CN115801333A - Method for applying root legal identity business account - Google Patents

Info

Publication number
CN115801333A
Authority
CN
China
Prior art keywords
identity
account
characteristic information
digital
digital identity
Legal status
Pending
Application number
CN202211323069.9A
Other languages
Chinese (zh)
Inventor
林龙
宋云
林言国
Current Assignee
Newland Fujian Public Service Co ltd
Original Assignee
Newland Fujian Public Service Co ltd
Priority date
2022-10-27
Filing date
2022-10-27
Publication date
2023-03-14

Abstract

The invention relates to a method for applying for a root legal identity service account, comprising the following steps: an application party acquires a digital identity file, where the digital identity file contains device characteristic information and an account identity identifier; the application party generates device characteristic information; the application party sends the digital identity file and the device characteristic information to the digital identity service party and requests the account identity identifier; the digital identity service party parses the digital identity file to obtain the account identity identifier and the device characteristic information, compares the parsed device characteristic information with the received device characteristic information, and, if they are consistent, returns the account identity identifier to the application party. The invention constructs the digital identity file as the user's login and transaction credential in the application system, and the binding between the account identity identifier and the device characteristic information is stored in the digital identity file rather than centrally in the system back end, which avoids large-scale leakage or tampering of the binding relationship in the system back end.

Description

Method for applying root legal identity business account
Technical Field
The invention relates to a method for applying for a service account with root legal identity, and belongs to the field of identity authentication.
Background
Identity authentication means that when a user accesses an application system, the user's identity information is verified first in order to decide whether the user may complete the access. The identity authentication methods in common use today are mainly the following:
1. Username/password based approaches: the operator is treated as a legitimate user as long as the application system receives the correct password. The method is simple and easy to implement, but the risk of password leakage is extremely high, and once the password is leaked anyone can impersonate the user.
2. Physical-medium based approaches: data related to the user's identity is stored in a physical medium such as an IC card or a U-key, and identity authentication is completed by reading the data from the medium. Physical media, however, are inconvenient to carry, easily lost, and subject to counterfeiting.
3. Biometric approaches: the uniqueness of the user's physiological characteristics is used to identify the user, for example face recognition, fingerprint recognition, palm-print recognition or retina recognition.
In summary, an authentication method for application systems with higher security is needed.
Patent CN109413086B, "Method and apparatus for on-line verification of identity information", discloses that when an online service needs to verify identity, the online verification of the user's identity information is implemented by means of a trusted application. Specifically, the online service application invokes the verification service of the trusted application; the trusted application back end collects the user's identity information according to the verification requirements of the online service corresponding to the service application, together with the verification information supported by the verification source and by the user terminal, and sends the identity information to a third-party trusted verification source for verification. This ensures the authority and security of the verification result, but security can still be improved further.
Disclosure of Invention
To overcome the problems of the prior art, the invention provides a root legal identity service account application method that constructs a digital identity file from an account identity identifier and device characteristic information and uses it as the user's login and transaction credential in the application system. The user's device and the digital identity file are thereby strongly bound, and the user can only use the digital identity file on that specific device. At the same time, the binding between the account identity identifier and the device characteristic information is stored in the digital identity file rather than centrally in the system back end, which avoids the risk of the binding relationship being leaked or tampered with on a large scale in the system back end.
To achieve this, the invention adopts the following technical scheme:
A root legal identity service account application method comprises the following steps:
the application party acquires a digital identity file, where the digital identity file contains device characteristic information and an account identity identifier;
the application party generates device characteristic information;
the application party sends the digital identity file and the device characteristic information to the digital identity service party and requests the account identity identifier;
the digital identity service party parses the digital identity file to obtain the account identity identifier and the device characteristic information, compares the parsed device characteristic information with the received device characteristic information, and, if they are consistent, returns the account identity identifier to the application party.
Further, the application party is provided with a dedicated control that stores a first algorithm, and the application party generates the device characteristic information according to the first algorithm.
Further, the digital identity service party is provided with a first authentication mode, which comprises the following steps:
verifying the signature value in the digital identity file; if verification passes, returning the account identity identifier to the application party; otherwise, returning an authentication failure to the application party.
Further, the digital identity service party is provided with a second authentication mode, which comprises the following steps:
searching for the real-name identity identifier associated with the account identity identifier; querying the real-name identity information using the real-name identity identifier; performing identity authentication according to the real-name identity information, and returning the account identity identifier to the application party if authentication passes; otherwise, returning an authentication failure to the application party.
Further, the digital identity file comprises segment A data, segment B data and segment S data:
the segment A data contains the account identity identifier; the segment B data contains the device characteristic information; the segment S data is derived from the segment A data and the segment B data.
Further, the application party acquires the digital identity file through the following specific steps:
the application party generates device characteristic information;
the application party sends real-name identity information and the device characteristic information to the digital identity service party and requests a digital identity file;
the digital identity service party issues an account identity identifier, queries or generates the user's real-name identity identifier according to the real-name identity information, and establishes and stores the association between the account identity identifier and the real-name identity identifier;
the digital identity service party generates a digital identity file from the device characteristic information and the account identity identifier and returns it to the application party.
Technical scheme two
A root legal identity service account application method, applied to a client, comprises the following steps:
acquiring a digital identity file, where the digital identity file contains device characteristic information and an account identity identifier;
generating device characteristic information;
sending the digital identity file and the device characteristic information and requesting an account identity identifier;
receiving the returned account identity identifier.
Further, the client is provided with a dedicated control that stores a first algorithm, and the client generates the device characteristic information according to the first algorithm.
Technical scheme three
A root legal identity service account application method, applied to a server, comprises the following steps:
receiving a digital identity file, where the digital identity file contains device characteristic information and an account identity identifier;
receiving device characteristic information;
receiving an account identity identifier request;
parsing the digital identity file to obtain the account identity identifier and the device characteristic information, comparing the parsed device characteristic information with the received device characteristic information, and, if they are consistent, returning the account identity identifier.
Further, the server is provided with a second authentication mode, which comprises the following steps:
searching for the real-name identity identifier associated with the account identity identifier; querying the real-name identity information using the real-name identity identifier; performing identity authentication according to the real-name identity information, and returning the account identity identifier to the application party if authentication passes; otherwise, returning an authentication failure.
Compared with the prior art, the invention has the following characteristics and beneficial effects:
1. The invention constructs a digital identity file from an account identity identifier and device characteristic information and uses it as the user's login and transaction credential in the application system, so that the user's device and the digital identity file are strongly bound and the user can only use the digital identity file on that specific device. At the same time, the binding between the account identity identifier and the device characteristic information is stored in the digital identity file rather than centrally in the system back end, which avoids the risk of the binding relationship being leaked or tampered with on a large scale in the system back end.
2. The digital identity file uses the data format A + B + S, where the segment S data is the signature value over the segment A data and the segment B data, which ensures the integrity and tamper resistance of the file's contents.
3. A dedicated control is installed in the application system client to hold the first algorithm, which reads the device characteristic information, and the second algorithm, which encrypts the message data. A third party is thus prevented from deciphering the first and second algorithms used by the client and forging the device characteristic information and message data the client sends, and from forging message data to initiate credential authentication from a different mobile terminal, which raises the security level.
4. In the invention, the application system client sends the digital identity file to the digital identity service party, which verifies and parses it, obtains the account identity identifier and returns it, and the application system client then handles the transaction according to the account identity identifier. During use, the user never has to enter an account identity identifier or a real-name identity identifier, so sensitive data is not exposed.
5. The invention provides two authentication modes. The first authentication mode only verifies the digital identity file, so the user can complete login authentication quickly and conveniently; the second authentication mode uses an external authoritative digital identity service platform to perform real-name identity authentication based on the real-name identity identifier in the digital identity file, further verifying the authenticity of the user.
Drawings
FIG. 1 is a flow chart of the method of the invention;
FIG. 2 is a flow chart of digital identity file generation;
FIG. 3 is a flow chart of digital identity file use.
Detailed Description
The invention is described in more detail below with reference to examples.
Example one
As shown in FIG. 1 and FIG. 2, the method for generating a digital identity file comprises the following steps.
In this embodiment, the digital identity service party comprises a first digital identity service platform and an authoritative second digital identity service platform; the application party comprises an application system client and an application system server.
The application system client collects real-name identity information, such as name and identity card number.
The application system client collects authentication factors, such as a portrait and a password.
The application system client reads the characteristic factors of the device and generates the device characteristic information according to the first algorithm. The characteristic factors may be an advertising identifier, a vendor identifier, a mobile device identification code, an Ethernet physical address, a device fingerprint, and the like.
The application system client sends the real-name identity information, the authentication factors and the device characteristic information to the first digital identity service platform and requests a digital identity file.
The first digital identity service platform sends the real-name identity information and the authentication factors to the second digital identity service platform and requests identity authentication. The second digital identity service platform performs identity authentication according to the real-name identity information and the authentication factors and returns the identity authentication result to the first digital identity service platform.
If the identity authentication result is a pass, the first digital identity service platform issues an account identity identifier for the user. Specifically, a non-repeating random number generated by an encryption algorithm such as "snowflake" is used as the account identity identifier.
The first digital identity service platform queries or generates the user's real-name identity identifier or network identity certificate according to the real-name identity information. It then establishes the association between the account identity identifier and the real-name identity identifier or network identity certificate and stores the association in a database.
The first digital identity service platform concatenates the account identity identifier ciphertext, a random number, a timestamp and similar data, and encrypts the concatenation with the SM4 algorithm to produce the segment A data; it uses the device characteristic information as the segment B data; it concatenates the segment A data and the segment B data and uses the SM2 signature value of that concatenation as the segment S data; and it concatenates the segment A data, the segment B data and the segment S data to obtain the digital identity file.
The digital identity service party returns the digital identity file to the application system client.
Example two
This embodiment differs from the first embodiment in that the application system client requests the digital identity file from the application system server, and the application system server forwards the digital identity file request to the digital identity service party.
Example three
This embodiment differs from the first embodiment in that the application system client is provided with a dedicated control, and the dedicated control stores a first algorithm for reading the device characteristic information and a second algorithm for encrypting the message data. This prevents a third party from deciphering the content and format of the device characteristic information and the message data, and thereby from forging the device characteristic information and message data sent by the application system client.
Example four
As shown in FIG. 3, the digital identity service party comprises a first digital identity service platform and a second digital identity service platform.
The method for using the digital identity file comprises the following steps:
the application system client encrypts the digital identity file using the dedicated control;
the application system client reads the device characteristic information using the dedicated control;
the application system client collects the authentication factors;
the application system client sends the digital identity file ciphertext, the device characteristic information and the authentication factors to the first digital identity service platform and requests the account identity identifier;
the first digital identity service platform determines the authentication mode (according to the interface called by the application system client);
if the authentication mode is the first authentication mode: the first digital identity service platform verifies the signature value in the digital identity file. After verification passes, it parses the digital identity file ciphertext to obtain the account identity identifier and the device characteristic information. The first digital identity service platform checks the validity of the account identity identifier; if it is valid, the parsed device characteristic information is further compared with the received device characteristic information, and if the two are consistent, the first digital identity service platform returns the account identity identifier to the application system client; otherwise it returns an authentication failure to the application system client.
If the authentication mode is the second authentication mode: the first digital identity service platform verifies and parses the digital identity file to obtain the account identity identifier and the device characteristic information. It checks the validity of the account identity identifier (for example, whether the data format is correct and whether there is a matching record in the account identity identifier database); if it is valid, the parsed device characteristic information is further compared with the received device characteristic information. If the two are consistent, the real-name identity identifier associated with the account identity identifier is looked up in the database, the real-name identity information (such as user name and identity card number) is queried using the real-name identity identifier, and the authentication factors and the real-name identity information are uploaded to the second digital identity service platform. Alternatively, the network identity certificate associated with the account identity identifier is looked up in the database, and the authentication factors and the network identity certificate are uploaded to the second digital identity service platform. The second digital identity service platform performs identity authentication according to the authentication factors and the real-name identity information or network identity certificate and returns the identity authentication result. If the identity authentication result is a pass, the first digital identity service platform returns the account identity identifier to the application system client.
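The file construction of Example one (segment A encrypted, segment B the device characteristic information, segment S a signature over A || B) and the first authentication mode of Example four (verify S, parse A, check the account identifier was issued, compare B with the device information presented in the request), as an added Go example that is not part of the patent or its applicant's code. Assumptions: AES-256-GCM stands in for SM4 and Ed25519 for SM2 (neither SM algorithm is in the Go standard library), the byte layout, the fixed 32-byte size of segment B, the `issued` set standing in for the account identifier database and the error values are all constructed here, and device characteristic information is passed in as an opaque byte string produced elsewhere by the client's first algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

var (
	ErrFormat         = errors.New("identity file: malformed")
	ErrSignature      = errors.New("identity file: S-segment signature invalid")
	ErrUnknownAccount = errors.New("identity file: account identifier was never issued")
	ErrDeviceMismatch = errors.New("identity file: device characteristic information mismatch")
)

const deviceLen = 32 // segment B size (assumption: the first algorithm emits a fixed-size digest)

// IdentityService plays the digital identity service side (AES-256-GCM and Ed25519 stand in for SM4 and SM2).
type IdentityService struct {
	aead   cipher.AEAD
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	issued map[string]bool // account identity identifiers this service has issued
}

func NewIdentityService() (*IdentityService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &IdentityService{aead: aead, priv: priv, pub: pub, issued: map[string]bool{}}, nil
}

// Issue builds A + B + S (byte layout is an assumption; the patent names only the segments):
// A = nonce || AEAD(accountID || 8 random bytes || 8-byte Unix timestamp), B = device info, S = Sign(A || B).
func (s *IdentityService) Issue(accountID string, device []byte) ([]byte, error) {
	if len(device) != deviceLen {
		return nil, ErrFormat
	}
	s.issued[accountID] = true
	plain := append([]byte(accountID), make([]byte, 16)...)
	if _, err := rand.Read(plain[len(accountID) : len(accountID)+8]); err != nil {
		return nil, err
	}
	binary.BigEndian.PutUint64(plain[len(accountID)+8:], uint64(time.Now().Unix()))
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ab := append(s.aead.Seal(nonce, nonce, plain, nil), device...)
	return append(ab, ed25519.Sign(s.priv, ab)...), nil
}

// Verify is the first authentication mode: check S over A || B, decrypt A to recover the account
// identifier, confirm it was issued, then compare B with the device info presented in this request.
func (s *IdentityService) Verify(file, presented []byte) (string, error) {
	ns := s.aead.NonceSize()
	if len(file) < ns+s.aead.Overhead()+16+deviceLen+ed25519.SignatureSize {
		return "", ErrFormat
	}
	n := len(file) - ed25519.SignatureSize
	segA, segB, segS := file[:n-deviceLen], file[n-deviceLen:n], file[n:]
	if !ed25519.Verify(s.pub, file[:n], segS) {
		return "", ErrSignature // A or B altered, or file issued under another key
	}
	plain, err := s.aead.Open(nil, segA[:ns], segA[ns:], nil)
	if err != nil {
		return "", ErrFormat
	}
	accountID := string(plain[:len(plain)-16]) // strip the random bytes and timestamp
	if !s.issued[accountID] {
		return "", ErrUnknownAccount
	}
	if !hmac.Equal(segB, presented) { // constant-time comparison
		return "", ErrDeviceMismatch
	}
	return accountID, nil
}
```

Because S covers both A and B, changing the device segment to match a different device invalidates the signature, and a file issued by one service fails verification at another even when the device information matches.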
Example five
This embodiment differs from the third embodiment in that the application system client requests the account identity identifier from the application system server, and the application system server forwards the account identity identifier request to the first digital identity service platform.
It is to be understood that the described embodiments are merely exemplary of the invention and do not limit its full scope. All other embodiments that a person skilled in the art can obtain from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Claims (10)

1. A method for applying for a root legal identity service account, characterized in that it comprises the following steps:
an application party acquires a digital identity file; the digital identity file contains device characteristic information and an account identity identifier;
the application party generates device characteristic information;
the application party sends the digital identity file and the device characteristic information to a digital identity service party and requests the account identity identifier;
the digital identity service party parses the digital identity file to obtain the account identity identifier and the device characteristic information; and the digital identity service party compares the parsed device characteristic information with the received device characteristic information, and if the comparison result is consistent, returns the account identity identifier to the application party.
2. The method for applying for a root legal identity service account according to claim 1, characterized in that the application party is provided with a dedicated control, and the dedicated control stores a first algorithm; the application party generates the device characteristic information according to the first algorithm.
3. The method for applying for a root legal identity service account according to claim 1, characterized in that the digital identity service party is provided with a first authentication mode, and the first authentication mode comprises the following steps:
verifying a signature value in the digital identity file; if the verification passes, returning the account identity identifier to the application party; otherwise, returning an authentication failure to the application party.
4. The method for applying for a root legal identity service account according to claim 1, characterized in that the digital identity service party is provided with a second authentication mode, and the second authentication mode comprises the following steps:
searching for the real-name identity identifier associated with the account identity identifier; querying the real-name identity information using the real-name identity identifier; performing identity authentication according to the real-name identity information, and returning the account identity identifier to the application party if the identity authentication passes; otherwise, returning an authentication failure to the application party.
5. The method for applying for a root legal identity service account according to claim 1, characterized in that the digital identity file comprises segment A data, segment B data and segment S data:
the segment A data contains the account identity identifier; the segment B data contains the device characteristic information; the segment S data is derived from the segment A data and the segment B data.
6. The method for applying for a root legal identity service account according to claim 1, characterized in that the application party acquires the digital identity file through the following steps:
the application party generates device characteristic information;
the application party sends real-name identity information and the device characteristic information to the digital identity service party and requests a digital identity file;
the digital identity service party issues an account identity identifier; queries or generates the user's real-name identity identifier according to the real-name identity information; and establishes and stores the association between the account identity identifier and the real-name identity identifier;
and the digital identity service party generates a digital identity file from the device characteristic information and the account identity identifier and returns it to the application party.
7. A method for applying for a root legal identity service account, characterized in that it is applied to a client and comprises the following steps:
acquiring a digital identity file, wherein the digital identity file contains device characteristic information and an account identity identifier;
generating device characteristic information;
sending the digital identity file and the device characteristic information and requesting an account identity identifier;
and receiving the returned account identity identifier.
8. The method for applying for a root legal identity service account according to claim 7, characterized in that the client is provided with a dedicated control, and the dedicated control stores a first algorithm; the client generates the device characteristic information according to the first algorithm.
9. A method for applying for a root legal identity service account, characterized in that it is applied to a server and comprises the following steps:
receiving a digital identity file, wherein the digital identity file contains device characteristic information and an account identity identifier;
receiving device characteristic information;
receiving an account identity identifier request;
parsing the digital identity file to obtain the account identity identifier and the device characteristic information; and comparing the parsed device characteristic information with the received device characteristic information, and if the comparison result is consistent, returning the account identity identifier.
10. The method for applying for a root legal identity service account according to claim 9, characterized in that the server is provided with a second authentication mode, and the second authentication mode comprises the following steps:
searching for the real-name identity identifier associated with the account identity identifier; querying the real-name identity information using the real-name identity identifier; performing identity authentication according to the real-name identity information, and if the identity authentication passes, returning the account identity identifier to the application party; otherwise, returning an authentication failure.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211323069.9A CN115801333A (en) 2022-10-27 2022-10-27 Method for applying root legal identity business account


Publications (1)

Publication Number Publication Date
CN115801333A true CN115801333A (en) 2023-03-14

Family

ID=85433997



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination