CN114978543A

CN114978543A - Method and system for registering and authenticating certificate

Info

Publication number: CN114978543A
Application number: CN202210563864.9A
Authority: CN
Inventors: 陆舟
Original assignee: Feitian Technologies Co Ltd
Current assignee: Feitian Technologies Co Ltd
Priority date: 2022-05-23
Filing date: 2022-05-23
Publication date: 2022-08-30
Anticipated expiration: 2042-05-23
Also published as: CN114978543B

Abstract

The invention provides a method and a system for registering and authenticating a certificate, wherein the method comprises a certificate registering process and a certificate authenticating process, wherein the certificate registering process comprises the following steps: the FIDO equipment judges that a registered enterprise certificate parameter in a registered certificate instruction sent by an upper application is a first preset value, and when a relying party identifier exists in a preset relying party identifier list, a certificate ciphertext and a first signature value are generated according to a generated public key of a user key pair, and the enterprise authentication parameter, the certificate ciphertext, the first signature value and the public key of the user key pair form a registered certificate instruction response; and when the upper application judges that the value of the enterprise authentication parameter in the response of the register certificate instruction sent by the FIDO equipment is a preset value and successfully verifies the signature of the first signature value, correspondingly storing the certificate ciphertext and the public key of the user key pair. The invention increases the security management of the enterprise to the key equipment and the relying party in the identity authentication process.

Description

Method and system for registering and authenticating certificate

Technical Field

The invention relates to the field of information security, in particular to a method and a system for registering and authenticating a certificate.

Background

In the prior art, the identity authentication process based on the FIDO cannot realize enterprise customization, neither can control which relying parties allow identity authentication, nor can distinguish legal identity authenticators, such as FIDO devices, which is not convenient for allocation management of enterprise specific rights.

Disclosure of Invention

The invention provides a method and equipment for registering and authenticating a certificate, which solve the technical problems.

The invention provides a method for registering and authenticating a certificate, which comprises the following steps: the method comprises a certificate registration process and a certificate authentication process, wherein the certificate registration process comprises the following steps:

step 1, an upper layer application generates a register certificate instruction according to configuration information input by a user and sends the register certificate instruction to an FIDO device, wherein the configuration information comprises a relying party identifier;

step 2, the FIDO equipment judges whether the enterprise certificate registering parameters exist in the certificate registering instruction, if yes, step 3 is executed, and if not, a standard FIDO certificate registering process is executed;

step 3, the FIDO equipment judges the value of the enterprise certificate parameter, if the value is a first preset value, step 4 is executed, and if the value is a second preset value, step 5 is executed;

step 4, the FIDO equipment judges whether the relying party identifier in the certificate registering instruction is in a preset relying party identifier list, if so, the step 5 is executed, and if not, the standard FIDO certificate registering process is executed;

step 5, the FIDO equipment generates and stores a user key pair, generates certificate data according to a public key of the user key pair, encrypts the certificate data by using an enterprise encryption and decryption key to obtain a certificate ciphertext, signs the certificate ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as a preset value, forms a registration certificate instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the certificate ciphertext, the first signature value and the public key of the user key pair, and returns the registration certificate instruction response to an upper application;

step 6, when the upper application judges that the value of the enterprise authentication parameter in the register certificate instruction response is a preset value and successfully verifies the signature of the first signature value by using a public key in a preset enterprise certificate, correspondingly storing a certificate ciphertext and a public key of a user key pair;

the credential authentication process includes:

step 1', the upper layer application sends a certificate verification instruction to the FIDO equipment;

step 2', the FIDO equipment analyzes the certificate verification instruction to obtain a relying party identifier, a certificate ciphertext and client data;

step 3 ', the FIDO equipment judges whether the dependency party identifier exists in a preset dependency party identifier list, if so, the step 4' is executed, and if not, a standard FIDO certificate authentication process is executed;

step 4', the FIDO equipment decrypts the certificate ciphertext by using the enterprise encryption and decryption key to obtain certificate data, generates a signature original text according to the certificate data, the relying party identifier and the client data, signs the signature original text by using a private key of the user key pair to obtain a second signature value, generates a response of a certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to the upper application;

and 5', the upper layer application checks the signature of the second signature value according to the signature original text and the public key of the user key pair corresponding to the certificate ciphertext, and after the signature is checked successfully, the upper layer application prompts that the authentication is successful.

In a possible embodiment, step 1 further includes, before:

step M1, the upper layer application sends an instruction for acquiring device information to the FIDO device;

step M2, the FIDO device returns a response of the device information acquisition instruction to the upper layer application;

step M3, the upper layer application judges whether the FIDO equipment supports the enterprise certificate registration function according to the response of the equipment information acquisition instruction, if not, step 1 is executed, if yes, the upper layer application judges whether the enterprise certificate registration function of the FIDO equipment is activated, if activated, step 1 is executed, if not, the upper layer application sends an instruction for activating the enterprise certificate registration function to the FIDO equipment, and step M4 is executed;

in step M4, the FIDO device sets the status of the registered enterprise credential function to activated, returns a response to the instruction of activating the registered enterprise credential function to the upper layer application, and executes step M1.

In a possible embodiment, step 3 is specifically: the FIDO equipment judges the value of the certificate parameter of the registered enterprise, if the value is a first preset value, the step 4a is executed, and if the value is a second preset value, the step 5 is executed;

and 4a, the FIDO equipment displays the value of the relying party identifier in the certificate registering instruction to the user, judges whether the confirmation information of the user is received or not, if so, executes the step 4, and if not, returns a failed certificate registering instruction response to the upper-layer application.

In a possible embodiment, step 5 further includes, before:

the FIDO equipment judges the value of the key storage attribute identifier in the certificate registration instruction; the step 5 specifically comprises the following steps:

when the value of the key storage attribute identification is a second preset value,

the FIDO equipment generates and stores a user key pair, generates certificate data according to a public key of the user key pair and a private key of the user key pair, encrypts the certificate data by using an enterprise encryption and decryption key to generate a certificate ciphertext, executes signature operation on the certificate ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as a preset value, forms a registration certificate instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the certificate ciphertext, the first signature value and the public key of the user key pair, and returns the registration certificate instruction response to the upper application;

when the value of the key storage attribute identifier is a first preset value, the FIDO equipment generates and stores a user key pair, generates certificate data according to a public key of the user key pair, encrypts the certificate data by using an enterprise encryption and decryption key to generate a certificate ciphertext, executes signature operation on the certificate ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, correspondingly binds and stores the certificate data, a relying party identifier and the private key of the user key pair, sets an enterprise authentication parameter as a preset value, forms a registration certificate instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the certificate ciphertext, the first signature value and the public key of the user key pair, and returns the registration certificate instruction response to an upper application;

step 4' is preceded by: : the FIDO device determines the length of the credential cryptograph, where step 4' specifically is:

when the length of the certificate ciphertext is a first preset value, the FIDO equipment decrypts the certificate ciphertext by using the enterprise encryption and decryption key, successfully decrypts to obtain the certificate data and a private key of a user key pair, forms a signature original text according to the certificate data, the relying party identifier and the client data, signs the signature original text by using the private key of the user key pair to obtain a second signature value, generates a response of a certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to an upper application;

when the length of the certificate ciphertext is a second preset value, the FIDO device decrypts the certificate ciphertext by using the enterprise encryption and decryption key to obtain certificate data, searches a private key of a corresponding user key pair according to the certificate data, forms a signature original text according to the certificate data, the relying party identifier and the client data, signs the signature original text by using the user private key to obtain a second signature value, generates a response of a certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to the upper application.

In a possible embodiment, step 6 is specifically: and when the upper application judges that the value of the enterprise authentication parameter in the register certificate instruction response is a preset value, the certificate chain of the preset enterprise certificate is valid and the signature verification of the first signature value by using the public key in the preset enterprise certificate is successful, correspondingly storing the certificate ciphertext and the public key of the user key pair.

In a possible implementation, step M4 is specifically: the FIDO equipment verifies the PIN authentication parameter in the instruction for activating the certificate function of the registered enterprise, sets the certificate function state of the registered enterprise to be activated when the verification is successful, returns a successful response for activating the certificate function instruction of the registered enterprise to the upper-layer application, and executes the step M1; and when the verification fails, returning a failure response for activating the instruction for registering the enterprise certificate function to the upper-layer application.

The invention also provides a system for registering and authenticating the certificate, which comprises: the upper application device comprises:

the generation module is used for generating a registration certificate instruction according to the configuration information input by the user;

the sending module is used for sending a registration credential instruction to the FIDO equipment;

the device is also used for sending a certificate verification instruction to the FIDO equipment;

the judging and storing module is used for correspondingly storing the certificate ciphertext and the public key of the user key pair when judging that the value of the enterprise authentication parameter in the certificate registration instruction response is a preset value and successfully verifying the signature of the first signature value by using the public key in the preset enterprise certificate;

and the signature verification prompting module is used for verifying the signature of the second signature value according to the public key of the user key pair corresponding to the signature original text and the certificate ciphertext and prompting the authentication success after the signature verification is successful.

FIDO device comprising:

the first judgment module is used for judging whether the enterprise certificate registration parameters exist in the certificate registration instruction or not;

the execution module is used for executing the standard FIDO registration certificate process when the judgment result of the first judgment module is negative; the first judging module is used for judging whether the first FIDO certificate is registered or not; the first judging module is used for judging whether the first FIDO certificate is a normal FIDO certificate or not;

the second judgment module is used for judging the value of the enterprise certificate registration parameter when the judgment result of the first judgment module is positive;

the third judging module is used for judging whether the relying party identifier in the certificate registering instruction is in a preset relying party identifier list or not when the second judging module judges that the value of the certificate parameter of the registered enterprise is the first preset value, if so, the storage generating module is triggered, and if not, the execution module is triggered; when the second judging module judges that the value of the enterprise certificate parameter is the second preset value, the generation and storage module is triggered;

the generation and storage module is used for generating and storing a user key pair, generating certificate data according to a public key of the user key pair, encrypting the certificate data by using an enterprise encryption and decryption key to obtain a certificate ciphertext, performing signature operation on the certificate ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, binding and storing the certificate data and a relying party identifier, setting an enterprise authentication parameter as a preset value, and forming a registration certificate instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the certificate ciphertext, the first signature value and the public key of the user key pair;

the return module is used for returning and generating a registration certificate instruction response formed by the storage module;

the analysis module is used for analyzing the certificate verification instruction to obtain a relying party identifier, a certificate ciphertext and client data;

the fourth judging module is used for judging whether the relying party identifier obtained by the analyzing module exists in a preset relying party identifier list or not;

the decryption generation module is used for decrypting the certificate ciphertext by using the enterprise encryption and decryption key to obtain certificate data when the judgment result of the fourth judgment module is yes, generating a signature original text according to the certificate data, the relying party identifier and the client data, signing the signature original text by using a private key of the user key pair to obtain a second signature value, and generating a response of the certificate verification instruction according to the signature original text and the second signature value;

and the sending module is used for sending the response of the certificate verification instruction to the upper application device.

The present invention also provides an FIDO device comprising at least one processor, a memory, and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to implement the operations of the FIDO device in the above-described credential registration and authentication method.

The present invention also provides a computer-readable storage medium including a computer program which, when run on a computer, causes the computer to perform the operations of the upper layer application in the above-described method of credential registration and authentication.

The present invention also provides a computer-readable storage medium including a computer program which, when run on a computer, causes the computer to perform the operations of the FIDO device in the above-described method of credential registration and authentication.

The invention has the beneficial effects that: the invention provides a method and equipment for registering and authenticating a certificate, which increase the safety management of an enterprise on an identity authenticator, such as an FIDO (fixed identity data optimized) device and a relying party in the identity authentication process. The enterprise can realize the specific enterprise identity authentication process through simple configuration information in the registration process. In addition, the identity authenticator which enables enterprise authentication can still be used for identity authentication of the personal account, and the use scene of the identity authenticator is expanded.

Drawings

Fig. 1 and fig. 2 are flowcharts of a credential registration and authentication method according to an embodiment of the present invention;

fig. 3 and fig. 4 are flowcharts of a credential registration and authentication method according to a second embodiment of the present invention;

fig. 5 is a flowchart of a credential registration and authentication method according to a third embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Example one

The embodiment provides a method for registering and authenticating a certificate, which comprises the following steps: as shown in fig. 1, the credential registration process includes:

step 1, an upper layer application generates a certificate registration instruction according to configuration information input by a user and sends the certificate registration instruction to an FIDO device;

in this embodiment, the configuration information includes a relying party identifier.

Step 2, the FIDO equipment judges whether the enterprise certificate registering parameters exist in the certificate registering instruction, if so, step 3 is executed, if not, the standard FIDO certificate registering process is executed, and the process is ended;

step 4, the FIDO equipment judges whether the relying party identification in the certificate registering instruction exists in a preset relying party identification list or not, if yes, the step 5 is executed, and if not, the standard FIDO certificate registering process is executed;

step 5, the FIDO equipment generates and stores a user key pair, generates credential data according to a public key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to obtain a credential ciphertext, signs the credential ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as a preset value, forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to an upper application;

as shown in fig. 2, the credential authentication procedure includes:

step 3 ', the FIDO equipment judges whether the relying party identifier exists in a preset relying party identifier list or not, if so, step 4' is executed, and if not, a standard FIDO registration certificate flow is executed;

In a possible embodiment, step 1 further includes, before:

In a possible embodiment, step 5 further includes, before:

when the value of the key storage attribute identifier is a second preset value, the FIDO equipment generates and stores a user key pair, generates certificate data according to a public key of the user key pair and a private key of the user key pair, encrypts the certificate data by using an enterprise encryption and decryption key to generate a certificate ciphertext, executes signature operation on the certificate ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as a preset value, forms a registration certificate instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the certificate ciphertext, the first signature value and the public key of the user key pair, and returns the registration certificate instruction response to the upper application;

the step 4' is preceded by: the FIDO equipment judges the length of the certificate ciphertext; the step 4' specifically comprises the following steps:

In a possible implementation, step M4 is specifically: the FIDO equipment verifies the PIN authentication parameter in the instruction for activating the certificate function of the registered enterprise, sets the certificate function state of the registered enterprise to be activated when the verification is successful, returns a response of the instruction for activating the certificate function of the registered enterprise to the upper-layer application, and executes the step M1; and when the verification fails, returning a response of the failed instruction for activating the registered enterprise certificate function to the upper-layer application.

Example two

The embodiment provides a method for registering and authenticating a certificate, which comprises a certificate registering process and a certificate authenticating process,

as shown in fig. 3, the credential registration process includes the following steps:

a1, after receiving a legal user name input by a user, the upper layer application prompts the user to input configuration information and receives the configuration information input by the user;

in this embodiment, the upper application may be an application program or a website;

in this step, the configuration information includes relying party identification, key storage attribute identification, registered enterprise credential parameters, and the like.

Wherein, the relying party identification is represented by rp id, the key storage attribute identification is represented by rk, and the registration enterprise certificate parameter is represented by entreprisestatation.

A2, the upper layer application sends an instruction for acquiring device information to the FIDO device;

a3, the FIDO device returns a response of the device information acquisition instruction to the upper layer application;

a4, the upper layer application judges whether the FIDO equipment supports the function of registering enterprise voucher according to the response of the equipment information acquisition command, if so, the step A5 is executed, and if not, the step A8 is executed;

the method comprises the following specific steps: the upper application analyzes the response of the device information acquisition instruction, judges whether a registered enterprise certificate function identifier exists in the response of the device information acquisition instruction, if so, executes the step A5, and if not, executes the step A8;

in this embodiment, step a4 may further include step a' 4:

the upper layer application judges whether the FIDO equipment is legal equipment, if so, the step A4 is executed, and if not, the user is prompted that the equipment operation is not supported.

Specifically, the method comprises the following steps: the upper layer application judges whether the value of the device unique identification parameter in the device response is a preset value, if so, step A4 is executed, and if not, the user is prompted that the device operation is not supported.

A5, the upper layer application judges whether the enterprise certificate function registered by the FIDO equipment is activated, if so, the step A8 is executed, and if not, the step A6 is executed;

the method comprises the following specific steps: the upper application judges the value of the enterprise certificate function identifier, if the value is a first preset value, the step A8 is executed, and if the value is a second preset value, the step A6 is executed;

in this embodiment, specifically, the first preset value is true, and the second preset value is false.

A6, the upper layer application sends an instruction for activating the function of registering enterprise credentials to the FIDO device;

a7, the FIDO device sets the state of the enterprise certificate function to be activated, sends the response of the command of activating the enterprise certificate function to the upper application, and executes the step A2;

in this step, the setting, by the FIDO device, the state of the certificate function of the registered enterprise to activated specifically includes: the FIDO equipment sets the state identification of the enterprise certificate registering function to be a first preset value.

A8, the upper layer application sends a certificate registration instruction to the FIDO device;

for example, the upper layer application sends registration credential instructions a 8015820687134968222 EC 17202E 42505F 8E D2B 16A E22F 16 BB 05B 88C DB 9E 602645F 14102 a 26269646965706174742E F6D 646E 616D 6569746573742E 6569746573742 a 36269645820D 4735 6569746573742 a 265E 16 EE 03E 03B 9B 5D 03019C 07D 6569746573742B 6569746573742C 51 6569746573742 DA 3a 666E EC 13 AB 35646D 6569746573742B 6569746573742C 6569746573742D 616D 6569746573742 a 6972C 696D 6579 a 6569746573742 a 3669632C 6B 6569746573742D 5072 a 6569746573742F 508553B 36728F 7D 629 6B 6569746573742 a 6569746573742B 6569746573742D 6569746573742 a 6569746573742D 6569746573742B 6569746573742D 6569746573742 a 6569746573742B 6569746573742D 6569746573742B 4D 6569746573742B 6569746573742D 6569746573742B 4F 6569746573742B 4D 6569746573742B 4D 6569746573742B 4C;

a9, the FIDO device judges whether the received certificate command has the certificate parameter of the registered enterprise, if yes, the step A11 is executed, if no, the step A10 is executed;

in this embodiment, after receiving the registration credential instruction sent by the upper application, the FIDO device parses the registration credential instruction.

For example, the FIDO device performs COBR parsing on the received registration credential instruction illustrated in step A8 to obtain:

{1:h'687134968222EC17202E42505F8ED2B16AE22F16BB05B88C25DB9E 602645F141'，2:{"id":"epatt.com"，"name":"test.ctap"}，3:{"id":h'D4735 E3A265E16EEE03F59718B9B5D03019C07D8B6C51F90DA3A666EEC13AB35'， "name":"2"，"displayName":"Test Ctap"}，4:[{"alg":-7，"type":"public-k ey"}，{"alg":-257，"type":"public-key"}，{"alg":-37，"type":"public-key "}]，7:{"rk":true}，8:h'B53F728F7D90E629A3AB0B5E7BFC07EE17DC196 D1DE5B22D4F89359755C3DCAF'，9:2，10:2}；

wherein field 2 is a relying party identifier, field 7 is a key storage attribute identifier, and field 10 is a registered enterprise credential parameter entrepressietatemation.

A10, the FIDO equipment executes the standard FIDO registration voucher process, and the process is finished;

a11, the FIDO device judges the value of the registered enterprise voucher parameter, if the value of the registered enterprise voucher parameter is the first preset value, the step A12 is executed, if the value of the registered enterprise voucher parameter is the second preset value, the step A17 is executed;

in this embodiment, the first pre-value represents that the provider assists in enterprise authentication, and the second pre-value represents that the platform manages enterprise authentication; the first predetermined value is, for example, 1, and the second predetermined value is, for example, 2;

a12, the FIDO device displays the value of the Relying Party Identification (RPID) of the register credential instruction to the user;

a13, the FIDO device judges whether the user confirmation information is received, if yes, the step A16 is executed, if no, the step A14 is executed;

a14, the FIDO equipment generates and returns a failed registration voucher instruction response, and the step A15 is executed;

a15, the upper layer application receives the failed registration certificate instruction response and prompts the user that the registration fails;

a16, the FIDO device judges whether the dependency identification of the register voucher command exists in the preset dependency identification list, if yes, the step A17 is executed, if no, the step A10 is executed;

a17, the FIDO equipment generates and stores a user key pair, generates certificate data according to a public key of the user key pair and a private key of the user key pair, encrypts the certificate data by using an encryption and decryption key to generate a certificate ciphertext, and executes signature operation on the certificate ciphertext according to the private key corresponding to a preset enterprise certificate to generate a first signature value;

in this step, generating credential data according to the public key of the user key pair and the private key of the user key pair specifically includes: and carrying out Hash operation according to the public key of the key pair to obtain a certificate identifier, and generating certificate data according to the certificate identifier and the private key of the user key pair.

In this embodiment, before this step, the FIDO device further determines a value of a key storage attribute identifier in the credential registration instruction, and performs step a' 17 when the value of the key storage attribute identifier is a first preset value, and performs step a17 when the value of the key storage attribute identifier (rk) is a second preset value;

step A' 17 is: the FIDO equipment generates and stores a user key pair, generates certificate data according to a user key pair public key, encrypts the certificate data by using an encryption and decryption key to generate a certificate ciphertext, executes signature operation on the certificate ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, and correspondingly binds and stores the certificate data, a relying party identifier and the private key of the user key pair;

in this step, generating credential data according to the user key pair public key specifically includes: and carrying out Hash operation on the public key of the user key pair to obtain a certificate identifier, and generating certificate data according to the certificate identifier.

In this embodiment, the encryption and decryption keys are generated by the FIDO device before the FIDO device leaves the factory, and there are two encryption and decryption keys, one is a universal encryption and decryption key, and one is an enterprise encryption and decryption key, and the universal encryption and decryption key is used in the standard FIDO registration credential flow of step a10, and the encryption and decryption keys in step a17 and step a 17' are specifically enterprise encryption and decryption keys.

A18, the FIDO device sets the value of the enterprise authentication parameter as a first preset value, and generates a successful registration certificate instruction response according to the enterprise authentication parameter, a preset enterprise certificate, a certificate ciphertext, a first signature value and a public key of a user key pair;

in this embodiment, the enterprise authentication parameter may be Epatt.

A19, the FIDO device returns a registration credential instruction response to the upper application;

for example, the FIDO device returns a successful registration credential instruction response to the upper layer application A470E EA B85 FF BD D3041B 4901B 494A 0F AB FB 5D 356B D58E 03 EE 041B 25E 54 DB 8F 64184640020C 40473F 1285C EF D B D83E 0672306A 796D EC F5748A 5013262001215820B 79C 93C 149F 41C 7F 9E 4604 AE BC 84D F17A 83F D BB E43C F36D 23 CD 84B 81 FF 991B 82 CB 01C 803A 50E 38281B DA D3377334B 24 FD 8F 584C 68F 4660B 5093E 39B 37C D83D 65381C 532F BA 9A 689E 689A B38281B DA D84B 81 FF 991B 82 FD 2B 80C 9E 38281B DA D3377334B 96 FD 8F 584C 68F 4660B 5093E 39B 37C D83D 4D D65381C 532F BA 35F BA 9A 689A 9738 DD F E F B55 DC 4B 6885A D99 697F ED 12300A 06082A 8648 CE 3D B D301B 0C E6F 6C 6F B C E F D180F A B D301B 0C E6F 6C 6F B0C E F6E C0D F8648 CE 3D A8648 CE 3D B27E 8E 39001F 54 EC 9B 6F 4 8841903764520A 876 EB 698D 3 00D 5B 4 CC D95632A 31 AC BD 67F 38D 62A DC 0C AD B EA D0 E DD A67 AB BF D13 CF 3796 AE 77B 1301D C51 CE AB 1C 2B AD 84C F71 CE C D130101 FF B2B E51B 2B E51 EE 041B 25E 54 DB 8F 06082A 8648 CE 3D F16E 910B BD 7F AC 33D 43A 681B 6396867 DD 6D CB 9D F FC F B1022100A 33B 652 BB 9B 7 31832E 5026E 5029C 37C 94A 44 AB F344D 65901 FA A41B 743 AE 6B 419C 17A 82A 8648 CE 3D B310B 301D 301B 0C E6F 6C 6F D5932 301B 06035504030C 144665697469616E 204649444F 20526F 6F 20526D 20526A 180F 20526A 20526B 20526D 301B 20526A 0C 20526E 20526E 6F 6C 6F 20526B 20526C 20526E 20526F 20526A 8648 CE 3D 20526A 8648 CE 3D 20526C 20526A 20526 FC 72 BB 28 BA 4A 20526 BF 8F 472B 066B 20526 02 20526D 02433 EB B20526D 877A 9C 4E 2B 7047D 25 20526 CE 203 64551D 20526 DB 20526B 20526A 20526D 20526F 20526C 20526B 20526 AD 20526F 20526D 20526B DE 20526B 78B 20526D 20526F 20526D 20526B DE 20526B 8B 20526D 20526F 20526D 20526B DE 20526F 20526B DE 20526D 20526B DE 20526F 20526B DE 20526B 8B DE 20526D 20526F 20526B DE 20526D 20526B DE 20526D 20526B DE 20526F 20526B DE 20526B 8B DE 20526D 20526B 8B DE 20526F 20526D 20526F 20526B 20526F 20526B DE 20526F 20526B F20526B 8B 20526F 20526B 20526F 20526B DE 20526B 20526F 20526B F20526B 20526D 20526F 20526B F20526B DE 20526B F20526B 20526F 20526B DE 20526D 20526F 20526D 20526B F B F20526F 36 040302034800304502207F B540C 43F 46961624 BD 132548B 44A DF 04B 661718F E42C 32 BA 5F 9A D40 3540 40C 706A B5022100 FA C5A 67D DC D5C 7F 79158A 4190568995B AE C753E 27A 954A 4E 3221F 79E 4A 60C 2F 104F 5.

A20, the upper application receives the response of the certificate registration instruction, when the value of the enterprise authentication parameter is judged to be a second preset value, the validity of the certificate chain of the preset enterprise certificate is judged to obtain a judgment result, the public key in the preset enterprise certificate is used for verifying the first signature value to obtain a verification result, and when the verification result is successful and the certificate chain of the preset enterprise certificate is valid, the public key of the certificate ciphertext and the user key pair is correspondingly stored to prompt the user that the certificate registration is successful.

In this step, the upper layer application parses the response to the register credential instruction after receiving the response to the register credential instruction.

For example, after receiving the response of the registration credential instruction in the example of step a19, the upper layer application performs COBR analysis on the response of the registration credential instruction, and obtains:

{1:"packed"，2:h'70E0EAB85CFFBDD3041B521627B7B4901A4A0FABA BFB5D356B19173003B2D58B4500000E03EE041BCE25E54CDB8F86897FD6418 4640020C40473F9A1285D2988510CEFD4B4D83EE0672306A5A796D3ECF07526 6F5748A0A5010203262001215820B79DC93AC149F0C41F7F9ECE9E4604AE038 29309222947BC84D7F17D3DC9A83C2258206018F1D2BBE43CC9F36E84D5D23 ECD84B8B81B9789A629631EFF991B82CB01C8'，3:{"alg":-7，"sig":h'3045 022100B50AE38281B1E8DAD3377334B96A24FD8F584C21733996F68D4660B50 93DE39A022074B37F38C5D83D4D744047FA65381C35DC532FBA689A9738DD F2E919765B0718'，"x5c":[h'3082023B308201E1A00302010202101DF2B55A51 DC4B6885A3D99E697FED12300A06082A8648CE3D0403023049310B300906035 5040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6 F67696573311B301906035504030C124665697469616E204649444F204341203034 3020170D3138303532313030303030305A180F32303333303532303233353935395 A3068310B3009060355040613025553311D301B060355040A0C144665697469616 E20546563686E6F6C6F6769657331223020060355040B0C1941757468656E74696 361746F72204174746573746174696F6E3116301406035504030C0D465420464944 4F3220303433303059301306072A8648CE3D020106082A8648CE3D03010703420 004B27E0E8E39001F54EC9B6F4FE8841903764520A876EB698D3CC00D7D5B4 DC3CCD95632A31A13ACBD67F38F3D62B2A5A0DC0CA52896400DC9AD3978 8BEA288045A38189308186301D0603551D0E04160414DD3244171A67ABBF522 00773D13CCF3796AE77B1301F0603551D2304183016801493237066C51DCEC4 AB1C2BAD84C1F3E71DCE6067300C0603551D130101FF040230003013060B2B0 601040182E51C0201010404030204303021060B2B0601040182E51C010104041204 10EE041BCE25E54CDB8F86897FD6418464300A06082A8648CE3D04030203480 0304502203F16E910B2A1BD7FAC33D43DA681B9663867DD6FA2D7CB9D2747 07F7FCF1B1B1022100A33BB88152391FC652BB9B7DE31832E5026B9AD3E37A C94F25A6F44EABF344D6'，h'308201FA308201A0A003020102021018152B41B7 43AE6DB41599C3B17D8209300A06082A8648CE3D040302304B310B300906035 5040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6 F67696573311D301B06035504030C144665697469616E204649444F20526F6F7420 43413020170D3138303532303030303030305A180F3230333830353139323335393 5395A3049310B3009060355040613025553311D301B060355040A0C14466569746 9616E20546563686E6F6C6F67696573311B301906035504030C124665697469616E 204649444F2043412030343059301306072A8648CE3D020106082A8648CE3D030 10703420004C5A11656398A9216FC72BB28BA4A698539BF8F472B066CC8402A 9DA49FD02433EBB54767470F5D877A9C4E2E9B7047D25AF85BCE203DC6455 1EAD9DB71EBB833A3663064301D0603551D0E0416041493237066C51DCEC4A B1C2BAD84C1F3E71DCE6067301F0603551D230418301680144BBD872611AD1 C89CF0458BE70D2088C6B1623B730120603551D130101FF040830060101FF0201 00300E0603551D0F0101FF040403020106300A06082A8648CE3D0403020348003 04502207FB540C43F46961624BD132548B44ADF04B661718FE42C32BA5F9AD4 0C706AB5022100FAC5A67DDCD5C7F79158A4190568995BAEC753E27A954A4 E3221F79E4A60C2F1']}，4:true}；

wherein, field 2 contains the certificate ciphertext, field 3 is the first signature value and the certificate chain, and field 4 represents Epatt.

As shown in fig. 4, the credential authentication process includes the following steps:

b1, after receiving the user name input by the user, the upper layer application prompts the user to input configuration information and receives the configuration information input by the user;

in this step, the configuration information includes the relying party identifier, the credential cryptograph, and the like.

B2, the upper layer application sends an instruction for acquiring device information to the FIDO device;

b3, the FIDO device returns a response of the device information acquisition instruction to the client;

b4, the upper layer application sends a certificate verification instruction to the FIDO equipment;

in this embodiment, the credential validation instruction includes a relying party identification, credential ciphertext, and client data.

B5, the FIDO equipment analyzes the certificate verification instruction to obtain a relying party identifier, a certificate ciphertext and client data, judges whether the relying party identifier is in a preset relying party identifier list, if so, executes the step B6, otherwise, executes a standard FIDO authentication certificate process, and ends;

step B6, the FIDO device judges the length of the certificate ciphertext, when the length is a first preset value, step B7 is executed, and when the length is a second preset value, step B7' is executed;

in this step, the first predetermined value is specifically 96, and the second predetermined value is specifically 32.

B7, the FIDO device performs MAC verification on the certificate ciphertext, decrypts the certificate ciphertext by using the encryption and decryption key after the MAC verification is successful, successfully decrypts the certificate ciphertext to obtain a certificate identifier and a private key of a user key pair, forms a signature original text according to the certificate identifier, the relying party identifier and the client data, signs the signature original text by using the private key of the user key pair to obtain a second signature value, and executes the step B8;

step B7', the FIDO device performs MAC verification on the certificate ciphertext, decrypts the certificate ciphertext by using the encryption and decryption key after the MAC verification is successful to obtain a certificate identifier, searches a private key of a corresponding user key pair according to the certificate identifier, forms a signature original text according to the certificate identifier, the relying party identifier and the client data, signs the signature original text by using the user private key to obtain a second signature value, and executes the step B8;

in steps B7 and B7', the encryption/decryption key is specifically an enterprise encryption/decryption key.

In the step B7 and the step B7', the method further includes: and the FIDO equipment decrypts the certificate ciphertext by using the enterprise encryption and decryption key, executes the standard FIDO authentication certificate flow after decryption fails and ends.

The encryption and decryption keys used in executing the standard FIDO authentication credential flow are general encryption and decryption keys.

B8, the FIDO equipment forms a response of the certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to the upper application;

and B9, the upper layer application analyzes the response of the certificate verification instruction to obtain a signature original text and a second signature value, the public key of the user key pair corresponding to the certificate ciphertext is used for verifying the signature of the second signature value, and after the signature verification is successful, the user is prompted to verify the signature successfully.

EXAMPLE III

The present embodiment provides a method for credential registration and authentication, as shown in fig. 5, including the following steps:

s1, the FIDO device receives the command, when the received command is the command of obtaining the device information, the step S2 is executed, when the received command is the command of activating the function of registering enterprise voucher, the step S3 is executed, when the received command is the command of registering the enterprise voucher, the step S6 is executed; when the received command is a credential verification command, performing step S15;

s2, the FIDO equipment returns a response of the equipment information acquisition instruction;

in this embodiment, when the FIDO device supports the registered enterprise authentication function, the returned response of the device information obtaining instruction includes the registered enterprise credential function identifier, and when the FIDO device does not support the registered enterprise authentication function, the returned response of the device information obtaining instruction does not include the registered enterprise credential function identifier.

S3, the FIDO device judges the state of the enterprise certificate function, if the state of the enterprise certificate function is activated, the step S5 is executed, and if the state of the enterprise certificate function is not activated, the step S4 is executed;

specifically, in this step, the FIDO device determines a value of the identifier of the credential function of the registered enterprise, and if the value of the identifier of the credential function of the registered enterprise is a second preset value, it indicates that the credential function of the registered enterprise is not activated, and performs step S4, and if the value of the identifier of the credential function of the registered enterprise is a first preset value, it indicates that the credential function of the registered enterprise is activated, and performs step S5;

s4, the FIDO device sets the state of the certificate function identifier of the registered enterprise to be activated, and executes S5;

s5, the FIDO equipment returns the response of the instruction for activating the certificate function of the registered enterprise after the certificate function of the registered enterprise is activated, and the step S1 is executed;

specifically, in this step, the FIDO device returns a response of the instruction to activate the enterprise credential function according to the response of the instruction to activate the enterprise credential function composed of the success status code.

Specifically, in step S1, the instruction for activating the enterprise certificate registration function is: the child instruction enablenamerstatation of the authorstoreconfig instruction.

The step can also be specifically as follows: the FIDO device verifies the value of the PIN authentication parameter in the command for activating the registered enterprise credential function, sets the state of the registered enterprise credential function to activated when verification is successful, performs step S5, returns an error response when verification is failed, and performs step S1.

Specifically, in this step, the value of the PIN authentication parameter in the instruction for activating the enterprise certificate registration function may be a PIN code, the FIDO device decrypts the PIN code using a pre-negotiated key, compares the decrypted data with pre-stored PIN code data, and if the decrypted data is the same as the pre-negotiated key, the verification is successful, and if the decrypted data is different from the pre-stored PIN code data, the verification fails.

In this embodiment, the value of the PIN authentication parameter may also be geometric pattern data and biometric data, and correspondingly, the pre-stored PIN code data may also be corresponding geometric pattern data and biometric data.

In this embodiment, the pre-negotiated key may be implemented by, but is not limited to, an ECDH algorithm.

S6, the FIDO device judges whether the registered enterprise voucher parameter exists in the registered voucher command, if yes, the step S8 is executed, and if not, the step S7 is executed;

specifically, in this embodiment, step S6 is preceded by: the FIDO device checks the value of the PIN authentication parameter in the register credential instruction, and when the check is successful, performs step S6, and when the check is failed, returns an error response, and performs step S1.

Specifically, in this step, the value of the PIN authentication parameter in the credential registration instruction may be PIN code ciphertext data, the FIDO device decrypts the PIN code ciphertext data using a pre-negotiated key, compares the decrypted data with pre-stored PIN code data, if the decrypted data is the same as the pre-negotiated key, the verification is successful, and if the decrypted data is different from the pre-negotiated key, the verification fails.

S7, the FIDO device executes the standard FIDO registration voucher process, and returns to the step S1;

the method comprises the following specific steps: the FIDO device searches for the general certificate, generates a signature operation according to a private key corresponding to the general certificate, generates a signature value, forms credential data, binds the credential data and the relying party identifier, generates a registration credential instruction response according to the signature value and the credential data, returns the registration credential instruction response, and executes step S1.

S8, the FIDO device judges the value of the enterprise certificate parameter of the certificate instruction, if the value of the enterprise certificate parameter is the first preset value, the step S9 is executed, if the value of the enterprise certificate parameter is the second preset value, the step S13 is executed;

in this embodiment, when the received instruction is a register credential instruction, before step S6, the method further includes: and the FIDO equipment analyzes the certificate registration instruction to obtain the certificate parameters of the registered enterprise, the identifier of the relying party and the identifier of the key storage attribute.

In this embodiment, for example, the first predetermined value is 1, and the second predetermined value is 2.

S9, the FIDO device displays the value of the relying party identifier of the certificate registering instruction to the user;

the method comprises the following specific steps: the FIDO equipment displays the value of the relying party identifier of the registered certificate instruction to the user and waits for the user to confirm information;

s10, the FIDO device judges whether the user confirmation information is received, if yes, the step S12 is executed, and if not, the step S11 is executed;

s11, the FIDO device generates and returns a failed registration voucher command response, and the step S1 is executed;

s12, the FIDO device judges whether the dependency party identification of the registered certificate instruction exists in a preset dependency party identification list, if so, the step S13 is executed, and if not, the step S7 is executed;

s13, the FIDO equipment generates and stores a user key pair, generates certificate data according to a public key of the user key pair and a private key of the user key pair, encrypts the certificate data by using an encryption and decryption key to generate a certificate ciphertext, and executes signature operation on the certificate ciphertext according to the private key corresponding to a preset enterprise certificate to generate a first signature value;

In this embodiment, the FIDO device is provisioned with an enterprise certificate corresponding to the value of the registered enterprise credential parameter.

Specifically, in this step, the FIDO device searches for the preset enterprise certificate corresponding to the value of the registered enterprise credential parameter according to the value of the registered enterprise credential parameter, for example, when the value of the registered enterprise credential parameter is the first preset value, the preset enterprise certificate corresponding to the first preset value is searched for, and when the value of the registered enterprise credential parameter is the second preset value, the preset enterprise certificate corresponding to the second preset value is searched for.

In this embodiment, the FIDO device only presets one enterprise certificate, and no matter whether the value of the enterprise credential parameter is the first preset value or the second preset value, the corresponding enterprise certificate is the same enterprise certificate.

In this embodiment, before this step, the FIDO device further determines a value of the key storage attribute identifier in the credential registration instruction, and when the value of the key storage attribute identifier is a first preset value, performs step S' 13, and when the value of the key storage attribute identifier is a second preset value, performs step S13;

step S' 13 is: the FIDO equipment generates and stores a user key pair, generates certificate data according to a user key pair public key, encrypts the certificate data by using an encryption and decryption key to generate a certificate ciphertext, executes signature operation on the certificate ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, and correspondingly binds and stores the certificate data, a relying party identifier and the private key of the user key pair;

In this embodiment, the encryption and decryption keys are generated by the FIDO device before the FIDO device leaves the factory, and there are two encryption and decryption keys, one is a general encryption and decryption key, and the other is an enterprise encryption and decryption key, and the general encryption and decryption key is used in the standard FIDO registration credential flow of step S7, and the encryption and decryption key in step S13 and step S' 13 is specifically an enterprise encryption and decryption key.

S14, the FIDO device sets the value of the enterprise authentication parameter to a first preset value, generates a successful registration voucher command response according to the enterprise authentication parameter, the preset enterprise certificate, the voucher ciphertext and the first signature value, returns the successful registration voucher command response, and executes the step S1.

Specifically, in this step, the FIDO device sets the value of the enterprise authentication parameter to the first preset value True, generates a successful registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential cryptograph, and the signature value, returns the successful registration credential instruction response, and performs step S1.

S15, the FIDO equipment analyzes the certificate verification instruction to obtain a relying party identifier and a certificate ciphertext, judges whether the relying party identifier is in a preset relying party identifier list, if so, executes the step S16, otherwise, executes a standard FIDO authentication certificate process, and returns to the step S1;

s16, the FIDO device judges the length of the voucher ciphertext, when the length is the first preset value, the step S17 is executed, when the length is the second preset value, the step S17' is executed;

in this step, the first predetermined value is specifically 96 and the second predetermined value is specifically 32.

S17, the FIDO device conducts MAC verification on the certificate ciphertext, after the MAC verification is successful, the certificate ciphertext is decrypted through the encryption and decryption key, the certificate identification and the private key of the user key pair are obtained after the decryption is successful, a signature original text is formed according to the certificate identification, the relying party identification and the client data, the signature original text is signed through the private key of the user key pair, a second signature value is obtained, and the step S18 is executed;

s17', the FIDO device conducts MAC verification on the certificate ciphertext, after the MAC verification is successful, the encryption and decryption key is used for decrypting the certificate ciphertext to obtain a certificate identifier, a private key of a corresponding user key pair is searched according to the certificate identifier, a signature original text is formed according to the certificate identifier, a relying party identifier and client data, the signature original text is signed by the user private key to obtain a second signature value, and the step S18 is executed;

in steps S17 and S17', the encryption/decryption key is specifically an enterprise encryption/decryption key.

In steps S17 and S17', further comprising: and the FIDO equipment decrypts the certificate ciphertext by using the enterprise encryption and decryption key, executes the standard FIDO authentication certificate flow after decryption fails and ends.

S18, the FIDO device composes a response of the certificate verification instruction according to the signature original text and the second signature value, sends the response of the certificate verification instruction to the upper layer application, and returns to the step S1.

Example four

The present embodiment further provides a system for credential registration and authentication, including: the upper application device comprises:

the sending module is used for sending a registration certificate instruction to the FIDO equipment; the device is also used for sending a certificate verification instruction to the FIDO equipment;

the judging and storing module is used for correspondingly storing the certificate ciphertext and the public key of the user key pair when the value of the enterprise authentication parameter in the register certificate instruction response is judged to be a preset value and the signature verification of the first signature value by using the public key in the preset enterprise certificate is successful;

The FIDO device comprises:

In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs. When the computer program is loaded and executed, the procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part. The computer program can be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions can be transmitted from one base station, server or data center to another base station, server or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium can be any available medium that can be accessed by the apparatus of the invention or can comprise one or more data storage devices, such as a server, a data center, etc., that can be integrated with the medium. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.

While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. A method of credential registration and authentication, the method comprising: the method comprises a certificate registration process and a certificate authentication process, wherein the certificate registration process comprises the following steps:

step 2, the FIDO equipment judges whether the certificate instruction of the registered enterprise has certificate parameters of the registered enterprise, if yes, step 3 is executed, and if not, a standard FIDO certificate registration process is executed;

step 4, the FIDO device judges whether the relying party identifier in the credential registering instruction is in a preset relying party identifier list, if yes, step 5 is executed, and if not, a standard FIDO credential registering process is executed;

the credential authentication procedure comprises:

step 3 ', the FIDO equipment judges whether the relying party identifier exists in a preset relying party identifier list or not, if so, step 4' is executed, and if not, a standard FIDO certificate authentication process is executed;

step 4', the FIDO equipment decrypts the certificate ciphertext by using the enterprise encryption and decryption key to obtain certificate data, generates a signature original text according to the certificate data, the relying party identifier and the client data, signs the signature original text by using a private key of a user key pair to obtain a second signature value, generates a response of a certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to the upper application;

2. The method of claim 1, wherein step 1 is preceded by:

3. The method according to claim 1, wherein step 3 is specifically: the FIDO equipment judges the value of the certificate parameter of the registered enterprise, if the value is a first preset value, the step 4a is executed, and if the value is a second preset value, the step 5 is executed;

4. The method of claim 1, wherein step 5 is preceded by: the FIDO equipment judges the value of a key storage attribute identifier in a certificate registration instruction; the step 5 specifically comprises the following steps:

when the value of the key storage attribute identifier is a second preset value, the FIDO equipment generates and stores a user key pair, generates credential data according to a public key of the user key pair and a private key of the user key pair, encrypts the credential data by using an enterprise encryption and decryption key to generate a credential ciphertext, executes signature operation on the credential ciphertext according to a private key corresponding to a preset enterprise certificate to generate a first signature value, sets an enterprise authentication parameter as the preset value, forms a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair, and returns the registration credential instruction response to an upper application;

the step 4' is preceded by: the FIDO equipment judges the length of the certificate ciphertext; the step 4' is specifically as follows:

when the length of the certificate ciphertext is a first preset value, the FIDO equipment decrypts the certificate ciphertext by using an enterprise encryption and decryption key, successfully decrypts to obtain certificate data and a private key of a user key pair, forms a signature original text according to the certificate data, a relying party identifier and client data, signs the signature original text by using the private key of the user key pair to obtain a second signature value, generates a response of a certificate verification instruction according to the signature original text and the second signature value, and sends the response of the certificate verification instruction to an upper application;

5. The method of claim 1,

the step 6 specifically comprises the following steps: and when the upper application judges that the value of the enterprise authentication parameter in the register certificate instruction response is a preset value, the certificate chain of the preset enterprise certificate is valid and the signature verification of the first signature value by using the public key in the preset enterprise certificate is successful, correspondingly storing the certificate ciphertext and the public key of the user key pair.

6. The method of claim 2,

the step M4 is specifically: the FIDO equipment verifies the PIN authentication parameter in the instruction for activating the certificate function of the registered enterprise, sets the certificate function state of the registered enterprise to be activated when the verification is successful, returns a successful response for activating the certificate function instruction of the registered enterprise to the upper-layer application, and executes the step M1; and when the verification fails, returning a failure response for activating the instruction for registering the enterprise certificate function to the upper-layer application.

7. A system for credential enrollment and authentication, the system comprising: the device comprises an upper application device and an FIDO device, wherein the upper application device comprises:

the generating module is used for generating a registration credential instruction according to configuration information input by a user;

a sending module, configured to send the registration credential instruction to the FIDO device; further configured to send credential verification instructions to the FIDO device;

The FIDO device includes:

the second judgment module is used for judging the value of the registered enterprise certificate parameter when the judgment result of the first judgment module is yes;

a third judging module, configured to, when the second judging module judges that the value of the registered enterprise credential parameter is the first preset value, judge whether a relying party identifier in the registered credential instruction is in a preset relying party identifier list, if yes, trigger a generation storage module, and if not, trigger the execution module; when the second judging module judges that the value of the registered enterprise voucher parameter is a second preset value, the second judging module triggers to generate a storage module;

the generation and storage module is used for generating and storing a user key pair, generating credential data according to a public key of the user key pair, encrypting the credential data by using an enterprise encryption and decryption key to obtain a credential ciphertext, performing signature operation on the credential ciphertext by using a private key of a preset enterprise certificate to generate a first signature value, binding and storing the credential data and a relying party identifier, setting an enterprise authentication parameter as a preset value, and forming a registration credential instruction response according to the enterprise authentication parameter, the preset enterprise certificate, the credential ciphertext, the first signature value and the public key of the user key pair;

the return module is used for returning the registration certificate instruction response formed by the generation and storage module;

the fourth judging module is configured to judge whether the relying party identifier obtained by the analyzing module exists in a preset relying party identifier list;

the decryption generation module is used for decrypting the certificate ciphertext by using the enterprise encryption and decryption key to obtain certificate data when the judgment result of the fourth judgment module is yes, generating a signature original text according to the certificate data, the relying party identifier and the client data, signing the signature original text by using a private key of a user key pair to obtain a second signature value, and generating a response of a certificate verification instruction according to the signature original text and the second signature value;

8. An FIDO device, comprising at least one processor, memory, and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to enable operation of the FIDO device in the method of any of claims 1-6.

9. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a computer program which, when run on a computer, causes the computer to perform the operations of an upper layer application in the method according to any one of claims 1 to 6.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a computer program which, when run on a computer, causes the computer to perform the operations of the FIDO device in the method according to any of claims 1 to 6.