CN116248290A - Identity authentication method and device and electronic equipment - Google Patents


Info

Publication number
CN116248290A
CN116248290A (application CN202211737257.6A)
Authority
CN
China
Prior art keywords
key
authentication
ciphertext
login
request
Prior art date
Legal status
Pending
Application number
CN202211737257.6A
Other languages
Chinese (zh)
Inventor
杨浩
胡缙
米鹏伟
汪亮
黄胜云
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202211737257.6A
Publication of CN116248290A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/0852 Quantum cryptography
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0863 involving passwords or one-time passwords
                            • H04L9/0869 involving random numbers or seeds
                        • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/321 involving a third party or a trusted authority
                            • H04L9/3213 using tickets or tokens, e.g. Kerberos
                        • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an identity authentication method, an identity authentication device and electronic equipment. The method comprises the following steps: sending a key request to a security chip and receiving first response information returned by the security chip, wherein the first response information at least comprises a secret key; creating a session identifier corresponding to the session according to the application identifier, and initiating a request to the quantum key management system to acquire an authentication key; determining the authentication key returned by the quantum key management system, encrypting at least the login authentication credentials with the authentication key to generate a login information ciphertext, and generating a message authentication code corresponding to the login information ciphertext; sending the login information ciphertext, the message authentication code and the session identifier to an identity authentication server; and receiving second response information returned by the identity authentication server. The method and the device solve the technical problem in the related art that security verification based on a user name and a password offers poor security and readily leads to data leakage.

Description

Identity authentication method and device and electronic equipment
Technical Field
The present invention relates to the field of security verification, and in particular, to a method and an apparatus for identity authentication, and an electronic device.
Background
SSL VPN is a newer VPN (Virtual Private Network) technology based on the SSL (Secure Sockets Layer) / TLS (Transport Layer Security) protocols. SSL VPN authentication provides a secure and reliable way for access users to reach internal resources.
In the related art, during SSL VPN authentication the SSL VPN client sends a user name and password to the SSL VPN gateway, the gateway forwards them to an AAA (Authentication, Authorization, Accounting) server for authentication, and if the AAA server's authentication passes, the SSL VPN authentication is deemed successful. However, when the SSL VPN client and the SSL VPN gateway send the user name and password, attribute information such as the address and name of the AAA server is sent along to the AAA server, and this attribute information is easily exploited by a counterfeit phishing website, so that an illegitimate user name and password can pass verification, which poses a large potential security hazard.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides an identity authentication method, an identity authentication device and electronic equipment, which are used at least to solve the technical problem in the related art that security verification based on a user name and a password offers poor security and readily leads to data leakage.
According to an aspect of the embodiments of the present application, there is provided a method for identity authentication, including: the quantum security middleware sends a key request to the security chip and receives first response information returned by the security chip, wherein the first response information at least comprises a secret key; a session identifier corresponding to the session is created according to the application identifier, and a request for acquiring an authentication key is initiated to the quantum key management system, wherein the request at least comprises the session identifier encrypted with the key; the authentication key returned by the quantum key management system is determined, at least the login authentication credentials are encrypted with the authentication key to generate a login information ciphertext, and a message authentication code corresponding to the login information ciphertext is generated; the login information ciphertext, the message authentication code and the session identifier are sent to an identity authentication server; and second response information returned by the identity authentication server is received, wherein the second response information is at least used to indicate whether the login information ciphertext and the message authentication code were successfully verified.
Optionally, determining the authentication key returned by the quantum key management system includes: receiving the authentication key in ciphertext form returned by the quantum key management system; and decrypting the authentication key in ciphertext form with the key to obtain the authentication key in plaintext form.
Optionally, after decrypting the authentication key in ciphertext form with the key to obtain the authentication key in plaintext form, the method further comprises: caching the application identifier, the authentication key plaintext, the session identifier and the challenge random number generated in the process of acquiring the authentication key.
Optionally, encrypting at least the login authentication credentials with the authentication key to generate the login information ciphertext includes: encrypting the time-varying parameter, the application identifier, the challenge random number and the login authentication credentials with the authentication key plaintext to generate the login information ciphertext.
Optionally, after receiving the first response information returned by the security chip, the method further includes: determining first identification information of the security chip; determining whether the first identification information of the security chip and the secret key satisfy a correspondence; and, when the first identification information and the secret key satisfy the correspondence, determining that the secret key is correct.
Optionally, after receiving the second response information returned by the identity authentication server, the method further includes: when the login information ciphertext and the message authentication code have been successfully verified, determining second identification information and a token of the chip used by the security middleware; initiating an authentication request to an SSL VPN gateway (a virtual private network gateway based on the Secure Sockets Layer protocol), wherein the authentication request carries the second identification information and the token; and receiving third response information returned by the SSL VPN gateway, wherein the SSL VPN gateway forwards the authentication request to the AAA server for authentication.
According to another aspect of the embodiments of the present application, there is provided another method for identity authentication, including: the quantum security middleware sends a key request to the security chip and receives the chip key serial number, the key and the identification information of the chip returned by the security chip; a session identifier corresponding to the session is created according to the application identifier, and a request for acquiring an authentication key is initiated to the quantum key management system, wherein the request at least comprises: a time-varying parameter, the chip key serial number, and the chip identification information and session identifier encrypted with the key; the authentication key ciphertext returned by the quantum key management system is received and decrypted with the key corresponding to the key serial number to obtain the authentication key plaintext, and the application identifier, the authentication key plaintext, the session identifier and the challenge random number generated in the process of acquiring the authentication key are cached; the quantum security middleware encrypts the time-varying parameter, the application identifier, the challenge random number and the login authentication credentials with the authentication key plaintext to generate a login information ciphertext, and generates a message authentication code corresponding to the login information ciphertext; the login information ciphertext, the message authentication code and the session identifier are sent to an identity authentication server; and response information returned by the identity authentication server is received, wherein the response information indicates whether verification of the login information ciphertext, the message authentication code and the session identifier succeeded.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for identity authentication, including: a first sending module, used to send a key request to the security chip and receive first response information returned by the security chip, wherein the first response information at least comprises a secret key; a creation module, used to create a session identifier corresponding to the session according to the application identifier and to initiate a request for acquiring an authentication key to the quantum key management system, wherein the request at least comprises the session identifier encrypted with the key; a determining module, used to determine the authentication key returned by the quantum key management system, encrypt at least the login authentication credentials with the authentication key to generate a login information ciphertext, and generate a message authentication code corresponding to the login information ciphertext; a second sending module, used to send the login information ciphertext, the message authentication code and the session identifier to the identity authentication server; and a receiving module, used to receive second response information returned by the identity authentication server, wherein the second response information is at least used to indicate whether the login information ciphertext and the message authentication code were successfully verified.
According to another aspect of the embodiments of the present application, there is further provided a non-volatile storage medium, where the storage medium includes a stored program, and when the program runs, the device in which the storage medium is located is controlled to perform any one of the above methods of identity authentication.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement any one of the above methods of identity authentication.
In the embodiment of the application, security verification based on a quantum security middleware is adopted: the quantum security middleware sends a key request to a security chip and receives first response information returned by the security chip, wherein the first response information at least comprises a secret key; a session identifier corresponding to the session is created according to the application identifier, and a request for acquiring an authentication key is initiated to the quantum key management system, wherein the request at least comprises the session identifier encrypted with the key; the authentication key returned by the quantum key management system is determined, at least the login authentication credentials are encrypted with the authentication key to generate a login information ciphertext, and a message authentication code corresponding to the login information ciphertext is generated; the login information ciphertext, the message authentication code and the session identifier are sent to an identity authentication server; and second response information returned by the identity authentication server is received, wherein the second response information is at least used to indicate whether the login information ciphertext and the message authentication code were successfully verified. This achieves the technical effects of improving the security of data verification and ensuring the security of subsequent data transmission, and thereby solves the technical problem in the related art that security verification based on a user name and a password offers poor security and readily leads to data leakage.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of an alternative method of identity authentication according to an embodiment of the present application;
FIG. 2 is an alternative security middleware-based authentication system architecture diagram of the present application;
FIG. 3 is a flow chart of another method of identity authentication according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an apparatus for identity authentication according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to embodiments of the present application, there is provided an embodiment of a method of identity authentication, it being noted that the steps shown in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order other than that shown.
FIG. 1 is a flow chart of a method of identity authentication according to an embodiment of the present application. As shown in FIG. 1, the method includes the following steps:
step S102, the quantum security middleware sends a key request to the security chip and receives first response information returned by the security chip, wherein the first response information at least comprises a secret key;
step S104, a session identifier corresponding to the session is created according to the application identifier, and a request for acquiring an authentication key is initiated to the quantum key management system, wherein the request at least comprises the session identifier encrypted with the key;
step S106, the authentication key returned by the quantum key management system is determined, at least the login authentication credentials are encrypted with the authentication key to generate a login information ciphertext, and a message authentication code corresponding to the login information ciphertext is generated;
step S108, the login information ciphertext, the message authentication code and the session identifier are sent to an identity authentication server;
step S110, second response information returned by the identity authentication server is received, wherein the second response information is at least used to indicate whether the login information ciphertext and the message authentication code were successfully verified.
In this identity authentication method, security verification based on a quantum security middleware is adopted: the quantum security middleware sends a key request to a security chip and receives first response information returned by the security chip, wherein the first response information at least comprises a secret key; a session identifier corresponding to the session is created according to the application identifier, and a request for acquiring an authentication key is initiated to the quantum key management system, wherein the request at least comprises the session identifier encrypted with the key; the authentication key returned by the quantum key management system is determined, at least the login authentication credentials are encrypted with the authentication key to generate a login information ciphertext, and a message authentication code corresponding to the login information ciphertext is generated; the login information ciphertext, the message authentication code and the session identifier are sent to an identity authentication server; and second response information returned by the identity authentication server is received, wherein the second response information is at least used to indicate whether the login information ciphertext and the message authentication code were successfully verified. This achieves the technical effects of improving the security of data verification and ensuring the security of subsequent data transmission, and thereby solves the technical problem in the related art that security verification based on a user name and a password offers poor security and readily leads to data leakage.
In some embodiments of the present application, determining the authentication key returned by the quantum key management system includes: receiving the authentication key in ciphertext form returned by the quantum key management system; and decrypting the authentication key in ciphertext form with the key to obtain the authentication key in plaintext form.
In some optional embodiments of the present application, after decrypting the authentication key in ciphertext form with the key to obtain the authentication key in plaintext form, the application identifier, the authentication key plaintext, the session identifier and the challenge random number generated in the process of acquiring the authentication key may be cached.
In some embodiments of the present application, encrypting at least the login authentication credentials with the authentication key to generate the login information ciphertext may be implemented as follows: the time-varying parameter, the application identifier, the challenge random number and the login authentication credentials are encrypted with the authentication key plaintext to generate the login information ciphertext.
As an alternative embodiment, after receiving the first response information returned by the security chip, the first identification information of the security chip may be determined; whether the first identification information of the security chip and the secret key satisfy a correspondence is determined; and, when the first identification information and the secret key satisfy the correspondence, the secret key is determined to be correct.
In some embodiments of the present application, after receiving the second response information returned by the identity authentication server, and when the login information ciphertext and the message authentication code are determined to have been successfully verified, the second identification information and the token of the chip used by the security middleware may be determined; an authentication request is initiated to an SSL VPN gateway (a virtual private network gateway based on the Secure Sockets Layer protocol), wherein the authentication request carries the second identification information and the token; and third response information returned by the SSL VPN gateway is received, wherein the SSL VPN gateway forwards the authentication request to the AAA server for authentication.
FIG. 2 is an optional architecture diagram of the security middleware-based authentication system of the present application. As shown in FIG. 2, it comprises: a security chip (SIM card or USBKey shield), quantum security middleware, an identity authentication server, a quantum key management system and an AAA server. The security chip (SIM card or USBKey shield) is certified in accordance with the national commercial cryptography administration, has security protection capability, is written with ID information at initialization, and can interface with the quantum key management system to realize the key filling function in the security chip. The quantum security middleware sits between the security chip and the application client and realizes symmetric key management, cryptographic algorithm management (HMAC-SM3, SM4 and other algorithms), identity authentication management, data storage and other functions. The identity authentication server uses CAS and JWT technology to complete business application management, user identity authentication and token maintenance, and uses the key filled in a security chip to interact with the quantum key management system to obtain the authentication key. The quantum key management system completes key filling into the security chip; after the terminal integrates the security chip, the security middleware uses the key filled in the security chip to interact with the quantum key management system to obtain the authentication key, authenticate the security chip, and so on. The AAA server is a server program capable of processing user access requests and providing authentication, authorization and accounting services, and mainly provides user services for SSL VPN identity authentication.
When the quantum key management system is initialized, quantum key filling and storage are completed in the security chips integrated in the mobile phone terminal and in the identity authentication server, and the correspondence between each filled security chip and its key is recorded and stored.
The process by which the quantum security middleware acquires an authentication key comprises the following steps:
S10, the security middleware initiates a key request to the security chip (SIM card), and the security chip returns a key serial number Z, a key B and a chip ID α;
S11, the security middleware generates a session identifier SessionId and initiates an authentication key acquisition request to the quantum key management system; the authentication key request message is: key serial number Z + key-B encryption of (time-varying parameter + chip ID α + session identifier SessionId).
S12, the quantum key management system looks up the key B filled in the security chip according to the key serial number Z, decrypts the authentication key request ciphertext, and distributes the authentication key AuthKey ciphertext according to the decrypted information.
S13, the security middleware obtains the authentication key AuthKey ciphertext, decrypts the response message with the key B corresponding to key serial number Z to obtain the AuthKey plaintext, and caches the application identifier AppId, the authentication key AuthKey, the session identifier SessionId and the challenge random number α.
S14, after the authentication key AuthKey has been obtained by the flow of FIG. 2, unified identity authentication based on the security middleware is carried out as shown in FIG. 3.
S15, the quantum security middleware uses the authentication key AuthKey with the SM4 algorithm and the HMAC-SM3 algorithm respectively to compute, from the login information (time-varying parameter, login authentication credential, application identifier AppId and challenge random number), the login information ciphertext and the login information MAC value, and forwards the login information ciphertext, the login information MAC and the session identifier SessionId to the identity authentication server. The identity authentication server receives the login encryption information and the login information MAC value and initiates a key request to its security chip, which returns a key serial number Y, a key C and a chip ID β;
S16, the identity authentication server initiates an authentication key acquisition request to the quantum key management system; the authentication key request message is: key serial number Y + key-C encryption of (time-varying parameter + chip ID β + session identifier SessionId).
S17, the quantum key management system looks up the key C filled in the security chip according to the key serial number Y, decrypts the request message, retrieves the authentication key AuthKey according to chip ID β + SessionId, and returns an authentication key response message to the identity authentication server: key serial number Y + key-C encryption of (time-varying parameter + chip ID β + SessionId + authentication key AuthKey).
S18, the identity authentication server receives the response message, decrypts it with the key C corresponding to key serial number Y, and obtains the authentication key AuthKey. It then decrypts the login encryption data received in step S15 with the authentication key AuthKey and obtains the user's login authentication credential, the challenge random number, the application identifier AppId and the login information MAC value.
S19, the identity authentication server verifies the user's login authentication credential, the challenge random number α and the login information MAC value.
1) If verification fails, the quantum security middleware is notified of the SSL VPN login failure.
2) If verification succeeds, the identity authentication server generates a Token using JWT technology, inserts the chip ID and the Token into the AAA server, and responds to the quantum security middleware.
S20, the quantum security middleware receives the response and checks whether the ciphertext message decrypts successfully and whether the MAC value is consistent; if decryption succeeds and the comparison is consistent, proceed to S21; if decryption fails or the comparison is inconsistent, SSL VPN login failure is returned to the user;
S21, the quantum security middleware initiates an authentication request to the SSL VPN using the security middleware's chip ID and the Token;
S22, the SSL VPN gateway receives the request and forwards it to the AAA server for authentication, which checks whether the chip ID and the Token are consistent; if they are consistent, login success is returned, otherwise login failure is returned.
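The login message of step S15 and its verification in steps S18 and S19, as an added example that is not part of the patent. It assumes AES-CTR and HMAC-SHA256 as stand-ins for SM4 and HMAC-SM3, separate encryption and MAC subkeys derived from AuthKey, a Unix timestamp as the time-varying parameter, a freshness window chosen by the server, and that the server holds the session's challenge random number and the user's expected credential.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LoginInfo is the S15 plaintext: time-varying parameter (Unix seconds here), AppId, challenge random number, credential.
type LoginInfo struct {
	Timestamp  int64  `json:"ts"`
	AppID      string `json:"app"`
	Challenge  []byte `json:"chal"`
	Credential []byte `json:"cred"`
}

// LoginMessage is what the middleware forwards to the identity authentication server.
type LoginMessage struct {
	SessionID  string
	Ciphertext []byte // nonce || AES-CTR(plaintext)
	MAC        []byte
}

// hmacSHA256 stands in for HMAC-SM3; it also derives the labelled subkeys
// (assumption: separate "enc" and "mac" subkeys instead of reusing AuthKey for both).
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// ctr applies AES-CTR (stand-in for SM4); key is always the 32-byte output of hmacSHA256.
func ctr(key, nonce, in []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// BuildLoginMessage is the middleware side of S15: encrypt the login information
// under AuthKey, then MAC the session identifier and ciphertext (encrypt-then-MAC).
func BuildLoginMessage(authKey []byte, sessionID string, info LoginInfo) (LoginMessage, error) {
	pt, _ := json.Marshal(info) // plain struct: cannot fail
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return LoginMessage{}, err
	}
	ct := append(nonce, ctr(hmacSHA256(authKey, []byte("enc")), nonce, pt)...)
	mac := hmacSHA256(hmacSHA256(authKey, []byte("mac")), []byte(sessionID), ct)
	return LoginMessage{SessionID: sessionID, Ciphertext: ct, MAC: mac}, nil
}

// VerifyLoginMessage is the server side of S18/S19: verify the MAC before decrypting, then check the
// challenge, time-varying parameter and credential the server holds for this session and user (assumption).
func VerifyLoginMessage(authKey []byte, msg LoginMessage, expectedChallenge, expectedCredential []byte,
	now time.Time, maxSkew time.Duration) (LoginInfo, error) {
	if !hmac.Equal(msg.MAC, hmacSHA256(hmacSHA256(authKey, []byte("mac")), []byte(msg.SessionID), msg.Ciphertext)) {
		return LoginInfo{}, errors.New("login information MAC mismatch")
	}
	if len(msg.Ciphertext) < aes.BlockSize {
		return LoginInfo{}, errors.New("ciphertext too short")
	}
	pt := ctr(hmacSHA256(authKey, []byte("enc")), msg.Ciphertext[:aes.BlockSize], msg.Ciphertext[aes.BlockSize:])
	var info LoginInfo
	if err := json.Unmarshal(pt, &info); err != nil {
		return LoginInfo{}, errors.New("ciphertext did not decrypt to a login record")
	}
	if !hmac.Equal(info.Challenge, expectedChallenge) {
		return LoginInfo{}, errors.New("challenge random number mismatch")
	}
	if d := now.Sub(time.Unix(info.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return LoginInfo{}, errors.New("time-varying parameter outside the freshness window")
	}
	if !hmac.Equal(info.Credential, expectedCredential) {
		return LoginInfo{}, errors.New("login authentication credential rejected")
	}
	return info, nil
}

func main() {
	authKey, challenge := []byte("constructed-demo-AuthKey"), []byte("constructed-S13-challenge") // constructed
	info := LoginInfo{time.Now().Unix(), "vpn-portal", challenge, []byte("user-credential")}
	msg, _ := BuildLoginMessage(authKey, "SessionId-0001", info)
	_, err := VerifyLoginMessage(authKey, msg, challenge, []byte("user-credential"), time.Now(), time.Minute)
	fmt.Println("login verified:", err == nil)
}
```

Because the MAC covers SessionId as well as the ciphertext, a login message captured in one session is rejected when presented under another session identifier, and tampering with the ciphertext is detected before any decryption happens.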
FIG. 3 shows another identity authentication method according to an embodiment of the present application. As shown in FIG. 3, the method includes:
S302, the quantum security middleware sends a key request to the security chip and receives the chip key serial number, the key and the identification information of the chip returned by the security chip;
S304, a session identifier corresponding to the current session is created according to the application identifier, and an authentication key acquisition request is initiated to the quantum key management system, the request at least comprising: the time-varying parameter, the chip key serial number, and the chip identification information and session identifier encrypted with the key;
S306, the authentication key ciphertext returned by the quantum key management system is received and decrypted with the key corresponding to the key serial number to obtain the authentication key plaintext, and the application identifier, the authentication key plaintext, the session identifier and the challenge random number generated while acquiring the authentication key are cached;
S308, the quantum security middleware encrypts the time-varying parameter, the application identifier, the challenge random number and the login authentication credential with the authentication key plaintext to generate the login information ciphertext, and generates a message authentication code corresponding to the login information ciphertext;
S310, the login information ciphertext, the message authentication code and the session identifier are sent to the identity authentication server;
S312, response information returned by the identity authentication server is received, the response information indicating whether verification of the login information ciphertext, the message authentication code and the session identifier succeeded.
In this identity authentication method, a key request is sent to the security chip, and the chip key serial number, the key and the identification information of the chip returned by the security chip are received; a session identifier corresponding to the current session is created according to the application identifier, and an authentication key acquisition request is initiated to the quantum key management system, the request at least comprising the time-varying parameter, the chip key serial number, and the chip identification information and session identifier encrypted with the key; the authentication key ciphertext returned by the quantum key management system is received and decrypted with the key corresponding to the key serial number to obtain the authentication key plaintext, and the application identifier, the authentication key plaintext, the session identifier and the challenge random number generated while acquiring the authentication key are cached; the quantum security middleware encrypts the time-varying parameter, the application identifier, the challenge random number and the login authentication credential with the authentication key plaintext to generate the login information ciphertext and generates a message authentication code corresponding to it; the login information ciphertext, the message authentication code and the session identifier are sent to the identity authentication server; and the response information returned by the identity authentication server, indicating whether the login information ciphertext, the message authentication code and the session identifier were successfully checked, is received. This achieves the technical effects of improving the security of data verification and ensuring secure subsequent data transmission, and thereby solves the technical problem in the related art that security verification based on a user name and password is weak and easily leads to data leakage.
FIG. 4 shows an identity authentication apparatus according to an embodiment of the present application. As shown in FIG. 4, the apparatus includes:
a first sending module 40, configured to send a key request to the security chip and receive first response information returned by the security chip, where the first response information at least includes a secret key;
a creation module 42, configured to create a session identifier corresponding to the current session according to the application identifier, and to initiate an authentication key acquisition request to the quantum key management system, where the request at least includes the session identifier encrypted with the key;
a determining module 44, configured to determine the authentication key returned by the quantum key management system, encrypt at least the login authentication credential with the authentication key to generate a login information ciphertext, and generate a message authentication code corresponding to the login information ciphertext;
a second sending module 46, configured to send the login information ciphertext, the message authentication code and the session identifier to the identity authentication server;
a receiving module 48, configured to receive second response information returned by the identity authentication server, where the second response information at least indicates whether the login information ciphertext and the message authentication code were successfully checked.
In this identity authentication apparatus, the first sending module 40 is configured to send a key request to the security chip and receive first response information returned by the security chip, where the first response information at least includes a secret key; the creation module 42 is configured to create a session identifier corresponding to the current session according to the application identifier and to initiate an authentication key acquisition request to the quantum key management system, where the request at least includes the session identifier encrypted with the key; the determining module 44 is configured to determine the authentication key returned by the quantum key management system, encrypt at least the login authentication credential with the authentication key to generate a login information ciphertext, and generate a message authentication code corresponding to the login information ciphertext; the second sending module 46 is configured to send the login information ciphertext, the message authentication code and the session identifier to the identity authentication server; and the receiving module 48 is configured to receive the second response information returned by the identity authentication server, where the second response information at least indicates whether the login information ciphertext and the message authentication code were successfully checked. This improves the security of data verification and ensures secure transmission of subsequent data, thereby solving the technical problem in the related art that security verification based on a user name and password is weak and easily leads to data leakage.
According to another aspect of the embodiments of the present application, a non-volatile storage medium is further provided. The storage medium includes a stored program, and when the program runs, the device in which the storage medium is located is controlled to perform any one of the above identity authentication methods.
According to another aspect of the embodiments of the present application, an electronic device is also provided, including: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement any one of the above identity authentication methods.
Specifically, the storage medium is configured to store program instructions that implement the following functions:
sending a key request to the security chip and receiving first response information returned by the security chip, where the first response information at least includes a secret key; creating a session identifier corresponding to the current session according to the application identifier, and initiating an authentication key acquisition request to the quantum key management system, where the request at least includes the session identifier encrypted with the key; determining the authentication key returned by the quantum key management system, encrypting at least the login authentication credential with the authentication key to generate a login information ciphertext, and generating a message authentication code corresponding to the login information ciphertext; sending the login information ciphertext, the message authentication code and the session identifier to the identity authentication server; and receiving second response information returned by the identity authentication server, where the second response information at least indicates whether the login information ciphertext and the message authentication code were successfully checked.
The foregoing embodiment numbers of the present application are merely for description and do not represent advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the description of each embodiment has its own emphasis; for any part not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method of identity authentication, comprising:
the quantum security middleware sends a key request to a security chip and receives first response information returned by the security chip, wherein the first response information at least comprises: a secret key;
creating a session identifier corresponding to the current session according to the application identifier, and initiating a request for acquiring an authentication key to the quantum key management system, wherein the request at least comprises: the session identifier encrypted with the key;
determining an authentication key returned by the quantum key management system, encrypting at least login authentication credentials according to the authentication key to generate login information ciphertext, and generating a message authentication code corresponding to the login information ciphertext;
sending the login information ciphertext, the message authentication code and the session identifier to an identity authentication server;
and receiving second response information returned by the identity authentication server, wherein the second response information is at least used for indicating whether the login information ciphertext and the message authentication code are successfully checked.
2. The method of claim 1, wherein determining an authentication key returned by the quantum key management system comprises:
receiving the authentication key in ciphertext form returned by the quantum key management system;
and decrypting the ciphertext-form authentication key with the key to obtain the authentication key in plaintext form.
3. The method of claim 2, wherein after decrypting the ciphertext-form authentication key with the key to obtain the authentication key in plaintext form, the method further comprises:
caching the application identifier, the authentication key plaintext, the session identifier and the challenge random number generated in the process of acquiring the authentication key.
4. The method of claim 3, wherein encrypting at least the login authentication credential according to the authentication key to generate the login information ciphertext comprises:
encrypting the time-varying parameter, the application identifier, the challenge random number and the login authentication credential with the plaintext-form authentication key to generate the login information ciphertext.
5. The method of claim 1, wherein after receiving the first response information returned by the secure chip, the method further comprises:
determining first identification information of the security chip;
determining whether the first identification information of the security chip and the secret key meet a corresponding relation;
and under the condition that the first identification information and the secret key meet the corresponding relation, determining that the secret key is correct.
6. The method of claim 1, wherein after receiving the second response information returned by the authentication server, the method further comprises:
in the case that the login information ciphertext and the message authentication code are successfully checked, determining second identification information of the chip used by the security middleware and a token;
initiating an authentication request to a Secure Socket Layer virtual private network (SSL VPN) gateway, wherein the authentication request carries the second identification information and the token;
and receiving third response information returned by the SSL VPN gateway, wherein the SSL VPN gateway forwards the authentication request to an AAA server for authentication.
7. A method of identity authentication, comprising:
the quantum security middleware sends a key request to the security chip and receives a chip key serial number, a key and identification information of the chip returned by the security chip;
creating a session identifier corresponding to the current session according to the application identifier, and initiating a request for acquiring an authentication key to the quantum key management system, wherein the request at least comprises: the time-varying parameter, the chip key serial number, and the identification information of the chip and the session identifier encrypted with the key;
receiving an authentication key ciphertext returned by the quantum key management system, decrypting the authentication key ciphertext by using the key corresponding to the key serial number to obtain an authentication key plaintext, and caching the application identifier, the authentication key plaintext, the session identifier and a challenge random number generated in the process of acquiring the authentication key;
the quantum security middleware encrypts the time-varying parameters, the application identifier, the challenge random number and the login authentication credentials according to the authentication key plaintext to generate login information ciphertext, and generates a message authentication code corresponding to the login information ciphertext;
sending the login information ciphertext, the message authentication code and the session identifier to an identity authentication server;
and receiving response information returned by the identity authentication server, wherein the response information is used for indicating whether the login information ciphertext, the message authentication code and the session identifier are successfully checked.
8. An apparatus for identity authentication, comprising:
the first sending module is used for sending a key request to the security chip and receiving first response information returned by the security chip, wherein the first response information at least comprises: a secret key;
the creation module is used for creating a session identifier corresponding to the current session according to the application identifier, and initiating a request for acquiring an authentication key to the quantum key management system, wherein the request at least comprises: the session identifier encrypted with the key;
the determining module is used for determining an authentication key returned by the quantum key management system, encrypting at least login authentication credentials according to the authentication key to generate login information ciphertext, and generating a message authentication code corresponding to the login information ciphertext;
the second sending module is used for sending the login information ciphertext, the message authentication code and the session identifier to an identity authentication server;
the receiving module is used for receiving second response information returned by the identity authentication server, wherein the second response information is at least used for indicating whether the login information ciphertext and the message authentication code are successfully checked.
9. A non-volatile storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when run, controls a device in which the storage medium is located to perform the method of identity authentication according to any one of claims 1 to 7.
10. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the method of identity authentication of any one of claims 1 to 7.
CN202211737257.6A 2022-12-30 2022-12-30 Identity authentication method and device and electronic equipment Pending CN116248290A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211737257.6A CN116248290A (en) 2022-12-30 2022-12-30 Identity authentication method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN116248290A true CN116248290A (en) 2023-06-09

Family

ID=86623415

Country Status (1)

Country Link
CN (1) CN116248290A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116527259A (en) * 2023-07-03 2023-08-01 中电信量子科技有限公司 Cross-domain identity authentication method and system based on quantum key distribution network
CN116527259B (en) * 2023-07-03 2023-09-19 中电信量子科技有限公司 Cross-domain identity authentication method and system based on quantum key distribution network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination