CN115987499A - Method and system for generating private key of user - Google Patents


Publication number: CN115987499A
Authority: CN (China)
Application number: CN202211640235.8A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 孙善禄, 李书博, 代平
Current Assignee: Ant Blockchain Technology Shanghai Co Ltd
Original Assignee: Ant Blockchain Technology Shanghai Co Ltd
Prior art keywords: user, identity, private key, key, information

Abstract

The present disclosure relates to a method and system for generating a private key of a user. A method of generating a private key of a user comprises: a client obtains identity information for identifying the identity of a user and biometric information of the user; the client verifies the identity of the user according to the identity information and the biometric information and generates a verification result; the client sends the identity information and the verification result to an identity authentication service; after the identity authentication service confirms, according to the identity information, that the verification result is correct, the identity authentication service sends information related to the identity information to a trusted execution environment component; and the trusted execution environment component generates the private key of the user based on the information related to the identity information and returns the private key of the user to the client.

Description

Method and system for generating private key of user
Technical Field
The embodiments of this specification belong to the technical field of blockchain, and in particular relate to a method and a system for generating a private key of a user.
Background
Blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. In a blockchain system, data blocks are combined in chronological order into a chained data structure, and cryptography ensures that the resulting distributed ledger cannot be tampered with or forged. Because blockchain is decentralized, tamper-resistant and autonomous, it is receiving more and more attention and application.
Disclosure of Invention
According to an aspect of the present disclosure, there is provided a method of generating a private key of a user, including:
a client obtains identity information for identifying the identity of a user and biometric information of the user;
the client verifies the identity of the user according to the identity information and the biometric information and generates a verification result;
the client sends the identity information and the verification result to an identity authentication service;
after the identity authentication service confirms, according to the identity information, that the verification result is correct, the identity authentication service sends information related to the identity information to a trusted execution environment component;
the trusted execution environment component generates a private key of the user based on the information related to the identity information and returns the private key of the user to the client.
According to another aspect of the present disclosure, there is provided a system for generating a private key of a user, including:
a client configured to:
acquire identity information for identifying the identity of a user and biometric information of the user;
verify the identity of the user according to the identity information and the biometric information and generate a verification result;
send the identity information and the verification result,
an identity authentication service configured to:
after confirming, according to the identity information, that the verification result is correct, send information related to the identity information, and
a trusted execution environment component configured to:
generate the private key of the user based on the information related to the identity information, and return the private key of the user to the client.
Drawings
In order to illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings in the following description show only some of the embodiments described in the present disclosure, and a person skilled in the art can obtain other drawings based on these drawings without inventive labor.
FIG. 1 illustrates a flow diagram of a method of generating a private key of a user, in accordance with some embodiments of the present disclosure;
FIG. 2 illustrates a process flow of a system to generate a private key of a user in accordance with some embodiments of the present disclosure;
FIG. 3 illustrates a process flow of a system to generate a private key of a user in accordance with some embodiments of the present disclosure;
FIG. 4 illustrates a flow diagram for saving transactions on a blockchain according to some embodiments of the present disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
A core characteristic of a blockchain is that control of the account system rests with the user. Technically, a cryptographic public/private key pair is generated in a distributed manner on the user's mobile terminal (client); the public key then takes part in registering and binding a blockchain account, and the user uses the private key on the mobile terminal to sign and confirm rights, which in turn triggers transactions and smart contract execution on the blockchain. However, the obvious disadvantage of storing the private key in a distributed manner on mobile terminals is that once the private key is lost it is very difficult to recover, and no simple scheme is currently available. Some approaches in the blockchain industry require the user to memorize dozens of mnemonic words to recover the private key, which sets a high threshold for users, so private keys are still lost and hard to recover, and the user's identity and blockchain data assets are ultimately affected.
Fig. 1 illustrates a flow diagram of a method of generating a private key of a user, according to some embodiments of the present disclosure. As shown in fig. 1, the method of generating a private key of a user may include the steps of:
step 110, a client acquires identity information for identifying the identity of a user and biometric information of the user;
step 120, the client verifies the identity of the user according to the identity information and the biometric information and generates a verification result;
step 130, the client sends the identity information and the verification result to the identity authentication service;
step 140, after the identity authentication service confirms, according to the identity information, that the verification result is correct, the identity authentication service sends information related to the identity information to the trusted execution environment component;
step 150, the trusted execution environment component generates a private key of the user based on the information related to the identity information and returns the private key of the user to the client.
The method and system for generating a private key of a user according to the present disclosure will be described in detail below with reference to specific embodiments.
Figure 2 illustrates a process flow of a system to generate a user's private key according to some embodiments of the present disclosure. The system that generates the user's private key includes a client 210, an authentication service 220, and a Trusted Execution Environment (TEE) component 230. An application (i.e., application unit) 211 and an identity authentication component 212 may be installed in the client 210.
In the present disclosure, the client 210 may be, for example, a mobile device, such as a laptop, a mobile phone, a tablet computer, a smart watch, a smart bracelet, smart glasses, etc., or may be another device other than a mobile device, such as a desktop computer or a server, etc., which is not limited in the present disclosure.
The application 211 may be, for example, an application (app) installed on a mobile device such as a mobile phone, a smart wearable device (such as a smart watch, a smart band, smart glasses), or a computer program installed in a computer.
The identity authentication component 212 may be a stand-alone application or computer program or may be integrated into the application 211. For example, the identity authentication component 212 may be integrated in the mobile device's app as an SDK. The identity authentication component 212 can hold the private key of the user and manage operations involving that private key, such as verifying the user's identity or making a digital signature.
When the application 211 needs to perform operations such as signature or authentication using the private key of the user, the application 211 may send a request to the identity authentication component 212, and the identity authentication component 212 performs corresponding operation processing using the private key of the user. When the user loses the mobile device or resets the client device, etc., the user's private key may be lost. The user may generate or recover the private key using the methods of the present disclosure.
As shown in FIG. 2, first, a user may send a request for generating/recovering a private key to the identity authentication component 212 through the application 211, where the request may include identity information of the user, such as at least one of the user's name, identification number, passport number, social security number, telephone number, account number, and the like. The telephone number may be a real-name-authenticated fixed or mobile telephone number, so that it corresponds to the real identity of the user. The account number may be a real-name-authenticated account number bound to the real identity of the user, such as a social account number (e.g., a Payment account number, a Taobao account number) or a bank account number of the user.
The identity authentication component 212 can further verify the identity of the user based on the identity information of the user. One common way to verify the identity of a user is through a user's biometric. The biometric information is information including physiological characteristics inherent to a human body, such as a fingerprint, voice, face image, iris image, palm image, retina image, vein image, and the like of a user. With biometric information, the identity of the user can be uniquely determined.
The identity authentication component 212 itself typically does not have the ability to recognize and verify the biometric information of the user. For example, data regarding the identity of the user and corresponding biometric information is typically stored on a remote server or the cloud. Accordingly, the identity authentication component 212 may send a request to the identity authentication service 220 for biometric information verification. The identity authentication service 220 may be, for example, a distributed digital identity service with distributed identity capabilities based on a blockchain implementation. However, the present disclosure is not so limited, and the authentication service 220 may be any device having the ability to verify the identity of a user.
Upon receiving the request of the identity authentication component 212, the identity authentication service 220 may return a URL address of an identity verification service for biometric information verification to the identity authentication component 212, and may attach a unique ID for biometric verification to the URL.
The identity authentication component 212 may obtain biometric information of the user, for example by taking a picture of the user's face using the camera of the mobile device or acquiring the user's fingerprint using a fingerprint sensor. Then, the identity authentication component 212 accesses an identity verification service (not shown) using the received URL address, thereby verifying whether the acquired biometric information is consistent with the user's identity information provided by the application 211, and generating a verification result.
If the verification result indicates that the biometric information is inconsistent with the identity information of the user, indicating that the user currently requesting to generate or recover the private key is not the owner of the private key, the identity authentication component 212 may reject the request of the application 211 and end the private key generation or recovery process.
If the verification result indicates that the biometric information acquired by the identity authentication component 212 is consistent with the identity information of the user provided by the application 211, it can be confirmed that the user currently requesting to generate or recover the private key is the owner of the private key, and the verification is passed.
After verification, the identity authentication component 212 may generate a first key using a symmetric encryption algorithm and encrypt the first key using a public key of the trusted execution environment component 230 of the remote server, resulting in an encrypted first key (hereinafter referred to as a second key). In the present disclosure, the symmetric encryption algorithm is not limited, and various known symmetric encryption algorithms, such as DES, 3DES (TripleDES), AES, RC2, RC4, RC5, Blowfish, and the like, may be used.
The identity authentication component 212 may send the verification result of the identity verification, the unique ID for biometric verification, and the second key to the identity authentication service 220. The identity authentication service 220 is typically located in a remote server or provided as a cloud service. Based on the unique ID for biometric verification, the identity authentication service 220 can query the identity verification service, thereby checking again whether the verification result from the identity authentication component 212 is authentic. If, according to the feedback of the identity verification service, the identity authentication service 220 finds that the verification result from the identity authentication component 212 is not authentic, it can confirm that the identity authentication has failed and inform the identity authentication component 212 that the process of generating the private key has ended.
If the identity authentication service 220 confirms the authenticity of the verification result from the identity authentication component 212 based on the feedback from the identity verification service, it may go on to send the second key and information related to the identity information to the trusted execution environment component 230. Here, the information related to the identity information may be, for example, the identity information of the user itself, such as the user's name, identification number, passport number, or real-name-authenticated telephone number or account number, or may be, for example, a digest value of the identity information of the user. For example, a digest value of the user's identity information is calculated using an information digest algorithm (such as MD, SHA, MAC, etc.), and the digest value is taken as the information related to the identity information.
In the present disclosure, the trusted execution environment component 230 may be located in a remote server or cloud. Furthermore, in some embodiments according to the present disclosure, the trusted execution environment component 230 may be located in a node of a distributed computing platform that uses blockchain techniques and is supported by a hardware security module. Taking the Ant trusted hardware privacy contract chain as an example, it is deployed on the Ant block contract platform and serves as a core component providing general and efficient privacy protection capability. Under the general framework of the Ant blockchain platform, the Ant trusted hardware privacy contract chain uses TEE technology to integrate and encapsulate a contract engine and the necessary transaction processing and cryptographic operation units in the TEE secure area, and achieves privacy protection in combination with a series of strict security protocol flows. The architecture makes full use of the existing functional characteristics of the Ant blockchain platform, maximizes the compatibility of the TEE contract chain with the existing Ant blockchain platform, and makes it convenient for users to develop and use blockchain applications with privacy protection capability. At the same time, the secure trusted base is minimized, which is consistent with the design principles of secure technical solutions.
The trusted execution environment component 230 may generate the user's private key from the information related to the identity information. The trusted execution environment component 230 may calculate the private key of the user from the information related to the identity information inside a trusted hardware environment (TEE) according to, for example, an Identity-Based Cryptography (IBC) system algorithm.
It should be understood that the identity information of the user is unique. When the same algorithm is used, the same identity information (or digest value of the identity information) necessarily yields the same private key. Thus, the trusted execution environment component 230 may generate a new private key for a new user or may recover the private key of an existing user at that user's request. The process of recovering the private key is basically the same as the process of generating a new private key, and the original private key can be obtained by calculating it again as long as the identity information of the user has not changed.
After computing the private key of the user, the trusted execution environment component 230 needs to return the private key to the user. In some embodiments according to the present disclosure, the trusted execution environment component 230 may return the private key to the identity authentication component 212 of the client 210 via the identity authentication service 220; the identity authentication component 212 then saves the returned private key and informs the application 211 that the registration or the recovery of the private key was successful.
However, given that the delivery of the private key over the network poses a risk of compromise, in some embodiments according to the present disclosure, the private key may also be encrypted. As described above, the identity authentication component 212 may send the second key to the trusted execution environment component 230 via the identity authentication service 220. The second key is the first key encrypted using the public key of the trusted execution environment 230.
In this case, the trusted execution environment 230 may decrypt the second key using its own private key, resulting in the first key. The first key is a key generated using a symmetric encryption algorithm. The trusted execution environment 230 may encrypt the user's private key using the first key and the same symmetric encryption algorithm to obtain an encrypted private key.
Next, the trusted execution environment component 230 may return the encrypted private key to the client's identity authentication component 212 via the identity authentication service 220. The identity authentication component 212 can decrypt the encrypted private key based on the first key to obtain the user's private key.
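The first-key / second-key exchange described above, as an added example that is not part of the patent text. It assumes RSA-OAEP for the TEE key pair and AES-256-GCM as the symmetric algorithm (the disclosure leaves both open), and it additionally binds the unique biometric-verification ID as associated data; all function names and sample values are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// OAEP parameters shared by both sides of the key wrap (assumed choice).
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client (identity authentication component 212): generate the first key and
// wrap it under the TEE public key; the wrapped form is the "second key".
function clientCreateKeys(teePublicKey) {
  const firstKey = nodeCrypto.randomBytes(32); // AES-256 key, fresh per request
  const secondKey = nodeCrypto.publicEncrypt({ key: teePublicKey, ...OAEP }, firstKey);
  return { firstKey, secondKey };
}

// TEE component 230: unwrap the second key, then encrypt the user's private key
// under the first key. The verification ID is authenticated as associated data
// (an assumption of this example) so the reply is tied to one verification session.
function teeEncryptPrivateKey(teePrivateKey, secondKey, userPrivateKey, verificationId) {
  const firstKey = nodeCrypto.privateDecrypt({ key: teePrivateKey, ...OAEP }, secondKey);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', firstKey, iv);
  cipher.setAAD(Buffer.from(verificationId, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(userPrivateKey), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Client: decrypt the returned envelope. Returns null when the authentication
// tag does not verify (modified ciphertext, wrong key, or wrong session ID).
function clientDecryptPrivateKey(firstKey, envelope, verificationId) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', firstKey, envelope.iv);
    decipher.setAAD(Buffer.from(verificationId, 'utf8'));
    decipher.setAuthTag(envelope.tag);
    return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// End-to-end run with constructed sample values.
function runExchange() {
  const tee = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const userPrivateKey = nodeCrypto.randomBytes(32); // constructed stand-in for the derived key
  const verificationId = 'bio-verify-0001';          // constructed sample ID

  const { firstKey, secondKey } = clientCreateKeys(tee.publicKey);
  // The identity authentication service 220 relays secondKey and the envelope;
  // it never holds firstKey, so it cannot read the private key in transit.
  const envelope = teeEncryptPrivateKey(tee.privateKey, secondKey, userPrivateKey, verificationId);

  const recovered = clientDecryptPrivateKey(firstKey, envelope, verificationId);
  const tampered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // simulate modification by the relay

  return {
    roundTripOk: recovered !== null && recovered.equals(userPrivateKey),
    tamperRejected: clientDecryptPrivateKey(firstKey, tampered, verificationId) === null,
    wrongSessionRejected: clientDecryptPrivateKey(firstKey, envelope, 'bio-verify-0002') === null,
  };
}
```

With an unauthenticated mode or a stream cipher such as RC4, the relay-modified envelope would decrypt to a different private key instead of being rejected.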
Through the above-described process, the method can be used both for generating the private key of the user and for recovering it. Further, in some embodiments according to the present disclosure, the identity of the user may be further confirmed by having the user answer questions. For example, a new user may select several (e.g. 3 or 5) questions at registration and give the corresponding answers. These questions and corresponding answers may also be stored in the trusted execution environment 230. In the case of, for example, using the Ant trusted hardware privacy contract chain, these questions and corresponding answers may be kept private in the privacy contract chain.
In the method for generating the private key of the user, the private key of the user can be generated according to the identity information of the user or information related to it. The user does not need to remember a recovery password, mnemonic words or passwords, as long as the user provides his or her own identity information. Therefore, the difficulty of recovering the private key is reduced for the user. In addition, the method and the system also reduce the requirements on the client. The client that stores the private key can be any of various mobile devices such as a mobile phone or a tablet computer. Also, the user's private key may be recovered across devices.
FIG. 3 illustrates a process flow of a system to generate a user's private key according to some embodiments of the present disclosure. The differences of the flow of fig. 3 from fig. 2 include the following process steps.
Upon receiving a request to generate the user's private key, the trusted execution environment 230 may generate questions for recovering the private key and send the questions to the authentication component 212 in the client via the authentication service 220. The identity authentication component 212, upon receiving questions for recovering the private key, may forward the questions to the application 211. The application 211 may display a question for recovering the private key to the user and receive an answer to the question input by the user. The user's answer is returned to the trusted execution environment component 230 via the authentication component 212, the authentication service 220 in turn.
The questions for recovering the private key may include multiple questions. When a newly registered user requests generation of a private key, the trusted execution environment component 230 may provide the user of the client with a number of candidate questions, some of which the user selects to answer. For example, the trusted execution environment component 230 may provide 10 candidate questions to the user, from which the user selects 3 questions and provides corresponding answers. Both the user-selected questions and the corresponding answers may be saved in the trusted execution environment component 230.
When the user requests recovery of the private key, the trusted execution environment component 230 may again present the user with the questions answered at registration, and then compare the user's answers fed back by the client with the answers provided at registration, which are stored by the trusted execution environment component 230. If the proportion of correct answers among those newly provided by the user reaches a predetermined threshold (e.g., greater than 60%), it can be confirmed that the user currently requesting recovery of the private key is the user who initially registered. The trusted execution environment component 230 may then compute the user's private key and return it to the client, as in the process flow shown in FIG. 2, which is not described again here.
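An added sketch (not code from the patent) of the deterministic derivation and the answer-threshold recovery check described above. The disclosure names an identity-based cryptography algorithm for the derivation; this example swaps in HMAC-SHA-256 keyed with a master secret assumed to stay inside the TEE, and the class name, field names, question IDs and sample values are all hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

class TeeKeyService {
  constructor(masterSecret) {
    this.masterSecret = masterSecret; // assumed to be held only inside the TEE
    this.enrolled = new Map();        // identity digest (hex) -> Map(questionId -> answer MAC)
  }

  // Digest of the identity information over a fixed field order, so that the
  // same identity always maps to the same value regardless of input spacing.
  static identityDigest(identity) {
    const canonical = ['name', 'idNumber', 'phone']
      .map((f) => String(identity[f] ?? '').normalize('NFKC').trim())
      .join('\n');
    return nodeCrypto.createHash('sha256').update(canonical, 'utf8').digest();
  }

  // Stand-in for the IBC key extraction: keyed and deterministic. Because identity
  // data is not secret, the key must depend on a secret only the TEE holds.
  derivePrivateKey(digest) {
    return nodeCrypto.createHmac('sha256', this.masterSecret)
      .update('user-private-key\0').update(digest).digest();
  }

  // Answers are stored as MACs of their normalized form rather than as plaintext.
  answerMac(digest, questionId, answer) {
    const normalized = String(answer).normalize('NFKC').trim().toLowerCase();
    return nodeCrypto.createHmac('sha256', this.masterSecret)
      .update('recovery-answer\0').update(digest)
      .update(questionId + '\0').update(normalized, 'utf8').digest();
  }

  // Registration: store the selected questions' answer MACs, return the key.
  register(identity, answers) {
    const digest = TeeKeyService.identityDigest(identity);
    const macs = new Map(
      Object.entries(answers).map(([q, a]) => [q, this.answerMac(digest, q, a)]));
    this.enrolled.set(digest.toString('hex'), macs);
    return this.derivePrivateKey(digest);
  }

  // Recovery: re-derive the key only if the share of correct answers is
  // greater than the threshold (60% in the text's example).
  recover(identity, answers, threshold = 0.6) {
    const digest = TeeKeyService.identityDigest(identity);
    const macs = this.enrolled.get(digest.toString('hex'));
    if (!macs) return null;
    let correct = 0;
    for (const [q, stored] of macs) {
      const given = this.answerMac(digest, q, answers[q] ?? '');
      if (nodeCrypto.timingSafeEqual(stored, given)) correct += 1;
    }
    return correct / macs.size > threshold ? this.derivePrivateKey(digest) : null;
  }
}

// Constructed sample run: three selected questions, as in the text's example.
function runRecoveryDemo() {
  const tee = new TeeKeyService(nodeCrypto.randomBytes(32));
  const alice = { name: 'Alice Example', idNumber: 'ID-0000001', phone: '+00-555-0100' };
  const answers = { q1: 'Blue', q4: 'Springfield', q7: 'Rex' };
  const original = tee.register(alice, answers);

  const twoOfThree = tee.recover(alice, { q1: ' blue ', q4: 'springfield', q7: 'wrong' });
  const oneOfThree = tee.recover(alice, { q1: 'blue', q4: 'nope', q7: 'wrong' });
  const other = tee.register({ ...alice, idNumber: 'ID-0000002' }, answers);
  const otherTee = new TeeKeyService(nodeCrypto.randomBytes(32)).register(alice, answers);

  return {
    recoveredSameKey: twoOfThree !== null && twoOfThree.equals(original), // 2/3 > 0.6
    oneOfThreeRejected: oneOfThree === null,                              // 1/3 <= 0.6
    differentIdentityDiffers: !other.equals(original),
    differentSecretDiffers: !otherTee.equals(original),
  };
}
```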
In addition, in some embodiments according to the present disclosure, the question for recovering the private key and the answer thereof may also be encrypted using the first key to further secure the communication. As shown in fig. 3, after the trusted execution environment component 230 receives the request, the second key may be decrypted according to the private key of the trusted execution environment component 230 itself, thereby obtaining the first key. The trusted execution environment component 230 may then encrypt the question for recovering the private key using the first key and send to the authentication component 212 of the client 210 via the authentication service 220. Accordingly, the authentication component 212 in the client 210 may encrypt the user's answer using the first key and send to the trusted execution environment component 230 via the authentication service 220.
After the user obtains the private key, the user can use the private key to perform various corresponding operations.
FIG. 4 illustrates a flow diagram for saving transactions on a blockchain according to some embodiments of the present disclosure. As shown in FIG. 4, an application 211 of a client 210 may request an identity authentication component 212 to sign a transaction. The identity authentication component 212 can authenticate the user. For example, the identity authentication component 212 can perform biometric information verification on the user in a manner similar to that described above for FIG. 2 and FIG. 3. When the user requesting the signature is confirmed to be the user who owns the private key, the identity authentication component 212 may sign the transaction using the stored private key and send the signed transaction to the identity authentication service 220.
The identity authentication service 220 may verify the digital signature on the transaction signed with the user's private key to confirm that the digital signature is correct. Upon confirming that the digital signature is correct, the identity authentication service 220 may save the transaction signed with the user's private key to the Ant trusted hardware privacy contract chain 430.
The foregoing embodiment is described by taking the Ant trusted hardware privacy contract chain 430 as an example. It will be understood by those skilled in the art that the identity authentication service 220 may store the user-signed transaction in any suitable blockchain, and the disclosure is not limited in this respect.
In the 1990s, an improvement in a technology could be clearly classified as either an improvement in hardware (e.g., an improvement in a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement in a process flow). However, as technology has advanced, many of today's process flow improvements can be regarded as direct improvements in hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user's programming of the device. A designer programs a digital system onto a PLD to "integrate" it, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, instead of manually manufacturing an integrated circuit chip, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development, and the source code to be compiled must be written in a specific programming language called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language), with VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) currently among the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logical method flow can readily be obtained with only a little logic programming of the method flow into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer readable medium that stores computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered structures within the hardware component. The means for performing the functions may even be regarded as being both software modules for performing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a server system. Of course, this application does not exclude that with future developments in computer technology, the computer implementing the functionality of the above described embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device or a combination of any of these devices.
Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For example, if the terms first, second, etc. are used to denote names, they do not denote any particular order.
For convenience of description, the above devices are described as being divided into various modules by function, and the modules are described separately. Of course, when implementing one or more embodiments of the present description, the functions of each module may be implemented in one or more pieces of software and/or hardware, or a module implementing a given function may be implemented by a combination of a plurality of sub-modules or sub-units. The above-described apparatus embodiments are merely illustrative. For example, the division into units is only one type of logical functional division, and other divisions may be used in practice: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in another form.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
As will be appreciated by one skilled in the art, one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
One or more embodiments of the specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, because the system embodiment is substantially similar to the method embodiment, it is described relatively briefly, and for the relevant points reference may be made to the corresponding description of the method embodiment. In the description of the specification, reference to "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, such terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Moreover, the various embodiments or examples described in this specification, and their features, can be combined by one skilled in the art provided they are not mutually inconsistent.
The above description is intended to be illustrative of one or more embodiments of the disclosure, and is not intended to limit the scope of one or more embodiments of the disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement made within the spirit and principle of the present specification shall be included in the scope of the claims.

Claims (24)

1. A method of generating a private key of a user, comprising:
a client obtains identity information used for identifying the identity of a user and biometric information of the user;
the client verifies the identity of the user according to the identity information and the biometric information and generates a verification result;
the client sends the identity information and the verification result to an identity authentication service;
after the identity authentication service confirms that the verification result is correct according to the identity information, the identity authentication service sends information related to the identity information to the trusted execution environment component;
the trusted execution environment component generates a private key of the user based on the information related to the identity information and returns the private key of the user to the client.
2. The method of claim 1, wherein the client comprises an application unit and an identity authentication component, the method further comprising:
the application unit acquires the identity information of the user and provides the identity information of the user for the identity authentication component;
the identity authentication component obtains biometric information of a user.
3. The method of claim 2, further comprising:
the identity authentication component generates a first key by using a symmetric encryption algorithm, and encrypts the first key by using a public key of a trusted execution environment component of the remote server to generate a second key;
the identity authentication component sends the second key to the identity authentication service;
the identity authentication service sends the second key to the trusted execution environment component;
the trusted execution environment component decrypts the second key according to the private key of the trusted execution environment component to obtain a first key;
after the trusted execution environment component encrypts the private key of the user using the first key, the encrypted private key is sent to the identity authentication component through the identity authentication service;
the identity authentication component decrypts the encrypted private key of the user using the first key, thereby obtaining the private key of the user.
4. The method of any of claims 1-3, wherein the client is a mobile device.
5. The method of claim 4, wherein the mobile device comprises: a notebook computer, a mobile phone, a tablet computer, a smart watch, a smart bracelet, smart glasses.
6. The method of any of claims 1-3, wherein the identity information comprises at least one of: name, identification number, passport number, telephone number, account number.
7. The method of any of claims 1-3, wherein the biometric information includes at least one of: fingerprint, face picture, iris image, palm image, retina image, vein image, voice.
8. The method of any of claims 1-3, wherein the trusted execution environment component generates a private key of the user using an identity-based cryptography (IBC) system.
9. The method of any of claims 1-3, wherein the information related to identity information comprises at least one of: identity information, digest value of identity information.
10. The method of claim 9, wherein the digest value of the identity information is a hash value of the identity information.
11. The method of any of claims 1-3, wherein the trusted execution environment component is located in a node of a blockchain.
12. The method of claim 11, wherein the blockchain is an ant trusted hardware privacy contract chain.
13. A system for generating a private key of a user, comprising:
a client configured to:
acquire identity information for identifying the identity of a user and biometric information of the user;
verify the identity of the user according to the identity information and the biometric information and generate a verification result;
send the identity information and the verification result,
an identity authentication service configured to:
after confirming, according to the identity information, that the verification result is correct, send information related to the identity information,
a trusted execution environment component configured to:
generate a private key of the user based on the information related to the identity information, and return the private key of the user to the client.
14. The system of claim 13, wherein the client comprises an application unit and an identity authentication component, the application unit configured to:
acquire identity information of a user;
provide the identity information of the user to the identity authentication component,
the identity authentication component is configured to:
acquire biometric information of the user.
15. The system of claim 14, wherein the identity authentication component is further configured to:
generate a first key using a symmetric encryption algorithm, and encrypt the first key using a public key of a trusted execution environment component of the remote server to produce a second key;
send the second key to the identity authentication service;
decrypt the encrypted private key of the user using the first key,
the identity authentication service is further configured to:
send the second key to the trusted execution environment component,
the trusted execution environment component is configured to:
decrypt the second key according to a private key of the trusted execution environment component to obtain the first key;
after encrypting the user's private key with the first key, send the encrypted private key to the identity authentication component via the identity authentication service.
16. The system of any of claims 13-15, wherein the client is a mobile device.
17. The system of claim 16, wherein the mobile device comprises: a notebook computer, a mobile phone, a tablet computer, a smart watch, a smart bracelet, smart glasses.
18. The system of any of claims 13-15, wherein the identity information comprises at least one of: name, identification number, passport number, telephone number, account number.
19. The system of any of claims 13-15, wherein the biometric information includes at least one of: fingerprint, face picture, iris image, palm image, retina image, vein image, voice.
20. The system of any one of claims 13-15, wherein the trusted execution environment component generates a private key of the user using an identity-based cryptography (IBC) system.
21. The system of any of claims 13-15, wherein the information related to identity information comprises at least one of: identity information, digest value of identity information.
22. The system of claim 21, wherein the digest value of the identity information is a hash value of the identity information.
23. The system of any of claims 13-15, wherein the trusted execution environment component is located in a node of a blockchain.
24. The system as recited in claim 23, wherein the blockchain is an ant trusted hardware privacy contract chain.
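The key-transport exchange of claims 3 and 15, written out in Go as an added example; it is not code from the patent or from the applicant. The claims name only "a symmetric encryption algorithm" and the TEE component's public key, so AES-256-GCM, RSA-OAEP with SHA-256, the binding of the identity digest as OAEP label and GCM associated data, and all function names are assumptions, and the user's private key is treated as opaque bytes rather than produced by an IBC scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewTEEKey creates the TEE component's RSA key pair (constructed for this example).
func NewTEEKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFirstKey (client): random AES-256 first key, encrypted to the TEE public key.
func WrapFirstKey(teePub *rsa.PublicKey, idDigest []byte) (first, second []byte, err error) {
	first = make([]byte, 32)
	if _, err = rand.Read(first); err != nil {
		return nil, nil, err
	}
	// The identity digest is the OAEP label, so a relay cannot reuse the second key.
	second, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, teePub, first, idDigest)
	return first, second, err
}

// Issue (TEE): recover the first key and encrypt the user's private key under it.
func Issue(teePriv *rsa.PrivateKey, second, userPriv, idDigest []byte) ([]byte, error) {
	first, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, teePriv, second, idDigest)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(first)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, userPriv, idDigest), nil // nonce || ciphertext || tag
}

// Unwrap (client): authenticate and decrypt the relayed blob with the first key.
func Unwrap(first, sealed, idDigest []byte) ([]byte, error) {
	gcm, err := newGCM(first)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("unwrap: bad first key or short blob (err=%v)", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], idDigest)
}

func main() {
	teePriv, err := NewTEEKey()
	if err != nil {
		panic(err)
	}
	id := sha256.Sum256([]byte("constructed-user-id")) // digest of identity information
	first, second, _ := WrapFirstKey(&teePriv.PublicKey, id[:])
	sealed, _ := Issue(teePriv, second, []byte("constructed user private key"), id[:])
	key, err := Unwrap(first, sealed, id[:])
	fmt.Printf("client recovered %q, err=%v\n", key, err)
}
```

The identity authentication service only ever handles `second` and `sealed`; with an authenticated mode, a blob it alters or re-targets to another identity fails to decrypt instead of yielding a different key.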
CN202211640235.8A 2022-12-20 2022-12-20 Method and system for generating private key of user Pending CN115987499A (en)

Publications (1)

Publication Number Publication Date
CN115987499A (en) 2023-04-18

Family

ID=85958906

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination