CN114928469A - IDaaS system for access control based on mutual authentication mechanism - Google Patents
- Publication number
- CN114928469A
- Authority
- CN
- China
- Prior art keywords
- virtual identity
- identity
- service
- public key
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses an IDaaS system that performs access control based on a mutual authentication mechanism. The system comprises a service request device, an identity management device and a service providing device. The service request device sends preset registration information containing the first virtual identity to the identity management device, and sends a preset service access request containing a first signature result generated over the first virtual identity to the service providing device. The service providing device obtains from the identity management device the second public key bound to the second virtual identity it received; once it has successfully decrypted (verified) the first signature result with that key, it sends the service request device a preset verification request containing the second virtual identity and a third public key, encrypted under the second public key. The service request device determines that the virtual identity in the verification request is the first virtual identity and returns a preset verification response containing the first virtual identity, encrypted under the third public key; the service providing device decrypts the response and checks whether the virtual identity it contains is the second virtual identity. Through this mutual authentication, identity forgery can be resisted.
Description
Technical Field
The application relates to the technical field of information security, in particular to an IDaaS system for performing access control based on a mutual authentication mechanism.
Background
Building and running a unified authentication management system for a smart campus faces information security problems such as identity forgery attacks and identity theft attacks.
Disclosure of Invention
To address these problems and the defects of the prior art, the application provides an IDaaS system that performs access control based on a mutual authentication mechanism. Through mutual authentication of virtual identities among the service request device, the identity management device and the service providing device, identity forgery attacks, identity theft attacks and the like are resisted, and the security of information in the IDaaS system is improved.
In a first aspect, the present application provides an IDaaS system for performing access control based on a mutual authentication mechanism, the system including:
the system comprises a service request device, an identity management device and a service providing device; the service request equipment, the identity management equipment and the service providing equipment are connected through a network;
the service request device is configured to generate a key pair comprising a first public key and a first private key, generate a first virtual identity based on the first public key, send preset registration information that includes the first public key and the first virtual identity associated with it to the identity management device, sign the first virtual identity with the first private key to generate a first signature result, and send a preset service access request comprising the first signature result to the service providing device;
the identity management device is used for carrying out digital signature on the received registration information and storing an obtained second digital signature result in a database of the identity management device; the registration information includes: the preset registration information;
the service providing device is configured to: in response to receiving a service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request comprises: the preset service access request;
the service providing device is further configured to: if the first signature result is successfully decrypted, the second virtual identity and the third public key are encrypted through the second public key to obtain a first encryption result, and a preset verification request comprising the first encryption result is sent to the service request device;
the service request device is further configured to: determine whether the virtual identity in the encryption result of the received verification request is the first virtual identity and, if so, encrypt the first virtual identity with the third public key to obtain a second encryption result and send a preset verification response comprising the second encryption result to the service providing device; the virtual identity in the encryption result of the verification request comprises: the second virtual identity in the first encryption result of the preset verification request;
the service providing device is further configured to: in response to receiving a verification response sent by the service request device, decrypting an encryption result in the verification response through the third private key, and determining whether the virtual identity in the verification response is the second virtual identity; the virtual identity in the verification response comprises: the first virtual identity in the preset verification response;
the service providing device is further configured to: and if the virtual identity in the verification response is determined to be the second virtual identity, sending a confirmation instruction to the service request device, wherein the confirmation instruction is used for indicating that the service request device successfully accesses the service providing device.
In combination with the first aspect, in some alternative embodiments,
the identity management device is specifically configured to:
performing digital signature on the received registration information through a fourth private key generated by the identity management equipment to obtain a second digital signature result; the fourth public key and the fourth private key are a key pair generated by the identity management device;
and writing the second digital signature result into a block chain, or storing the second digital signature result in a distributed storage system.
In combination with the first aspect, in some alternative embodiments,
the identity management device is further configured to:
after the service providing device accesses the identity management device according to the second virtual identity in the service access request, before the service providing device acquires the second public key associated with the second virtual identity from the database,
and in response to the second virtual identity received in the identity management device, decrypting the digital signature result stored in the block chain or the distributed storage system through the fourth public key, and determining a second public key associated with the second virtual identity from the digital signature result.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically further configured to:
and decrypting the encryption result of the received verification request through the first private key, and if the decryption is successful, determining that the virtual identity in the encryption result of the received verification request is the first virtual identity and the second public key is the first public key.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically configured to:
generating a first public key and a first private key, generating a first virtual identity based on the first public key, sending preset registration information including the first public key and the first virtual identity associated with it to the identity management device, signing the first virtual identity with the first private key to generate a first signature result, and sending a preset service access request M1 including the first signature result to the service providing device, wherein r is used to judge whether M1 has been tampered with.
In combination with the first aspect, in some alternative embodiments,
the identity management device is specifically configured to:
performing a digital signature on the received preset registration information with a fourth private key generated by the identity management device to obtain a second digital signature result, wherein the fourth public key and the fourth private key are a key pair generated by the identity management device;
writing the second digital signature result into a block chain, or storing the second digital signature result in a distributed storage system.
In combination with the first aspect, in some alternative embodiments,
the service providing device is specifically further configured to:
if the first signature result is successfully decrypted, encrypting the second virtual identity and the third public key with the second public key to obtain a first encryption result, and sending a preset verification request M2 including the first encryption result to the service request device, wherein (r+1) is used to judge whether M2 has been tampered with; the third private key and the third public key are a key pair generated by the service providing device.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically further configured to:
determining whether the second virtual identity in the first encryption result of the received preset verification request M2 is the first virtual identity and, if so, encrypting the first virtual identity with the third public key obtained from the first encryption result to obtain a second encryption result, and sending a preset verification response M3 including the second encryption result to the service providing device, wherein (r+2) is used to judge whether M3 has been tampered with.
In combination with the first aspect, in some alternative embodiments,
the service providing device is specifically further configured to:
in response to receiving the preset verification response M3 sent by the service request device, decrypting the second encryption result in the preset verification response M3 with the third private key to determine whether the first virtual identity in the preset verification response M3 is the second virtual identity and, if the first virtual identity in the preset verification response M3 is determined to be the second virtual identity, sending a confirmation indication to the service request device indicating that the service request device has successfully accessed the service providing device.
In combination with the first aspect, in some alternative embodiments,
the service request device is further configured to:
after receiving a confirmation instruction sent by the service providing equipment, encrypting the acquired student privacy data and sending the encrypted student privacy data to the service providing equipment; the student privacy data includes: facial images, scores, archives or family backgrounds of students.
The application provides an IDaaS system for access control based on a mutual authentication mechanism, comprising a service request device, an identity management device and a service providing device connected through a network. The service request device may be configured to generate a key pair comprising a first public key and a first private key, generate a first virtual identity based on the first public key, send preset registration information including the first public key and the first virtual identity associated with it to the identity management device, sign the first virtual identity with the first private key to generate a first signature result, and send a preset service access request comprising the first signature result to the service providing device.
The identity management device is configured to digitally sign the received registration information and store the resulting second digital signature result in a database of the identity management device; the registration information includes the preset registration information.
The service providing device is configured to: in response to receiving a service access request, access the identity management device according to a second virtual identity in the service access request, acquire the second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request, and generate a key pair comprising a third public key and a third private key; the service access request includes the preset service access request. The service providing device is further configured to: if the first signature result is successfully decrypted, encrypt the second virtual identity and the third public key with the second public key to obtain a first encryption result, and send a preset verification request comprising the first encryption result to the service request device.
The service request device is further configured to: determine whether the virtual identity in the encryption result of the received verification request is the first virtual identity and, if so, encrypt the first virtual identity with the third public key to obtain a second encryption result and send a preset verification response comprising the second encryption result to the service providing device; the virtual identity in the encryption result of the verification request comprises the second virtual identity in the first encryption result of the preset verification request.
The service providing device is further configured to: in response to receiving a verification response sent by the service request device, decrypt the encryption result in the verification response with the third private key and determine whether the virtual identity in the verification response is the second virtual identity; the virtual identity in the verification response comprises the first virtual identity in the preset verification response. The service providing device is further configured to: if the virtual identity in the verification response is determined to be the second virtual identity, send a confirmation instruction to the service request device, the confirmation instruction indicating that the service request device has successfully accessed the service providing device. In summary, through the mechanism of mutually authenticating virtual identities among the service request device, the identity management device and the service providing device, the present application resists identity forgery attacks, identity theft attacks and the like, and improves the security of information in the IDaaS system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an IDaaS system for performing access control based on a mutual authentication mechanism according to the present application;
fig. 2 is a schematic diagram of a specific generation process of a first virtual identity provided in the present application;
fig. 3 is a schematic structural diagram of another IDaaS system for performing access control based on a mutual authentication mechanism according to the present application.
Detailed Description
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings in the present application, and it is obvious that the described embodiments are some, not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to improve information security in the IDaaS system and resist identity forgery attacks, identity theft attacks and identity authentication attacks, the application provides an IDaaS system that performs access control based on a mutual authentication mechanism. Specifically:
Referring to fig. 1, which is a schematic structural diagram of an IDaaS system for performing access control based on a mutual authentication mechanism provided in the present application, the IDaaS system may include, but is not limited to:
the system comprises a service request device, an identity management device and a service providing device; the service request equipment, the identity management equipment and the service providing equipment can be connected through a communication network;
it should be noted that the service request device may include, but is not limited to: the camera that can be used to data acquisition, the AI intelligence box that can be used to data acquisition, the camera that can be used to data acquisition, or other equipment that can be used to data acquisition.
The service providing device may include, but is not limited to: the server can be used for processing the privacy data of the students.
It should be noted that the above communication network may include, but is not limited to, the following ways:
mode 1: communication networks in a wired manner (e.g., network cable or fiber optic cable);
mode 2: a communication network in a wireless mode (such as Wi-Fi 6 or 5G);
mode 3: a communication network combining the wired mode and the wireless mode.
A service request device operable to:
the method comprises the steps of generating a key pair comprising a first public key and a first private key, generating a first virtual identity based on the first public key, sending preset registration information of the first virtual identity comprising the first public key and the first public key in association to identity management equipment, signing the first virtual identity through the first private key, generating a first signature result, and sending a preset service access request comprising the first signature result to service providing equipment.
It should be noted that the first, second, third, or fourth embodiments in this application are only used to distinguish different virtual identities, public keys, private keys, or digital signature results, and the like, and should not be limited in this application.
The service request device may be specifically configured to: the first public key is subjected to a series of one-way hash algorithms to obtain a first virtual identity, and more specifically,
a service request device operable to:
firstly, based on the first public key, SHA256 (first public key) is calculated by a hash algorithm through a hash operation, then RIPEMD160(SHA256 (first public key)) is calculated through the hash operation, then RIPEMD160(SHA256 (first public key)) is encoded through Base58Check, and the encoding result is used as a first virtual identity, it should be noted that, in this application, with regard to a specific generation process of the first virtual identity, refer to fig. 2, as shown in fig. 2, specifically,
an identity management device operable to:
digitally sign the received registration information, and store the resulting second digital signature result in a database of the identity management device; the registration information includes the preset registration information.
It should be noted that the identity management device may be specifically configured to:
performing digital signature on the received registration information through a fourth private key generated by the identity management equipment to obtain a second digital signature result; the fourth public key and the fourth private key are a key pair generated by the identity management device;
and writing the second digital signature result into the block chain, or storing the second digital signature result in a distributed storage system, or in a local database of the identity management device, or in a cloud database of the identity management device.
It should be noted that the block chain may include, but is not limited to:
private blockchains or public blockchains.
The distributed storage system may include, but is not limited to: the IPFS (InterPlanetary File System) distributed storage system.
A service providing device operable to:
in response to receiving the service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request includes: a service access request is preset.
The preset service access request is one of the service access requests;
it should be noted that the identity management device may also be configured to:
after the service providing device accesses the identity management device according to the second virtual identity in the service access request, before the service providing device acquires the second public key associated with the second virtual identity from the database,
in response to the second virtual identity received in the identity management device, a second public key associated with the second virtual identity is determined from the digital signature result stored in the identity management device.
Wherein, the digital signature result comprises: and a second digital signature result.
A service providing device further operable to: and if the first signature result is successfully decrypted, the second virtual identity and the third public key are encrypted through the second public key to obtain a first encryption result, and the preset verification request comprising the first encryption result is sent to the service request device.
The service request device may be further operable to: and determining whether the virtual identity in the encryption result of the received verification request is the first virtual identity, if so, encrypting the first virtual identity through the third public key to obtain a second encryption result, and sending a preset verification response comprising the second encryption result to the service providing equipment.
It should be noted that the virtual identity in the encryption result of the verification request includes: the second virtual identity in the first encryption result of the preset verification request.
That is, the service request device may be further configured to:
and decrypting the encryption result of the received verification request through the first private key, and if the decryption is successful, determining that the virtual identity in the encryption result of the received verification request is a first virtual identity and the second public key is a first public key.
A service providing device further operable to: and in response to receiving the verification response sent by the service request equipment, decrypting the encrypted result in the verification response through a third private key, and determining whether the virtual identity in the verification response is the second virtual identity.
It should be noted that the virtual identity in the verification response includes: the first virtual identity in the preset verification response.
The service providing device may be further configured to: and if the virtual identity in the verification response is determined to be the second virtual identity, sending a confirmation indication to the service request device, wherein the confirmation indication can be used for indicating that the service request device successfully accesses the service providing device.
That is, if the service providing device determines that the first virtual identity in the preset authentication response is the second virtual identity, a confirmation indication is sent to the service requesting device.
In summary, the service request device sends preset registration information including the first virtual identity to the identity management device, and sends a preset service access request including the first signature result generated over the first virtual identity to the service providing device. The service providing device acquires the second public key from the identity management device according to the received second virtual identity; after successfully decrypting the first signature result with it, the service providing device sends the service request device a preset verification request containing the second virtual identity and a third public key encrypted under the second public key. The service request device determines the first virtual identity from the received preset verification request and sends back a preset verification response containing the first virtual identity encrypted under the third public key; the service providing device decrypts it and determines whether the first virtual identity in the preset verification response equals the second virtual identity. If so, it sends a confirmation instruction to the service request device, indicating that the service request device has successfully accessed the service providing device.
By adopting this system, the mechanism of mutual authentication of virtual identities among the service request device, the identity management device and the service providing device resists identity forgery attacks, identity theft attacks and the like, and improves the security of information in the IDaaS system.
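The whole exchange summarized above, together with the identity management device's signed record store from the earlier optional embodiments (fourth key pair, lookup that re-verifies the stored signature), as an added example written for this page and not the patent's own code. Assumptions: textbook RSA built on pow() with freshly generated keys stands in for the unnamed signature and encryption schemes, chosen only because it lets "decrypt the signature with the public key" be written literally; it has no padding and is not a secure construction, so production code would use RSA-PSS or ECDSA for signatures and RSA-OAEP or a hybrid scheme for the encrypted messages. The virtual identity is a truncated SHA-256 of the public key, a fixed-width one-way stand-in for the SHA-256/RIPEMD-160/Base58Check chain. The counter r is covered by the signature in M1 and carried inside the encrypted payloads of M2 and M3, since a counter sent in the clear could not reveal tampering. The message names (m1, m2, m3), class names and the dictionary record store are mine.

```python
import hashlib
import secrets

E = 65537   # public exponent shared by every toy key pair below (textbook RSA, no padding: NOT secure)

def _is_prime(n, rounds=24):
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                           # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def rsa_keygen(bits):
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:                        # E is prime, so coprime to phi iff E does not divide it
            return p * q, pow(E, -1, phi)             # (n, d); the public key is just n

def rsa(n, exp, block):                               # raw RSA; output is fixed width
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def sign(n, d, data):                                 # private-key operation on SHA-256(data)
    return rsa(n, d, hashlib.sha256(data).digest())

def verify(n, data, sig):                             # the text's "decrypt the signature with the public key"
    return rsa(n, E, sig).lstrip(b"\x00") == hashlib.sha256(data).digest().lstrip(b"\x00")

ID_BITS, SESSION_BITS, VID, CTR = 1024, 512, 40, 4    # key sizes; byte widths of identity and counter

def virtual_identity(n):                              # fixed-width one-way function of the public key
    return hashlib.sha256(n.to_bytes(ID_BITS // 8, "big")).digest()[:20].hex()

class IdentityManager:   # signs each record with its own ('fourth') key and re-checks it on lookup
    def __init__(self):
        self.n, self.d = rsa_keygen(ID_BITS)
        self.db = {}                                  # stands in for the blockchain / IPFS record store
    def register(self, vid, n):
        record = vid.encode() + n.to_bytes(ID_BITS // 8, "big")
        self.db[vid] = (record, sign(self.n, self.d, record))
    def lookup(self, vid):
        record, sig = self.db[vid]                    # KeyError if never registered
        if not verify(self.n, record, sig):
            raise ValueError("identity record tampered")
        return int.from_bytes(record[VID:], "big")

class Requester:
    def __init__(self, idm):
        self.n, self.d = rsa_keygen(ID_BITS)
        self.vid = virtual_identity(self.n)
        idm.register(self.vid, self.n)                # preset registration information
        self.r = secrets.randbelow(1 << 31)           # counter r; expects r+1 in M2, answers r+2 in M3
    def m1(self):                                     # preset service access request
        r = self.r.to_bytes(CTR, "big")
        return {"vid": self.vid, "r": r, "sig": sign(self.n, self.d, self.vid.encode() + r)}
    def m3(self, m2):                                 # preset verification response, or None
        pt = rsa(self.n, self.d, m2).lstrip(b"\x00")  # plaintext starts with a hex char, never 0x00
        if pt[:VID] != self.vid.encode() or int.from_bytes(pt[VID:VID + CTR], "big") != self.r + 1:
            return None
        n3 = int.from_bytes(pt[VID + CTR:], "big")
        return rsa(n3, E, self.vid.encode() + (self.r + 2).to_bytes(CTR, "big"))

class Provider:
    def __init__(self, idm):
        self.idm, self.sessions = idm, {}
    def m2(self, m1):                                 # preset verification request, or None
        vid2, r = m1["vid"], int.from_bytes(m1["r"], "big")
        try:
            n2 = self.idm.lookup(vid2)
        except (KeyError, ValueError):
            return None
        # Binding check the text leaves implicit: the key handed back must itself derive to vid2.
        if virtual_identity(n2) != vid2 or not verify(n2, vid2.encode() + m1["r"], m1["sig"]):
            return None
        n3, d3 = rsa_keygen(SESSION_BITS)             # fresh 'third' key pair per session
        self.sessions[vid2] = (n3, d3, r)
        return rsa(n2, E, vid2.encode() + (r + 1).to_bytes(CTR, "big") + n3.to_bytes(SESSION_BITS // 8, "big"))
    def confirm(self, vid2, m3):                      # True = send the confirmation instruction
        n3, d3, r = self.sessions.pop(vid2)
        pt = rsa(n3, d3, m3).lstrip(b"\x00")
        return pt[:VID] == vid2.encode() and int.from_bytes(pt[VID:], "big") == r + 2

def run(requester, provider):                         # one full exchange; True only if both sides accept
    m1 = requester.m1()
    m2 = provider.m2(m1)
    m3 = requester.m3(m2) if m2 is not None else None
    return m3 is not None and provider.confirm(m1["vid"], m3)
```

run() returns True only when the service providing device has verified M1 against the registered key and the decrypted M3 carries the expected identity and counter. The binding check in Provider.m2 (the returned key must itself derive to the requested identity) is not stated in the text, but it is what stops a substituted or corrupted identity record from being accepted; a forged M1 signed with a different key fails at verify(), which is the identity-forgery case the text claims to resist.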
In order to improve information security in the IDaaS system and further detail how identity forgery attacks, identity theft attacks and identity authentication attacks are resisted, the application also provides another IDaaS system for performing access control based on a mutual authentication mechanism.
Referring to fig. 3, a schematic structural diagram of another IDaaS system for performing access control based on a mutual authentication mechanism provided in the present application is shown in fig. 3, where the system may include, but is not limited to:
the system comprises a service request device, an identity management device and a service providing device; the service request device, the identity management device and the service providing device are connected through a network; wherein,
the service request device may be specifically configured to:
generating a first public key and a first private key, generating a first virtual identity based on the first public key, sending preset registration information including the first public key and the first virtual identity associated with it to the identity management device, signing the first virtual identity with the first private key to generate a first signature result, and sending a preset service access request M1 including the first signature result to the service providing device, wherein r is used to judge whether the preset service access request M1 has been tampered with.
The identity management device may be specifically configured to:
performing a digital signature on the received preset registration information with a fourth private key generated by the identity management device to obtain a second digital signature result, wherein the fourth public key and the fourth private key are a key pair generated by the identity management device;
writing the second digital signature result into the block chain, or storing the second digital signature result in a distributed storage system.
The service providing device may be further configured to:
if the first signature result is successfully decrypted, encrypting the second virtual identity and the third public key with the second public key to obtain a first encryption result, and sending a preset verification request M2 that includes the first encryption result to the service request device, wherein (r+1) is used to judge whether the preset verification request M2 has been tampered with; the third private key and the third public key are a key pair generated by the service providing device.
The service request device may be further configured to:
determining whether the second virtual identity in the first encryption result of the received preset verification request M2 is the first virtual identity; if the second virtual identity is the first virtual identity, encrypting the first virtual identity with the third public key obtained from the first encryption result to obtain a second encryption result, and sending a preset verification response M3 that includes the second encryption result to the service providing device, wherein (r+2) is used to judge whether M3 has been tampered with.
The service providing device may be further configured to:
in response to receiving the preset verification response M3 sent by the service request device, decrypting the second encryption result in the preset verification response M3 with the third private key to determine whether the first virtual identity in M3 is the second virtual identity; if it is determined that the first virtual identity in the preset verification response M3 is the second virtual identity, sending a confirmation indication to the service request device, indicating that the service request device has successfully accessed the service providing device.
The service request device may be further configured to:
after receiving the confirmation indication sent by the service providing device, encrypting the acquired student privacy data and sending it to the service providing device.
In summary, the service request device sends the preset registration information containing the first virtual identity to the identity management device, and the preset service access request containing the first signature result generated for the first virtual identity to the service providing device; after the service providing device has obtained from the identity management device the second public key for the received second virtual identity and has successfully decrypted the first signature result with it, it sends a preset verification request M2, containing the second virtual identity and the third public key encrypted with the second public key, to the service request device; the service request device determines from the received preset verification request that the virtual identity is its first virtual identity, and sends a preset verification response M3, containing the first virtual identity encrypted with the third public key, to the service providing device, which decrypts it to determine whether the virtual identity in the preset verification response is the second virtual identity and, if so, sends a confirmation instruction to the service request device indicating that the service request device has successfully accessed the service providing device. Therefore, by adopting the system of the application, the mutual authentication mechanism among the service request device, the service providing device and the identity management device can resist identity forgery attacks, identity theft attacks and the like, and the information security in the IDaaS system is improved.
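The exchange M1 to M3 described above, written out as an added example in Go; this is not code from the patent or from any product. Everything concrete is an assumption, since the patent fixes none of it: RSA-2048 with OAEP encryption and PKCS1v15 signatures over SHA-256, a virtual identity derived as a truncated fingerprint of the public key, the counter r bound into each message, and, because a full RSA public key does not fit in one OAEP block, the third public key sent beside M2 with its fingerprint inside the ciphertext; "decrypting the first signature result with the second public key" is implemented as signature verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed (the patent fixes none of this): RSA-2048, OAEP, PKCS1v15/SHA-256; VID = hex of the first 8 fingerprint bytes.
func fingerprint(pub *rsa.PublicKey) []byte {
	s := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return s[:]
}
func VID(pub *rsa.PublicKey) string { return hex.EncodeToString(fingerprint(pub)[:8]) }

// ctr encodes the tamper-detection counter (r, r+1, r+2) that is bound into every message.
func ctr(r uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, r); return b }
// Registry stands in for the identity management device (vid -> public key); Register refuses a vid that does not derive from the key.
type Registry map[string]*rsa.PublicKey

func (reg Registry) Register(vid string, pub *rsa.PublicKey) error {
	if VID(pub) != vid {
		return errors.New("registration rejected: vid does not derive from key")
	}
	reg[vid] = pub
	return nil
}

// M1 (requester -> provider): vid1 and a signature made with sk1 over vid1 || r.
func BuildM1(sk1 *rsa.PrivateKey, r uint64) (string, []byte, error) {
	vid := VID(&sk1.PublicKey)
	h := sha256.Sum256(append([]byte(vid), ctr(r)...))
	sig, err := rsa.SignPKCS1v15(rand.Reader, sk1, crypto.SHA256, h[:])
	return vid, sig, err
}

// M2 (provider -> requester): look pk2 up by vid, verify M1, then encrypt vid || fp(pk3) || r+1 under pk2.
func BuildM2(reg Registry, vid string, sig []byte, r uint64, sk3 *rsa.PrivateKey) ([]byte, error) {
	pk2, ok := reg[vid]
	h := sha256.Sum256(append([]byte(vid), ctr(r)...))
	if !ok || rsa.VerifyPKCS1v15(pk2, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("unknown vid or invalid M1 signature (forged or tampered)")
	}
	body := append(append([]byte(vid), fingerprint(&sk3.PublicKey)...), ctr(r+1)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk2, body, nil)
}

// M3 (requester -> provider): decrypt M2 with sk1; only if it names our vid, pk3 and r+1, encrypt vid1 || r+2 under pk3.
func BuildM3(sk1 *rsa.PrivateKey, m2 []byte, pk3 *rsa.PublicKey, r uint64) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sk1, m2, nil)
	if err != nil || len(pt) != 56 || string(pt[:16]) != VID(&sk1.PublicKey) ||
		string(pt[16:48]) != string(fingerprint(pk3)) || binary.BigEndian.Uint64(pt[48:]) != r+1 {
		return nil, errors.New("M2 not addressed to us, wrong pk3, or tampered counter")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk3, append([]byte(VID(&sk1.PublicKey)), ctr(r+2)...), nil)
}

// Confirm (provider): decrypt M3 with sk3 and grant access only if it carries the M1 vid together with r+2.
func Confirm(sk3 *rsa.PrivateKey, m3 []byte, vid string, r uint64) bool {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sk3, m3, nil)
	return err == nil && len(pt) == 24 && string(pt[:16]) == vid && binary.BigEndian.Uint64(pt[16:]) == r+2
}

func main() {
	sk1, _ := rsa.GenerateKey(rand.Reader, 2048) // requester's first key pair
	sk3, _ := rsa.GenerateKey(rand.Reader, 2048) // provider's third key pair
	reg := Registry{VID(&sk1.PublicKey): &sk1.PublicKey} // state after a valid Register call
	vid, sig, _ := BuildM1(sk1, 41)
	m2, _ := BuildM2(reg, vid, sig, 41, sk3)
	m3, _ := BuildM3(sk1, m2, &sk3.PublicKey, 41)
	fmt.Println("access confirmed:", Confirm(sk3, m3, vid, 41))
}
```

Each step returns an error at the point where a forged, replayed or tampered message would be noticed (unknown identity, bad signature, wrong counter, substituted third key), and Register is what stops a forger from binding someone else's virtual identity to their own key.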
It should be noted that the definitions or explanations in the embodiment of fig. 3, which are not explained in detail, may refer to the embodiment of fig. 1.
It should be noted that fig. 1-3 are only used for illustration and description of the present application and should not be taken as limiting the scope of the present application.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described generally in terms of their functionality in the foregoing description in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, systems and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, device and method may be implemented in other ways. For example, the components and steps of the various examples have been described generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above-described embodiments of the apparatus and device are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices, apparatuses or units, and may also be an electrical, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the elements may be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present application.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be substantially or partially contributed by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a memory and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned memory comprises: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. An IDaaS system for performing access control based on a mutual authentication mechanism, comprising:
the system comprises a service request device, an identity management device and a service providing device; the service request equipment, the identity management equipment and the service providing equipment are connected through a network;
the service request device is configured to generate a key pair including a first public key and a first private key, generate a first virtual identity based on the first public key, send preset registration information, which includes the first public key and the first virtual identity associated with the first public key, to the identity management device, sign the first virtual identity through the first private key to generate a first signature result, and send a preset service access request including the first signature result to the service providing device;
the identity management device is used for carrying out digital signature on the received registration information and storing an obtained second digital signature result in a database of the identity management device; the registration information includes: the preset registration information;
the service providing device is configured to: in response to receiving a service access request, accessing the identity management device according to a second virtual identity in the service access request, and acquiring a second public key associated with the second virtual identity from the database to decrypt the first signature result in the service access request and generate a key pair comprising a third public key and a third private key; the service access request includes: the preset service access request;
the service providing device is further configured to: if the first signature result is successfully decrypted, the second virtual identity and the third public key are encrypted through the second public key to obtain a first encryption result, and a preset verification request comprising the first encryption result is sent to the service request device;
the service request device is further configured to: determining whether the virtual identity in the encryption result of the received verification request is the first virtual identity, if so, encrypting the first virtual identity through the third public key to obtain a second encryption result, and sending a preset verification response comprising the second encryption result to the service providing equipment; the virtual identity in the encrypted result of the authentication request comprises: a second virtual identity in a second encryption result of the preset authentication request;
the service providing device is further configured to: in response to receiving a verification response sent by the service request device, decrypting an encryption result in the verification response through the third private key, and determining whether the virtual identity in the verification response is the second virtual identity; the virtual identity in the verification response comprises: the first virtual identity in the preset verification response;
the service providing device is further configured to: and if the virtual identity in the verification response is determined to be the second virtual identity, sending a confirmation instruction to the service request device, wherein the confirmation instruction is used for indicating that the service request device successfully accesses the service providing device.
2. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 1,
the identity management device is specifically configured to:
carrying out digital signature on the received registration information through a fourth private key generated by the identity management equipment to obtain a second digital signature result; the fourth public key and the fourth private key are a key pair generated by the identity management device;
and writing the second digital signature result into a block chain, or storing the second digital signature result in a distributed storage system.
3. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 2,
the identity management device is further configured to:
after the service providing device accesses the identity management device according to the second virtual identity in the service access request, before the service providing device acquires the second public key associated with the second virtual identity from the database,
and in response to the second virtual identity received in the identity management device, decrypting the digital signature result stored in the block chain or the distributed storage system through the fourth public key, and determining a second public key associated with the second virtual identity from the digital signature result.
4. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 3,
the service request device is specifically further configured to:
and decrypting the encryption result of the received verification request through the first private key, and if the decryption is successful, determining that the virtual identity in the encryption result of the received verification request is the first virtual identity and the second public key is the first public key.
5. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 1,
the service request device is specifically configured to:
generating a first public key and a first private key, generating a first virtual identity based on the first public key, sending preset registration information that includes the first public key and the first virtual identity associated with said first public key to the identity management device, signing the first virtual identity with the first private key to generate a first signature result, and sending a preset service access request M1 that includes the first signature result to the service providing device, wherein the r is used for judging whether the M1 has been tampered with.
6. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 5,
the identity management device is specifically configured to:
digitally signing the received preset registration information with a fourth private key generated by the identity management device to obtain a second digital signature result, wherein the fourth public key and the fourth private key are a key pair generated by the identity management device.
7. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 6,
the service providing device is specifically further configured to:
if the first signature result is successfully decrypted, encrypting the second virtual identity and the third public key with the second public key to obtain a first encryption result, and sending a preset verification request M2 that includes the first encryption result to the service request device, wherein the (r+1) is used for judging whether the M2 has been tampered with; the third private key and said third public key are a key pair generated by the service providing device.
8. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 7,
the service request device is specifically further configured to:
determining whether the second virtual identity in the first encryption result of the received preset verification request M2 is the first virtual identity; if so, encrypting the first virtual identity with said third public key obtained from the first encryption result to obtain a second encryption result, and sending a preset verification response M3 that includes the second encryption result to the service providing device, wherein the (r+2) is used for judging whether the M3 has been tampered with.
9. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 8,
the service providing device is specifically further configured to:
in response to receiving the preset verification response M3 sent by the service request device, decrypting the second encryption result in the preset verification response M3 with said third private key to determine whether the first virtual identity in the preset verification response M3 is the second virtual identity; if it is determined that the first virtual identity in the preset verification response M3 is the second virtual identity, sending an acknowledgement indication to the service request device, the acknowledgement indication indicating that the service request device successfully accessed the service providing device.
10. The IDaaS system for access control based on a mutual authentication mechanism as claimed in claim 9,
the service request device is further configured to:
after receiving a confirmation instruction sent by the service providing device, encrypting the acquired student privacy data and sending the encrypted student privacy data to the service providing device; the student privacy data includes: facial images, scores, archives or home backgrounds of students.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202220690604 | 2022-03-28 | |
CN2022206906043 | 2022-03-28 | |
Publications (1)
Publication Number | Publication Date
---|---
CN114928469A (en) | 2022-08-19
Family
ID=82805599
Family Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202210351647.3A Pending CN114928469A (en) | 2022-03-28 | 2022-04-02 | IDaaS system for access control based on mutual authentication mechanism
Country Status (1)
Country | Link
---|---
CN (1) | CN114928469A (en)
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |