CN115834253B - Identity verification method, identity verification system, client and server - Google Patents


Info

Publication number: CN115834253B
Authority: CN (China)
Application number: CN202310118239.8A
Other languages: Chinese (zh)
Other versions: CN115834253A
Inventors: 蒋海, 田驰
Current assignee: Bubi Beijing Network Technology Co ltd
Original assignee: Bubi Beijing Network Technology Co ltd
Legal status: Active


Abstract

Embodiments of the invention relate to an identity verification method, an identity verification system, a client and a server. After a verification server in the identity verification system receives an identity verification request sent by the client, it queries the database server for the target identity type that must be verified to access the server and generates a token; it receives the identity information to be verified and the token sent by the client and generates a verification message from them; it sends the verification message to a smart contract on a blockchain system, which verifies the identity information; and, if the identity verification passes, it generates a verification ticket and sends it to the client, so that the client electronically signs the ticket and forwards it, via the server, to the verification server for ticket verification. The server determines the final identity verification result from the ticket verification result. Identity verification is thereby performed through the blockchain system, reducing the risk that authentication information is tampered with and the risk of single-point failure.

Description

Identity verification method, identity verification system, client and server
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an identity authentication method, an identity authentication system, a client, and a server.
Background
In most network applications, identity verification is required between a client operated by a user and a server.
Most traditional authentication schemes rely on centralized storage and a centralized service. This makes it easy for an administrator to control a client's authentication data for fraudulent purposes, that is, the authentication information is easily tampered with; in addition, once the service crashes or the authentication data is damaged, the whole function is lost, so a single-point failure is likely.
Disclosure of Invention
Embodiments of the invention provide an identity verification method, an identity verification system, a client and a server, which aim to solve the technical problems that the authentication information of existing authentication schemes is easily tampered with and that the risk of single-point failure is high.
In a first aspect, an embodiment of the present invention provides an identity verification method applied to an identity verification system. The identity verification system includes a verification server cluster consisting of at least one verification server, a database server and a blockchain system, where the database server and the blockchain system both store client information and server information in advance; the client information includes a client identifier and identity information of at least one identity type of the client, and the server information includes a server identifier and the target identity type to be verified when accessing that server. The method includes the following steps: the verification server receives an identity verification request sent by a client, where the request includes a client identifier and the identifier of the server to be accessed; the verification server queries the database server for the target identity type corresponding to the server identifier and generates a token, where the token includes the client identifier, the server identifier and the target identity type; the verification server sends the target identity type and the token to the client; the verification server receives the identity information to be verified, corresponding to the target identity type, and the token sent by the client, and generates a verification message from the identity information to be verified and the client identifier and target identity type in the token; the verification server sends the verification message to the blockchain system; the smart contract on the blockchain system verifies the identity information to be verified against the pre-registered client information; if the identity verification passes, the verification server generates a verification ticket, where the ticket includes the client identifier, the server identifier and identity-verification-passed information; the verification server sends the verification ticket to the client so that the client electronically signs it and sends the signed ticket to the server; the verification server receives the signed verification ticket forwarded by the server and performs ticket verification on it to obtain a ticket verification result; and the verification server sends the ticket verification result to the server so that the server determines the final identity verification result from it and sends that result to the client.
In a second aspect, an embodiment of the present application provides an identity verification method applied to a client, the method including: sending an identity verification request to a verification server in an identity verification system, where the request includes a client identifier and the identifier of the server to be accessed; the identity verification system includes a verification server cluster consisting of at least one verification server, a database server and a blockchain system, the database server and the blockchain system both store client information and server information in advance, the client information includes the client identifier and identity information of at least one identity type of the client, and the server information includes the server identifier and the target identity type to be verified when accessing that server; receiving the target identity type and a token sent by the verification server, where the target identity type is queried from the database server by the verification server according to the server identifier, and the token includes the client identifier, the server identifier and the target identity type; acquiring identity information to be verified corresponding to the target identity type and sending it together with the token to the verification server, so that the verification server generates a verification message from the identity information to be verified and the client identifier and target identity type in the token, sends the verification message to the blockchain system, has the smart contract on the blockchain system verify the identity information against the pre-registered client information, and generates a verification ticket if the identity verification passes, where the ticket includes the client identifier, the server identifier and identity-verification-passed information; receiving the verification ticket sent by the verification server and electronically signing it; sending the signed verification ticket to the server, so that the server forwards it to the verification server for ticket verification and the verification server obtains a ticket verification result and sends it to the server; and receiving the final identity verification result determined by the server according to the ticket verification result.
In a third aspect, an embodiment of the present application provides an identity verification method applied to a server, the method including: receiving an electronically signed verification ticket sent by a client, where the ticket includes a client identifier, a server identifier and identity-verification-passed information; forwarding the signed verification ticket to a verification server in an identity verification system so that the verification server performs ticket verification on it; receiving the ticket verification result sent by the verification server and determining the final identity verification result from it; and sending the final identity verification result to the client. The identity verification system includes a verification server cluster consisting of at least one verification server, a database server and a blockchain system, where the database server and the blockchain system both store client information and server information in advance; the client information includes a client identifier and identity information of at least one identity type of the client, and the server information includes a server identifier and the target identity type to be verified when accessing that server. The verification ticket is produced as follows: a verification server in the identity verification system receives an identity verification request sent by the client, where the request includes the client identifier and the identifier of the server to be accessed; it queries the database server for the target identity type corresponding to the server identifier and generates a token including the client identifier, the server identifier and the target identity type; it sends the target identity type and the token to the client; it receives the identity information to be verified, corresponding to the target identity type, and the token sent by the client; it generates a verification message from the identity information to be verified and the client identifier and target identity type in the token and sends the verification message to the blockchain system; and the smart contract on the blockchain system verifies the identity information to be verified against the pre-registered client information, the verification ticket being generated if the identity verification passes.
In a fourth aspect, an embodiment of the present invention provides an identity verification system including a verification server cluster formed by at least one verification server, a database server and a blockchain system; the database server and the blockchain system both store client information and server information in advance, where the client information includes a client identifier and identity information of at least one identity type of the client, and the server information includes a server identifier and the target identity type to be verified when accessing that server; the identity verification system is configured to perform the steps of the identity verification method of any embodiment of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a client including a first sending module and a first receiving module. The first sending module is used to send an identity verification request to a verification server in an identity verification system, where the request includes a client identifier and the identifier of the server to be accessed; the identity verification system includes a verification server cluster formed by at least one verification server, a database server and a blockchain system, the database server and the blockchain system both store client information and server information in advance, the client information includes the client identifier and identity information of at least one identity type of the client, and the server information includes the server identifier and the target identity type to be verified when accessing that server. The first receiving module is used to receive the target identity type and a token sent by the verification server, where the target identity type is queried from the database server by the verification server according to the server identifier, and the token includes the client identifier, the server identifier and the target identity type. The first receiving module is further configured to acquire identity information to be verified corresponding to the target identity type and send it together with the token to the verification server, so that the verification server generates a verification message from the identity information to be verified and the client identifier and target identity type in the token, sends the verification message to the blockchain system, has the smart contract on the blockchain system verify the identity information against the pre-registered client information, and generates a verification ticket if the identity verification passes, where the ticket includes the client identifier, the server identifier and identity-verification-passed information. The first receiving module is also used to receive the verification ticket sent by the verification server and to electronically sign it. The first sending module is further configured to send the electronically signed verification ticket to the server, so that the server forwards it to the verification server for ticket verification and the verification server obtains a ticket verification result and sends it to the server. The first receiving module is further configured to receive the final identity verification result determined by the server according to the ticket verification result.
In a sixth aspect, an embodiment of the present invention provides a server including a second receiving module and a second sending module. The second receiving module is used to receive an electronically signed verification ticket sent by a client, where the ticket includes a client identifier, a server identifier and identity-verification-passed information. The second sending module is used to forward the signed verification ticket to a verification server in an identity verification system so that the verification server performs ticket verification on it. The second receiving module is further used to receive the ticket verification result sent by the verification server and to determine the final identity verification result from it. The second sending module is further used to send the final identity verification result to the client. The identity verification system includes a verification server cluster consisting of at least one verification server, a database server and a blockchain system, where the database server and the blockchain system both store client information and server information in advance; the client information includes a client identifier and identity information of at least one identity type of the client, and the server information includes a server identifier and the target identity type to be verified when accessing that server. The verification ticket is generated by a verification server in the identity verification system as follows: it receives an identity verification request sent by the client, where the request includes the client identifier and the identifier of the server to be accessed; it queries the database server for the target identity type corresponding to the server identifier and generates a token including the client identifier, the server identifier and the target identity type; it sends the target identity type and the token to the client; it receives the identity information to be verified, corresponding to the target identity type, and the token sent by the client; it generates a verification message from the identity information to be verified and the client identifier and target identity type in the token and sends the verification message to the blockchain system; and the smart contract on the blockchain system verifies the identity information to be verified against the pre-registered client information, the verification ticket being generated if the identity verification passes.
In a seventh aspect, an embodiment of the present invention provides an electronic device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus; the memory is used to store a computer program; and the processor is configured to implement the steps of the identity verification method according to any one of the first to third aspects when executing the program stored in the memory.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the authentication method according to any one of the first to third aspects.
With the identity verification method, identity verification system, client and server provided by the embodiments of the invention, identity information of several identity types for each client, and the identity type required to access each server, are stored in the blockchain system in advance, and when a client later accesses a server, identity verification is performed by invoking the smart contract on the blockchain system. This reduces the risk, present in traditional authentication schemes, that authentication information is tampered with, and the verification server cluster reduces the single-point failure risk of traditional centralized storage.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings required for describing the embodiments or the prior art are briefly introduced below; those skilled in the art can obtain other drawings from these without inventive effort.
Fig. 1 is a schematic view of an application scenario of an identity verification method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an identity verification method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another identity verification method according to an embodiment of the present invention;
Fig. 4a is a schematic structural diagram of a codebook index according to an embodiment of the present invention;
Fig. 4b is a schematic structural diagram of a codebook according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of another identity verification method according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of another identity verification method according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a smart contract according to an embodiment of the present invention;
Fig. 8 is a schematic flowchart of another identity verification method according to an embodiment of the present invention;
Fig. 9 is a schematic flowchart of another identity verification method according to an embodiment of the present invention;
Fig. 10 is a schematic flowchart of user registration according to an embodiment of the present invention;
Fig. 11 is an interaction diagram of an identity verification method according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of a client according to an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a server according to an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Fig. 1 is a schematic view of an application scenario of an identity authentication method according to an embodiment of the present invention, as shown in fig. 1, the application scenario includes an identity authentication system 101, a client 102, and a server 103, where the identity authentication system 101 includes an authentication server cluster, a database server, and a blockchain system, where the authentication server cluster is formed by at least one authentication server, the authentication server cluster is respectively in communication connection with the database server and the blockchain system, and the client 102 and the server 103 perform information interaction with the identity authentication system 101 through the authentication server cluster.
Furthermore, Hypertext Transfer Protocol Secure (HTTPS) is used for communication between the client and the verification server, between the client and the server, and between the server and the verification server. The verification servers in the verification server cluster can be deployed across machine rooms and regions and communicate with each other to synchronize data. Each verification server also provides, or is connected to, a number of publicly trusted verification services, such as a biometric verification service, a digital certificate service, a household registration check service, a seal verification service and other auxiliary verification services, and all verification servers access the same Key Management Service (KMS) system; these verification services and the KMS may be web services. The blockchain nodes of the blockchain system are all on the same public chain or consortium chain. The database server includes a source database server and a cache database, where the source database may be a conventional database and the cache database caches data.
The identity verification system 101, the client 102 and the server 103 may cooperate to perform the identity verification methods in the following embodiments, and each of the identity verification system 101, the client 102 and the server 103 may also perform its respective identity verification method in the following embodiments on its own.
Fig. 2 is a schematic flowchart of an identity verification method according to an embodiment of the present invention, applied to the identity verification system shown in Fig. 1, where the identity verification system includes a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both store client information and server information in advance, the client information includes a client identifier and identity information of at least one identity type of the client, and the server information includes a server identifier and the target identity type to be verified when accessing that server. As shown in Fig. 2, the identity verification method includes:
Step S201: the verification server receives an identity verification request sent by a client, where the request includes a client identifier and the identifier of the server to be accessed.
Specifically, when a client needs to access a server, it first sends an identity verification request to a verification server in the identity verification system. The request carries the client identifier and the identifier of the server to be accessed; the client identifier may be a client account registered with the identity verification system in advance, and the server identifier may be a server account registered with the identity verification system in advance or the Internet Protocol (IP) address of the server.
Step S202: the verification server queries the database server for the target identity type corresponding to the server identifier and generates a token, where the token includes the client identifier, the server identifier and the target identity type.
Specifically, identity types include a conventional account password, certificate verification (an identity card, a software or hardware certificate, and the like), behavioral verification (a signature, a gesture, habitual behavior, and the like), biometric verification (face, fingerprint, voiceprint, iris, DNA, and the like), and so on. The database server stores the target identity type that a client must verify to access each server; the target identity type may be a single identity type or a combination of several identity types. After receiving an identity verification request from a client, the verification server queries the database server, using the server identifier in the request, for the target identity type required to access that server, and generates a token including the client identifier, the server identifier and the target identity type.
Further, where the database server includes a source database and a cache database, the verification server first checks whether the cache database holds server information for the server identifier in the identity verification request; if so, it queries the target identity type from the cache database, otherwise from the source database. The cache database reduces the access load on the source database and improves query efficiency.
Step S203: the verification server sends the target identity type and the token to the client.
Step S204: the verification server receives the identity information to be verified, corresponding to the target identity type, and the token sent by the client, and generates a verification message from the identity information to be verified and the client identifier and target identity type in the token.
Specifically, after receiving the target identity type and the token from the verification server, the client acquires the user's identity information to be verified for that target identity type through an information acquisition device and sends the acquired identity information together with the token to the verification server; after receiving them, the verification server generates a verification message from the identity information to be verified and the client identifier and target identity type in the token.
Step S205: the verification server sends the verification message to the blockchain system.
Step S206: the smart contract on the blockchain system verifies the identity information to be verified against the pre-registered client information.
Specifically, the smart contract on the blockchain system locates the client information corresponding to the client identifier in the verification message, selects from the client's identity information of at least one identity type the identity information corresponding to the target identity type, and compares it with the identity information to be verified; if the two are the same, the identity verification passes, otherwise it fails.
Step S207: if the identity verification passes, the verification server generates a verification ticket, where the ticket includes the client identifier, the server identifier and identity-verification-passed information.
Step S208: the verification server sends the verification ticket to the client, so that the client electronically signs the ticket and sends the signed ticket to the server.
Specifically, the client can carry the electronically signed verification ticket in the login request it initiates to the server, so that the signed ticket is delivered to the server.
Step S209: the verification server receives the electronically signed verification ticket forwarded by the server and performs ticket verification on it to obtain a ticket verification result.
Specifically, ticket verification mainly consists of verifying the signature on the ticket, so as to guarantee the ticket's authenticity. The ticket verification result has two cases: ticket verification passed and ticket verification failed.
Step S210: the verification server sends the ticket verification result to the server, so that the server determines the final identity verification result from it and sends that result to the client.
Specifically, the verification server sends the ticket verification result to the server. If the result is "passed", the server regards the client as having passed identity verification and returns identity-verification-passed information to the client, preferably together with information that the client has logged in to the server successfully; if the result is "failed", the server regards the client as not having passed identity verification and returns identity verification failure information to the client.
In some embodiments, the token and/or the verification ticket is encrypted, and the encrypted token and/or verification ticket can only be decrypted by the identity verification system. Specifically, the token returned to the client by the verification server in the initial verification stage and the verification ticket returned to the client by the verification server in the middle and later verification stages are both encrypted information specific to the verification server (readable only by the identity verification system), so that forged requests in the verification process, after the client has been eavesdropped on or compromised, are effectively isolated.
In some embodiments, the token further comprises first time information corresponding to the generation of the token, and step S204 comprises: generating the verification message according to the identity information to be verified, the client identifier in the token and the target identity type only if the first time information does not exceed a first preset time threshold.
Specifically, in order to further improve the security of private data, after receiving the identity information to be verified and the token fed back by the client, the verification server performs a timeliness check: it determines whether the token has timed out according to the timestamp of the token's generation and the time at which the token was received. If it has not timed out, the subsequent steps (generation of the verification message and so on) are executed; if it has timed out, an identity verification failure message is returned to the client, and the client can decide whether to send a new identity verification request to the identity verification system as required.
In some embodiments, the verification ticket further comprises second time information corresponding to the generation of the verification ticket, and performing ticket verification on the electronically signed verification ticket in step S209 comprises: performing ticket verification on the electronically signed verification ticket only if the second time information does not exceed a second preset time threshold.
Similarly, the verification server performs a timeliness check on the electronically signed verification ticket fed back by the client, that is, it determines whether the ticket has timed out according to the timestamp of the ticket's generation and the time at which the electronically signed ticket was received. If it has not timed out, the subsequent steps continue; if it has timed out, a ticket verification failure message is returned to the client.
In some embodiments, the client information further comprises a first identifier indicating whether the client information is enabled, and the server information further comprises a second identifier indicating whether the server information is enabled. Querying the target identity type corresponding to the server identifier through the database server in step S202 then comprises: the verification server determines, through the database server, the first identifier corresponding to the client identifier and the second identifier corresponding to the server identifier, and queries the target identity type corresponding to the server identifier through the database server only if both the first identifier and the second identifier have the preset (enabled) value.
Specifically, client information and server information stored in the blockchain system cannot be deleted, but they have a limited validity, so an identifier indicating whether the client information or server information is enabled can be set. After receiving an identity verification request sent by a client, the verification server determines according to the client identifier in the request whether the first identifier in the corresponding client information is in the enabled state, determines according to the server identifier in the request whether the second identifier in the corresponding server information is in the enabled state, and only if both are enabled queries the server information for the target identity type required to access the server.
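The following is an added example, not code from the patent or its assignee, that drives the S201 to S210 exchange end to end in one process: the enable-flag check, the token with its first time information, the verification message and contract comparison, the ticket with its second time information, the client's signature and the server's forwarding of the signed ticket. Everything concrete is assumed: the registrations, the two thresholds, the sealing of token and ticket with an HMAC key that only the verification server holds (integrity only; the patent also encrypts them, which a deployment would add with an AEAD), and an HMAC stand-in for the client's electronic signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample registrations (not from the patent): what the database server
# holds after the client and server registration steps. "enabled" is the first /
# second identifier; "sign_key" stands in for the client's signature key.
CLIENTS = {
    "C-1001": {"enabled": True,
               "sign_key": b"client-1001-signing-key",
               "identity": {"password": "pw-hash-abc", "voiceprint": "vp-model-7"}},
}
SERVERS = {
    "S-2001": {"enabled": True, "target_identity_type": "voiceprint"},
}
TOKEN_TTL = 60     # first preset time threshold in seconds (assumed value)
TICKET_TTL = 120   # second preset time threshold in seconds (assumed value)


def smart_contract_verify(message):
    """Step S206 as an in-process stand-in: compare the submitted identity information
    with the registered information for the client identifier in the message."""
    client = CLIENTS.get(message["client"])
    if client is None:
        return False
    return all(client["identity"].get(t) == v for t, v in message["identity"].items())


class VerificationServer:
    def __init__(self, seal_key):
        self._seal_key = seal_key  # known only to the identity verification system

    # Token and ticket are sealed with a key the client does not hold, so the client
    # can carry them back but cannot forge or alter them.
    def _seal(self, payload):
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self._seal_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

    def _unseal(self, blob):
        body, _, tag = blob.rpartition(".")
        expected = hmac.new(self._seal_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def auth_request(self, client_id, server_id, now):
        """Steps S201-S203: check both enable flags, look up the target identity type,
        issue a token carrying client id, server id, type and generation time."""
        c, s = CLIENTS.get(client_id), SERVERS.get(server_id)
        if not (c and s and c["enabled"] and s["enabled"]):
            return None
        t = s["target_identity_type"]
        return t, self._seal({"client": client_id, "server": server_id, "type": t, "t1": now})

    def identity_info(self, info, token, now):
        """Steps S204-S208: timeliness check on the token, build the verification
        message, call the contract, and issue a ticket if verification passed."""
        tok = self._unseal(token)
        if tok is None or now - tok["t1"] > TOKEN_TTL:
            return None
        if not smart_contract_verify({"client": tok["client"], "identity": {tok["type"]: info}}):
            return None
        return self._seal({"client": tok["client"], "server": tok["server"],
                           "passed": True, "t2": now})

    def verify_ticket(self, signed_ticket, now):
        """Step S209: timeliness check on the ticket, then check the client's signature."""
        ticket, sig = signed_ticket
        tk = self._unseal(ticket)
        if tk is None or not tk.get("passed") or now - tk["t2"] > TICKET_TTL:
            return False
        key = CLIENTS[tk["client"]]["sign_key"]
        expected = hmac.new(key, ticket.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(sig, expected)


def client_sign(client_id, ticket):
    """Step S208 on the client: electronically sign the ticket (HMAC stand-in)."""
    key = CLIENTS[client_id]["sign_key"]
    return ticket, hmac.new(key, ticket.encode(), hashlib.sha256).hexdigest()


def run_flow(vs, client_id, server_id, supplied_info, t0,
             delay_before_info=0, delay_before_login=0):
    """Drive one complete S201-S210 exchange and return the server's final result."""
    issued = vs.auth_request(client_id, server_id, t0)
    if issued is None:
        return "auth failed"
    _target_type, token = issued
    ticket = vs.identity_info(supplied_info, token, t0 + delay_before_info)
    if ticket is None:
        return "auth failed"
    signed = client_sign(client_id, ticket)
    # Step S210: the server forwards the signed ticket and relays the result to the client.
    ok = vs.verify_ticket(signed, t0 + delay_before_info + delay_before_login)
    return "login ok" if ok else "auth failed"
```

The two delays in `run_flow` let you see the timeliness checks reject a token presented after the first threshold and a ticket presented after the second, while a tampered or wrongly signed ticket fails the unseal or signature check regardless of timing.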
According to the identity verification method provided by the embodiment of the invention, the identity information of the client's various identity types and the identity type that must be verified to access the server are stored in the blockchain system in advance, and when the client later accesses the server and identity verification is performed, the verification is carried out by calling the smart contract on the blockchain system. This reduces the risk, present in traditional authentication schemes, that authentication information is easily tampered with, and the verification server cluster reduces the single-machine failure risk of traditional centralized storage.
Fig. 3 is a schematic flow chart of another identity verification method according to an embodiment of the present invention. On the basis of the embodiment shown in fig. 2, before step S201 the method further includes the following steps:
Step S301: the verification server, in response to a registration request initiated by the client, acquires identity information of at least one identity type of the client and generates a corresponding client identifier.
Step S302: the verification server stores the client identifier and the identity information of at least one identity type of the client, as client information, to the database server and the blockchain system.
Specifically, the client registers with the identity verification system in advance: the client sends a registration request to a verification server in the identity verification system and sends the identity information corresponding to a plurality of its identity types to the verification server. After receiving the registration request, the verification server generates a corresponding client account for the client, and stores the client account and the identity information of the client's plurality of identity types in the database and in the blockchain system respectively, so that identity verification can be performed when the client later accesses the server.
In some embodiments, before acquiring the identity information of at least one identity type of the client in step S301, the method further includes: acquiring basic information of the client and performing a duplicate check on it; and only if the duplicate check passes, executing the step of acquiring the identity information of at least one identity type of the client.
Specifically, the client basic information includes a user name, a mobile phone number, a certificate number, an age and the like. After initiating a registration request, the client fills in its basic information and sends it to the verification server; the verification server checks the basic information for duplicates. If the check passes, the verification server goes on to obtain the identity information corresponding to the client's plurality of identity types and stores it in the database and the blockchain system; if the check fails, the client is already registered and need not register again.
In some embodiments, the identity verification system further comprises a key management system (KMS) communicatively connected to the verification server cluster, the key management system generating a first encryption and decryption key corresponding to the identity verification system. Responding to the registration request initiated by the client in step S301 then further includes: the verification server generates, through the key management system, a second encryption and decryption key corresponding to the client, so that the information exchanged between the client and the identity verification system is encrypted or decrypted with the first and second encryption and decryption keys.
Specifically, the KMS generates the first encryption and decryption key corresponding to the identity verification system, and generates the second encryption and decryption key corresponding to the client after the client's registration request is received. Optionally, the first and second encryption and decryption keys are asymmetric keys: the first encryption and decryption key consists of an identity verification system public key and an identity verification system private key, and the second encryption and decryption key consists of a client public key and a client private key. The verification server sends the identity verification system public key and the client private key generated by the KMS to the client, so that information transmitted between the client and the identity verification system is processed with asymmetric-key techniques. For example, the messages sent by the client and received by the verification server in steps S201 and S204 are encrypted with the identity verification system public key and decrypted by the verification server with the identity verification system private key; the message sent by the verification server to the client in step S203 is encrypted with the client public key and decrypted by the client with the client private key. It should be noted that the public and private key pairs are exchanged during the client registration process, so as to prevent information leakage through man-in-the-middle eavesdropping.
In some embodiments, step S302 comprises: storing the client identifier and the identity information of at least one identity type of the client on the blockchain system as a first codebook index and first codebooks in a first preset format. The first codebook index comprises first index header information and first index content information: the first index header information comprises the client identifier, and the first index content information comprises the blockchain storage address of the first codebook corresponding to each of the client's at least one identity type. A first codebook comprises first codebook header information and first codebook content information: the first codebook header information comprises the client identifier and an identity type, and the first codebook content information comprises the identity information corresponding to that identity type.
In some embodiments, the first index header information further comprises blockchain protocol information, the encryption algorithm identifier of the client, the address of the second encryption and decryption key and the first identifier, and the first index content information further comprises the client basic information; the first codebook header information further comprises blockchain protocol information, the encryption algorithm identifier of the client, the first identifier and a first preset validity time, and the first codebook content information further comprises an identity information digest and a signature over the identity information digest.
Specifically, the client information is stored on the blockchain system as a codebook index and codebooks in a certain format. Fig. 4a is a schematic structural diagram of a codebook index provided in an embodiment of the present invention, and fig. 4b is a schematic structural diagram of a codebook provided in an embodiment of the present invention. Referring to fig. 4a, the codebook index mainly consists of two parts, header information and content information. The header information mainly includes the protocol type, protocol version, encryption algorithm identifier, index of the encryption key used (that is, the ID of the encryption key used), user ID and data-enabled identifier; the content information is a map whose key is the identity type and whose value is the address of the corresponding identity information in the blockchain. Referring to fig. 4b, the codebook likewise consists of header information and content information. The header information mainly includes the protocol type, protocol version, encryption algorithm identifier, identity type, user ID, data-enabled identifier, and the validity period start date and end date of the content information; the content information mainly includes the identity information details (for example a password, a face model, a voiceprint model and so on), an identity information digest, and the user's signature over the digest.
When the user is a client, the user ID is the client account registered in advance with the identity verification system, the protocol type and protocol version are the protocol standards the client follows, the encryption algorithm identifier is the identifier of the encryption algorithm the client uses, the index of the encryption key used is the storage address of the client's second encryption and decryption key, the data-enabled identifier is the client's first identifier, and the user type is "client".
In summary, the whole registration process of the client with the identity verification system is as follows: the client initiates a registration request to a verification server in the identity verification system and sends its basic information to the verification server; the verification server checks the client's basic information for duplicates, and after the check passes receives the identity information corresponding to the client's plurality of identity types, determines the client's encryption and decryption key through the KMS (Key Management System), and stores the client information from the whole registration process in the database server and the blockchain system respectively, with the client information on the blockchain system stored as a codebook index and codebooks in a certain format.
On the basis of this embodiment, the identity information of the client's multiple identity types is registered and stored in the blockchain system in advance, which facilitates identity verification when the client later accesses the server.
Fig. 5 is a schematic flow chart of another identity verification method according to an embodiment of the present invention. On the basis of the embodiment shown in fig. 2 or fig. 3, before step S201 the method further includes the following steps:
Step S501: the verification server, in response to a registration request initiated by the server, obtains the target identity type that must be verified to access the server and generates a corresponding server identifier.
Step S502: the verification server stores the server identifier and the target identity type, as server information, to the database server and the blockchain system.
Specifically, the server registers with the identity verification system in advance: the server sends a registration request to a verification server in the identity verification system, and sends the target identity type (a single identity type or a combination of multiple identity types) required to access the server to the verification server; the verification server generates a corresponding server identifier according to the registration request, and stores the server identifier and the target identity type to be verified for access to the server in the database server and the blockchain system respectively.
In some embodiments, responding to the registration request initiated by the server in step S501 further includes: acquiring the Internet protocol address of the server, and storing it to the database server and the blockchain system.
Specifically, when the server sends the registration request to the verification server, it can also send its IP address, and the verification server stores the server IP address in the database server and the blockchain system respectively.
In some embodiments, before obtaining the target identity type that must be verified to access the server in step S501, the method further includes: obtaining basic information of the server and performing a duplicate check on it; and only if the duplicate check passes, acquiring the identity information corresponding to at least one identity type of the server and executing the step of obtaining the target identity type that must be verified to access the server.
Specifically, the basic information of the server includes the server name, certificate information and the like. After the server initiates a registration request to the verification server, the verification server first performs a duplicate check on the server's basic information. If the check passes, it goes on to acquire the target identity type required to access the server, the identity information corresponding to the server's multiple identity types, and so on, and stores them in the database server and the blockchain system respectively; if the check fails, the server is already registered and need not register again.
In some embodiments, the identity verification system further comprises a key management system communicatively coupled to the verification server cluster, and responding to the registration request initiated by the server further comprises: the verification server generates, through the key management system, a third encryption and decryption key corresponding to the server.
Specifically, after the server initiates the registration request, the verification server also generates the server's third encryption and decryption key through the KMS. Optionally, the third encryption and decryption key is an asymmetric key consisting of a server public key and a server private key; the verification server sends the identity verification system public key and the server private key to the server, and the information exchanged between the server and the identity verification system is encrypted or decrypted accordingly.
In some embodiments, step S502 comprises: storing the server identifier and the target identity type on the blockchain system as a second codebook index in a second preset format. The second codebook index comprises second index header information and second index content information: the second index header information comprises the server identifier, and the second index content information comprises the target identity type required to access the server and the blockchain storage address of the second codebook corresponding to each of the server's at least one identity type. A second codebook comprises second codebook header information and second codebook content information: the second codebook header information comprises the server identifier and an identity type of the server, and the second codebook content information comprises the server's identity information of that identity type.
In some embodiments, the second index header information is extended in the same way as the first index header information (see the description of fig. 4a below), and the second index content information further comprises the server basic information and the Internet protocol address of the server; the second codebook header information further comprises blockchain protocol information, the encryption algorithm identifier of the server, the second identifier and a second preset validity time, and the second codebook content information further comprises an identity information digest and a signature over the identity information digest.
Specifically, the codebook index and codebook structure for the server information are similar to those for the client information, as shown in fig. 4a and 4b. When the user is a server, the user ID is the server account registered in advance with the identity verification system, the protocol type and protocol version are the protocol standards the server follows, the encryption algorithm identifier is the identifier of the encryption algorithm the server uses, the index of the encryption key used is the storage address of the server's third encryption and decryption key, the data-enabled identifier is the server's second identifier, and the user type is "server". In addition, the server's index also contains the list of identity types that must be verified to access the server and the domain name or IP of the server.
In summary, the whole registration process of the server with the identity verification system is as follows: the server initiates a registration request to a verification server in the identity verification system and sends its basic information to the verification server; the verification server checks the server's basic information for duplicates, and after the check passes receives the identity information corresponding to the server's plurality of identity types, the target identity types that must be verified to access the server and the server's IP address, determines the server's encryption and decryption key through the KMS (Key Management System), and stores the server information from the whole registration process in the database server and the blockchain system respectively.
On the basis of this embodiment, the server information is registered with the identity verification system in advance, so that when a client accesses the server it is straightforward to determine which identity types of the client must be verified.
Fig. 6 is a schematic flow chart of another identity verification method according to an embodiment of the present invention. On the basis of the embodiment shown in fig. 2, fig. 3 or fig. 5, a specific implementation of step S206 is as follows:
Step S601: the smart contract on the blockchain system determines the corresponding first codebook index according to the client identifier in the verification message.
Step S602: the blockchain storage address of the first codebook corresponding to the target identity type is determined from the first codebook index.
Step S603: the corresponding first codebook is determined from its blockchain storage address, and the identity information to be verified is verified against the identity information stored in that first codebook.
Fig. 7 is a schematic diagram of a smart contract according to an embodiment of the present invention. As shown in fig. 7, the smart contract mainly comprises an entry method, a contract parameter format and content verification method, an identity verification method, and a method for determining and assembling the return information, where the identity verification method in turn comprises a method for obtaining the codebook index of a specified user, a method for obtaining the identity information of the specified user, and a method that calls a dialer to compare the identity information.
Specifically, the verification message mainly consists of the client identifier and a map of identities to be verified, made up of target identity types and identity information to be verified: the key is the identity type requested to be verified, and the value is the identity information requested to be verified. The verification message is sent to the blockchain system. The smart contract on the blockchain system first receives the verification message through the entry method; it then verifies the correctness of the entry format and the integrity of the content with the contract parameter format and content verification method, and splits out the identity type to be verified and the identity information to be verified. Next, using the method for obtaining the specified client's codebook index, it determines the corresponding codebook index from the client identifier and determines the storage address of the corresponding codebook from the identity type map in the codebook index; then, using the method for obtaining the specified user's identity information, it finds the corresponding codebook at that address and obtains the identity information of the corresponding identity type from the codebook. After that, through the method that calls the dialer to compare identity information, it invokes the external verification service, uploading the stored identity information together with the identity information to be verified, and obtains the identity verification result. Finally, the identity verification result is returned to the verification server by the method for determining and assembling the return information.
On the basis of this embodiment, the use, verification and formatted storage of the methods in the smart contract make multiple format standards compatible, perform effective content verification of the execution data, effectively restrict and verify the participants, and guarantee the traceability of the stored data.
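The codebook index and codebook layout of fig. 4a and 4b, and the contract logic of steps S601 to S603 and fig. 7, as an added example written for this page rather than code from the patent. It keeps an in-memory dictionary as a stand-in for blockchain storage, builds one constructed client registration, and then runs the contract's checks in order: parameter format, index lookup by client identifier, enable flag, address resolution from the identity-type map, validity window, integrity of the stored record (digest and the user's signature over it, with HMAC standing in for the real signature), and finally the comparison itself, which replaces the external comparison service with a constant-time equality check. Addresses, protocol names, key handling and sample values are all assumptions.

```python
import hashlib
import hmac

# Constructed in-memory stand-in for the blockchain storage: address -> stored record.
# Addresses, protocol names and sample values are assumptions, not from the patent.
LEDGER = {}
# Client identifier -> address of that client's codebook index (assumed lookup table).
INDEX_ADDRESS = {}
# User ID -> key for the user's signature over the digest (HMAC stand-in for a real
# signature key; the patent stores a key address in the index header instead).
SIGN_KEYS = {}


def digest(identity_info):
    return hashlib.sha256(identity_info.encode()).hexdigest()


def store_codebook(address, user_id, identity_type, identity_info,
                   valid_from, valid_to, enabled=True):
    """Write one codebook (fig. 4b): header with protocol, algorithm, type, user,
    enable flag and validity window; content with the info, its digest and the
    user's signature over the digest."""
    d = digest(identity_info)
    LEDGER[address] = {
        "header": {"protocol": "idv", "version": 1, "alg": "sha256",
                   "identity_type": identity_type, "user_id": user_id,
                   "enabled": enabled, "valid_from": valid_from, "valid_to": valid_to},
        "content": {"identity_info": identity_info, "digest": d,
                    "digest_signature": hmac.new(SIGN_KEYS[user_id], d.encode(),
                                                 hashlib.sha256).hexdigest()},
    }


def store_index(address, user_id, key_address, type_to_address, basic_info, enabled=True):
    """Write a codebook index (fig. 4a): the content map goes from identity type to
    the blockchain address of the matching codebook."""
    LEDGER[address] = {
        "header": {"protocol": "idv", "version": 1, "alg": "sha256",
                   "key_address": key_address, "user_id": user_id, "enabled": enabled},
        "content": {"basic_info": basic_info, "types": dict(type_to_address)},
    }
    INDEX_ADDRESS[user_id] = address


def contract_verify(message, now):
    """Steps S601-S603 and the fig. 7 methods, returning (passed, reason)."""
    # Contract parameter format and content verification.
    if not isinstance(message, dict) or "client" not in message \
            or not isinstance(message.get("identity"), dict) or not message["identity"]:
        return False, "malformed verification message"
    # Obtain the specified user's codebook index (S601).
    index = LEDGER.get(INDEX_ADDRESS.get(message["client"]))
    if index is None or index["header"]["user_id"] != message["client"]:
        return False, "no codebook index for client"
    if not index["header"]["enabled"]:
        return False, "client information disabled"
    for identity_type, supplied in message["identity"].items():
        # Resolve the codebook address from the identity-type map (S602).
        codebook = LEDGER.get(index["content"]["types"].get(identity_type))
        if codebook is None:
            return False, "no codebook for identity type"
        head, body = codebook["header"], codebook["content"]
        if not head["enabled"] or not head["valid_from"] <= now <= head["valid_to"]:
            return False, "codebook expired or disabled"
        # Check the stored record's own integrity before trusting it (S603).
        expected_sig = hmac.new(SIGN_KEYS[head["user_id"]], body["digest"].encode(),
                                hashlib.sha256).hexdigest()
        if digest(body["identity_info"]) != body["digest"] \
                or not hmac.compare_digest(expected_sig, body["digest_signature"]):
            return False, "codebook integrity check failed"
        # Stored vs. submitted identity information, compared in constant time.
        if not hmac.compare_digest(body["identity_info"].encode(), supplied.encode()):
            return False, "identity information mismatch"
    return True, "identity verification passed"


def build_sample_ledger():
    """Populate the ledger with one constructed client registration (steps S301-S302)."""
    LEDGER.clear()
    INDEX_ADDRESS.clear()
    SIGN_KEYS["C-1001"] = b"client-1001-signing-key"
    store_codebook("0xcb01", "C-1001", "password", "pw-hash-abc", 1000, 2000)
    store_codebook("0xcb02", "C-1001", "voiceprint", "vp-model-7", 1000, 2000)
    store_index("0xidx1", "C-1001", "0xkey1",
                {"password": "0xcb01", "voiceprint": "0xcb02"},
                {"user_name": "alice", "phone": "000-0000"})
```

A verification message may carry several identity types at once (the combination case of step S501); each one is resolved and checked independently, and the first failure decides the returned reason. Because the contract never deletes records, the enable flag and the validity window in the header are what retire an old codebook, which is why they are checked before the digest and signature.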
Fig. 8 is a schematic flow chart of another identity verification method according to an embodiment of the present invention, applied to the client shown in fig. 1. As shown in fig. 8, the identity verification method includes:
Step S801: sending an identity verification request to a verification server in an identity verification system, the identity verification request comprising the client identifier and the identifier of the server to be accessed.
The identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system. The database server and the blockchain system both store client information and server information in advance; the client information comprises the client identifier and identity information of at least one identity type of the client, and the server information comprises the server identifier and the target identity type to be verified when accessing the server.
Step S802: receiving the target identity type and a token sent by the verification server, where the target identity type is queried from the database server by the verification server according to the server identifier, and the token comprises the client identifier, the server identifier and the target identity type.
Step S803: obtaining the identity information to be verified corresponding to the target identity type, and sending it together with the token to the verification server, so that the verification server generates a verification message according to the identity information to be verified, the client identifier in the token and the target identity type, sends the verification message to the blockchain system, has the smart contract on the blockchain system verify the identity information to be verified against the pre-registered client information, and generates a verification ticket when identity verification passes, where the verification ticket comprises the client identifier, the server identifier and identity-verification-passed information.
Step S804: receiving the verification ticket sent by the verification server, and electronically signing it.
Step S805: sending the electronically signed verification ticket to the server, so that the server forwards the electronically signed verification ticket to the verification server for ticket verification, a ticket verification result is obtained, and the ticket verification result is sent to the server.
Step S806: receiving the final identity verification result determined by the server according to the ticket verification result.
The implementation principle and technical effect of the identity verification method provided by this embodiment are similar to those of the embodiments above and are not repeated here.
Fig. 9 is a flowchart illustrating another identity authentication method according to an embodiment of the present invention, which is applied to the server shown in fig. 1. As shown in fig. 9, the authentication method includes:
step S901, receiving a verification ticket sent by the client after the electronic signature, where the verification ticket includes a client identifier, a server identifier, and authentication passing information.
And S902, forwarding the verification bill after the electronic signature to a verification server in an identity verification system so that the verification server performs bill verification on the verification bill after the electronic signature.
And step S903, receiving a bill verification result sent by the verification server, and determining a final identity verification result according to the bill verification result.
Step S904, sending the final authentication result to the client.
The identity authentication system comprises an authentication server cluster consisting of at least one authentication server, a database server and a block chain system, wherein the database server and the block chain system both pre-store client information and server information, the client information comprises a client identifier and identity information of at least one identity type of the client, and the server information comprises a server identifier and a target identity type to be authenticated for accessing the server; the verification bill is that a verification server in the identity verification system receives an identity verification request sent by a client, the identity verification request comprises a client identifier and a server identifier to be accessed, a target identity type corresponding to the server identifier is inquired through the database server, a token is generated, the token comprises the client identifier, the server identifier and the target identity type, the target identity type and the token are sent to the client, identity information to be verified and the token, which are sent by the client and correspond to the target identity type, are received, a verification message is generated according to the identity information to be verified, the client identifier and the target identity type in the token, the verification message is sent to a block chain system, and an intelligent contract on the block chain system performs identity verification on the identity information to be verified according to pre-registered client information and generates the verification result under the condition that the identity verification passes.
The implementation principle and technical effect of the identity verification method provided by this embodiment are similar to those of the above embodiments and are not described again here.
Fig. 10 is a schematic flowchart of user registration according to an embodiment of the present invention, and fig. 11 is an interaction diagram of an identity verification method according to an embodiment of the present invention. For a further understanding of the embodiments of the present invention, they are described in detail below with reference to fig. 1, 10 and 11.
Referring first to fig. 10, the user registration process is described in detail. As shown in fig. 10, a connection is first established between the user equipment (a client or a server) and a verification server. The user then decides whether to register.
If the user chooses to register, the user's basic information is registered and verified; if the verification fails, the process ends, and if it passes, the user's basic verification information (usually account and password information) is registered. If the user chooses not to register, the verification server can ask, through the user equipment, whether the user wishes to modify or supplement existing basic information; if the user declines, the process ends, and if the user agrees, the modified or supplemented basic information is verified against the information already registered, the process ends if that verification fails, and the basic verification information is registered if it passes.
The user (client or server) can then choose whether to register other verification information, which usually comprises biometric verification information, behavioural verification information and hardware verification information, and enters it if so. The process then checks whether the user equipment is a server: if not, the corresponding user account is created; if it is, the identity type or combination of identity types that must be verified to access that server is registered and the account is created.
Finally, the user information obtained during registration is stored in both the blockchain system and the database server, a corresponding encryption and decryption key (generally a public and private key pair) is generated and sent to the user equipment, and the process ends.
Referring to fig. 11 (which omits the database server of the identity verification system), the identity verification process by which a client logs in to a server is described in detail and comprises the following steps:
Step S1101, the client sends an identity verification request to a verification server in the identity verification system, the request comprising a client identifier and the identifier of the server to be accessed.
Correspondingly, the verification server receives the identity verification request sent by the client, which comprises the client identifier and the identifier of the server to be accessed.
Specifically, the client initiates the identity verification request to the verification server and encrypts it with the identity verification system public key. The request includes the client account registered by the client in the identity verification system, and either the IP address of the server to be accessed or the server account registered by that server in the identity verification system.
Step S1102, the verification server queries, through the database server, the target identity type corresponding to the server identifier and generates a token comprising the client identifier, the server identifier and the target identity type.
Specifically, the verification server decrypts the identity verification request with the identity verification system private key and checks, through the database server, whether the client account and the server account both exist and are enabled. Only when both do, it returns to the client, as its response, the target identity type that must be verified to access the server, together with an encrypted token. The token content comprises, in a fixed format, the client account, the server account, the target identity type to be verified, the timestamp at which the token was generated, the IP address from which the access was initiated, and similar information. The verification server encrypts the target identity type and the encrypted token as a single response with the client public key it retains; the token itself can only be decrypted by the identity verification system.
Step S1103, the verification server sends the target identity type and the token to the client.
Step S1104, the client obtains the identity information to be verified corresponding to the target identity type and sends it, together with the token, to the verification server.
Correspondingly, the verification server receives the identity information to be verified, corresponding to the target identity type, and the token sent by the client.
Specifically, after decrypting the response with the client private key, the client collects the specified verification information (for example, through a fixed information acquisition device), encrypts the collected information together with the still-encrypted token using the identity verification system public key, and sends the result to the verification server.
Step S1105, the verification server generates a verification message from the identity information to be verified and the client identifier and target identity type in the token.
Step S1106, the verification server sends the verification message to the blockchain system.
Specifically, after receiving the encrypted identity information to be verified and the encrypted token, the verification server first decrypts the outer message with the identity verification system private key and then decrypts the token. It reads the timestamp from the token and, provided the token has not timed out, assembles the information to be verified and the target identity type stored in the token into a verification message, which it sends to the smart contract on the blockchain for verification.
Step S1107, the smart contract on the blockchain system verifies the identity information to be verified against the pre-registered client information and returns the identity verification result to the verification server.
Specifically, the smart contract on the blockchain system calls an oracle to verify the identity information to be verified.
Step S1108, if the identity verification passes, the verification server generates a verification ticket comprising the client identifier, the server identifier and identity-verification-passed information.
Step S1109, the verification server sends the verification ticket to the client.
Correspondingly, the client receives the verification ticket sent by the verification server.
Specifically, after the smart contract verification succeeds, the identity verification result is returned to the verification server, which generates an encrypted verification ticket and returns it to the client. The verification ticket mainly comprises the client account, the server account, the verification-passed indication, a timestamp and similar information.
Step S1110, the client electronically signs the verification ticket and sends the signed verification ticket to the server.
Correspondingly, the server receives the electronically signed verification ticket sent by the client, the ticket comprising the client identifier, the server identifier and identity-verification-passed information.
Step S1111, the server forwards the electronically signed verification ticket to a verification server in the identity verification system.
Correspondingly, the verification server receives the electronically signed verification ticket forwarded by the server.
Specifically, after the client electronically signs the verification ticket, it sends the signed ticket to the server, and the server forwards it to the verification server so that the authenticity of the ticket can be verified.
Step S1112, the verification server performs ticket verification on the electronically signed verification ticket to obtain a ticket verification result.
Step S1113, the verification server sends the ticket verification result to the server.
Step S1114, the server determines the final identity verification result according to the ticket verification result and returns it to the client.
Specifically, the verification server decrypts the electronically signed verification ticket and checks both its timeliness and its authenticity. If these checks succeed, it returns the ticket verification result to the server; the server can then accept that the client has passed identity verification and returns an authentication-passed result to the client, optionally accompanied by other login-success information.
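The exchange of steps S1101 to S1114, simulated end to end in Python as an added example; this is not code from the patent or its assignee. To stay dependency-free it makes two substitutions, both marked in the code: the asymmetric encryption of the token and ticket is replaced by an HMAC seal under a key held only by the verification server, which keeps the property that only the identity verification system can read or produce them, and the client's private-key electronic signature is replaced by an HMAC under a per-client key handed out at registration. Transport encryption (HTTPS and the per-message public-key encryption) is omitted. The registered accounts, the stored identity digests, the source IP address and the two time thresholds are constructed values.

```python
"""Token/ticket exchange of fig. 11, simulated end to end (added example, not the patent's code)."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed registration data standing in for the database server and the blockchain.
# Identity information is kept as a SHA-256 digest; the patent leaves the stored format open.
REGISTERED_CLIENTS = {
    "client-001": {"enabled": True,
                   "identities": {"password": hashlib.sha256(b"correct horse").hexdigest()}},
    "client-002": {"enabled": False, "identities": {}},
}
REGISTERED_SERVERS = {"server-A": {"enabled": True, "target_identity_type": "password"}}

TOKEN_TTL = 60     # first preset time threshold, seconds (assumed value)
TICKET_TTL = 120   # second preset time threshold, seconds (assumed value)


def smart_contract_verify(message):
    """Stand-in for the on-chain contract: compare against pre-registered client information."""
    stored = REGISTERED_CLIENTS[message["client"]]["identities"].get(message["type"])
    return stored is not None and hmac.compare_digest(stored, message["digest"])


class VerificationServer:
    def __init__(self):
        # Held only by the identity verification system: models "decryptable only by the system".
        self._system_key = secrets.token_bytes(32)
        # Per-client key handed out at registration; stands in for the client's key pair.
        self.client_keys = {cid: secrets.token_bytes(32) for cid in REGISTERED_CLIENTS}

    def _seal(self, payload):
        body = json.dumps(payload, sort_keys=True).encode()
        return body.hex() + "." + hmac.new(self._system_key, body, hashlib.sha256).hexdigest()

    def _open(self, sealed):
        body_hex, tag = sealed.rsplit(".", 1)
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(hmac.new(self._system_key, body, hashlib.sha256).hexdigest(), tag):
            raise ValueError("not issued by this system")
        return json.loads(body)

    def handle_auth_request(self, client_id, server_id, source_ip, now=None):
        """S1101-S1103: both accounts must exist and be enabled; return target type and token."""
        now = time.time() if now is None else now
        c, s = REGISTERED_CLIENTS.get(client_id), REGISTERED_SERVERS.get(server_id)
        if not (c and c["enabled"] and s and s["enabled"]):
            raise PermissionError("unknown or disabled account")
        token = self._seal({"client": client_id, "server": server_id,
                            "type": s["target_identity_type"], "ts": now, "ip": source_ip})
        return s["target_identity_type"], token

    def verify_identity(self, token, identity_info, now=None):
        """S1104-S1109: open the token, enforce its age, ask the contract, issue the ticket."""
        now = time.time() if now is None else now
        tok = self._open(token)
        if now - tok["ts"] > TOKEN_TTL:
            raise TimeoutError("token expired")
        message = {"client": tok["client"], "type": tok["type"],
                   "digest": hashlib.sha256(identity_info.encode()).hexdigest()}
        if not smart_contract_verify(message):
            raise PermissionError("identity verification failed")
        return self._seal({"client": tok["client"], "server": tok["server"], "result": "pass", "ts": now})

    def verify_ticket(self, signed, server_id, now=None):
        """S1111-S1113: system seal, client signature, binding to the server, and timeliness."""
        now = time.time() if now is None else now
        try:
            ticket = self._open(signed["ticket"])
        except ValueError:
            return False
        expected = hmac.new(self.client_keys[ticket["client"]], signed["ticket"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["signature"]):
            return False
        return ticket["server"] == server_id and ticket["result"] == "pass" and now - ticket["ts"] <= TICKET_TTL


def client_sign(vs, client_id, ticket):
    """S1110: the client's electronic signature over the ticket (HMAC stands in for a private-key signature)."""
    sig = hmac.new(vs.client_keys[client_id], ticket.encode(), hashlib.sha256).hexdigest()
    return {"ticket": ticket, "signature": sig}


def run_login(vs, client_id, server_id, identity_info, now=None):
    """S1101-S1114 in sequence; returns the final result the server hands back to the client."""
    try:
        _, token = vs.handle_auth_request(client_id, server_id, "203.0.113.5", now)
        ticket = vs.verify_identity(token, identity_info, now)
    except (PermissionError, TimeoutError) as e:
        return f"rejected: {e}"
    signed = client_sign(vs, client_id, ticket)
    return "authenticated" if vs.verify_ticket(signed, server_id, now) else "rejected: ticket invalid"


if __name__ == "__main__":
    print(run_login(VerificationServer(), "client-001", "server-A", "correct horse"))
```

Two points the flow text leaves implicit are visible here: the ticket carries the server identifier, so a ticket issued for one server is rejected when presented at another; and both the token age (the first preset time threshold) and the ticket age (the second) are measured from the timestamp inside the sealed blob, not from anything the client supplies, so a client cannot extend either window.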
In summary, the embodiments of the present invention have the following effects:
First, the authentication methods are diverse. The identity verification system provided by the embodiments supports traditional account and password authentication, certificate authentication, behavioural authentication, biometric authentication and other modes; that is, the format of the identity information stored at the bottom layer of the identity verification system is not restricted.
Second, the authentication information is not easily tampered with. The identity information corresponding to the client's multiple identity types is stored in the blockchain system, where it is hard to tamper with.
Third, the information exchanged during authentication is hard to eavesdrop on. HTTPS is used as the communication channel when the connection is established; on top of HTTPS, the data content is encrypted with asymmetric keys, so that even if data is intercepted, readable information is hard to obtain without the private key; encryption and decryption keys are exchanged at registration, which protects against leakage through a man in the middle; and the token and the verification ticket are specially encrypted items readable only by the authentication centre, which isolates the problem of a request being forged during authentication transmission after a client has been eavesdropped on or its information stolen. The binding of a ticket to the requesting client therefore rests on the client's electronic signature and on the ticket timestamp check, which the verification server must perform before the server accepts the ticket.
Fourth, the risks of single-machine failure and centralised tampering are reduced. The identity verification system provided by the embodiments uses a cluster that can be deployed across sites, which greatly improves disaster resistance, and the storage layer uses a blockchain, so that verification capability remains available even if the application layer loses its service capability. Traditional centralised data storage exposes client data to the risk of manipulation by a dishonest administrator; by storing data on the blockchain and verifying it with a smart contract, the embodiments reduce this risk and improve public trust, privacy and security.
The embodiments of the present invention also provide an identity verification system. As shown in fig. 1, the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both store client information and server information in advance, the client information comprising a client identifier and identity information of at least one identity type of the client, and the server information comprising a server identifier and the target identity type that must be verified to access the server; the identity verification system is configured to perform the steps of the identity verification method described with reference to any one of fig. 2, fig. 3 and fig. 5.
The implementation principle and technical effect of the identity verification system provided by this embodiment are similar to those of the above embodiments and are not described again here.
Fig. 12 is a schematic structural diagram of a client according to an embodiment of the present invention. As shown in fig. 12, the client comprises:
a first sending module 1201, configured to send an identity verification request to a verification server in an identity verification system, the identity verification request comprising a client identifier and a server identifier to be accessed, wherein the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system, the database server and the blockchain system both store client information and server information in advance, the client information comprises the client identifier and identity information of at least one identity type of the client, and the server information comprises the server identifier and the target identity type that must be verified to access the server;
a first receiving module 1202, configured to receive the target identity type and a token sent by the verification server, the target identity type being queried by the verification server from the database server according to the server identifier, and the token comprising the client identifier, the server identifier and the target identity type;
the first receiving module 1202 is further configured to obtain identity information to be verified corresponding to the target identity type and send it, together with the token, to the verification server, so that the verification server generates a verification message according to the identity information to be verified and the client identifier and target identity type in the token, sends the verification message to the blockchain system, has a smart contract on the blockchain system verify the identity information to be verified against pre-registered client information, and generates a verification ticket when the identity verification passes, the verification ticket comprising the client identifier, the server identifier and identity-verification-passed information;
the first receiving module 1202 is further configured to receive the verification ticket sent by the verification server and to electronically sign it;
the first sending module 1201 is further configured to send the electronically signed verification ticket to the server, so that the server forwards it to the verification server for ticket verification and the verification server obtains a ticket verification result and sends it to the server;
the first receiving module 1202 is further configured to receive the final identity verification result determined by the server according to the ticket verification result.
The implementation principle and technical effect of the client provided by this embodiment are similar to those of the above embodiments and are not described again here.
Fig. 13 is a schematic structural diagram of a server according to an embodiment of the present invention. As shown in fig. 13, the server comprises:
a second receiving module 1301, configured to receive an electronically signed verification ticket sent by a client, the verification ticket comprising a client identifier, a server identifier and identity-verification-passed information;
a second sending module 1302, configured to forward the electronically signed verification ticket to a verification server in an identity verification system, so that the verification server performs ticket verification on it;
the second receiving module 1301 is further configured to receive the ticket verification result sent by the verification server and to determine a final identity verification result according to it;
the second sending module 1302 is further configured to send the final identity verification result to the client;
wherein the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both pre-store client information and server information, the client information comprising a client identifier and identity information of at least one identity type of the client, and the server information comprising a server identifier and the target identity type that must be verified to access the server; and the verification ticket is produced as follows: a verification server in the identity verification system receives an identity verification request sent by the client, the request comprising the client identifier and the identifier of the server to be accessed; it queries, through the database server, the target identity type corresponding to the server identifier and generates a token comprising the client identifier, the server identifier and the target identity type; it sends the target identity type and the token to the client; it receives the identity information to be verified, corresponding to the target identity type, and the token sent back by the client; it generates a verification message from the identity information to be verified and the client identifier and target identity type in the token, and sends the verification message to the blockchain system; and a smart contract on the blockchain system verifies the identity information to be verified against the pre-registered client information, the verification ticket being generated when the identity verification passes.
The implementation principle and technical effect of the server provided by this embodiment are similar to those of the above embodiments and are not described again here.
As shown in fig. 14, an embodiment of the present invention provides an electronic device comprising a processor 1401, a communication interface 1402, a memory 1403 and a communication bus 1404, wherein the processor 1401, the communication interface 1402 and the memory 1403 communicate with one another via the communication bus 1404;
the memory 1403 is used to store a computer program;
and the processor 1401 is configured, when executing the program stored in the memory 1403, to implement the steps of the identity verification method provided in any one of the foregoing method embodiments.
The electronic device provided by this embodiment has an implementation principle and technical effect similar to those of the above embodiments and is not described again here.
The memory 1403 described above may be an electronic memory such as a flash memory, an EEPROM (electrically erasable and programmable read only memory), an EPROM, a hard disk, or a ROM. The memory 1403 has storage space for program code for performing any of the method steps of the method described above. For example, the memory space for the program code may comprise respective program codes for implementing respective steps in the above method, respectively. The program code can be read from or written to one or more computer program products. These computer program products comprise a program code carrier such as a hard disk, a Compact Disc (CD), a memory card or a floppy disk. Such a computer program product is typically a portable or fixed storage unit. The storage unit may have a storage section or a storage space or the like arranged similarly to the memory 1403 in the electronic device described above. The program code may be compressed, for example, in a suitable form. Typically, the memory unit comprises a program for performing the steps of the method according to an embodiment of the invention, i.e. code that can be read by a processor, such as 1401, for example, which code, when run by an electronic device, causes the electronic device to perform the steps of the method described above.
Embodiments of the present invention also provide a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the authentication method as described above.
The computer-readable storage medium may be contained in the apparatus/device described in the above embodiments; or may be present alone without being assembled into the device/apparatus. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the present invention.
According to embodiments of the present invention, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but not limited to: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the present invention, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
It is noted that, in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (24)

1. An identity verification method, characterised in that it is applied to an identity verification system, wherein the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system, the database server and the blockchain system both pre-store client information and server information, the client information comprises a client identifier and identity information corresponding to at least one identity type of the client, and the server information comprises a server identifier and a target identity type that must be verified to access the server; the method comprises the following steps:
the verification server receives an identity verification request sent by a client, the identity verification request comprising a client identifier and a server identifier to be accessed;
the verification server queries, through the database server, a target identity type corresponding to the server identifier and generates a token comprising the client identifier, the server identifier and the target identity type;
the verification server sends the target identity type and the token to the client;
the verification server receives identity information to be verified corresponding to the target identity type and the token sent by the client, and generates a verification message according to the identity information to be verified and the client identifier and target identity type in the token;
the verification server sends the verification message to the blockchain system;
a smart contract on the blockchain system verifies the identity information to be verified according to pre-registered client information;
if the identity verification passes, the verification server generates a verification ticket comprising the client identifier, the server identifier and identity-verification-passed information;
the verification server sends the verification ticket to the client so that the client electronically signs the verification ticket and sends the electronically signed verification ticket to the server;
the verification server receives the electronically signed verification ticket forwarded by the server and performs ticket verification on it to obtain a ticket verification result;
and the verification server sends the ticket verification result to the server so that the server determines a final identity verification result according to the ticket verification result and sends the final identity verification result to the client.
2. The method of claim 1, wherein the token and/or the verification ticket is encrypted, and the encrypted token and/or verification ticket can be decrypted only by the identity verification system.
3. The method of claim 1, wherein the token further comprises first time information corresponding to the generation of the token;
the generating a verification message according to the identity information to be verified and the client identifier and target identity type in the token comprises:
if the first time information does not exceed a first preset time threshold, generating the verification message according to the identity information to be verified and the client identifier and target identity type in the token.
4. The method of claim 1, wherein the verification ticket further comprises second time information corresponding to the generation of the verification ticket;
the ticket verification of the electronically signed verification ticket comprises: if the second time information does not exceed a second preset time threshold, performing ticket verification on the electronically signed verification ticket.
5. The method according to any one of claims 1 to 4, wherein the client information further comprises a first flag indicating whether the client information is enabled, and the server information further comprises a second flag indicating whether the server information is enabled; the verification server querying, through the database server, the target identity type corresponding to the server identifier comprises:
the verification server determines, through the database server, the first flag corresponding to the client identifier and the second flag corresponding to the server identifier;
and if the first flag and the second flag are both the preset value, querying the target identity type corresponding to the server identifier through the database server.
6. The method of claim 5, wherein before the verification server receives the identity verification request sent by the client, the method further comprises:
in response to a registration request initiated by a client, obtaining identity information of at least one identity type of the client and generating a corresponding client identifier;
and storing the client identifier and the identity information of the at least one identity type of the client, as client information, on the database server and the blockchain system.
7. The method of claim 6, wherein before obtaining the identity information of at least one identity type of the client, the method further comprises:
obtaining basic information of the client and performing a duplicate check on the basic information of the client;
and if the duplicate check passes, executing the step of obtaining the identity information of at least one identity type of the client.
8. The method of claim 7, wherein the identity verification system further comprises a key management system communicatively connected to the verification server cluster, the key management system generating a first encryption and decryption key corresponding to the identity verification system; the responding to the registration request initiated by the client further comprises:
the verification server generating, through the key management system, a second encryption and decryption key corresponding to the client, so that the information exchanged between the client and the identity verification system is encrypted or decrypted with the first encryption and decryption key and the second encryption and decryption key.
9. The method of claim 8, wherein storing the client id and identity information of at least one identity type of the client as client information on a blockchain system comprises:
storing the client identification and the identity information of at least one identity type of the client on a block chain system according to a first codebook index and a first codebook of a first preset format;
the first codebook index comprises first index head information and first index content information, the first index head information comprises a client identifier, and the first index content information comprises a block chain storage address of a first codebook corresponding to at least one identity type of a client;
the first codebook comprises first codebook header information and first codebook content information, wherein the first codebook header information comprises a client identifier and an identity type, and the first codebook content information comprises identity information of the client corresponding to the identity type.
10. The method of claim 9, wherein the first index header information further comprises blockchain protocol information, an encryption algorithm identifier of the client, a second encryption and decryption key address and a first identifier, and the first index content information further comprises client basic information;
and the first codebook header information further comprises blockchain protocol information, the encryption algorithm identifier of the client, the first identifier and a first preset validity period, and the first codebook content information further comprises an identity information digest and an identity information digest signature.
11. The method of claim 9 or 10, wherein verifying, by the smart contract on the blockchain system, the identity information to be verified according to the pre-registered client information comprises:
the smart contract on the blockchain system determining the corresponding first codebook index according to the client identifier in the verification message;
determining, according to the first codebook index, the blockchain storage address of the first codebook corresponding to the target identity type;
and determining the corresponding first codebook according to that blockchain storage address, and verifying the identity information to be verified against the identity information stored in the first codebook.
12. The method of claim 6, wherein before the verification server receives the identity verification request sent by the client, the method further comprises:
responding to a registration request initiated by a server by acquiring the target identity type required to be verified for accessing the server and generating a corresponding server identifier;
and storing the server identifier and the target identity type as server information on the database server and the blockchain system.
13. The method of claim 12, wherein the responding to the registration request initiated by the server further comprises:
acquiring the Internet protocol address of the server, and storing the Internet protocol address of the server on the database server and the blockchain system.
14. The method of claim 13, wherein before acquiring the target identity type required to be verified for accessing the server, the method further comprises:
acquiring basic information of the server and performing duplicate checking on the basic information of the server;
and when the check passes, acquiring identity information corresponding to at least one identity type of the server, and then performing the step of acquiring the target identity type required to be verified for accessing the server.
15. The method of claim 14, wherein the identity verification system further comprises a key management system communicatively connected to the verification server cluster; and the responding to the registration request initiated by the server further comprises:
the verification server generating, through the key management system, a third encryption and decryption key corresponding to the server.
16. The method of claim 15, wherein storing the server identifier and the target identity type as server information on the blockchain system comprises:
storing the server identifier, the target identity type and a second codebook index in a second preset format on the blockchain system;
wherein the second codebook index comprises second index header information and second index content information, the second index header information comprises the server identifier, and the second index content information comprises the target identity type required to be verified for accessing the server and the blockchain storage address of a second codebook corresponding to each of the at least one identity type of the server;
and the second codebook comprises second codebook header information and second codebook content information, the second codebook header information comprises the server identifier and an identity type of the server, and the second codebook content information comprises the identity information of the server corresponding to that identity type.
17. The method of claim 16, wherein the second index header information further comprises: the second index content information further comprises server basic information and the Internet protocol address of the server;
and the second codebook header information further comprises blockchain protocol information, an encryption algorithm identifier of the server, a second identifier and a second preset validity period, and the second codebook content information further comprises an identity information digest and an identity information digest signature.
18. An identity verification method applied to a client, the method comprising:
sending an identity verification request to a verification server in an identity verification system, wherein the identity verification request comprises a client identifier and the server identifier of a server to be accessed; the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both pre-store client information and server information; the client information comprises the client identifier and identity information of at least one identity type of the client, and the server information comprises the server identifier and a target identity type required to be verified for accessing the server;
receiving a target identity type and a token sent by the verification server, wherein the target identity type is queried by the verification server from the database server according to the server identifier, and the token comprises the client identifier, the server identifier and the target identity type;
acquiring identity information to be verified corresponding to the target identity type, and sending the identity information to be verified together with the token to the verification server, so that the verification server generates a verification message from the identity information to be verified and the client identifier and target identity type in the token, sends the verification message to the blockchain system, where a smart contract verifies the identity information to be verified against the pre-registered client information, and generates a verification bill when the identity verification passes, the verification bill comprising the client identifier, the server identifier and identity verification passing information;
sending the electronically signed verification bill to the server, so that the server forwards the electronically signed verification bill to the verification server for bill verification, and the verification server returns the bill verification result to the server;
and receiving the final identity verification result determined by the server according to the bill verification result.
19. An identity verification method applied to a server, the method comprising:
receiving an electronically signed verification bill sent by a client, wherein the verification bill comprises a client identifier, the server identifier of the server to be accessed and identity verification passing information;
forwarding the electronically signed verification bill to a verification server in an identity verification system, so that the verification server performs bill verification on the electronically signed verification bill;
receiving the bill verification result sent by the verification server, and determining a final identity verification result according to the bill verification result;
sending the final identity verification result to the client;
wherein the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both pre-store client information and server information; the client information comprises the client identifier and identity information of at least one identity type of the client, and the server information comprises the server identifier and a target identity type required to be verified for accessing the server; and the verification bill is generated by a verification server in the identity verification system by: receiving an identity verification request sent by the client, the identity verification request comprising the client identifier and the server identifier to be accessed; querying the target identity type corresponding to the server identifier through the database server; generating a token comprising the client identifier, the server identifier and the target identity type; sending the target identity type and the token to the client; receiving the identity information to be verified, corresponding to the target identity type, and the token sent by the client; generating a verification message from the identity information to be verified and the client identifier and target identity type in the token; sending the verification message to the blockchain system, where a smart contract verifies the identity information to be verified against the pre-registered client information; and generating the verification bill when the identity verification passes.
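The codebook lookup of claims 9 to 11 and the token-and-bill exchange of claims 18 and 19, as an added stdlib Python simulation that is not part of the patent: the class and field names, the keys, the HMAC tags standing in for the claims' electronic signature and all sample identities are assumptions, and the toy ledger stores a digest of each identity value rather than the raw information.

```python
# Added example, not the patent's own code: codebook index/codebook lookup (claims 9-11)
# and the token/bill flow (claims 18-19). Names, keys and the HMAC stand-in for the
# claims' electronic signature are assumptions; all identity values are constructed.
import hashlib
import hmac
import json

def _h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def _mac(key: bytes, obj: dict) -> str:
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), "sha256").hexdigest()

class Chain:  # toy ledger: one codebook index per client, codebooks at content addresses
    def __init__(self):
        self.store, self.index = {}, {}

    def register_client(self, client_id, identities):
        addrs = {}
        for id_type, info in identities.items():  # one first codebook per identity type
            codebook = {"header": {"client_id": client_id, "identity_type": id_type},
                        "content": {"identity_digest": _h(info)}}  # digest, not raw info (assumption)
            addr = _h(json.dumps(codebook, sort_keys=True))
            self.store[addr] = codebook
            addrs[id_type] = addr
        self.index[client_id] = {"header": {"client_id": client_id}, "content": {"codebook_addrs": addrs}}

    def contract_verify(self, msg):  # claim 11: client id -> index -> address -> codebook -> compare
        index = self.index.get(msg["client_id"])
        addr = index and index["content"]["codebook_addrs"].get(msg["target_identity_type"])
        if not addr:
            return False
        codebook = self.store[addr]
        return (codebook["header"]["client_id"] == msg["client_id"]
                and hmac.compare_digest(codebook["content"]["identity_digest"], _h(msg["identity_info"])))

class VerificationServer:
    def __init__(self, chain, server_db, client_keys, key=b"vs-key-constructed"):
        self.chain, self.server_db, self.client_keys, self.key = chain, server_db, client_keys, key

    def request(self, client_id, server_id):  # claim 18: target identity type queried by server id
        target = self.server_db[server_id]
        body = {"client_id": client_id, "server_id": server_id, "target_identity_type": target}
        return target, {**body, "mac": _mac(self.key, body)}  # token = body + integrity tag (assumption)

    def verify_identity(self, identity_info, token):
        body = {k: v for k, v in token.items() if k != "mac"}
        if not hmac.compare_digest(token["mac"], _mac(self.key, body)):
            return None  # token altered in transit: build no verification message
        msg = {"client_id": body["client_id"], "target_identity_type": body["target_identity_type"],
               "identity_info": identity_info}
        if not self.chain.contract_verify(msg):
            return None
        bill = {"client_id": body["client_id"], "server_id": body["server_id"], "passed": True}
        return {**bill, "mac": _mac(self.key, bill)}

    def verify_bill(self, signed, forwarding_server_id):
        bill = {k: v for k, v in signed.items() if k not in ("mac", "client_sig")}
        client_key = self.client_keys.get(bill.get("client_id"), b"")
        return (hmac.compare_digest(signed["mac"], _mac(self.key, bill))
                and hmac.compare_digest(signed["client_sig"], _mac(client_key, {**bill, "mac": signed["mac"]}))
                and bill["server_id"] == forwarding_server_id  # bill is bound to the server that forwards it
                and bill["passed"] is True)

def run_flow(vs, client_id, client_key, server_id, presented, forward_to=None):
    target, token = vs.request(client_id, server_id)
    bill = vs.verify_identity(presented.get(target, ""), token)
    if bill is None:
        return False
    signed = {**bill, "client_sig": _mac(client_key, bill)}  # claim 18: client signs the bill
    return vs.verify_bill(signed, forward_to or server_id)  # claim 19: server forwards, gets result

CHAIN, CLIENT_KEY = Chain(), b"client-key-constructed"
CHAIN.register_client("c001", {"phone": "13800000000", "id_card": "ID-CARD-EXAMPLE-0001"})
VS = VerificationServer(CHAIN, {"s-bank": "id_card", "s-shop": "phone"}, {"c001": CLIENT_KEY})
```

A bill issued for one server identifier is rejected when a different server forwards it, and a token whose target identity type was changed after issue never reaches the smart contract.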
20. An identity verification system, comprising a verification server cluster consisting of at least one verification server, a database server and a blockchain system;
wherein the database server and the blockchain system both pre-store client information and server information, the client information comprises a client identifier and identity information of at least one identity type of the client, and the server information comprises a server identifier and a target identity type required to be verified for accessing the server; and the identity verification system is configured to perform the steps of the identity verification method of any one of claims 1 to 17.
21. A client, comprising:
a first sending module, a second sending module and a third sending module, the first sending module being configured to send an identity verification request to a verification server in an identity verification system, wherein the identity verification request comprises a client identifier and the server identifier of a server to be accessed; the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both pre-store client information and server information; the client information comprises the client identifier and identity information of at least one identity type of the client, and the server information comprises the server identifier and a target identity type required to be verified for accessing the server;
a first receiving module, configured to receive a target identity type and a token sent by the verification server, wherein the target identity type is queried by the verification server from the database server according to the server identifier, and the token comprises the client identifier, the server identifier and the target identity type;
the first receiving module being further configured to acquire identity information to be verified corresponding to the target identity type and send the identity information to be verified together with the token to the verification server, so that the verification server generates a verification message from the identity information to be verified and the client identifier and target identity type in the token, sends the verification message to the blockchain system, where a smart contract verifies the identity information to be verified against the pre-registered client information, and generates a verification bill when the identity verification passes, the verification bill comprising the client identifier, the server identifier and identity verification passing information;
the first receiving module being further configured to receive the verification bill sent by the verification server and to electronically sign the verification bill;
the first sending module being further configured to send the electronically signed verification bill to the server, so that the server forwards the electronically signed verification bill to the verification server for bill verification, and the verification server returns the bill verification result to the server;
and the first receiving module being further configured to receive the final identity verification result determined by the server according to the bill verification result.
22. A server, comprising:
a second receiving module, configured to receive an electronically signed verification bill sent by a client, wherein the verification bill comprises a client identifier, the server identifier of the server to be accessed and identity verification passing information;
a second sending module, configured to forward the electronically signed verification bill to a verification server in an identity verification system, so that the verification server performs bill verification on the electronically signed verification bill;
the second receiving module being further configured to receive the bill verification result sent by the verification server and to determine a final identity verification result according to the bill verification result;
the second sending module being further configured to send the final identity verification result to the client;
wherein the identity verification system comprises a verification server cluster consisting of at least one verification server, a database server and a blockchain system; the database server and the blockchain system both pre-store client information and server information; the client information comprises the client identifier and identity information of at least one identity type of the client, and the server information comprises the server identifier and a target identity type required to be verified for accessing the server; and the verification bill is generated by a verification server in the identity verification system by: receiving an identity verification request sent by the client, the identity verification request comprising the client identifier and the server identifier to be accessed; querying the target identity type corresponding to the server identifier through the database server; generating a token comprising the client identifier, the server identifier and the target identity type; sending the target identity type and the token to the client; receiving the identity information to be verified, corresponding to the target identity type, and the token sent by the client; generating a verification message from the identity information to be verified and the client identifier and target identity type in the token; sending the verification message to the blockchain system, where a smart contract verifies the identity information to be verified against the pre-registered client information; and generating the verification bill when the identity verification passes.
23. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the steps of the identity verification method of any one of claims 1 to 19 when executing the program stored in the memory.
24. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the identity verification method of any one of claims 1 to 19.
CN202310118239.8A 2023-02-15 2023-02-15 Identity verification method, identity verification system, client and server Active CN115834253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310118239.8A CN115834253B (en) 2023-02-15 2023-02-15 Identity verification method, identity verification system, client and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310118239.8A CN115834253B (en) 2023-02-15 2023-02-15 Identity verification method, identity verification system, client and server

Publications (2)

Publication Number Publication Date
CN115834253A CN115834253A (en) 2023-03-21
CN115834253B true CN115834253B (en) 2023-04-14

Family

ID=85521514

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310118239.8A Active CN115834253B (en) 2023-02-15 2023-02-15 Identity verification method, identity verification system, client and server

Country Status (1)

Country Link
CN (1) CN115834253B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116245622A (en) * 2023-05-06 2023-06-09 布比(北京)网络技术有限公司 Block chain-based production and fusion service system and method and electronic equipment
CN116866034B (en) * 2023-07-11 2024-03-08 吉客印(郑州)数字科技有限公司 Distributed node authentication method, electronic equipment and storage medium
CN117456646B (en) * 2023-11-23 2024-05-07 江苏南北木屋文化科技有限公司 Intelligent log cabin access control verification method and system based on Internet of things
CN117744158B (en) * 2024-02-19 2024-05-31 中国信息通信研究院 Access method, device, equipment and medium based on industrial Internet identification

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106533696A (en) * 2016-11-18 2017-03-22 江苏通付盾科技有限公司 Block chain-based identity authentication methods, authentication server and user terminal
CN110519062A (en) * 2019-09-19 2019-11-29 腾讯科技(深圳)有限公司 Identity identifying method, Verification System and storage medium based on block chain
CN110555296A (en) * 2019-08-01 2019-12-10 阿里巴巴集团控股有限公司 identity verification method, device and equipment based on block chain
WO2020189926A1 (en) * 2019-03-15 2020-09-24 주식회사 코인플러그 Method and server for managing user identity by using blockchain network, and method and terminal for user authentication using blockchain network-based user identity
CN114760114A (en) * 2022-03-29 2022-07-15 微位(深圳)网络科技有限公司 Identity authentication method, device, equipment and medium
CN115099814A (en) * 2022-06-13 2022-09-23 马上消费金融股份有限公司 Information processing method, device, equipment and storage medium
CN115277168A (en) * 2022-07-25 2022-11-01 绿盟科技集团股份有限公司 Method, device and system for accessing server

Also Published As

Publication number Publication date
CN115834253A (en) 2023-03-21

Similar Documents

Publication Publication Date Title
CN110708170B (en) Data processing method and device and computer readable storage medium
CN115834253B (en) Identity verification method, identity verification system, client and server
CA3008705C (en) System for issuing public certificate on basis of block chain, and method for issuing public certificate on basis of block chain by using same
KR101723405B1 (en) Certificate authentication system and method based on block chain
CN109325342B (en) Identity information management method, device, computer equipment and storage medium
CN111447214B (en) Method for centralized service of public key and cipher based on fingerprint identification
CN110535648B (en) Electronic certificate generation and verification and key control method, device, system and medium
CN111131416B (en) Service providing method and device, storage medium and electronic device
CN110086608A (en) User authen method, device, computer equipment and computer readable storage medium
CN111970129A (en) Data processing method and device based on block chain and readable storage medium
CN108243176B (en) Data transmission method and device
CN104270338A (en) A method and system of electronic identity registration and authentication login
CN110417790B (en) Block chain real-name system queuing system and method
CN102624740A (en) Data interaction method, client and server
CN112565265B (en) Authentication method, authentication system and communication method between terminal devices of Internet of things
CN111506632A (en) Data processing method and device
CN111884811B (en) Block chain-based data evidence storing method and data evidence storing platform
CN108701308B (en) System for issuing public certificate based on blockchain, and method for issuing public certificate based on blockchain using same
CN100514333C (en) Data base safety access method and system
JP2001186122A (en) Authentication system and authentication method
CN104702562A (en) Terminal fusion service access method, terminal fusion service access system, and terminal
CN113852628A (en) Decentralized single sign-on method, decentralized single sign-on device and storage medium
CN112235276A (en) Master-slave equipment interaction method, device, system, electronic equipment and computer medium
KR102481213B1 (en) System and method for login authentication processing
CN116346423A (en) Client data multiple encryption system and method in intelligent Internet of things energy system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant