, in step P100, the first password set by the user is stored in the biometric key in the form of a hash value generated using SHA-3, where the biometric key is a hardware fingerprint token. Using a hardware fingerprint token (biometric key) provides a high-security identity authentication system that can be applied to very sensitive terminals such as a safe. The user must connect the biometric key in order to set the first password, the ciphertext prompt item corresponding to each element in the algorithm rule, the wake-up key, the ciphertext-to-plaintext prompt key, the email list of the password reset module, the long password combination or the security question and answer, the keyboard settings made on the terminal device by the keyboard module, etc. When the terminal is locked, the user must connect the biometric key and attempt the operation in order to pass the security authentication.
In a specific implementation, the identity authentication method described in this embodiment may be divided into a user registration stage and a user verification stage, which are similar to those in the third embodiment and are not described here again.
A fifth embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the method of the third or fourth embodiment.
A sixth embodiment of the present application provides a terminal device comprising a processor and a memory for storing instructions executable by the processor, wherein the processor is configured to execute the instructions to implement the method of the third or fourth embodiment.
The present invention provides an identity authentication system and method, and there are many methods and ways of implementing the technical solution. The above description is only a specific embodiment of the present invention. It should be noted that those skilled in the art can make a number of improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention. All components not specified in the present embodiment can be realized by the prior art.

Claims (10)

1. An identity authentication system comprises a storage module, an input module and a verification module, and is characterized by also comprising an algorithm rule module and a rule analysis module,
the storage module is used for storing a first password set by a user;
the input module is used for receiving a second password sent by a user;
the algorithm rule module comprises an algorithm rule for mutual conversion of a first password and a second password;
the rule analysis module is used for analyzing the second password according to the algorithm rule to obtain a third password;
the verification module is used for verifying the third password and the first password stored in the storage module to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
2. The identity authentication system of claim 1, wherein the algorithm rule module comprises a rule prompting unit, and the rule prompting unit is configured to prompt the user for the algorithm rule.
3. An identity authentication system according to claim 2, wherein the rule prompting unit comprises a ciphertext prompting subunit, the ciphertext prompting subunit comprising a prompt for indirectly prompting the user for the algorithm rule.
4. An identity authentication system comprises a storage module, an input module and a verification module, and is characterized by also comprising an algorithm rule module and a rule calculation module,
the storage module is used for storing a first password set by a user;
the input module is used for receiving a second password sent by a user;
the algorithm rule module comprises an algorithm rule for mutual conversion of a first password and a second password;
the rule calculation module is used for calculating the first password stored in the storage module according to the algorithm rule to obtain a fourth password;
the verification module is used for verifying the second password and the fourth password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
5. The identity authentication system of claim 4, wherein the algorithm rule module comprises a rule prompting unit, and the rule prompting unit is configured to prompt the user for the algorithm rule.
6. An identity authentication system according to claim 5, wherein the rule prompting unit comprises a ciphertext prompting subunit, the ciphertext prompting subunit comprising a prompt for indirectly prompting the user for the algorithm rule.
7. An identity authentication method, comprising:
storing a first password set by a user;
obtaining an algorithm rule of mutual conversion of a first password and a second password, wherein the second password is a password sent by a user;
receiving a second password sent by a user;
analyzing the second password according to the algorithm rule to obtain a third password;
verifying the third password and the first password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
8. An identity authentication method, comprising:
storing a first password set by a user;
obtaining an algorithm rule of mutual conversion of a first password and a second password, wherein the second password is a password sent by a user;
receiving a second password sent by a user;
calculating the first password according to the algorithm rule to obtain a fourth password;
verifying the second password and the fourth password to obtain a verification result; if the verification results are the same, the verification is passed, and if the verification results are different, the verification is not passed.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of claim 7 or 8.
10. A terminal device, comprising: a processor and a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement the method of claim 7 or 8.
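
The two verification paths of claims 7 and 8, sketched as an added example (not code from the patent), with the first password stored as a SHA-3 digest as in step P100. The digit-shift rule and the per-login challenge are hypothetical stand-ins for the algorithm rule, and all sample values are constructed.

```python
import hashlib
import hmac

# Hypothetical rule (an assumption, not the patent's): the second password is
# the first password with each digit shifted by the matching challenge digit.

def _check(pw: str, challenge: str) -> None:
    ok = pw.isascii() and pw.isdigit() and challenge.isascii() and challenge.isdigit()
    if not ok or len(pw) != len(challenge):
        raise ValueError("expected ASCII digit strings of equal length")

def apply_rule(first: str, challenge: str) -> str:
    """First password -> expected input (the 'fourth password' of claim 8)."""
    _check(first, challenge)
    return "".join(str((int(p) + int(c)) % 10) for p, c in zip(first, challenge))

def invert_rule(second: str, challenge: str) -> str:
    """User input -> candidate first password (the 'third password' of claim 7)."""
    _check(second, challenge)
    return "".join(str((int(s) - int(c)) % 10) for s, c in zip(second, challenge))

def enroll(first: str) -> bytes:
    """Keep only the SHA3-256 digest of the first password (step P100)."""
    return hashlib.sha3_256(first.encode()).digest()

def verify_claim7(stored_digest: bytes, second: str, challenge: str) -> bool:
    """Invert the rule on the input, hash the result, compare digests."""
    try:
        third = invert_rule(second, challenge)
    except ValueError:
        return False  # malformed input is simply a failed verification
    candidate = hashlib.sha3_256(third.encode()).digest()
    return hmac.compare_digest(candidate, stored_digest)  # constant-time compare

def verify_claim8(stored_first: str, second: str, challenge: str) -> bool:
    """Apply the rule to the stored first password, so it must be recoverable."""
    try:
        fourth = apply_rule(stored_first, challenge)
    except ValueError:
        return False
    return hmac.compare_digest(fourth.encode(), second.encode())

if __name__ == "__main__":
    digest = enroll("4821")                        # constructed sample values
    print(verify_claim7(digest, "7728", "3907"))   # correct transformed input
    print(verify_claim7(digest, "4821", "3907"))   # raw first password typed
    print(verify_claim8("4821", "7728", "3907"))
```

With digest-only storage the claim 7 path is the one that applies, because the rule is inverted on the input before hashing; the claim 8 path reads the first password itself.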

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210381280.XA CN114666052A (en) 2022-04-12 2022-04-12 Identity authentication system and method
PCT/CN2022/089889 WO2023197379A1 (en) 2022-04-12 2022-04-28 Identity authentication system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210381280.XA CN114666052A (en) 2022-04-12 2022-04-12 Identity authentication system and method

Publications (1)

Publication Number Publication Date
CN114666052A true CN114666052A (en) 2022-06-24

Family

ID=82036113

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210381280.XA Pending CN114666052A (en) 2022-04-12 2022-04-12 Identity authentication system and method

Country Status (2)

Country Link
CN (1) CN114666052A (en)
WO (1) WO2023197379A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113158150A (en) * 2021-04-14 2021-07-23 捷德(中国)科技有限公司 Verification method, device and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991612A (en) * 2015-03-03 2016-10-05 阿里巴巴集团控股有限公司 User identity authentication method and device
CN108734014A (en) * 2017-04-20 2018-11-02 深圳兆日科技股份有限公司 Cryptographic data authentication method and apparatus, code data guard method and device
CN109428723A (en) * 2017-09-05 2019-03-05 中国电信股份有限公司 Verification method, subscriber card and verifying system
CN113111341A (en) * 2021-04-12 2021-07-13 北京沃东天骏信息技术有限公司 Account sharing and login method and device

Also Published As

Publication number Publication date
WO2023197379A1 (en) 2023-10-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination