CN114928469A - IDaaS system for access control based on mutual authentication mechanism - Google Patents


Info

Publication number: CN114928469A
Application number: CN202210351647.3A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 周文明, 王志鹏
Current assignee: Shenzhen Zhongyue Technology Co ltd
Original assignee: Shenzhen Zhongyue Technology Co ltd
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Prior art keywords: virtual identity, identity, service, public key, request

Classifications

    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The application discloses an IDaaS system for access control based on a mutual authentication mechanism, comprising a service request device, an identity management device and a service providing device. The service request device sends preset registration information including a first virtual identity to the identity management device, and sends a preset service access request including a first signature result generated from the first virtual identity to the service providing device. After the service providing device obtains a second public key from the identity management device according to the received second virtual identity and uses it to successfully decrypt the first signature result, the service providing device sends a preset verification request including the second public key, the second virtual identity and a third public key to the service request device, so that the service request device determines the first virtual identity from the received preset verification request and sends a preset verification response including the third public key and the first virtual identity to the service providing device, which decrypts it to determine whether the virtual identity in the preset verification response is the second virtual identity. In conclusion, through mutual authentication, identity forgery can be resisted.

Description

IDaaS system for access control based on mutual authentication mechanism
Technical Field
The application relates to the technical field of information security, in particular to an IDaaS system for performing access control based on a mutual authentication mechanism.
Background
During the construction and exploration of a unified authentication management system for the smart campus, information security problems such as identity forgery attacks and identity theft attacks are encountered.
Disclosure of Invention
To address these problems and the defects of the prior art, the application provides an IDaaS system for performing access control based on a mutual authentication mechanism. By adopting this system, identity forgery attacks, identity theft attacks and the like are resisted through the mutual authentication of virtual identities among the service request device, the identity management device and the service providing device, and the security of information in the IDaaS system is improved.
In a first aspect, the present application provides an IDaaS system for performing access control based on a mutual authentication mechanism, the system including:
the system comprises a service request device, an identity management device and a service providing device; the service request equipment, the identity management equipment and the service providing equipment are connected through a network;
the service request device is configured to generate a key pair including a first public key and a first private key, generate a first virtual identity based on the first public key, send preset registration information including the first public key and the first virtual identity associated with the first public key to the identity management device, sign the first virtual identity with the first private key to generate a first signature result, and send a preset service access request including the first signature result to the service providing device;
the identity management device is used for carrying out digital signature on the received registration information and storing an obtained second digital signature result in a database of the identity management device; the registration information includes: the preset registration information;
the service providing device is configured to: in response to receiving a service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request comprises: the preset service access request;
the service providing device is further configured to: if the first signature result is successfully decrypted, the second virtual identity and the third public key are encrypted through the second public key to obtain a first encryption result, and a preset verification request comprising the first encryption result is sent to the service request device;
the service request device is further configured to: determining whether the virtual identity in the encryption result of the received verification request is the first virtual identity, if so, encrypting the first virtual identity through the third public key to obtain a second encryption result, and sending a preset verification response comprising the second encryption result to the service providing equipment; the virtual identity in the encrypted result of the authentication request comprises: a second virtual identity in a second encryption result of the preset authentication request;
the service providing device is further configured to: in response to receiving a verification response sent by the service request device, decrypting an encryption result in the verification response through the third private key, and determining whether the virtual identity in the verification response is the second virtual identity; the virtual identity in the verification response comprises: the first virtual identity in the preset verification response;
the service providing device is further configured to: if the virtual identity in the verification response is determined to be the second virtual identity, send a confirmation instruction to the service request device, the confirmation instruction indicating that the service request device has successfully accessed the service providing device.
In combination with the first aspect, in some alternative embodiments,
the identity management device is specifically configured to:
perform a digital signature on the received registration information with a fourth private key generated by the identity management device to obtain a second digital signature result, where the fourth public key and the fourth private key are a key pair generated by the identity management device; and
write the second digital signature result into a block chain, or store the second digital signature result in a distributed storage system.
In combination with the first aspect, in some alternative embodiments,
the identity management device is further configured to:
after the service providing device accesses the identity management device according to the second virtual identity in the service access request, and before the service providing device acquires the second public key associated with the second virtual identity from the database, in response to the second virtual identity received by the identity management device, decrypt the digital signature result stored in the block chain or the distributed storage system with the fourth public key, and determine the second public key associated with the second virtual identity from the digital signature result.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically further configured to:
decrypt the encryption result of the received verification request with the first private key and, if decryption succeeds, determine that the virtual identity in the encryption result of the received verification request is the first virtual identity and that the second public key is the first public key.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically configured to:
generate a first public key and a first private key; generate a first virtual identity based on the first public key; send preset registration information, which includes the first public key and the first virtual identity associated with that first public key, to the identity management device; sign the first virtual identity with the first private key to generate a first signature result; and send a preset service access request M1 including the first signature result to the service providing device, wherein r is used to judge whether M1 has been tampered with.
In combination with the first aspect, in some alternative embodiments,
the identity management device is specifically configured to:
for received preset registration information
Figure BDA00035807333700000314
A fourth private key generated by the identity management device
Figure BDA00035807333700000315
Performing digital signature to obtain a second digital signature result
Figure BDA00035807333700000316
Wherein the fourth public key
Figure BDA00035807333700000317
And the fourth private key
Figure BDA00035807333700000318
A key pair generated for the identity management device;
the second digital signature result is obtained
Figure BDA00035807333700000319
And writing the second digital signature result into a block chain, or storing the second digital signature result in a distributed storage system.
In combination with the first aspect, in some alternative embodiments,
the service providing device is specifically further configured to:
if the first signature result is successfully decrypted, encrypt the second virtual identity and the third public key with the second public key to obtain a first encryption result, and send a preset verification request M2 including the first encryption result to the service request device, wherein (r+1) is used to judge whether M2 has been tampered with, and the third private key and the third public key are a key pair generated by the service providing device.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically further configured to:
determine whether the second virtual identity in the first encryption result of the received preset verification request M2 is the first virtual identity; if so, encrypt the first virtual identity with the third public key obtained from the first encryption result to obtain a second encryption result, and send a preset verification response M3 including the second encryption result to the service providing device, wherein (r+2) is used to judge whether M3 has been tampered with.
In combination with the first aspect, in some alternative embodiments,
the service providing device is specifically further configured to:
in response to receiving the preset verification response M3 sent by the service request device, decrypt the second encryption result in the preset verification response M3 with the third private key to determine whether the first virtual identity in the preset verification response M3 is the second virtual identity; and
if the first virtual identity in the preset verification response M3 is determined to be the second virtual identity, send a confirmation indication to the service request device indicating that the service request device has successfully accessed the service providing device.
In combination with the first aspect, in some alternative embodiments,
the service request device is further configured to:
after receiving a confirmation instruction sent by the service providing equipment, encrypting the acquired student privacy data and sending the encrypted student privacy data to the service providing equipment; the student privacy data includes: facial images, scores, archives or family backgrounds of students.
The application provides an IDaaS system for access control based on a mutual authentication mechanism, which comprises a service request device, an identity management device and a service providing device, connected through a network. The service request device may be configured to generate a key pair including a first public key and a first private key, generate a first virtual identity based on the first public key, send preset registration information including the first public key and the first virtual identity associated with the first public key to the identity management device, sign the first virtual identity with the first private key to generate a first signature result, and send a preset service access request including the first signature result to the service providing device.
The identity management device is used for performing a digital signature on the received registration information and storing the obtained second digital signature result in a database of the identity management device; the registration information includes the preset registration information.
A service providing device for: in response to receiving the service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request includes the preset service access request. The service providing device is further configured to: if the first signature result is successfully decrypted, encrypt the second virtual identity and the third public key with the second public key to obtain a first encryption result, and send the preset verification request including the first encryption result to the service request device.
A service request device further configured to: determine whether the virtual identity in the encryption result of the received verification request is the first virtual identity and, if so, encrypt the first virtual identity with the third public key to obtain a second encryption result and send a preset verification response including the second encryption result to the service providing device; the virtual identity in the encryption result of the verification request includes the second virtual identity in the second encryption result of the preset verification request.
A service providing device further configured to: in response to receiving a verification response sent by the service request device, decrypt the encryption result in the verification response with the third private key and determine whether the virtual identity in the verification response is the second virtual identity; the virtual identity in the verification response includes the first virtual identity in the preset verification response. The service providing device is further operable to: if the virtual identity in the verification response is determined to be the second virtual identity, send a confirmation instruction to the service request device, the confirmation instruction indicating that the service request device has successfully accessed the service providing device. In summary, with the present application, the mutual authentication of virtual identities among the service request device, the identity management device and the service providing device makes it possible to resist identity forgery attacks, identity theft attacks and the like, and improves the security of information in the IDaaS system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an IDaaS system for performing access control based on a mutual authentication mechanism according to the present application;
fig. 2 is a schematic diagram of a specific generation process of a first virtual identity provided in the present application;
fig. 3 is a schematic structural diagram of another IDaaS system for performing access control based on a mutual authentication mechanism according to the present application.
Detailed Description
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings in the present application, and it is obvious that the described embodiments are some, not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to improve information security in the IDaaS system and resist identity forgery attacks, identity theft attacks and identity authentication attacks, the application provides an IDaaS system that performs access control based on a mutual authentication mechanism. Specifically:
Fig. 1 is a schematic structural diagram of an IDaaS system for performing access control based on a mutual authentication mechanism provided in the present application. As shown in fig. 1,
the IDaaS system may include, but is not limited to:
a service request device, an identity management device and a service providing device; the service request device, the identity management device and the service providing device may be connected through a communication network.
it should be noted that the service request device may include, but is not limited to: the camera that can be used to data acquisition, the AI intelligence box that can be used to data acquisition, the camera that can be used to data acquisition, or other equipment that can be used to data acquisition.
The service providing device may include, but is not limited to: the server can be used for processing the privacy data of the students.
It should be noted that the above communication network may include, but is not limited to, the following ways:
mode 1: communication networks in a wired manner (e.g., network cable or fiber optic cable);
mode 2: a communication network in a wireless mode (such as WIFI6 or 5G);
mode 3: a communication network combining the wired mode and the wireless mode.
A service request device operable to:
the method comprises the steps of generating a key pair comprising a first public key and a first private key, generating a first virtual identity based on the first public key, sending preset registration information of the first virtual identity comprising the first public key and the first public key in association to identity management equipment, signing the first virtual identity through the first private key, generating a first signature result, and sending a preset service access request comprising the first signature result to service providing equipment.
It should be noted that the terms first, second, third and fourth in this application are only used to distinguish different virtual identities, public keys, private keys, digital signature results and the like, and should not be taken as limiting this application.
The service request device may be specifically configured to derive the first virtual identity from the first public key through a series of one-way hash operations. More specifically,
the service request device may be operable to:
first compute SHA256(first public key) with the SHA-256 hash algorithm, then compute RIPEMD160(SHA256(first public key)), then encode RIPEMD160(SHA256(first public key)) with Base58Check, and use the encoding result as the first virtual identity. For the specific generation process of the first virtual identity in this application, refer to fig. 2.
an identity management device operable to:
perform a digital signature on the received registration information, and store the obtained second digital signature result in a database of the identity management device; the registration information includes the preset registration information.
It should be noted that the identity management device may be specifically configured to:
performing digital signature on the received registration information through a fourth private key generated by the identity management equipment to obtain a second digital signature result; the fourth public key and the fourth private key are a key pair generated by the identity management device;
write the second digital signature result into the block chain, or store it in a distributed storage system, in a local database of the identity management device, or in a cloud database of the identity management device.
It should be noted that the block chain may include, but is not limited to:
private blockchains or public blockchains.
The distributed storage system may include, but is not limited to: the IPFS (InterPlanetary File System) distributed storage system.
A service providing device operable to:
in response to receiving the service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request includes: a service access request is preset.
The preset service access request is one of the service access requests;
it should be noted that the identity management device may also be configured to:
after the service providing device accesses the identity management device according to the second virtual identity in the service access request, and before the service providing device acquires the second public key associated with the second virtual identity from the database, in response to the second virtual identity received by the identity management device, determine the second public key associated with the second virtual identity from the digital signature result stored in the identity management device.
The digital signature result includes the second digital signature result.
The service providing device may be further operable to: if the first signature result is successfully decrypted, encrypt the second virtual identity and the third public key with the second public key to obtain a first encryption result, and send the preset verification request including the first encryption result to the service request device.
The service request device may be further operable to: determine whether the virtual identity in the encryption result of the received verification request is the first virtual identity and, if so, encrypt the first virtual identity with the third public key to obtain a second encryption result and send a preset verification response including the second encryption result to the service providing device.
It should be noted that the virtual identity in the encryption result of the verification request includes the second virtual identity in the second encryption result of the preset verification request.
That is, the service request device may be further configured to:
decrypt the encryption result of the received verification request with the first private key and, if decryption succeeds, determine that the virtual identity in the encryption result of the received verification request is the first virtual identity and that the second public key is the first public key.
The service providing device may be further operable to: in response to receiving the verification response sent by the service request device, decrypt the encryption result in the verification response with the third private key and determine whether the virtual identity in the verification response is the second virtual identity.
It should be noted that the virtual identity in the verification response includes the first virtual identity in the preset verification response.
The service providing device may be further configured to: if the virtual identity in the verification response is determined to be the second virtual identity, send a confirmation indication to the service request device, where the confirmation indication can be used to indicate that the service request device has successfully accessed the service providing device.
That is, if the service providing device determines that the first virtual identity in the preset verification response is the second virtual identity, it sends a confirmation indication to the service request device.
In summary, the service request device sends the preset registration information including the first virtual identity to the identity management device, and sends the preset service access request including the first signature result generated from the first virtual identity to the service providing device. After the service providing device obtains the second public key from the identity management device according to the received second virtual identity and uses it to successfully decrypt the first signature result, it sends a preset verification request including the second public key, the second virtual identity and a third public key to the service request device, so that the service request device determines the first virtual identity from the received preset verification request and sends a preset verification response including the third public key and the first virtual identity to the service providing device. The service providing device decrypts it to determine whether the first virtual identity and the second virtual identity in the preset verification response are equal; if so, it sends a confirmation instruction to the service request device, the confirmation instruction indicating that the service request device has successfully accessed the service providing device.
By adopting this system, the mutual authentication of virtual identities among the service request device, the identity management device and the service providing device makes it possible to resist identity forgery attacks, identity theft attacks and the like, and improves the security of information in the IDaaS system.
In order to improve the information security in the IDaaS system and to further elaborate the resistance to identity forgery attacks, identity theft attacks and identity authentication attacks, the application also provides another IDaaS system for performing access control based on a mutual authentication mechanism.
Referring to fig. 3, a schematic structural diagram of another IDaaS system for performing access control based on a mutual authentication mechanism provided in the present application is shown, where the system may include, but is not limited to:
a service request device, an identity management device and a service providing device; the service request device, the identity management device and the service providing device are connected through a network; wherein:
the service request device may be specifically configured to:
generate a first public key and a first private key; generate a first virtual identity based on the first public key; send preset registration information, which includes the first public key and the first virtual identity associated with the first public key, to the identity management device; sign the first virtual identity with the first private key to generate a first signature result; and send a preset service access request M1, which includes the first signature result, to the service providing device, wherein M1 is defined by an expression that appears only as an image in the original (Figure BDA00035807333700001013), and r is used for judging whether the preset service access request M1 has been tampered with.
The identity management device may be specifically configured to:
digitally sign the received preset registration information with a fourth private key generated by the identity management device to obtain a second digital signature result, wherein the fourth public key and the fourth private key are a key pair generated by the identity management device; and write the second digital signature result into the block chain, or store the second digital signature result in a distributed storage system.
The service providing device may be further configured to:
if the first signature result is successfully decrypted, encrypt the associated second virtual identity and the third public key with the second public key to obtain a first encryption result, and send a preset verification request M2, which includes the first encryption result, to the service request device, wherein M2 is defined by an expression that appears only as an image in the original (Figure BDA00035807333700001026), (r+1) is used for judging whether the preset verification request M2 has been tampered with, and the third private key and the third public key are a key pair generated by the service providing device.
The service request device may be further configured to:
determine whether the second virtual identity in the first encryption result of the received preset verification request M2 is the first virtual identity; if the second virtual identity is the first virtual identity, encrypt the first virtual identity with the third public key obtained from the first encryption result to obtain a second encryption result, and send a preset verification response M3, which includes the second encryption result, to the service providing device, wherein M3 is defined by an expression that appears only as an image in the original (Figure BDA00035807333700001041), and (r+2) is used for judging whether M3 has been tampered with.
The service providing device may be further configured to:
in response to receiving the preset verification response M3 sent by the service request device, decrypt the second encryption result in the preset verification response M3 with the third private key to determine whether the first virtual identity in the preset verification response M3 is the second virtual identity; if the first virtual identity in the preset verification response M3 is determined to be the second virtual identity, send a confirmation indication to the service request device, the confirmation indication indicating that the service request device has successfully accessed the service providing device.
The service request device may be further configured to:
after receiving the confirmation indication sent by the service providing device, encrypt the acquired student privacy data and send it to the service providing device.
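The exchange configured across the three devices above, together with the identity management device's signed registry of claims 2 and 3, written out as an added, runnable example; this is not code from the patent. The page does not name its signature or encryption algorithm, so a toy textbook RSA (unpadded, for illustration only) stands in for it; the party classes, the JSON shapes of M1, M2 and M3, the SHA-256 derivation of the virtual identity from the public key, the 64-bit counter r and the append-only list standing in for the block chain or distributed storage are all assumptions of this example.

```python
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=32):  # Miller-Rabin test for an odd n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):  # composite unless some squaring reaches n - 1
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(c):
            return c

def keygen(bits=512):  # toy textbook RSA: public (n, e), private (n, d); illustration only
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # e = 65537 is prime, so this is gcd(e, phi) == 1
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def sign(priv, msg):  # RSA over the SHA-256 digest, no padding (toy)
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[1], priv[0])

def verify(pub, msg, sig):  # the page's "decrypting the signature result with the public key"
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def encrypt(pub, data):  # chunked textbook RSA; the 0x01 lead byte keeps leading zero bytes
    n, e = pub
    k = (n.bit_length() - 1) // 8 - 1  # payload bytes per chunk; with the lead byte it stays below n
    return [pow(int.from_bytes(b"\x01" + data[i:i + k], "big"), e, n) for i in range(0, len(data), k)]

def decrypt(priv, blocks):
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes((n.bit_length() - 1) // 8, "big").lstrip(b"\x00")[1:] for c in blocks)

class IdentityManager:
    def __init__(self):
        (self.pub, self.priv), self.ledger = keygen(), []  # fourth key pair; list stands in for the block chain
    def register(self, registration):  # preset registration information -> second digital signature result
        record = json.dumps(registration, sort_keys=True).encode()
        self.ledger.append((record, sign(self.priv, record)))
    def lookup_public_key(self, vid):  # claim 3: a record counts only if it verifies under the fourth public key
        for record, sig in self.ledger:
            if (reg := json.loads(record))["vid"] == vid and verify(self.pub, record, sig):
                return tuple(reg["pub"])
        return None

class ServiceRequester:
    def __init__(self):
        self.pub, self.priv = keygen()  # first key pair
        self.vid = hashlib.sha256(f"{self.pub[0]}:{self.pub[1]}".encode()).hexdigest()  # VID1 from PK1 (assumed)
    def access_request(self):  # M1: first signature result over VID1, plus counter r
        self.r = secrets.randbits(64)
        return {"vid": self.vid, "sig": sign(self.priv, self.vid.encode()), "r": self.r}
    def handle_verification_request(self, m2):  # M2 -> M3
        payload = json.loads(decrypt(self.priv, m2["c1"]))  # only the holder of SK1 recovers VID2 and PK3
        if m2["r"] != self.r + 1 or payload["vid"] != self.vid:
            raise ValueError("M2 is stale or names another identity")
        return {"c2": encrypt(tuple(payload["pk3"]), self.vid.encode()), "r": self.r + 2}

class ServiceProvider:
    def __init__(self, idm):
        self.idm, self.sessions = idm, {}
    def handle_access_request(self, m1):  # M1 -> M2
        vid2 = m1["vid"]
        pk2 = self.idm.lookup_public_key(vid2)  # second public key, fetched from the identity management device
        if pk2 is None or not verify(pk2, vid2.encode(), m1["sig"]):
            raise ValueError("first signature result does not verify under the registered key")
        pk3, sk3 = keygen()  # third key pair, fresh for this request
        self.sessions[vid2] = (sk3, m1["r"])
        payload = json.dumps({"vid": vid2, "pk3": list(pk3)}).encode()
        return {"c1": encrypt(pk2, payload), "r": m1["r"] + 1}
    def handle_verification_response(self, vid2, m3):  # M3 -> confirmation indication
        sk3, r = self.sessions.pop(vid2)
        if m3["r"] != r + 2 or decrypt(sk3, m3["c2"]).decode() != vid2:
            raise ValueError("M3 does not prove possession of the claimed identity")
        return {"confirmed": True, "vid": vid2}

def run_protocol():  # registration, then M1 / M2 / M3 / confirmation
    idm, alice = IdentityManager(), ServiceRequester()
    provider = ServiceProvider(idm)
    idm.register({"pub": list(alice.pub), "vid": alice.vid})  # preset registration information
    m1 = alice.access_request()
    m2 = provider.handle_access_request(m1)
    m3 = alice.handle_verification_request(m2)
    return provider.handle_verification_response(m1["vid"], m3)
```

Two of the attack classes the page names fall out of the checks: a party presenting a registered virtual identity under a different private key fails `verify` against the second public key fetched from the registry (identity forgery), and a party that has merely captured M1 never recovers PK3 from C1 without SK1, so it cannot build the C2 that the service providing device decrypts with SK3 (identity theft). The registry lookup re-verifies each stored record under the fourth public key before trusting it, which is what lets the ledger live in shared storage.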
In summary, the service request device sends preset registration information including the first virtual identity to the identity management device, and sends a preset service access request M1 including the first signature result generated from the first virtual identity to the service providing device; after the service providing device obtains the second public key from the identity management device according to the received second virtual identity and successfully decrypts the first signature result, it sends a preset verification request M2 including the second public key, the second virtual identity and the third public key to the service request device, so that the service request device determines the first virtual identity from the received preset verification request and sends a preset verification response M3 including the third public key and the first virtual identity to the service providing device for decryption, to determine whether the virtual identity in the preset verification response is the second virtual identity; if so, a confirmation indication is sent to the service request device, the confirmation indication being used for indicating that the service request device has successfully accessed the service providing device. Therefore, by adopting the method and the system, the mutual authentication mechanism among the service request device, the service providing device and the identity management device can resist identity forgery attacks, identity theft attacks and the like, and the information security in the IDaaS system is improved.
It should be noted that the definitions or explanations in the embodiment of fig. 3, which are not explained in detail, may refer to the embodiment of fig. 1.
It should be noted that fig. 1-3 are only used for illustration and description of the present application and should not be taken as limiting the scope of the present application.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, systems and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, device and method may be implemented in other ways.
The above-described embodiments of the apparatus and device are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices, apparatuses or units, and may also be an electrical, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the elements may be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present application.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be substantially or partially contributed by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a memory and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned memory comprises: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An IDaaS system for performing access control based on a mutual authentication mechanism, comprising:
the system comprises a service request device, an identity management device and a service providing device; the service request equipment, the identity management equipment and the service providing equipment are connected through a network;
the service request device is configured to generate a key pair including a first public key and a first private key, generate a first virtual identity based on the first public key, send preset registration information including the first public key and the first virtual identity associated with the first public key to the identity management device, sign the first virtual identity with the first private key to generate a first signature result, and send a preset service access request including the first signature result to the service providing device;
the identity management device is used for carrying out digital signature on the received registration information and storing an obtained second digital signature result in a database of the identity management device; the registration information includes: the preset registration information;
the service providing device is configured to: in response to receiving a service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request includes: the preset service access request;
the service providing device is further configured to: if the first signature result is successfully decrypted, the second virtual identity and the third public key are encrypted through the second public key to obtain a first encryption result, and a preset verification request comprising the first encryption result is sent to the service request device;
the service request device is further configured to: determining whether the virtual identity in the encryption result of the received verification request is the first virtual identity, if so, encrypting the first virtual identity through the third public key to obtain a second encryption result, and sending a preset verification response comprising the second encryption result to the service providing equipment; the virtual identity in the encrypted result of the authentication request comprises: a second virtual identity in a second encryption result of the preset authentication request;
the service providing device is further configured to: in response to receiving a verification response sent by the service request device, decrypting an encryption result in the verification response through the third private key, and determining whether the virtual identity in the verification response is the second virtual identity; the virtual identity in the verification response comprises: the first virtual identity in the preset verification response;
the service providing device is further configured to: and if the virtual identity in the verification response is determined to be the second virtual identity, sending a confirmation instruction to the service request device, wherein the confirmation instruction is used for indicating that the service request device successfully accesses the service providing device.
2. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 1,
the identity management device is specifically configured to:
carrying out digital signature on the received registration information through a fourth private key generated by the identity management equipment to obtain a second digital signature result; the fourth public key and the fourth private key are a key pair generated by the identity management device;
and writing the second digital signature result into a block chain, or storing the second digital signature result in a distributed storage system.
3. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 2,
the identity management device is further configured to:
after the service providing device accesses the identity management device according to the second virtual identity in the service access request, before the service providing device acquires the second public key associated with the second virtual identity from the database,
and in response to the second virtual identity received in the identity management device, decrypting the digital signature result stored in the block chain or the distributed storage system through the fourth public key, and determining a second public key associated with the second virtual identity from the digital signature result.
4. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 3,
the service request device is specifically further configured to:
and decrypting the encryption result of the received verification request through the first private key, and if the decryption is successful, determining that the virtual identity in the encryption result of the received verification request is the first virtual identity and the second public key is the first public key.
5. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 1,
the service request device is specifically configured to:
generating a first public key and a first private key; generating a first virtual identity based on the first public key; sending preset registration information, which includes the first public key and the first virtual identity associated with the first public key, to the identity management device; signing the first virtual identity with the first private key to generate a first signature result; and sending a preset service access request M1, which includes the first signature result, to the service providing device, wherein M1 is defined by an expression that appears only as an image in the original (Figure FDA00035807333600000313), and the r is used for judging whether the M1 has been tampered with.
6. An IDaaS system with access control based on a mutual authentication mechanism according to claim 5,
the identity management device is specifically configured to:
digitally signing the received preset registration information with a fourth private key generated by the identity management device to obtain a second digital signature result, wherein the fourth public key and the fourth private key are a key pair generated by the identity management device;
and writing the second digital signature result into a block chain, or storing the second digital signature result in a distributed storage system.
7. An IDaaS system with access control based on a mutual authentication mechanism according to claim 6,
the service providing device is specifically further configured to:
if the first signature result is successfully decrypted, encrypting the associated second virtual identity and the third public key with the second public key to obtain a first encryption result, and sending a preset verification request M2, which includes the first encryption result, to the service request device, wherein M2 is defined by an expression that appears only as an image in the original (Figure FDA00035807333600000326), the (r+1) is used for judging whether the M2 has been tampered with, and the third private key and the third public key are a key pair generated by the service providing device.
8. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 7,
the service request device is specifically further configured to:
determining whether the second virtual identity in the first encryption result of the received preset verification request M2 is the first virtual identity; if so, encrypting the first virtual identity with the third public key obtained from the first encryption result to obtain a second encryption result, and sending a preset verification response M3, which includes the second encryption result, to the service providing device, wherein M3 is defined by an expression that appears only as an image in the original (Figure FDA00035807333600000410), and the (r+2) is used for judging whether the M3 has been tampered with.
9. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 8,
the service providing device is specifically further configured to:
in response to receiving a preset verification response M3 sent by the service request device, decrypting the second encryption result in the preset verification response M3 with the third private key to determine whether the first virtual identity in the preset verification response M3 is the second virtual identity; if the first virtual identity in the preset verification response M3 is determined to be the second virtual identity, sending a confirmation indication to the service request device, the confirmation indication indicating that the service request device has successfully accessed the service providing device.
10. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 9,
the service request device is further configured to:
after receiving a confirmation instruction sent by the service providing equipment, encrypting the acquired student private data and sending the encrypted student private data to the service providing equipment; the student privacy data includes: facial images, scores, archives or home backgrounds of students.
CN202210351647.3A 2022-03-28 2022-04-02 IDaaS system for access control based on mutual authentication mechanism Pending CN114928469A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202220690604 2022-03-28
CN2022206906043 2022-03-28

Publications (1)

Publication Number Publication Date
CN114928469A true CN114928469A (en) 2022-08-19

Family

ID=82805599

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210351647.3A Pending CN114928469A (en) 2022-03-28 2022-04-02 IDaaS system for access control based on mutual authentication mechanism

Country Status (1)

Country Link
CN (1) CN114928469A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110401615A (en) * 2018-04-24 2019-11-01 广东工业大学 A kind of identity identifying method, device, equipment, system and readable storage medium storing program for executing
CN111245870A (en) * 2020-04-26 2020-06-05 国网电子商务有限公司 Identity authentication method based on mobile terminal and related device
US20200412554A1 (en) * 2017-12-26 2020-12-31 Sangmyung University Cheonan Council For Industry-Academic Cooperation Foundation Id as service based on blockchain
CN113407361A (en) * 2021-05-27 2021-09-17 中国联合网络通信集团有限公司 Desktop access control method and system



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination