CN115085935A - Identity verification method and authentication system - Google Patents


Info

Publication number: CN115085935A
Authority: CN (China)
Prior art keywords: excitation, information, server, response, equipment
Legal status: Pending
Application number: CN202210678815.XA
Other languages: Chinese (zh)
Inventor: 邱成杰
Current Assignee: Bank of China Financial Technology Co Ltd
Original Assignee: Bank of China Financial Technology Co Ltd
Application filed by Bank of China Financial Technology Co Ltd
Priority to CN202210678815.XA
Publication of CN115085935A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3278 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103 Challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Mathematical Physics (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses an identity verification method and an authentication system. The method is applied to an authentication system comprising a device side and a server, and includes the following steps: the device side sends an authentication request and its ID information to the server, where the ID information was generated by the server using a true random number generator when the device side registered; the server verifies the ID information of the device side; if the ID information passes verification, the device side and the server verify each other's identity using the excitation information (the PUF challenges) generated when the device side registered and the excitation responses to that information, where the excitation information is generated by the server for the device side, and each excitation response is generated by the device side using a physical unclonable function after receiving the excitation information from the server and is fed back to the server for storage; and if both the device side and the server pass identity verification, the server establishes a transaction communication channel with the device side.

Description

Identity verification method and authentication system
Technical Field
The present application relates to the field of identity verification technologies, and in particular, to an identity verification method and an authentication system.
Background
With the continuous development of technology, people's way of life tends to become more convenient, so more convenient payment methods are also needed for transactions; for any payment method, both convenience and security need to be considered.
A relatively convenient payment method currently in use is paying with a financial IC card, but this method cannot yet support transactions in digital currency, so its usage scenarios are not wide enough and its convenience is easily limited. Payment through a client application is currently the more prevalent approach and does not require an IC card, but authentication is required to ensure security. The verification method in use stores information such as a pre-generated key, a digital certificate or a fingerprint, so that identity verification can be performed with the stored information when a payment is made and interaction with the back end can proceed once verification passes, thereby completing the payment.
However, the stored key, digital certificate, fingerprint or similar information may be hacked and stolen, so the security of the transaction cannot be effectively ensured.
Disclosure of Invention
In view of the defects of the prior art, the application provides an identity verification method and an authentication system to solve the problem that the existing authentication method cannot effectively ensure the security of transactions.
In order to achieve the above object, the present application provides the following technical solutions:
A first aspect of the present application provides an identity verification method, applied to an authentication system that includes a device side and a server, the identity verification method including:
the device side sends an authentication request and the ID information of the device side to the server, where the ID information of the device side was generated by the server using a true random number generator when the device side registered;
the server verifies the ID information of the device side;
if the ID information of the device side passes verification, the device side and the server verify each other's identity using the excitation information generated when the device side registered and the excitation response to that excitation information, where the excitation information is generated by the server for the device side, and the excitation response is generated by the device side using a physical unclonable function after receiving the excitation information sent by the server and is fed back to the server for storage;
and if both the device side and the server pass identity verification, the server establishes a transaction communication channel with the device side.
Optionally, in the above identity verification method, before the device side sends the authentication request and its ID information to the server, the method further includes:
the server divides the complete excitation information corresponding to the device side into N pieces of excitation information;
the server generates the ID information of the device side using the true random number generator and generates a random index for each piece of excitation information;
the server sends the ID information of the device side and each piece of excitation information to the device side;
the device side generates the excitation response to each piece of excitation information using a physical unclonable function;
the device side feeds the excitation response to each piece of excitation information back to the server;
and the server stores the excitation response to each piece of excitation information in a database.
Optionally, in the above identity verification method, the device side and the server verifying each other's identity using the excitation information generated when the device side registered and its excitation response includes:
the device side verifies the identity of the server using a plurality of pieces of the excitation information generated when the device side registered and the excitation response to each piece, and the server verifies the identity of the device side using at least one piece of the excitation information generated when the device side registered and its excitation response.
Optionally, in the above identity verification method, the device side verifying the server using the plurality of pieces of excitation information generated when the device side registered and the excitation response to each piece includes:
the server uses the true random number generator to select a plurality of pieces of first excitation information, together with their excitation responses, from the pieces of excitation information of the device side and their excitation responses stored in a database, and sends them to the device side;
the device side generates the current excitation response to each received piece of first excitation information using a physical unclonable function;
the device side compares whether the currently generated excitation response to each piece of first excitation information is consistent with the received excitation response to that piece;
and if the currently generated excitation response to each piece of first excitation information is consistent with the received excitation response to that piece, the server is determined to have passed identity verification.
Optionally, in the above identity verification method, the server verifying the device side using at least one piece of the excitation information generated when the device side registered and its excitation response includes:
the server uses the true random number generator to select at least one piece of second excitation information from all pieces of excitation information of the device side stored in a database, and sends the second excitation information to the device side;
the device side generates the current excitation response to each received piece of second excitation information using a physical unclonable function;
the device side feeds the generated current excitation response to each piece of second excitation information back to the server;
the server compares whether the received current excitation response to each piece of second excitation information is consistent with the excitation response to that piece stored in the database;
and if the received current excitation response to each piece of second excitation information is consistent with the excitation response to that piece stored in the database, the device side is determined to have passed identity verification.
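The registration steps and the two verification procedures above, worked through as an added example that is not code from the patent or its assignee. Assumptions: the device PUF is simulated by HMAC keyed with a per-device secret (a real PUF would be silicon-specific hardware), the server TRNG is Python's `secrets`, and pieces of excitation information that have been revealed on the wire are marked so they are not reused, a safeguard added here rather than taken from the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

_rng = secrets.SystemRandom()  # stands in for the server's TRNG (assumption)


class SimulatedPUF:
    """Stand-in for the device PUF module (assumption). A real PUF derives the
    response from silicon variation; here HMAC keyed by a per-device secret plays
    that role, so only this device can reproduce its responses."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # never leaves this object

    def respond(self, challenge: bytes) -> bytes:
        # Computed on demand; the response is not stored on the device.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


@dataclass
class DeviceRecord:
    """Server database entry written at registration."""
    pieces: dict      # random index -> piece of excitation information (challenge)
    responses: dict   # random index -> excitation response stored at registration
    revealed: set = field(default_factory=set)  # indexes already exposed on the wire
    pending: set = field(default_factory=set)   # indexes the device must answer now


class Server:
    def __init__(self):
        self.db = {}

    def register(self, device, n_pieces, piece_len=16):
        # Split the complete excitation information into N pieces, generate the
        # device ID and a random index per piece with the TRNG, collect responses.
        full = secrets.token_bytes(n_pieces * piece_len)
        pieces = [full[i * piece_len:(i + 1) * piece_len] for i in range(n_pieces)]
        indexes = _rng.sample(range(1 << 32), n_pieces)   # distinct random indexes
        indexed = dict(zip(indexes, pieces))
        device_id = secrets.token_bytes(16)
        responses = device.enroll(device_id, indexed)     # PUF response per piece
        self.db[device_id] = DeviceRecord(indexed, responses)
        return device_id

    def verify_id(self, device_id):
        return device_id in self.db

    def _fresh(self, rec, count):
        pool = [i for i in rec.pieces if i not in rec.revealed]
        if len(pool) < count:
            raise RuntimeError("challenge pool exhausted; re-register the device")
        return _rng.sample(pool, count)

    def server_proof(self, device_id, k):
        # "First excitation information": k stored (challenge, response) pairs,
        # chosen by TRNG, sent so the device can check the server holds them.
        rec = self.db[device_id]
        chosen = self._fresh(rec, k)
        rec.revealed.update(chosen)   # added safeguard: never reuse a revealed pair
        return {i: (rec.pieces[i], rec.responses[i]) for i in chosen}

    def device_challenge(self, device_id, m):
        # "Second excitation information": m challenges whose responses stay secret.
        rec = self.db[device_id]
        rec.pending = set(self._fresh(rec, m))
        return {i: rec.pieces[i] for i in rec.pending}

    def verify_device(self, device_id, answers):
        rec = self.db[device_id]
        if not rec.pending or set(answers) != rec.pending:
            return False              # partial or stale answer set is a failure
        rec.revealed.update(rec.pending)
        rec.pending = set()
        return all(hmac.compare_digest(rec.responses[i], answers[i]) for i in answers)


class Device:
    def __init__(self, puf):
        self.puf = puf
        self.device_id = None

    def enroll(self, device_id, pieces):
        self.device_id = device_id
        return {i: self.puf.respond(c) for i, c in pieces.items()}

    def verify_server(self, proof):
        # Recompute each received challenge with the PUF and compare it with the
        # response the server claims to hold; a plurality of pairs is required.
        if len(proof) < 2:
            return False
        return all(hmac.compare_digest(self.puf.respond(c), r) for c, r in proof.values())

    def answer(self, challenges):
        return {i: self.puf.respond(c) for i, c in challenges.items()}


def mutual_authenticate(server, device, k=3, m=2):
    """Full flow: ID check, device verifies server, then server verifies device."""
    if not server.verify_id(device.device_id):
        return False
    if not device.verify_server(server.server_proof(device.device_id, k)):
        return False
    answers = device.answer(server.device_challenge(device.device_id, m))
    return server.verify_device(device.device_id, answers)
```

A device with a different PUF secret fails at the server-verification step even when it presents a valid ID, and a server without the registration database fails the ID check before any challenge is exchanged.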
A second aspect of the present application provides an authentication system, including:
a device side and a server;
the device side is configured to send an authentication request and the ID information of the device side to the server, and to verify the identity of the server using the excitation information generated when the device side registered and the excitation response to that excitation information, where the ID information of the device side was generated by the server using a true random number generator when the device side registered, the excitation information is generated by the server for the device side, and the excitation response is generated by the device side using a physical unclonable function after receiving the excitation information sent by the server and is fed back to the server for storage;
the server is configured to verify the ID information of the device side, to verify the identity of the device side using the excitation information generated when the device side registered and its excitation response once the ID information passes verification, and to establish a transaction communication channel with the device side when both the device side and the server pass identity verification.
Optionally, in the above authentication system, the server is further configured to:
divide the complete excitation information corresponding to the device side into N pieces of excitation information;
generate the ID information of the device side using the true random number generator, and generate a random index for each piece of excitation information;
send the ID information of the device side and each piece of excitation information to the device side;
receive the excitation response to each piece of excitation information fed back by the device side, where the excitation response to each piece is generated by the device side using a physical unclonable function;
and store the excitation response to each piece of excitation information in a database.
Optionally, in the above authentication system, the device side, when verifying the identity of the server using the excitation information generated when the device side registered and its excitation response, is configured to:
verify the identity of the server using a plurality of pieces of the excitation information generated when the device side registered and the excitation responses to those pieces.
Optionally, in the above authentication system, the server, when verifying the identity of the device side using the excitation information generated when the device side registered and its excitation response, is configured to:
verify the identity of the device side using at least one piece of the excitation information generated when the device side registered and its excitation response.
Optionally, in the above authentication system, when the device side verifies the server using a plurality of pieces of the excitation information generated when the device side registered and the excitation responses to the respective pieces, the authentication system is configured so that:
the server uses the true random number generator to select a plurality of pieces of first excitation information, together with their excitation responses, from the pieces of excitation information of the device side and their excitation responses stored in the database, and sends them to the device side; the device side generates the current excitation response to each received piece of first excitation information using a physical unclonable function;
the device side compares whether the currently generated excitation response to each piece of first excitation information is consistent with the received excitation response to that piece;
and if the currently generated excitation response to each piece of first excitation information is consistent with the received excitation response to that piece, the server is determined to have passed identity verification.
Optionally, in the above authentication system, the server verifying the identity of the device side using at least one piece of the excitation information generated when the device side registered and its excitation response includes:
the server uses the true random number generator to select at least one piece of second excitation information from all pieces of excitation information of the device side stored in a database, and sends the second excitation information to the device side;
the server receives the current excitation response to each piece of second excitation information fed back by the device side, where the device side generates the current excitation response to each received piece of second excitation information using a physical unclonable function and feeds it back;
the server compares whether the received current excitation response to each piece of second excitation information is consistent with the excitation response to that piece stored in the database;
and if the received current excitation response to each piece of second excitation information is consistent with the excitation response to that piece stored in the database, the device side is determined to have passed identity verification.
The application provides an identity verification method applied to an authentication system that includes a device side and a server. The device side sends an authentication request and its ID information to the server, where the ID information was generated by the server using the true random number generator when the device side registered. The server verifies the ID information of the device side. If the ID information passes verification, the device side and the server verify each other's identity using the excitation information generated when the device side registered and the excitation response to that information; the excitation information is generated by the server for the device side, and the excitation response is generated by the device side using the physical unclonable function after receiving the excitation information from the server and is fed back to the server for storage. If both the device side and the server pass identity verification, the server establishes a transaction communication channel with the device side. The true random number generator offers high security, and the information generated by the physical unclonable function uniquely identifies the device, is generated and used immediately, and is never stored on the device; the embodiments of the application therefore realize a safe and reliable verification method based on the true random number generator and the physical unclonable function, and effectively ensure transaction security.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic architecture diagram of an authentication system according to an embodiment of the present application;
Fig. 2 is a flowchart of an identity verification method according to an embodiment of the present application;
Fig. 3 is a flowchart of a device side registration method according to an embodiment of the present application;
Fig. 4 is a flowchart of a method by which the device side verifies the server using multiple pieces of excitation information generated when the device side registered and the excitation responses to those pieces, according to an embodiment of the present application;
Fig. 5 is a flowchart of a method by which the server verifies the device side using at least one piece of excitation information generated when the device side registered and its excitation response, according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In this application, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiment of the application provides an identity verification method, which aims to solve the problem that the prior art cannot effectively ensure transaction security.
The identity verification method provided in the embodiment of the present application is applied to an authentication system; therefore, to implement the identity verification method, the embodiment of the present application optionally provides an authentication system, as shown in Fig. 1, including a device side and a server.
As shown in Fig. 1, the device side mainly includes an identity authentication protocol, a networking module, a single-chip microcomputer (MCU), an ink screen, a true random number generator (TRNG), a physical unclonable function (PUF) module, and flash memory (Flash), random access memory (RAM) and read-only memory (ROM) to support display and storage functions.
The identity authentication protocol is mainly used for identity authentication with the server.
The networking module is mainly used for network connectivity, so as to enable data interaction between the local side and the network server and to upload local data to the server back end.
The single-chip microcomputer is mainly used for processing digital signals, providing programmable logic computation, managing the functions of hardware peripherals, and the like.
The ink screen is mainly used for visualizing local data.
The true random number generator (TRNG) and the physical unclonable function (PUF) interact with the other modules mainly via USB, and are mainly used for generating the corresponding excitation responses and for encrypting data, among other things.
Optionally, in another embodiment of the present application, in order to support face-to-face interaction, verification of client identity information, and the like, the device side may further include an NFC module.
Specifically, the authentication system provided in the embodiment of the present application includes a device side and a server, where the device side is configured to send an authentication request and the ID information of the device side to the server, and to verify the identity of the server using the excitation information generated when the device side registered and the excitation response to that excitation information.
The ID information of the device side is generated by the server using the true random number generator when the device side registers. The excitation information is generated by the server for the device side. The excitation response to the excitation information is generated by the device side using the physical unclonable function after receiving the excitation information sent by the server, and is fed back to the server for storage.
The server is configured to verify the ID information of the device side, to verify the identity of the device side using the excitation information generated when the device side registered and its excitation response once the ID information passes verification, and to establish a transaction communication channel with the device side when both the device side and the server pass identity verification.
Optionally, in an authentication system provided in another embodiment of the present application, the server is further configured to:
divide the complete excitation information corresponding to the device side into N pieces of excitation information;
generate the ID information of the device side using a true random number generator, and generate a random index for each piece of excitation information;
send the ID information of the device side and each piece of excitation information to the device side;
receive the excitation response of each piece of excitation information fed back by the device side, where the excitation response of each piece of excitation information is generated by the device side using a physical unclonable function;
and store the excitation response of each piece of excitation information in a database.
Optionally, in the authentication system provided in another embodiment of the present application, when the device side performs identity verification on the server by using the excitation information generated at the time of device-side registration and the excitation response of that excitation information, the device side is configured to:
perform identity verification on the server by using a plurality of pieces of excitation information generated during device-side registration and the excitation response of each piece of excitation information.
Optionally, in the authentication system provided in another embodiment of the present application, when the server performs identity verification on the device side by using the excitation information generated at the time of device-side registration and the excitation response of that excitation information, the server is configured to:
perform identity verification on the device side by using at least one piece of excitation information generated during device-side registration and the excitation response of that excitation information.
Optionally, in the authentication system provided in another embodiment of the present application, when the device side performs identity verification on the server by using the plurality of pieces of excitation information generated at the time of device-side registration and the excitation response of each piece of excitation information, the authentication system is configured so that:
the server selects, using a true random number generator, a plurality of pieces of first excitation information and their excitation responses from the pieces of excitation information of the device side and the excitation responses of each piece stored in the database, and sends them to the device side; the device side generates the current excitation response of each received piece of first excitation information using the physical unclonable function;
the device side compares whether the currently generated current excitation response of each piece of first excitation information is consistent with the received excitation response of each piece of first excitation information;
and if the currently generated current excitation response of each piece of first excitation information is consistent with the received excitation response of each piece of first excitation information, the device side determines that the server passes identity verification.
Optionally, in an authentication system provided by another embodiment of the present application, the server performing identity verification on the device side by using at least one piece of excitation information generated at the time of device-side registration and the excitation response of that excitation information includes:
the server selects, using the true random number generator, at least one piece of second excitation information from the excitation information of the device side stored in the database, and sends it to the device side;
the server receives the current excitation response of each piece of second excitation information fed back by the device side, where the current excitation response of each piece of second excitation information is generated and fed back by the device side using the physical unclonable function;
the server compares whether the received current excitation response of each piece of second excitation information is consistent with the excitation response of each piece of second excitation information stored in the database;
and if the comparison shows that the received current excitation response of each piece of second excitation information is consistent with the excitation response of each piece of second excitation information stored in the database, the server determines that the device side passes identity verification.
Based on the authentication system provided above, another embodiment of the present application provides an identity verification method that is applied to that authentication system, which, as described, includes a device side and a server. As shown in fig. 2, the identity verification method provided in the embodiment of the present application includes the following steps:
S201, the device side sends an authentication request and the ID information of the device side to the server.
The ID information of the device side is generated by the server using the true random number generator when the device side is registered.
It should be noted that, in the embodiment of the present application, the device side needs to interact with the server to perform authentication before it can carry out subsequent transactions, and the server needs to register the device side in advance and generate the information corresponding to it, such as the ID information and the excitation information of the device side.
Specifically, a device side that has already been registered on the server sends an authentication request and its ID information to the server whenever a communication channel for a transaction needs to be established with the server.
S202, the server verifies the ID information of the device side.
After receiving the ID information of the device side, the server looks up whether it has stored information consistent with that ID information; if it has, the server determines that the ID information of the device side passes verification.
S203, the server judges whether the ID information of the device side passes verification.
If the ID information of the device side is determined to pass verification, step S204 is executed.
S204, the device side and the server verify each other's identity by using the excitation information generated during device-side registration and the excitation response of that excitation information.
It should be noted that, to ensure security, in the embodiment of the present application not only does the server perform identity verification on the device side, but the device side also performs identity verification on the server. In the actual verification, the two parties exchange excitation information and the excitation responses of that excitation information, and compare the excitation responses.
The excitation information is generated by the server for the device side. After receiving the excitation information sent by the server, the device side generates the excitation response of the excitation information using the physical unclonable function and feeds it back to the server for storage.
Specifically, another embodiment of the present application provides a device-side registration method, as shown in fig. 3, including:
S301, the server divides the complete excitation information corresponding to the device side into N pieces of excitation information.
S302, the server generates the ID information of the device side using the true random number generator and generates a random index for each piece of excitation information.
It should be noted that the output of a true random number generator is non-periodic and unpredictable and forms part of current high-security encryption algorithms; therefore, in the embodiment of the present application, the true random number generator is used to encrypt information to obtain the corresponding encrypted information.
Generating a random index for each piece of excitation information facilitates the use and management of the excitation information.
S303, the server sends the ID information of the device side and each piece of excitation information to the device side.
S304, the device side generates the excitation response of each piece of excitation information using the physical unclonable function.
The information generated by a physical unclonable function can be regarded as analogous to a person's biometric identifier: it is the inherent, unique identifier of each piece of silicon, i.e. the chip fingerprint. Each IC produced is physically different because of imperfections in the silicon manufacturing process. These process variations manifest themselves as different path delays, transistor threshold voltages, voltage gains, and countless other differences between integrated circuits. Importantly, while these variations are random from one integrated circuit to the next, once known they are deterministic. A PUF exploits this inherent difference in IC behaviour to generate a unique cryptographic key for each IC, and so different device sides can be authenticated through it.
S305, the device side feeds back the excitation response of each piece of excitation information to the server.
S306, the server stores the excitation response of each piece of excitation information in a database.
Optionally, when registration is performed by the method shown in fig. 3, a specific implementation of step S204 includes:
the device side performs identity verification on the server by using a plurality of pieces of excitation information generated during device-side registration and the excitation response of each piece, and the server performs identity verification on the device side by using at least one piece of excitation information generated during device-side registration and the excitation response of that excitation information.
Since there are multiple pieces of excitation information and corresponding excitation responses, in order to effectively ensure the accuracy of authentication, in the embodiment of the present application several pieces of excitation information and their excitation responses are selected from all the excitation information and excitation responses recorded at registration for use in authentication.
Optionally, in another embodiment of the present application, an implementation of the device side performing identity verification on the server by using a plurality of pieces of excitation information generated when the device side registered and the excitation response of each piece of excitation information is shown in fig. 4 and includes:
S401, the server selects, using the true random number generator, a plurality of pieces of first excitation information and the excitation responses of that first excitation information from the pieces of excitation information of the device side and the excitation responses of each piece stored in the database, and sends them to the device side.
Optionally, a plurality of pieces of excitation information are randomly selected from the pieces of excitation information of the device side stored in the database as the first excitation information; the excitation response of each piece of first excitation information is then looked up in the database and sent to the device side together with it.
S402, the device side generates the current excitation response of each received piece of first excitation information using the physical unclonable function.
S403, the device side compares whether the currently generated current excitation response of each piece of first excitation information is consistent with the received excitation response of each piece of first excitation information.
If the identity of the server is legitimate, that is, the server is the one that registered the device side, then the excitation response of each piece of first excitation information sent by the server was generated by the device side at registration, so the current excitation response of each piece of first excitation information now generated by the device side should be consistent with the received excitation response of each piece of first excitation information. Therefore, if the comparison shows that the currently generated current excitation response of each piece of first excitation information is consistent with the received excitation response of each piece of first excitation information, step S404 is executed.
S404, the device side determines that the server passes identity verification.
Optionally, in another embodiment of the present application, the server performing identity verification on the device side by using at least one piece of excitation information generated during device-side registration and the excitation response of that excitation information is shown in fig. 5 and includes:
S501, the server selects, using the true random number generator, at least one piece of second excitation information from the excitation information stored in the database, and sends it to the device side.
Specifically, the server uses the true random number generator to randomly select at least one piece of excitation information from the excitation information stored in the database as the second excitation information, and sends it to the device side.
S502, the device side generates the current excitation response of each received piece of second excitation information using the physical unclonable function.
S503, the device side feeds back the generated current excitation response of each piece of second excitation information to the server.
S504, the server compares whether the received current excitation response of each piece of second excitation information is consistent with the excitation response of each piece of second excitation information stored in the database.
Since the device side fed back the generated excitation responses to the server for storage at registration, if the device side is the one that the server registered, that is, if the device side is legitimate, the currently generated current excitation response of each piece of second excitation information should be consistent with the excitation response of each piece of second excitation information stored in the database. Therefore, if the server finds on comparison that the received current excitation response of each piece of second excitation information is consistent with the excitation response of each piece of second excitation information stored in the database, step S505 is executed.
S505, the server determines that the device side passes identity verification.
S205, if both the device side and the server pass identity verification, the server establishes a transaction communication channel with the device side.
Optionally, after the device side and the server have each verified the other party's identity, each sends its verification result to the other, and the server then establishes a transaction communication channel with the device side so that the transaction is carried out over that channel. Alternatively, the server may request to establish the transaction communication channel with the device side once it has verified that the device side passes identity verification, and the device side accepts the server's request if it has also verified that the server passes identity verification. Or the device side may request to establish the transaction communication channel with the server once it has verified that the server passes identity verification, and the server accepts the device side's request if it has also verified that the device side passes identity verification.
The embodiment of the application provides an identity verification method applied to an authentication system that includes a device side and a server. The device side sends an authentication request and its ID information to the server, where the ID information of the device side is generated by the server using the true random number generator when the device side is registered. The server verifies the ID information of the device side. If the ID information of the device side passes verification, the device side and the server verify each other's identity by using the excitation information generated during device-side registration and the excitation response of that excitation information; the excitation information is generated by the server for the device side, and the excitation response of the excitation information is generated by the device side using the physical unclonable function after it receives the excitation information sent by the server, and is fed back to the server for storage. If both the device side and the server pass identity verification, the server establishes a transaction communication channel with the device side. The true random number generator offers high security, and the information generated by the physical unclonable function uniquely identifies the device, is generated at the moment of use and is not stored in the device; the embodiment of the application therefore realizes a secure and reliable verification method based on the true random number generator and the physical unclonable function, and effectively ensures transaction security.
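The registration procedure (S301-S306) and the two directions of mutual verification (S401-S404 and S501-S505) as an added, runnable simulation; this is not the patent's code. It assumes the PUF can be modelled by an HMAC keyed with a per-chip secret (a real PUF response is noisy and needs error correction first) and the TRNG by the operating system's secure random source; the device IDs, excitation blocks and the clone and impostor used in `demo()` are all constructed here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class SimulatedPUF:
    """Stand-in for the PUF (simulation, not a real PUF): HMAC over a per-chip secret
    models a response that is fixed per silicon but differs between chips. Real PUF
    responses are noisy and need error correction before a bit-for-bit comparison."""

    def __init__(self) -> None:
        self._silicon = secrets.token_bytes(32)  # models process variation; not stored on a real chip

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._silicon, challenge, hashlib.sha256).digest()


@dataclass
class Device:
    puf: SimulatedPUF
    device_id: bytes = b""                                      # assigned by the server at S303
    challenges: dict[int, bytes] = field(default_factory=dict)  # random index -> excitation block

    def respond_all(self, blocks: dict[int, bytes]) -> dict[int, bytes]:
        """S304 / S502: PUF response for every received excitation block."""
        return {i: self.puf.respond(c) for i, c in blocks.items()}

    def verify_server(self, first: dict[int, tuple[bytes, bytes]]) -> bool:
        """S402-S404: regenerate each response and compare it with the one the server sent."""
        return bool(first) and all(
            hmac.compare_digest(self.puf.respond(c), r) for c, r in first.values())


@dataclass
class Server:
    trng: secrets.SystemRandom = field(default_factory=secrets.SystemRandom)
    # database: device_id -> {random index: (excitation block, stored excitation response)}
    db: dict[bytes, dict[int, tuple[bytes, bytes]]] = field(default_factory=dict)

    def register(self, dev: Device, full_excitation: bytes, n: int) -> bytes:
        """S301-S306: split into N blocks, index them, send, collect responses, store."""
        size = -(-len(full_excitation) // n)                     # ceiling division
        blocks = [full_excitation[i:i + size] for i in range(0, len(full_excitation), size)]
        device_id = secrets.token_bytes(16)                      # S302: TRNG-generated ID
        indexed: dict[int, bytes] = {}
        for blk in blocks:                                       # S302: random index per block
            idx = self.trng.getrandbits(32)
            while idx in indexed:
                idx = self.trng.getrandbits(32)
            indexed[idx] = blk
        dev.device_id, dev.challenges = device_id, dict(indexed)  # S303
        responses = dev.respond_all(indexed)                       # S304-S305
        self.db[device_id] = {i: (indexed[i], responses[i]) for i in indexed}  # S306
        return device_id

    def verify_id(self, device_id: bytes) -> bool:
        """S202: the ID must be one this server issued at registration."""
        return device_id in self.db

    def pick_first(self, device_id: bytes, k: int) -> dict[int, tuple[bytes, bytes]]:
        """S401: TRNG-select k blocks; send both the block and its stored response."""
        crps = self.db[device_id]
        return {i: crps[i] for i in self.trng.sample(list(crps), k)}

    def pick_second(self, device_id: bytes, k: int) -> dict[int, bytes]:
        """S501: TRNG-select k blocks; send the block only."""
        crps = self.db[device_id]
        return {i: crps[i][0] for i in self.trng.sample(list(crps), k)}

    def verify_device(self, device_id: bytes, current: dict[int, bytes]) -> bool:
        """S504-S505: fresh responses must match the ones stored at registration."""
        stored = self.db[device_id]
        return bool(current) and all(
            i in stored and hmac.compare_digest(stored[i][1], r) for i, r in current.items())


def mutual_authenticate(dev: Device, srv: Server, k: int = 3) -> bool:
    """S201-S205: True only when both directions pass, i.e. a channel may be opened."""
    if not srv.verify_id(dev.device_id):                                   # S202-S203
        return False
    server_ok = dev.verify_server(srv.pick_first(dev.device_id, k))        # fig. 4
    second = srv.pick_second(dev.device_id, k)                             # S501
    device_ok = srv.verify_device(dev.device_id, dev.respond_all(second))  # S502-S505
    return server_ok and device_ok                                         # S205


def demo() -> tuple[bool, bool, bool]:
    """Genuine pair, a cloned device and an impostor server (all constructed here)."""
    srv = Server()
    genuine = Device(SimulatedPUF())
    srv.register(genuine, secrets.token_bytes(256), n=8)   # constructed complete excitation
    # Clone: same ID and blocks, but other silicon, so its PUF answers differently.
    clone = Device(SimulatedPUF(), genuine.device_id, dict(genuine.challenges))
    # Impostor: knows the blocks but never recorded the genuine responses.
    impostor = Server()
    impostor.db[genuine.device_id] = {
        i: (c, secrets.token_bytes(32)) for i, c in genuine.challenges.items()}
    return (mutual_authenticate(genuine, srv), mutual_authenticate(clone, srv),
            mutual_authenticate(genuine, impostor))  # (True, False, False)
```

`demo()` shows the two failure cases the procedure is meant to catch: a device with the right ID but different silicon fails S504, and a server that holds no recorded responses fails S403.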
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An identity verification method is applied to an authentication system, the authentication system comprises a device side and a server, and the identity verification method comprises the following steps:
the equipment terminal sends an authentication request and ID information of the equipment terminal to the server; the ID information of the equipment terminal is generated by the server by using a true random number generator when the equipment terminal is registered;
the server verifies the ID information of the equipment terminal;
if the ID information of the equipment end passes verification, the equipment end and the server carry out identity verification on the two parties by utilizing excitation information generated during registration of the equipment end and an excitation response of the excitation information; wherein the incentive information is generated by the server for the device side; the excitation response of the excitation information is generated by the equipment terminal by utilizing a physical unclonable function after receiving the excitation information sent by the server and is fed back to the server for storage;
and if the equipment end and the server both pass identity authentication, the server establishes a transaction communication channel with the equipment end.
2. The method according to claim 1, wherein before the device side sends the authentication request and the ID information of the device side to the server, the method further comprises:
the server divides the complete excitation information corresponding to the equipment end into N pieces of excitation information;
the server generates ID information of the equipment terminal by using the true random number generator and generates a random index of each piece of excitation information;
the server sends the ID information of the equipment end and the excitation information of each block to the equipment end;
the equipment terminal generates excitation response of each piece of excitation information by using a physical unclonable function;
the equipment end feeds back excitation response of each piece of excitation information to the server;
and the server stores the excitation response of each piece of excitation information in a database.
3. The method according to claim 2, wherein the device side and the server performing identity verification on each other by using the excitation information generated at the time of registration of the device side and the excitation response of the excitation information comprises:
the device side performs identity verification on the server by using a plurality of pieces of the excitation information generated during registration of the device side and the excitation responses of the excitation information, and the server performs identity verification on the device side by using at least one piece of the excitation information generated during registration of the device side and the excitation response of the excitation information.
4. The method according to claim 3, wherein the device side performing identity verification on the server by using a plurality of pieces of the excitation information generated when the device side registers and the excitation responses of the excitation information comprises:
the server selects, by using the true random number generator, a plurality of pieces of first excitation information and the excitation responses of the first excitation information from the pieces of excitation information of the device side and the excitation responses of each piece stored in a database, and sends them to the device side;
the device side generates the current excitation response of each piece of the received first excitation information by using a physical unclonable function;
the device side compares whether the currently generated current excitation response of each piece of the first excitation information is consistent with the received excitation response of each piece of the first excitation information;
and if the currently generated current excitation response of each piece of the first excitation information is consistent with the received excitation response of each piece of the first excitation information, determining that the server passes identity verification.
5. The method according to claim 3, wherein the server performing identity verification on the device side by using at least one piece of the excitation information generated when the device side registers and the excitation response of the excitation information comprises:
the server selects at least one piece of second excitation information from all pieces of excitation information of the equipment end stored in a database by using the true random number generator, and sends the second excitation information to the equipment end;
the equipment terminal generates the current excitation response of each piece of the received second excitation information by using a physical unclonable function;
the equipment end feeds back the current excitation response of each generated block of the second excitation information to the server;
the server compares whether the received current excitation response of each piece of the second excitation information is consistent with the excitation response of each piece of the second excitation information stored in the database;
and if the received current excitation response of each piece of the second excitation information is consistent with the excitation response of each piece of the second excitation information stored in the database, determining that the equipment end passes the identity authentication.
6. An authentication system, comprising:
the device side and the server;
the device side is used for sending an authentication request and ID information of the device side to the server, and performing identity verification on the server by using excitation information generated during registration of the device side and the excitation response of the excitation information; the ID information of the device side is generated by the server by using a true random number generator when the device side is registered; the excitation information is generated by the server for the device side; the excitation response of the excitation information is generated by the device side by using a physical unclonable function after receiving the excitation information sent by the server, and is fed back to the server for storage;
the server is used for verifying the ID information of the equipment end, utilizing the excitation information generated during the registration of the equipment end and the excitation response of the excitation information to verify the identity of the equipment end when the ID information of the equipment end passes the verification, and establishing a transaction communication channel between the equipment end and the server when the equipment end and the server both pass the identity verification.
7. The authentication system of claim 6, wherein the server is further configured to:
dividing complete excitation information corresponding to the equipment end into N pieces of excitation information;
generating ID information of the equipment terminal by using the true random number generator, and generating a random index of each piece of excitation information;
sending the ID information of the equipment end and each piece of excitation information to the equipment end;
receiving excitation response of each piece of excitation information fed back by the equipment end; the excitation response of each piece of excitation information is generated by the equipment terminal by using a physical unclonable function;
and storing the excitation response of each piece of excitation information in a database.
8. The authentication system according to claim 7, wherein the device side, when performing identity verification on the server by using the excitation information generated at the time of registration of the device side and the excitation response of the excitation information, is configured to:
perform identity verification on the server by using a plurality of pieces of the excitation information generated during registration of the device side and the excitation responses of the excitation information.
9. The authentication system according to claim 7, wherein the server, when performing identity verification on the device side by using the excitation information generated at the time of registration of the device side and the excitation response of the excitation information, is configured to:
perform identity verification on the device side by using at least one piece of the excitation information generated during registration of the device side and the excitation response of the excitation information.
10. The authentication system according to claim 8, wherein the device side, when performing identity verification on the server by using a plurality of pieces of the excitation information generated at the time of registration of the device side and the excitation response of each piece of the excitation information, is configured such that:
the server selects, by using the true random number generator, a plurality of pieces of first excitation information and the excitation responses thereof from the pieces of excitation information of the device side and the excitation responses of each piece stored in the database, and sends them to the device side; the device side generates the current excitation response of each piece of the received first excitation information by using a physical unclonable function;
the device side compares whether the currently generated current excitation response of each piece of the first excitation information is consistent with the received excitation response of each piece of the first excitation information;
and if the currently generated current excitation response of each piece of the first excitation information is consistent with the received excitation response of each piece of the first excitation information, determining that the server passes identity verification.
CN202210678815.XA 2022-06-16 2022-06-16 Identity verification method and authentication system Pending CN115085935A (en)

Publications (1)

Publication Number Publication Date
CN115085935A (en) 2022-09-20

Family

ID=83254604

Family Applications (1)

Application Number Status Publication Priority Date Filing Date Title
CN202210678815.XA Pending CN115085935A (en) 2022-06-16 2022-06-16 Identity verification method and authentication system

Country Status (1)

Country Link
CN (1) CN115085935A (en)

Similar Documents

Publication Publication Date Title
KR102044749B1 (en) Method for obtaining one-time authentication information for authentication based on blockchain
CN104994114B (en) A kind of identity authorization system and method based on electronic ID card
US9830447B2 (en) Method and system for verifying an access request
CN110677376B (en) Authentication method, related device and system and computer readable storage medium
CN107493273A (en) Identity identifying method, system and computer-readable recording medium
EP1351113A2 (en) A biometric authentication system and method
US20080184029A1 (en) Method and system for generating digital fingerprint
CN105868970B (en) authentication method and electronic equipment
CN109243045A (en) A kind of voting method, device, computer equipment and computer readable storage medium
CN112491843B (en) Database multiple authentication method, system, terminal and storage medium
CN112165382B (en) Software authorization method and device, authorization server side and terminal equipment
EP3206329B1 (en) Security check method, device, terminal and server
CN110177124A (en) Identity identifying method and relevant device based on block chain
CN112000744A (en) Signature method and related equipment
CN112953978B (en) Multi-signature authentication method, device, equipment and medium
CN108540447A (en) A kind of certification authentication method and system based on block chain
US10990978B2 (en) Method of transaction without physical support of a security identifier and without token, secured by the structural decoupling of the personal and service identifiers
CN111937348A (en) Authentication system and authentication program
CN111078649A (en) Block chain-based on-cloud file storage method and device and electronic equipment
CN115085935A (en) Identity verification method and authentication system
CN111294315B (en) Block chain-based security authentication method, block chain-based security authentication device, block chain-based security authentication equipment and storage medium
KR102021956B1 (en) Smart card based authentication system, device and method
CN113191751A (en) Block chain-based digital currency multi-sign method and system and electronic equipment
CN115277240B (en) Authentication method and device for Internet of things equipment
Fujita et al. Design and Implementation of a multi-factor web authentication system with MyNumberCard and WebUSB

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination