CN115426106B - Identity authentication method, device and system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115426106B
Authority: CN (China)
Prior art keywords: quantum key; identity authentication; target account; identifier; quantum
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211034032.4A
Other languages: Chinese (zh)
Other versions: CN115426106A (en)
Inventors: 安晓江, 胡伯良, 蒋红宇
Current assignee: Beijing Haitai Fangyuan High Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Haitai Fangyuan High Technology Co Ltd
Events: application filed by Beijing Haitai Fangyuan High Technology Co Ltd; priority to CN202211034032.4A; publication of CN115426106A; application granted; publication of CN115426106B; legal status Active; anticipated expiration


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                    • H04L 9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
                • H04L 9/0852 Quantum cryptography
            • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
        • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L 9/321 ... involving a third party or a trusted authority
            • H04L 9/3247 ... involving digital signatures
            • H04L 9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/08 ... for authentication of entities
            • H04L 63/0823 ... using certificates

Abstract

The application discloses an identity authentication method, device and system, an electronic device and a storage medium. In the identity authentication system, a quantum key filling module fills quantum key information obtained from a first quantum key distribution device into the hardware cryptographic device of a target account; the hardware cryptographic device also holds a digital certificate and a signature key issued to the target account by a certification center. The method comprises: the client of the target account selects a first quantum key from the hardware cryptographic device, signs the first quantum key with the signature key to generate a signature value, and sends the signature value, the first quantum key identifier and the target account identifier to an identity authentication center. The identity authentication center obtains the digital certificate of the target account from the certification center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from a second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate.

Description

Identity authentication method, device and system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an identity authentication method, device, system, electronic device, and storage medium.
Background
Identity authentication schemes in the related art include username/password authentication, SMS-code authentication, fingerprint authentication, face authentication and digital-certificate authentication; of these, authentication based on a digital certificate offers higher security and is widely used. The general flow of digital-certificate authentication is as follows: the certification center issues a digital certificate and the corresponding signature key to the account, and both are stored in a hardware cryptographic device. During authentication, the identity authentication server returns a generated random number to the account's client; the client signs the random number with the signature key held in the hardware cryptographic device to obtain a signature value and sends the signature value together with the account identifier to the server; the server obtains the account's digital certificate from the certification center according to the account identifier and verifies the signature value with the public key in the certificate; if verification passes, identity authentication succeeds.
However, the random number generated by the authentication server is sent to the client in plaintext, where it can be intercepted and used to forge a signature, so the existing digital-certificate-based authentication carries a security risk.
Disclosure of Invention
To address the security risk of existing digital-certificate-based identity authentication, the embodiments of the present application provide an identity authentication method, device and system, an electronic device and a storage medium that improve the security of identity authentication.
In a first aspect, an embodiment of the present application provides an identity authentication method implemented on the client side and applied to an identity authentication system. The identity authentication system includes a certification center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of a target account, which further holds a digital certificate and a signature key issued to the target account by the certification center. The method comprises the following steps:
the client of the target account selects a first quantum key from the hardware cryptographic device;
signs the first quantum key with the signature key to generate a signature value; and
sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certification center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible implementation, selecting the first quantum key from the hardware cryptographic device by the client of the target account specifically includes:
the client of the target account selecting a first quantum key segment of a preset length from the first quantum key and recording the offset of that segment; and
when sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, the method further includes:
sending the offset to the identity authentication center as well, so that the identity authentication center obtains, from the second quantum key distribution device according to the first quantum key identifier and the offset, the second quantum key segment of the preset length within the second quantum key corresponding to the first quantum key identifier.
In another possible implementation, selecting the first quantum key from the hardware cryptographic device by the client of the target account specifically includes:
the client of the target account selecting a first quantum key segment of arbitrary length from the first quantum key and recording both the offset and the length of that segment; and
when sending the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, the method further includes:
sending the offset and the length to the identity authentication center as well, so that the identity authentication center obtains, from the second quantum key distribution device according to the first quantum key identifier, the offset and the length, the second quantum key segment of that length within the second quantum key corresponding to the first quantum key identifier.
In a second aspect, an embodiment of the present application provides an identity authentication device implemented on the client side and applied to an identity authentication system. The identity authentication system includes a certification center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of a target account, which further holds a digital certificate and a signature key issued to the target account by the certification center. The device comprises:
a selecting unit, configured to select a first quantum key from the hardware cryptographic device;
a signing unit, configured to sign the first quantum key with the signature key to generate a signature value; and
a sending unit, configured to send the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certification center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible implementation, the selecting unit is specifically configured to select a first quantum key segment of a preset length from the first quantum key and record the offset of that segment; and
the sending unit is further configured to send the offset to the identity authentication center together with the signature value, the first quantum key identifier and the target account identifier, so that the identity authentication center obtains, from the second quantum key distribution device according to the first quantum key identifier and the offset, the second quantum key segment of the preset length within the second quantum key corresponding to the first quantum key identifier.
In another possible implementation, the selecting unit is specifically configured to select a first quantum key segment of arbitrary length from the first quantum key and record both the offset and the length of that segment; and
the sending unit is further configured to send the offset and the length to the identity authentication center together with the signature value, the first quantum key identifier and the target account identifier, so that the identity authentication center obtains, from the second quantum key distribution device according to the first quantum key identifier, the offset and the length, the second quantum key segment of that length within the second quantum key corresponding to the first quantum key identifier.
In a third aspect, an embodiment of the present application provides an identity authentication method implemented at the identity authentication center and applied to an identity authentication system. The identity authentication system includes a certification center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of a target account, which further holds a digital certificate and a signature key issued to the target account by the certification center. The method comprises the following steps:
the identity authentication center receives, from the client of the target account, a signature value, a first quantum key identifier and a target account identifier, where the signature value was generated by signing, with the signature key, a first quantum key selected from the hardware cryptographic device;
obtains the digital certificate of the target account from the certification center according to the target account identifier;
obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and
verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible embodiment, the method further comprises:
receiving an offset of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a segment of a preset length that the client selected from the first quantum key; and
obtaining the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier specifically includes:
obtaining, from the second quantum key distribution device according to the first quantum key identifier and the offset, the second quantum key segment of the preset length within the second quantum key corresponding to the first quantum key identifier.
In another possible embodiment, the method further comprises:
receiving an offset and a length of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a segment of arbitrary length that the client selected from the first quantum key; and
obtaining the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier specifically includes:
obtaining, from the second quantum key distribution device according to the first quantum key identifier, the offset and the length, the second quantum key segment of that length within the second quantum key corresponding to the first quantum key identifier.
In one possible implementation, before obtaining the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the method further comprises:
determining that the client of the target account has not already sent this offset for the first quantum key identifier in a round of identity authentication before the current one, so that a key segment that has already been presented is not accepted again.
In a fourth aspect, an embodiment of the present application provides an identity authentication device implemented on the identity authentication center side. The identity authentication system includes a certification center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of a target account, which further holds a digital certificate and a signature key issued to the target account by the certification center. The device comprises:
a receiving unit, configured to receive, from the client of the target account, a signature value, a first quantum key identifier and a target account identifier, where the signature value was generated by signing, with the signature key, a first quantum key selected from the hardware cryptographic device;
a first obtaining unit, configured to obtain the digital certificate of the target account from the certification center according to the target account identifier;
a second obtaining unit, configured to obtain a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and
an authentication unit, configured to verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible implementation, the receiving unit is further configured to receive an offset of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a segment of a preset length that the client selected from the first quantum key; and
the second obtaining unit is specifically configured to obtain, from the second quantum key distribution device according to the first quantum key identifier and the offset, the second quantum key segment of the preset length within the second quantum key corresponding to the first quantum key identifier.
In another possible implementation, the receiving unit is further configured to receive an offset and a length of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a segment of arbitrary length that the client selected from the first quantum key; and
the second obtaining unit is specifically configured to obtain, from the second quantum key distribution device according to the first quantum key identifier, the offset and the length, the second quantum key segment of that length within the second quantum key corresponding to the first quantum key identifier.
In one possible embodiment, the device further comprises:
a determining unit, configured to determine, before the second quantum key corresponding to the first quantum key identifier is obtained from the second quantum key distribution device, that the client of the target account has not already sent this offset for the first quantum key identifier in a round of identity authentication before the current one.
In a fifth aspect, an embodiment of the present application provides an identity authentication system comprising a certification center, a quantum key filling module and an identity authentication center. A first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key. In the system:
the certification center is configured to issue a digital certificate and a signature key to the target account; the digital certificate and the signature key are stored in the hardware cryptographic device of the target account;
the quantum key filling module is configured to obtain quantum key information from the first quantum key distribution device and fill it into the hardware cryptographic device of the target account; and
the identity authentication center is configured to receive, from the client of the target account, a signature value, a first quantum key identifier and a target account identifier, where the signature value was generated by signing, with the signature key, a first quantum key selected from the hardware cryptographic device; to obtain the digital certificate of the target account from the certification center according to the target account identifier; to obtain a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and to verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
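The exchange described in the first, third and fifth aspects (the client selects and signs a quantum key segment; the identity authentication center retrieves the matching second segment and the account's certificate and verifies the signature), together with the offset/length variant and the reused-offset check of the third aspect, as an added example in Go. This is illustrative code written for this page, not code from the patent or from the assignee. Everything not stated on the page is an assumption made here: Ed25519 stands in for whichever signature algorithm the hardware cryptographic device actually uses; the two quantum key distribution devices are emulated by two maps loaded with the same constructed 64-byte key under the identifier "qk-0001"; the account identifier "alice", the certificate represented as a plain struct, and the names Setup, ClientAuthenticate and Verify are all invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate stands in for the digital certificate: account identifier bound to a public key.
type Certificate struct {
	AccountID string
	PublicKey ed25519.PublicKey
}

// QKDDevice models one quantum key distribution device as key material indexed by quantum key
// identifier; the patent's two devices hold the same key under the same identifier (assumption).
type QKDDevice map[string][]byte

// Segment returns length bytes of key keyID starting at offset, or an error if no such segment exists.
func (d QKDDevice) Segment(keyID string, offset, length int) ([]byte, error) {
	k, ok := d[keyID]
	if !ok || offset < 0 || length <= 0 || offset+length > len(k) {
		return nil, fmt.Errorf("no %d-byte segment at offset %d of quantum key %q", length, offset, keyID)
	}
	return k[offset : offset+length], nil
}

// HardwareDevice is the account's hardware cryptographic device: certificate and signing key from
// the certification center, first quantum key and its identifier from the quantum key filling module.
type HardwareDevice struct {
	Cert       Certificate
	SigningKey ed25519.PrivateKey
	KeyID      string
	QuantumKey []byte
}

// AuthRequest is what the client sends to the identity authentication center.
type AuthRequest struct {
	AccountID, KeyID string
	Offset, Length   int
	Signature        []byte
}

// ClientAuthenticate is the client side: select a first quantum key segment at offset/length,
// sign it with the signing key, and report which segment was used (key identifier, offset, length).
func ClientAuthenticate(dev *HardwareDevice, offset, length int) (AuthRequest, error) {
	seg, err := QKDDevice{dev.KeyID: dev.QuantumKey}.Segment(dev.KeyID, offset, length)
	if err != nil {
		return AuthRequest{}, err
	}
	return AuthRequest{dev.Cert.AccountID, dev.KeyID, offset, length, ed25519.Sign(dev.SigningKey, seg)}, nil
}

// AuthCenter is the identity authentication center: the second QKD device, the certification
// center's certificate store, and the (key identifier, offset) pairs already presented.
type AuthCenter struct {
	QKD   QKDDevice
	Certs map[string]Certificate
	Used  map[string]bool
}

// Verify fetches the certificate by account identifier and the second quantum key segment by
// identifier/offset/length, rejects a reused offset, then checks the signature with the public key.
func (a *AuthCenter) Verify(req AuthRequest) error {
	cert, ok := a.Certs[req.AccountID]
	if !ok {
		return fmt.Errorf("no certificate for account %q", req.AccountID)
	}
	segID := fmt.Sprintf("%s:%d", req.KeyID, req.Offset)
	if a.Used[segID] {
		return errors.New("offset already used for this quantum key identifier")
	}
	second, err := a.QKD.Segment(req.KeyID, req.Offset, req.Length)
	if err != nil {
		return err
	}
	if !ed25519.Verify(cert.PublicKey, second, req.Signature) {
		return errors.New("signature verification failed")
	}
	a.Used[segID] = true
	return nil
}

// Setup builds the system on a constructed 64-byte stand-in for QKD output (not real key material)
// held by both QKD devices as "qk-0001", enrols account "alice", and fills her hardware device.
func Setup() (*HardwareDevice, *AuthCenter) {
	shared := make([]byte, 64)
	for i := range shared {
		shared[i] = byte(i * 7)
	}
	first, second := QKDDevice{"qk-0001": shared}, QKDDevice{"qk-0001": shared}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // certification center issues cert + signing key
	if err != nil {
		panic(err)
	}
	dev := &HardwareDevice{Cert: Certificate{AccountID: "alice", PublicKey: pub}, SigningKey: priv, KeyID: "qk-0001"}
	dev.QuantumKey = append([]byte(nil), first["qk-0001"]...) // quantum key filling module
	return dev, &AuthCenter{QKD: second, Certs: map[string]Certificate{"alice": dev.Cert}, Used: map[string]bool{}}
}

func main() {
	dev, center := Setup()
	req, _ := ClientAuthenticate(dev, 16, 32)
	fmt.Println("first round:", center.Verify(req), "replay:", center.Verify(req))
}
```

Run with `go run`: the first Verify returns nil and the immediate replay of the same request returns the reused-offset error. Two properties of the scheme exactly as the page describes it are visible in the code: the reuse record is keyed on the key identifier and offset only, so a later request at a different offset whose segment overlaps an already used one is not caught by that check, and the signature covers only the key segment, with the account identifier, key identifier, offset and length travelling unsigned beside it.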
In a sixth aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the identity authentication method described in the present application when executing the program.
In a seventh aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs steps in an identity authentication method described herein.
The beneficial effects of this application are as follows:
The identity authentication system provided by the embodiments of the application comprises a certification center, a quantum key filling module and an identity authentication center. A first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account, which also stores the digital certificate and the signature key issued to the target account by the certification center. The client of the target account selects a first quantum key from the hardware cryptographic device, signs it with the signature key to generate a signature value, and sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center. The identity authentication center obtains the digital certificate of the target account from the certification center according to the target account identifier, obtains the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device, and verifies the signature value according to the second quantum key and the public key in the digital certificate.
Compared with digital-certificate authentication based on a server-generated random number, the quantum key that takes the place of the random number is never sent from the identity authentication center to the client of the target account: it is pre-filled into the hardware cryptographic device of the target account by the quantum key filling module, so the client reads the quantum key directly from the hardware cryptographic device and signs it with the signature key to obtain the signature value. When the identity authentication center receives the signature value sent by the client of the target account, it retrieves the corresponding quantum key according to the quantum key identifier, verifies the signature value with the public key in the retrieved digital certificate, and checks that the quantum key recovered from the signature value with the public key is consistent with the retrieved quantum key; on that basis it decides whether identity authentication succeeds.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of an implementation of an identity authentication method according to an embodiment of the present application;
fig. 3 is a schematic implementation flow chart of an identity authentication method implemented by a client side according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an identity authentication device implemented at a client side according to an embodiment of the present application;
fig. 5 is a schematic diagram of an implementation flow of an identity authentication method implemented by an identity authentication center side according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an identity authentication device implemented at the side of an identity authentication center according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to solve the problems in the background art, the embodiment of the application provides an identity authentication method, an identity authentication device, electronic equipment and a storage medium.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and are not intended to limit the present application, and embodiments and features of embodiments of the present application may be combined with each other without conflict.
Referring to fig. 1, which is a schematic diagram of an application scenario of the identity authentication method provided by the embodiment of the present application, the application scenario may include a client 100 of a target account and an identity authentication system 101, where the identity authentication system 101 may include an issuing center 1011, a quantum key filling module 1012 and an identity authentication center 1013. The client 100 of the target account is connected to the issuing center 1011, to the identity authentication center 1013 and to the quantum key filling module 1012 through a network. A first quantum key distribution (QKD) device is deployed in the quantum key filling module 1012 and a second quantum key distribution device is deployed in the identity authentication center 1013; the first and second quantum key distribution devices generate the same quantum key, and the quantum keys produced by the two devices may be delivered in digital envelope form.
The issuing center 1011 is configured to issue a digital certificate and a signing key to the target account, where the digital certificate and the signing key are stored in the hardware cryptographic device of the target account.
In specific implementation, a user inserts the hardware cryptographic device of the target account into the client 100, and the user can send a certificate request to the issuing center 1011 through the client 100, the issuing center 1011 issues a digital certificate and a signing key for the target account, and the digital certificate and the signing key are sent to the hardware cryptographic device on the client 100 for storage. The issuing center may be a CA (Certificate Authority, certification authority) issuing center, and the hardware cryptographic device may be, but is not limited to, a USBKey device.
The quantum key filling module 1012 is configured to obtain quantum key information from the first quantum key distribution device, and fill the quantum key information into the hardware cryptographic device of the target account.
In specific implementation, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key according to a pre-configured key generation policy; the quantum key distribution mechanism ensures that the two devices securely derive identical keys. The key generation policy may include the number of quantum keys generated per round and the length of each quantum key, for example 10 quantum keys per round, each 800 kbytes long, and may be set according to actual requirements. After the quantum keys are generated, each quantum key is assigned a unique identifier (i.e. an index value); the same quantum key receives the same identifier on both devices, so that each quantum key identifier uniquely identifies one quantum key. The quantum key filling module 1012 obtains the generated quantum key information, comprising the quantum key identifier and the quantum key, from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account on the client 100. The total size of the quantum keys filled into the hardware cryptographic device in one filling operation is determined by the capacity of the hardware cryptographic device and does not exceed that capacity.
The identity authentication center 1013 is configured to receive, from the client 100 of the target account, a signature value generated by signing a first quantum key selected from the hardware cryptographic device with the signing key, together with a first quantum key identifier and a target account identifier; to obtain the digital certificate of the target account from the issuing center 1011 according to the target account identifier; to obtain a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and to verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
The issuing center 1011 is further configured to return a digital certificate corresponding to the target account identifier to the identity authentication center 1013.
In specific implementation, the identity authentication center 1013 decrypts the signature value sent by the client 100 with the public key in the digital certificate of the target account obtained from the issuing center 1011 to recover the first quantum key, and compares it with the second quantum key. If the two are consistent, authentication succeeds; otherwise authentication fails and an authentication failure message is returned to the client 100. With a signature scheme that does not provide message recovery, the equivalent check is to verify the signature value against the second quantum key using the public key.
The identity authentication center 1013 may be a server, which may be an independent physical server or a cloud server providing basic cloud computing services such as cloud computing, cloud databases and cloud storage. The client 100 may be, but is not limited to, a smart phone, tablet computer, notebook computer or desktop computer; embodiments of the present application are not limited in this respect.
Based on the above application scenario, an exemplary embodiment of the present application will be described in more detail below with reference to fig. 2, and it should be noted that the above application scenario is only shown for the convenience of understanding the spirit and principles of the present application, and embodiments of the present application are not limited in any way herein. Rather, embodiments of the present application may be applied to any scenario where applicable.
As shown in fig. 2, which is a schematic implementation flow chart of an identity authentication method according to an embodiment of the present application, the identity authentication method may be applied to the identity authentication system 101 described above, and may specifically include the following steps:
S21, the quantum key filling module fills the quantum key information obtained from the first quantum key distribution device into the hardware cryptographic device of the target account on the client.
In specific implementation, the quantum key filling module obtains quantum key information, namely the quantum key identifier and the quantum key, from the first quantum key distribution device it deploys, and fills the obtained quantum key information into the hardware cryptographic device of the target account inserted into the client.
S22, the client selects a first quantum key from the hardware cryptographic device.
In specific implementation, the client of the target account selects one quantum key from the hardware cryptographic device of the target account, which is recorded as the first quantum key.
In one embodiment, the client may select one complete quantum key, i.e., the first quantum key, for signing.
In order to save computing resources of the client, in another embodiment the client may instead select a segment of set length from the first quantum key, referred to as the first quantum key segment, sign only that segment, and record the offset of the first quantum key segment. The set length used for signing may be agreed in advance between the client and the identity authentication center, which the embodiment of the present application does not limit.
For example, if the length of the first quantum key is 800 KB, the client may select a first quantum key segment of 8 KB from the first quantum key for each authentication; the segments may be taken sequentially or not, which is not limited in the embodiment of the present application. Taking sequential selection as an example, with the offset counting segments of the set length, the offset is 0 for the first authentication and the first 8 KB of the first quantum key are selected as the first quantum key segment; the offset is 1 for the second authentication and the next 8 KB are selected; and so on, until every segment of the first quantum key has been used, after which the client moves on to the next quantum key according to its quantum key identifier. In this way the first quantum key segment selected for signing is never repeated, achieving a one-time-pad effect. When the quantum keys in the hardware cryptographic device are used up, the client requests new quantum keys from the quantum key filling module; the first quantum key distribution device deployed by the quantum key filling module and the second quantum key distribution device deployed by the identity authentication center generate new identical quantum keys, and the quantum key filling module obtains the newly generated quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account on the client.
As another possible implementation, the client of the target account may also select a first quantum key segment of arbitrary length from the first quantum key and record both the offset and the length of the first quantum key segment.
S23, the client signs the first quantum key with the signing key to generate a signature value.
In specific implementation, the client signs the first quantum key (or the selected first quantum key segment) with the signing key stored in the hardware cryptographic device of the target account to obtain the signature value.
And S24, the client sends the signature value, the first quantum key identification and the target account identification to an identity authentication center.
When the client of the target account selects a first quantum key segment with a set length from the first quantum keys, the client sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center for authentication, and meanwhile, the offset of the first quantum key segment is required to be sent to the identity authentication center.
When the client of the target account selects a first quantum key segment with any length from the first quantum keys, the client sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center for authentication, and simultaneously, the offset of the first quantum key segment and the length of the first quantum key segment are required to be sent to the identity authentication center.
S25, the identity authentication center requests the digital certificate of the target account from the issuing center according to the target account identification.
S26, the issuing center returns the digital certificate of the target account to the identity authentication center.
And S27, the identity authentication center acquires a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution equipment according to the first quantum key identifier.
In specific implementation, if the client of the target account sends the signature value, the first quantum key identifier, the offset of the first quantum key segment and the target account identifier to the identity authentication center, the identity authentication center first compares the received offset with the offsets it has previously received from the client of the target account for the same first quantum key identifier in earlier authentications. Only if the client of the target account has not previously submitted this offset for this first quantum key identifier does the identity authentication center obtain, from the second quantum key distribution device it deploys, the quantum key segment of the set length at that offset in the quantum key corresponding to the first quantum key identifier (the second quantum key), that is, the second quantum key segment, which is identical to the first quantum key segment. An offset that has already been used is rejected, so a captured signature value cannot be replayed. Because the identity authentication center obtains the second quantum key segment directly from its own quantum key distribution device, the first quantum key segment never has to be transmitted to the client, and the client can sign it locally, which improves the security of the identity authentication process.
If the client of the target account sends the signature value, the first quantum key identifier, the offset of the first quantum key segment, the length of the first quantum key segment and the target account identifier to the identity authentication center, and the identity authentication center determines that the client has not previously submitted this offset for this first quantum key identifier, the identity authentication center obtains, from the second quantum key distribution device, the second quantum key segment of that length in the second quantum key corresponding to the first quantum key identifier, according to the first quantum key identifier, the offset and the length.
It should be noted that, in the embodiment of the present application, the execution sequence of step S25 and step S27 is not limited, and these two steps may also be performed simultaneously.
And S28, the identity authentication center verifies the signature value according to the second quantum key and the public key in the digital certificate, and an identity authentication result is obtained.
The identity authentication center verifies the signature value sent by the client using the public key in the digital certificate obtained from the issuing center: it recovers the first quantum key segment from the signature value and checks whether it is consistent with the second quantum key segment obtained from the second quantum key distribution device. If the two are consistent, authentication succeeds; otherwise authentication fails and an authentication failure message is returned to the client.
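The flow S21 to S28 above, including the set-length and arbitrary-length segment variants of S22 and S24 and the offset check of S27, as one runnable model. This is an added example and not code from the patent or its assignee: the two QKD devices are replaced by a shared dictionary of constructed random keys, the hardware cryptographic device by a small class that tracks how much of each key it has consumed, and the device's signing key and certificate by a fixed textbook RSA key pair (the names `HardwareDevice`, `AuthCenter`, `client_authenticate` and the message field names are this example's own). The signature is computed over the SHA-256 digest of the selected segment, so what the identity authentication center recovers with the public key is that digest, which it compares against the digest of its own copy of the segment. The center also rejects any segment range that overlaps one it has already accepted for the same account and key identifier, which is what stops a captured signature value from being replayed. Raw RSA over a digest is for illustration only; a real device uses a padded RSA or SM2 signature.

```python
"""Toy end-to-end model of quantum-key-segment authentication (added example)."""
import hashlib
import secrets

KEY_LENGTH = 800 * 1024      # 800 KB per quantum key, as in the page
SEGMENT_LENGTH = 8 * 1024    # 8 KB signed per authentication, as in the page


def make_key_pool(count=3, length=KEY_LENGTH):
    """Stand-in for both QKD devices: a constructed pool indexed by key id."""
    return {key_id: secrets.token_bytes(length) for key_id in range(count)}


# Toy textbook RSA standing in for the USBKey's signing key and certificate.
# Fixed Mersenne primes keep the demo deterministic; real devices use a
# padded RSA or SM2 signature, never raw RSA. pow(e, -1, m) needs Python 3.8+.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(segment: bytes, n: int) -> int:
    """The quantity actually signed: SHA-256 of the segment, reduced mod n."""
    return int.from_bytes(hashlib.sha256(segment).digest(), "big") % n


def sign(segment: bytes) -> int:
    return pow(digest_int(segment, N), D, N)


class HardwareDevice:
    """USBKey stand-in: filled quantum keys plus a per-key consumption pointer."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.keys = {}
        self.consumed = {}      # key id -> bytes of that key already signed

    def fill(self, pool) -> int:
        """Fill keys until the device is full; returns the number of keys held."""
        used = sum(len(k) for k in self.keys.values())
        for key_id, key in pool.items():
            if key_id in self.keys:
                continue
            if used + len(key) > self.capacity:
                break                        # never exceed device capacity
            self.keys[key_id] = key
            self.consumed[key_id] = 0
            used += len(key)
        return len(self.keys)

    def next_segment(self, length=SEGMENT_LENGTH):
        """Return (key_id, byte offset, segment); each segment is used once."""
        for key_id, key in self.keys.items():
            offset = self.consumed[key_id]
            if offset + length <= len(key):
                self.consumed[key_id] = offset + length
                return key_id, offset, key[offset:offset + length]
        raise RuntimeError("quantum keys exhausted; request a refill")


def client_authenticate(device, account_id, length=SEGMENT_LENGTH):
    """Client side (S22 to S24): pick a fresh segment, sign it, build the message."""
    key_id, offset, segment = device.next_segment(length)
    return {"account": account_id, "key_id": key_id, "offset": offset,
            "length": length, "signature": sign(segment)}


class AuthCenter:
    """Identity authentication center side (S25 to S28)."""

    def __init__(self, pool, certificates):
        self.pool = pool            # the second QKD device's copy of the keys
        self.certs = certificates   # account id -> (e, n), from the issuing center
        self.used = {}              # (account, key_id) -> accepted (start, end) ranges

    def verify(self, msg) -> str:
        start, end = msg["offset"], msg["offset"] + msg["length"]
        used = self.used.setdefault((msg["account"], msg["key_id"]), [])
        if any(s < end and start < e for s, e in used):
            return "replay"             # overlaps a segment already accepted
        cert, key = self.certs.get(msg["account"]), self.pool.get(msg["key_id"])
        if cert is None or key is None:
            return "unknown"
        second_segment = key[start:end]
        if len(second_segment) != msg["length"]:
            return "bad_range"
        e, n = cert
        recovered = pow(msg["signature"], e, n)   # "decrypt" with the public key
        if recovered != digest_int(second_segment, n):
            return "fail"
        used.append((start, end))       # record only accepted segments
        return "ok"


if __name__ == "__main__":
    pool = make_key_pool(2, 4 * SEGMENT_LENGTH)      # small keys for the demo
    device = HardwareDevice(capacity=8 * SEGMENT_LENGTH)
    device.fill(pool)
    center = AuthCenter(pool, {"alice": (E, N)})
    msg = client_authenticate(device, "alice")
    print(center.verify(msg), center.verify(msg))
```

Running the module as a script authenticates once and then submits the identical message again, which the center rejects as a replay. Failed verifications are deliberately not recorded, so a forged message with a valid offset cannot burn that offset for the legitimate client; the client has already advanced its own pointer, so a genuine retry would use the next segment anyway.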
The identity authentication method provided by the embodiment of the application is applied to an identity authentication system which comprises an issuing center, a quantum key filling module and an identity authentication center, where a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, and the two devices generate the same quantum key. The quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into the hardware cryptographic device of the target account, which also stores the digital certificate and signing key issued to the target account by the issuing center. During identity authentication, the client of the target account selects a first quantum key from the hardware cryptographic device, signs it with the signing key to generate a signature value, and sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center for authentication. The identity authentication center obtains the digital certificate of the target account from the issuing center according to the target account identifier, obtains the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain the identity authentication result.
Compared with the prior art, in which identity authentication with a digital certificate signs and verifies a random number sent by the server, the method in the embodiment of the application uses a quantum key in place of the random number as the signed challenge. The quantum key does not need to be sent to the client of the target account by the identity authentication center: the quantum key filling module fills it into the hardware cryptographic device of the target account in advance, the client obtains it directly from the hardware cryptographic device and signs it with the signing key, and after receiving the signature value sent by the client of the target account the identity authentication center obtains the corresponding quantum key according to the quantum key identifier, verifies the signature value with the public key in the obtained digital certificate, and checks whether the quantum key recovered from the signature is consistent with the quantum key it obtained itself, thereby determining whether identity authentication succeeds. Because each quantum key segment is used for a single authentication, a captured signature value cannot be replayed.
Based on the same inventive concept, the embodiment of the application also provides an identity authentication method implemented by the client side, and since the principle of solving the problem of the identity authentication method implemented by the client side is similar to that of the identity authentication method, the implementation of the identity authentication method implemented by the client side can refer to the implementation of the identity authentication method, and the repetition is omitted.
As shown in fig. 3, an implementation flow diagram of an identity authentication method implemented at a client side provided by an embodiment of the present application is shown, where the identity authentication method implemented at the client side may be applied to the above identity authentication system provided by an embodiment of the present application, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device, and the quantum key information is filled into a hardware cryptographic device of a target account, where the hardware cryptographic device further includes a digital certificate and a signature key issued by the certificate issuing center to the target account; the identity authentication method may include the steps of:
S31, the client of the target account selects a first quantum key from the hardware password equipment.
S32, signing the first quantum key by using the signing key to generate a signature value.
S33, the signature value, the first quantum key identification and the target account identification are sent to an identity authentication center, so that the identity authentication center obtains a digital certificate of the target account from a certification center according to the target account identification, obtains a second quantum key corresponding to the first quantum key identification from second quantum key distribution equipment according to the first quantum key identification, and verifies the signature value according to the second quantum key and a public key in the digital certificate to obtain an identity authentication result.
In one possible implementation manner, the client of the target account selects a first quantum key from the hardware cryptographic device, and specifically includes:
the client of the target account selects a first quantum key segment with a set length from the first quantum key and records the offset of the first quantum key segment; and
the signature value, the first quantum key identification and the target account identification are sent to the identity authentication center, and meanwhile the method further comprises the following steps:
and sending the offset to the identity authentication center, so that the identity authentication center obtains the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution equipment according to the first quantum key identifier and the offset.
In one possible implementation manner, the client of the target account selects a first quantum key from the hardware cryptographic device, and specifically includes:
the client of the target account selects a first quantum key segment of arbitrary length from the first quantum key, and records the offset of the first quantum key segment and the length of the first quantum key segment; and
the signature value, the first quantum key identification and the target account identification are sent to the identity authentication center, and meanwhile the method further comprises the following steps:
and sending the offset and the length to the identity authentication center, so that the identity authentication center obtains a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
Based on the same inventive concept, the embodiment of the application also provides an identity authentication device implemented on the client side, and since the principle of solving the problem of the identity authentication device implemented on the client side is similar to that of the identity authentication method, the implementation of the identity authentication device implemented on the client side can refer to the implementation of the identity authentication method, and the repetition is omitted.
As shown in fig. 4, a schematic structural diagram of an identity authentication device implemented on the client side provided by an embodiment of the present application, where the identity authentication device implemented on the client side may be applied to the above identity authentication system provided by an embodiment of the present application, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, where a first quantum key distribution device is disposed in the quantum key filling module, and where a second quantum key distribution device is disposed in the identity authentication center, where the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, where the quantum key filling module obtains quantum key information from the first quantum key distribution device, and fills the quantum key information into a hardware cryptographic device of a target account, and where the hardware cryptographic device further includes a digital certificate and a signature key issued by the certificate issuing center to the target account; the apparatus may include:
a selection unit 41 for selecting a first quantum key from the hardware cryptographic device;
a signing unit 42 for signing the first quantum key with the signing key to generate a signature value;
The sending unit 43 is configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and a public key in the digital certificate to obtain an identity authentication result.
In a possible implementation manner, the selecting unit 41 is specifically configured to select a first quantum key segment with a set length from the first quantum key by the client of the target account, and record an offset of the first quantum key segment; and
the sending unit 43 is further configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, and send the offset to the identity authentication center, so that the identity authentication center obtains, from the second quantum key distribution device, the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
In a possible implementation manner, the selecting unit 41 is specifically configured to select a first quantum key segment of arbitrary length from the first quantum key, and record the offset of the first quantum key segment and the length of the first quantum key segment; and
the sending unit 43 is further configured to send the signature value, the first quantum key identifier, and the target account identifier to the identity authentication center, and send the offset and the length to the identity authentication center, so that the identity authentication center obtains, from the second quantum key distribution device, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the offset, and the length.
Based on the same inventive concept, the embodiment of the application also provides an identity authentication method implemented by the identity authentication center, and since the principle of solving the problem of the identity authentication method implemented by the identity authentication center is similar to that of the identity authentication method, the implementation of the identity authentication method implemented by the identity authentication center can be referred to the implementation of the identity authentication method, and the repetition is omitted.
As shown in fig. 5, which is a schematic implementation flow diagram of an identity authentication method implemented by an identity authentication center side provided by an embodiment of the present application, the identity authentication method implemented by the identity authentication center side may be applied to the above identity authentication system provided by the embodiment of the present application, where the identity authentication system includes a certificate issuing center, a quantum key filling module, and an identity authentication center, a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, the quantum key filling module obtains quantum key information from the first quantum key distribution device, and the quantum key information is filled into a hardware cryptographic device of a target account, and the hardware cryptographic device further includes a digital certificate and a signature key issued by the certificate issuing center to the target account; the method may comprise the steps of:
S51, the identity authentication center receives, from the client of the target account, a signature value, a first quantum key identifier and a target account identifier, where the signature value is generated by signing a first quantum key selected from the hardware cryptographic device with the signing key.
S52, acquiring the digital certificate of the target account from the issuing center according to the target account identifier.
S53, acquiring a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier.
And S54, verifying the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
In one possible embodiment, the method further comprises:
receiving an offset of a first quantum key segment sent by the client of the target account, wherein the first quantum key segment is a quantum key segment of a set length selected from the first quantum key by the client of the target account; and
obtaining a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier specifically includes:
acquiring, from the second quantum key distribution device, the second quantum key segment of the set length within the second quantum key corresponding to the first quantum key identifier, according to the first quantum key identifier and the offset.
In one possible embodiment, the method further comprises:
receiving an offset of a first quantum key segment and the length of the first quantum key segment, both sent by the client of the target account, wherein the first quantum key segment is a quantum key segment of any length selected from the first quantum key by the client of the target account; and
obtaining a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier specifically includes:
and acquiring a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
In one possible implementation, before the second quantum key corresponding to the first quantum key identifier is obtained from the second quantum key distribution device according to the first quantum key identifier, the method further includes:
determining that the client of the target account has not sent the offset corresponding to the first quantum key identifier before the current round of identity authentication.
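As an added worked example, not code from the patent or its assignee, the following Python simulates steps S51 to S54 together with the offset-reuse check of the last implementation: the client signs a quantum key segment chosen by offset and length, and the identity authentication center fetches the identical segment from its own quantum key distribution device, refuses an offset it has already seen for that account and key identifier, and verifies the signature with the public key taken from the account's certificate. The Schnorr-style signature with toy parameters, the class and function names, and the sample key material are all assumptions made for this illustration; a real deployment would use the certificate's own signature algorithm and real QKD key material.

```python
"""Added example (not from the patent): runnable simulation of steps S51-S54.

The client signs a segment of a quantum key held on its hardware cryptographic
device; the identity authentication center fetches the identical segment from
its own QKD device and verifies the signature with the certificate's public key.
"""
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 with g of prime order q. These parameters are
# tiny and exist only to keep the example self-contained; a real deployment uses
# the certificate's signature algorithm with proper parameters (assumption).
P, Q, G = 2039, 1019, 4


def _challenge(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(r || msg) mod q."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    """Return (signature key, public key); the public key goes into the certificate."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k + x * e) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, (-e) % Q, P) % P   # g^s * y^-e == g^k
    return _challenge(r, msg) == e


class HardwareCryptoDevice:
    """The target account's filled device: signature key plus quantum keys."""

    def __init__(self, account_id: str, sign_key: int, quantum_keys: dict):
        self.account_id = account_id
        self.sign_key = sign_key
        self.quantum_keys = quantum_keys   # key id -> key bytes from the filling module

    def start_round(self, key_id: str, offset: int, length: int) -> dict:
        """Client side of S51: sign the chosen segment and build the message."""
        segment = self.quantum_keys[key_id][offset:offset + length]
        return {"account_id": self.account_id, "key_id": key_id,
                "offset": offset, "length": length,
                "signature": sign(self.sign_key, segment)}


class IdentityAuthCenter:
    def __init__(self, cert_store: dict, qkd_device: dict):
        self.cert_store = cert_store   # certificate issuing center: account id -> public key
        self.qkd_device = qkd_device   # second QKD device: key id -> identical key bytes
        self.used_offsets = set()      # (account id, key id, offset) seen in earlier rounds

    def authenticate(self, msg: dict) -> bool:
        account_id, key_id = msg["account_id"], msg["key_id"]
        offset, length = msg["offset"], msg["length"]
        # S52: fetch the account's certificate (reduced here to its public key).
        public_key = self.cert_store.get(account_id)
        if public_key is None:
            return False
        # Precondition: the offset must not have been sent in an earlier round;
        # a replayed (signature, key id, offset) tuple would otherwise verify again.
        marker = (account_id, key_id, offset)
        if marker in self.used_offsets:
            return False
        self.used_offsets.add(marker)
        # S53: fetch the matching segment of the second quantum key.
        key = self.qkd_device.get(key_id)
        if key is None or offset < 0 or length <= 0 or offset + length > len(key):
            return False
        segment = key[offset:offset + length]
        # S54: verify the signature over that segment with the certificate's public key.
        return verify(public_key, segment, msg["signature"])


def build_system(account_id: str = "acct-0001"):
    """Constructed sample deployment: one account, one 64-byte quantum key on both devices."""
    sign_key, public_key = keygen()
    quantum_key = secrets.token_bytes(64)   # constructed stand-in for QKD output
    device = HardwareCryptoDevice(account_id, sign_key, {"qk-0001": quantum_key})
    center = IdentityAuthCenter({account_id: public_key}, {"qk-0001": bytes(quantum_key)})
    return device, center


def run_demo():
    """Returns (fresh round, replay of the same message, wrong signature key)."""
    device, center = build_system()
    msg = device.start_round("qk-0001", offset=16, length=32)
    fresh = center.authenticate(msg)          # True
    replay = center.authenticate(msg)         # False: offset already consumed
    rogue = HardwareCryptoDevice(device.account_id, keygen()[0], device.quantum_keys)
    forged = center.authenticate(rogue.start_round("qk-0001", offset=0, length=32))
    return fresh, replay, forged               # (True, False, False)
```

The center records the offset as soon as it is received rather than only after a successful verification, which matches the patent's wording that the offset must not have been sent before the current round; it means each segment of a filled key is spent on one authentication attempt, so a captured message cannot be replayed even though the signature in it remains valid.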
Based on the same inventive concept, an embodiment of the application also provides an identity authentication device implemented on the identity authentication center side. Since this device solves the problem on the same principle as the identity authentication method, its implementation may refer to that of the identity authentication method, and the repeated description is omitted.
Fig. 6 is a schematic structural diagram of an identity authentication device implemented on the identity authentication center side according to an embodiment of the present application. The device may be applied to the identity authentication system provided above, in which: the system comprises a certificate issuing center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center; the two quantum key distribution devices generate the same quantum key; the quantum key filling module obtains quantum key information from the first quantum key distribution device and fills it into a hardware cryptographic device of a target account; and the hardware cryptographic device further holds a digital certificate and a signature key issued to the target account by the certificate issuing center. The device comprises:
a receiving unit 61, configured to receive a signature value, a first quantum key identifier and a target account identifier sent by a client of the target account, where the signature value is generated by signing a first quantum key selected from the hardware cryptographic device with the signature key;
a first obtaining unit 62, configured to obtain, from the certificate issuing center, the digital certificate of the target account according to the target account identifier;
a second obtaining unit 63, configured to obtain, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier; and
an authentication unit 64, configured to verify the signature value according to the second quantum key and a public key in the digital certificate, so as to obtain an identity authentication result.
In a possible implementation manner, the receiving unit 61 is further configured to receive an offset of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a quantum key segment with a set length selected by the client of the target account from the first quantum key; and
the second obtaining unit 63 is specifically configured to obtain, from the second quantum key distribution device, the second quantum key segment of the set length in the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
In a possible implementation, the receiving unit 61 is further configured to receive an offset of a first quantum key segment and a length of the first quantum key segment, both sent by the client of the target account, where the first quantum key segment is a quantum key segment of any length selected from the first quantum key by the client of the target account; and
The second obtaining unit 63 is specifically configured to obtain, from the second quantum key distribution device, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the offset, and the length.
In one possible embodiment, the apparatus further comprises:
a determining unit, configured to determine, before the second quantum key corresponding to the first quantum key identifier is acquired from the second quantum key distribution device according to the first quantum key identifier, that the client of the target account has not sent the offset corresponding to the first quantum key identifier before the current round of identity authentication.
Based on the same technical concept, the embodiment of the present application further provides an electronic device 700, referring to fig. 7, where the electronic device 700 is configured to implement the identity authentication method or the identity authentication apparatus described in the foregoing method embodiment, and the electronic device 700 of this embodiment may include: memory 701, processor 702, and a computer program stored in the memory and executable on the processor, such as an authentication program. The steps of the above-described embodiments of the authentication method are implemented when the processor executes the computer program, for example, step S21 shown in fig. 2.
The specific connection medium between the memory 701 and the processor 702 is not limited in the embodiments of the present application. In the embodiment of the present application, the memory 701 and the processor 702 are connected by the bus 703 in fig. 7; the bus 703 is drawn as a thick line in fig. 7, and the connections between other components are only illustrated schematically and are not limited thereto. The bus 703 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration only one thick line is shown in fig. 7, which does not mean that there is only one bus or only one type of bus.
The memory 701 may be a volatile memory, such as a random-access memory (RAM); the memory 701 may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto. The memory 701 may also be a combination of the above.
The processor 702 is configured to implement the identity authentication method of the various exemplary embodiments of the present application.
An embodiment of the application also provides a computer-readable storage medium storing computer-executable instructions to be executed by the processor, that is, a program for the processor to execute.
In some possible embodiments, aspects of the identity authentication method provided herein may also be implemented in the form of a program product comprising program code for causing an electronic device to carry out the steps of the identity authentication method according to various exemplary embodiments of the present application as described herein above, when the program product is run on the electronic device.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (17)

1. An identity authentication method, characterized by being applied to an identity authentication system, wherein the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center; the first quantum key distribution device and the second quantum key distribution device generate the same quantum key; the quantum key filling module acquires quantum key information from the first quantum key distribution device and fills the quantum key information into a hardware cryptographic device of a target account; and the hardware cryptographic device further comprises a digital certificate and a signature key issued to the target account by the certificate issuing center; the method comprises the following steps:
the client of the target account selects a first quantum key from the hardware cryptographic device;
signs the first quantum key with the signature key to generate a signature value; and
sends the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and a public key in the digital certificate to obtain an identity authentication result.
2. The method of claim 1, wherein the client of the target account selects a first quantum key from the hardware cryptographic device, comprising:
the client of the target account selects a first quantum key segment with a set length from the first quantum key and records the offset of the first quantum key segment; and
while the signature value, the first quantum key identifier and the target account identifier are sent to the identity authentication center, the method further comprises:
sending the offset to the identity authentication center, so that the identity authentication center obtains, from the second quantum key distribution device, the second quantum key segment of the set length within the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
3. The method of claim 1, wherein the client of the target account selects a first quantum key from the hardware cryptographic device, comprising:
the client of the target account selects a first quantum key segment with any length from the first quantum key, and records the offset of the first quantum key segment and the length of the first quantum key segment; and
while the signature value, the first quantum key identifier and the target account identifier are sent to the identity authentication center, the method further comprises:
sending the offset and the length to the identity authentication center, so that the identity authentication center obtains, from the second quantum key distribution device, a second quantum key segment of the length within the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the offset and the length.
4. An identity authentication method, characterized by being applied to an identity authentication system, wherein the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center; the first quantum key distribution device and the second quantum key distribution device generate the same quantum key; the quantum key filling module acquires quantum key information from the first quantum key distribution device and fills the quantum key information into a hardware cryptographic device of a target account; and the hardware cryptographic device further comprises a digital certificate and a signature key issued to the target account by the certificate issuing center; the method comprises the following steps:
the identity authentication center receives a signature value, a first quantum key identifier and a target account identifier sent by a client of the target account, wherein the signature value is generated by signing a first quantum key selected from the hardware cryptographic device with the signature key;
acquires the digital certificate of the target account from the certificate issuing center according to the target account identifier;
acquires a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and
verifies the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
5. The method as recited in claim 4, further comprising:
receiving an offset of a first quantum key segment sent by the client of the target account, wherein the first quantum key segment is a quantum key segment of a set length selected from the first quantum key by the client of the target account; and
obtaining a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier specifically includes:
acquiring, from the second quantum key distribution device, the second quantum key segment of the set length within the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
6. The method as recited in claim 4, further comprising:
receiving an offset of a first quantum key segment and the length of the first quantum key segment, both sent by the client of the target account, wherein the first quantum key segment is a quantum key segment of any length selected from the first quantum key by the client of the target account; and
obtaining a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier specifically includes:
and acquiring a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
7. The method of claim 5 or 6, further comprising, before obtaining the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier:
determining that the client of the target account has not sent the offset corresponding to the first quantum key identifier before the current round of identity authentication.
8. An identity authentication device, characterized by being applied to an identity authentication system, wherein the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center; the first quantum key distribution device and the second quantum key distribution device generate the same quantum key; the quantum key filling module acquires quantum key information from the first quantum key distribution device and fills the quantum key information into a hardware cryptographic device of a target account; and the hardware cryptographic device further comprises a digital certificate and a signature key issued to the target account by the certificate issuing center; the device comprises:
A selecting unit, configured to select a first quantum key from the hardware cryptographic device;
a signing unit, configured to sign the first quantum key with the signing key to generate a signature value;
a sending unit, configured to send the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, so that the identity authentication center obtains the digital certificate of the target account from the certificate issuing center according to the target account identifier, obtains a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, and verifies the signature value according to the second quantum key and a public key in the digital certificate to obtain an identity authentication result.
9. The apparatus of claim 8, wherein,
the selecting unit is specifically configured to select a first quantum key segment with a set length from the first quantum key, and record an offset of the first quantum key segment; and
the sending unit is further configured to send the offset to the identity authentication center together with the signature value, the first quantum key identifier and the target account identifier, so that the identity authentication center obtains, from the second quantum key distribution device, the second quantum key segment of the set length within the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
10. The apparatus of claim 8, wherein,
the selecting unit is specifically configured to select a first quantum key segment with an arbitrary length from the first quantum key, and record an offset of the first quantum key segment and a length of the first quantum key segment;
the sending unit is further configured to send the signature value, the first quantum key identifier and the target account identifier to the identity authentication center, and simultaneously send the offset and the length to the identity authentication center, so that the identity authentication center obtains a second quantum key segment of the length in the second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier, the offset and the length.
11. An identity authentication device, characterized by being applied to an identity authentication system, wherein the identity authentication system comprises a certificate issuing center, a quantum key filling module and an identity authentication center; a first quantum key distribution device is deployed in the quantum key filling module and a second quantum key distribution device is deployed in the identity authentication center; the first quantum key distribution device and the second quantum key distribution device generate the same quantum key; the quantum key filling module acquires quantum key information from the first quantum key distribution device and fills the quantum key information into a hardware cryptographic device of a target account; and the hardware cryptographic device further comprises a digital certificate and a signature key issued to the target account by the certificate issuing center; the device comprises:
a receiving unit, configured to receive a signature value, a first quantum key identifier and a target account identifier sent by a client of the target account, wherein the signature value is generated by signing a first quantum key selected from the hardware cryptographic device with the signature key;
a first obtaining unit, configured to obtain, from the certificate issuing center, the digital certificate of the target account according to the target account identifier;
a second obtaining unit, configured to obtain, from the second quantum key distribution device, a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier; and
an authentication unit, configured to verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
12. The apparatus of claim 11, wherein
the receiving unit is further configured to receive an offset of a first quantum key segment sent by the client of the target account, where the first quantum key segment is a quantum key segment of a set length selected from the first quantum key by the client of the target account; and
the second obtaining unit is specifically configured to obtain, from the second quantum key distribution device, the second quantum key segment with the set length in the second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier and the offset.
13. The apparatus of claim 11, wherein
the receiving unit is further configured to receive an offset of a first quantum key segment and a length of the first quantum key segment, where the offset is sent by a client of the target account, and the first quantum key segment is a quantum key segment with any length selected from the first quantum key by the client of the target account;
the second obtaining unit is specifically configured to obtain, from the second quantum key distribution device, a second quantum key segment of the length in a second quantum key corresponding to the first quantum key identifier according to the first quantum key identifier, the offset, and the length.
14. The apparatus as claimed in claim 12 or 13, further comprising:
a determining unit, configured to determine, before the second quantum key corresponding to the first quantum key identifier is acquired from the second quantum key distribution device according to the first quantum key identifier, that the client of the target account has not sent the offset corresponding to the first quantum key identifier before the current round of identity authentication.
15. An identity authentication system, comprising a certificate issuing center, a quantum key filling module and an identity authentication center, wherein a first quantum key distribution device is deployed in the quantum key filling module, a second quantum key distribution device is deployed in the identity authentication center, and the first quantum key distribution device and the second quantum key distribution device generate the same quantum key, and wherein:
the certificate issuing center is configured to issue a digital certificate and a signature key to a target account, the digital certificate and the signature key being stored in a hardware cryptographic device of the target account;
the quantum key filling module is configured to acquire quantum key information from the first quantum key distribution device and fill the quantum key information into the hardware cryptographic device of the target account; and
the identity authentication center is configured to receive a signature value, a first quantum key identifier and a target account identifier sent by a client of the target account, wherein the signature value is generated by signing a first quantum key selected from the hardware cryptographic device with the signature key; acquire the digital certificate of the target account from the certificate issuing center according to the target account identifier; acquire a second quantum key corresponding to the first quantum key identifier from the second quantum key distribution device according to the first quantum key identifier; and verify the signature value according to the second quantum key and the public key in the digital certificate to obtain an identity authentication result.
16. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the identity authentication method of any one of claims 1 to 7.
17. A computer readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the identity authentication method according to any one of claims 1 to 7.
CN202211034032.4A 2022-08-26 2022-08-26 Identity authentication method, device and system, electronic equipment and storage medium Active CN115426106B (en)
Publications (2)

Publication Number Publication Date
CN115426106A CN115426106A (en) 2022-12-02
CN115426106B true CN115426106B (en) 2023-05-23

Family

ID=84200682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211034032.4A Active CN115426106B (en) 2022-08-26 2022-08-26 Identity authentication method, device and system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115426106B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115955306B (en) * 2022-12-30 2023-11-14 北京海泰方圆科技股份有限公司 Data encryption transmission method and device, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991285A (en) * 2015-02-16 2016-10-05 阿里巴巴集团控股有限公司 Identity authentication methods, devices and system applied to quantum key distribution process
CN106301769A (en) * 2015-06-08 2017-01-04 阿里巴巴集团控股有限公司 Quantum key output intent, storage consistency verification method, Apparatus and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001265735A (en) * 2000-03-22 2001-09-28 Ntt Communications Kk Authentication method, signature method, communication method and system utilizing id/password
WO2014069783A1 (en) * 2012-10-31 2014-05-08 Samsung SDS Co., Ltd. Password-based authentication method, and apparatus for performing same
CN107769913B (en) * 2016-08-16 2020-12-29 Guangdong Guodun Quantum Technology Co., Ltd. Quantum UKey-based communication method and system
CN108243166A (en) * 2016-12-27 2018-07-03 Aisino Corp (Aerospace Information Co., Ltd.) Identity authentication method and system based on USBKey
CN111917543B (en) * 2020-08-14 2023-08-29 Guoke Quantum Communication Network Co., Ltd. User access cloud platform security access authentication system and application method thereof
CN114218548B (en) * 2021-12-14 2022-08-19 Beijing Haitai Fangyuan High Technology Co Ltd Identity verification certificate generation method, authentication method, device, equipment and medium
CN114221765B (en) * 2022-02-17 2022-05-24 Zhejiang Jiuzhou Quantum Information Technology Co., Ltd. Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm

Also Published As

Publication number Publication date
CN115426106A (en) 2022-12-02

Similar Documents

Publication Publication Date Title
US10790976B1 (en) System and method of blockchain wallet recovery
US20200382326A1 (en) Digital certificate verification method and apparatus, computer device, and storage medium
US11196745B2 (en) Blockchain-based account management
CN110264200B (en) Block chain data processing method and device
CN110677376B (en) Authentication method, related device and system and computer readable storage medium
CN110348853B (en) Block chain off-line transaction method and system based on identification authentication
CN109409472B (en) Two-dimensional code generation method, data processing device and server
CA3164765A1 (en) Secure communication method and device based on identity authentication
CN111314172B (en) Block chain-based data processing method, device, equipment and storage medium
CN106921496A (en) Digital signature method and system
CN110601855B (en) Root certificate management method and device, electronic equipment and storage medium
CN110286849B (en) Data processing method and device of data storage system
US10887110B2 (en) Method for digital signing with multiple devices operating multiparty computation with a split key
CN108200014B (en) Method, device and system for accessing server by using intelligent key device
CN112115205A (en) Cross-chain trust method, device, equipment and medium based on digital certificate authentication
CN114282193A (en) Application authorization method, device, equipment and storage medium
CN111311258A (en) Block chain based trusted transaction method, device, system, equipment and medium
CN114691669A (en) Electronic certificate storage method and device, electronic equipment and storage medium
CN111062059B (en) Method and device for service processing
CN115426106B (en) Identity authentication method, device and system, electronic equipment and storage medium
CN109150811B (en) Method and device for realizing trusted session and computing equipment
CN110798322B (en) Operation request method, device, storage medium and processor
CN101582876A (en) Method, device and system for registering user generated content (UGC)
CN110716724B (en) Method and device for realizing privacy block chain based on FPGA
CN114168923B (en) Group CA certificate generation method and system based on digital certificate

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant