CN116599709A - Method, terminal and computer storage medium for verifying identity - Google Patents
Method, terminal and computer storage medium for verifying identity Download PDFInfo
- Publication number
- CN116599709A CN116599709A CN202310494360.0A CN202310494360A CN116599709A CN 116599709 A CN116599709 A CN 116599709A CN 202310494360 A CN202310494360 A CN 202310494360A CN 116599709 A CN116599709 A CN 116599709A
- Authority
- CN
- China
- Prior art keywords
- data
- verification
- target information
- main body
- verification data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 67
- 238000012795 verification Methods 0.000 claims abstract description 250
- 230000006870 function Effects 0.000 claims description 62
- 238000004590 computer program Methods 0.000 claims description 20
- 238000012545 processing Methods 0.000 claims description 8
- 230000001360 synchronised effect Effects 0.000 claims description 6
- 238000010200 validation analysis Methods 0.000 claims description 4
- 238000013475 authorization Methods 0.000 description 14
- 230000008569 process Effects 0.000 description 13
- 238000010586 diagram Methods 0.000 description 10
- 238000004364 calculation method Methods 0.000 description 8
- 238000010276 construction Methods 0.000 description 5
- 230000004044 response Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000001514 detection method Methods 0.000 description 3
- 238000004422 calculation algorithm Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 150000003839 salts Chemical class 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application relates to the technical field of data authentication, and provides a method, a device, a terminal and a computer storage medium for authentication. The method comprises the following steps: acquiring first verification data sent by a data providing end, wherein the first verification data is constructed by the data providing end based on a first homomorphic hidden function and first target information of the data providing end; verifying the first verification data by using a first verification mode to obtain a first verification result; if the first verification result indicates that the data providing end is a target information end, constructing second verification data, wherein the second verification data is constructed by the data main body end based on a second homomorphic hidden function and second target information of the data main body end; and sending second verification data to the data providing end, wherein the second verification data is used for indicating the data providing end to verify whether the second verification data comes from the data main body end or not. By the scheme provided by the application, the leakage of target data can be avoided, and the data security is provided.
Description
Technical Field
The present application relates to the field of data authentication technologies, and in particular, to a method, a terminal, and a computer storage medium for authentication.
Background
In various data flow techniques, for example: data sharing exchanges, data asset credentials, secure transfer of data, etc., by way of one exception, a shared transfer technique is a process of transferring data from a to B, where the process may be transparent to the outside world, meaning that any system may participate in the process for data flow.
However, the above data circulation technology may cause a problem of security phenomenon, for example, in a data asset credential scenario, the data provider needs to obtain the authorization of the data provider to issue the credential data, but the data provider needs to authorize the data provider to prove that the data provider can actually own the data of the data provider, and after the data provider is authorized by the data provider, the data provider also needs to verify whether the authorization information is from the real data provider, which may result in that the data provider randomly authorizes the data provider without knowledge, and the data provider issues the credential data under the condition of possibly false authorization information of the data provider, but the data is not actually authorized by the real data provider, so that the authorization mechanism may have a great security hidden danger.
Content of the application
The application aims to provide a method, a terminal and a computer storage medium for verifying identity, which aim to solve the technical problem that privacy sensitive data is revealed in the existing data identity verification process.
In a first aspect, the present application provides a method for verifying identity, for a data body side, including:
acquiring first verification data sent by a data providing end, wherein the first verification data is constructed by the data providing end based on a first synchronous hiding function and first target information of the data providing end;
verifying the first verification data by using a first verification mode to obtain a first verification result;
if the first verification result indicates that the data providing end is a target information end, second verification data are constructed, wherein the second verification data are constructed by the data main body end based on a second homomorphic hidden function and second target information of the data main body end;
and sending the second verification data to the data providing end, wherein the second verification data is used for indicating the data providing end to verify whether the second verification data is from the data main body end.
According to the method for verifying the identity, the first verification data sent by the data providing end is obtained, the first verification mode is utilized to verify the first verification data, a first verification result is obtained, whether the first verification data is from the data providing end or not is known through the verification result, if the first verification data is from the data providing end, the data main body can verify that the data providing end actually has the data of the data main body end without knowing any privacy information of the data providing end, and meanwhile, the second verification data is sent to the data providing end, so that the data providing end can verify that the authorization information is truly authorized by the true data main body under the condition that any privacy data is not leaked, and privacy sensitive data leakage is avoided in the process of verifying the identity by the data.
In a second aspect, the present application provides a method for verifying identity, for use in a data provider, comprising:
constructing and obtaining first verification data according to the first homomorphic hiding function and the first target information;
the first verification data is sent to a data main body end, the data main body end verifies the first verification data in a first verification mode, and when a verification result indicates that the data providing end is a target information end, second verification data is sent to the data providing end, and the second verification data is constructed by the data main body end based on a second homomorphic hiding function and second target information of the data main body end;
And verifying the second verification data to obtain a second verification result, and confirming whether the second verification data come from the data main body end or not according to the second verification result.
In a fourth aspect, the present application provides a terminal device comprising a memory, a processor and a computer program stored in said memory and executable on said processor, said processor implementing said method of verifying identity when executing said computer program.
In a fifth aspect, the present application provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, which when executed by a processor implements the method of verifying an identity.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an implementation of a method for verifying identity according to an embodiment of the present application.
Fig. 2 is a schematic diagram of a merker tree of a method for verifying identity according to an embodiment of the present application.
Fig. 3 is a schematic diagram of a merker tree of a method for verifying identity according to another embodiment of the present application.
Fig. 4 is a schematic diagram of a merker tree of a method for verifying identity according to another embodiment of the present application.
Fig. 5 is a flowchart illustrating a specific implementation of step S12 of the method for verifying identity according to an embodiment of the present application.
Fig. 6 is a schematic flow chart of an implementation of a method for verifying identity according to another embodiment of the present application.
Fig. 7 is a schematic flow chart of an implementation of a method for verifying identity according to another embodiment of the present application.
Fig. 8 is an application diagram of a method for verifying identity according to an embodiment of the present application.
Fig. 9 is a schematic structural diagram of an apparatus for verifying identity according to an embodiment of the present application.
Fig. 10 is a schematic structural diagram of an apparatus for verifying identity according to another embodiment of the present application.
Fig. 11 is a schematic structural diagram of a method of a terminal device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular device structures, techniques, etc. in order to provide a thorough understanding of embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details.
As used in the present specification and the appended claims, the term "if" may be interpreted as "when..once" or "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if a determination" or "if a [ described condition or event ] is detected" may be interpreted in the context of meaning "upon determination" or "in response to determination" or "upon detection of a [ described condition or event ]" or "in response to detection of a [ described condition or event ]".
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
In order to illustrate the technical scheme of the application, the following description is made by specific examples.
The application provides a method for verifying identity, which can well reduce the risk of revealing private data in the process of verifying the identity by data.
The identity verification method provided by the embodiment of the application can be applied to terminal equipment or servers including, but not limited to, mobile phones, tablet computers, notebook computers, ultra mobile personal computers (ultramobile personal computer, UMPC), netbooks, personal digital assistants (personal digital assistant, PDA) and the like, and the embodiment of the application does not limit the specific types of the terminal equipment or the servers.
Referring to fig. 1, fig. 1 is a flowchart of an implementation of a method for verifying identity according to an embodiment of the present application, including the following steps:
s11: and acquiring first verification data sent by the data providing end, wherein the first verification data is constructed by the data providing end based on the first homomorphic hiding function and first target information of the data providing end.
In this embodiment, in order to verify that the data providing end has the private data of the data main body end, the first verification data sent by the data providing end is acquired first, so that verification can be performed based on the first verification data later, and then the data main body end can verify that the data providing end does have the data of the data main body end without knowing any private information of the data providing end, so that the risk of leakage of the private data in the transmission process is effectively reduced.
The first target information comprises information of a data main body end.
For example, in conjunction with fig. 2 and fig. 3, the data provider sends values of the four merker tree nodes E (b), E (c+d), E (e+f+g+h), E (a+b+c+d+e+f+g+h) as first verification data to the data body, where E (a+b+c+d+e+f+g+h) is a merker tree root, and the data body needs to verify whether the merker tree root is correct.
In some embodiments, the first target information is private data.
S12: and verifying the first verification data by using a first verification mode to obtain a first verification result.
In this embodiment, since the core data, such as the privacy data, of each data body end is stored in the data providing end, in order to verify that the data providing end is the object storing the data of the data body end, after the first verification data sent by the data providing end is obtained, the first verification data is verified by using the first verification method, so as to obtain the first verification result.
For example, referring to fig. 4, the data body receives the four node values of the moek tree sent by the data providing end, the data body locally holds own private data, and the data body holds a data, at this time, the data body performs homomorphic concealment function calculation on a by using the first homomorphic concealment function obtained from the data providing end to obtain E (a), and then performs homomorphic concealment functions on E (a), E (b), E (c+d), and E (e+f+g+h) to obtain the local own moek tree root of the data body. The data main body end obtains the own Murr tree root and compares with the Murr tree root transmitted by the data providing end, if the data main body end is equal to the Murr tree root, the data providing end actually has the data a of the data main body end, the verification is successful, the corresponding verification result indicates that the data providing end is the target information end, meanwhile, the privacy data such as a, b, c, d, e, f, g, h are not revealed, and the zero knowledge proof of the data main body by the data provider is achieved.
S13: if the first verification result indicates that the data providing end is the target information end, second verification data are constructed, and the second verification data are constructed by the data main body end based on the second homomorphic hiding function and second target information of the data main body end.
In this embodiment, after the data main body end verifies that the data providing end is the target information end, in order for the data providing end to be able to correspondingly determine that the data main body end is an object for subsequent communication, the data main body end constructs and obtains second verification data based on the second homomorphic hidden function and second target information of the data main body end.
For example, in connection with fig. 5, after the first verification result indicates that the data providing end is the target information end, the data body end makes authorization information of the data provider, namely second verification data, and once the data provider verifies that the second verification data is indeed from the true data body, the data provider considers that the true data body is authorized. At this time, the data body end regards E (a), E (b), E (c+d), E (e+f+g+h) as four privacy-sensitive data, and before the homomorphic concealment function is used to homomorphically conceal the four privacy data, the latest second homomorphic concealment function needs to be determined again. Using the second homomorphic concealment function and E (a), E (b), E (c+d), E (e+f+g+h), a second order moek tree is finally constructed as shown in fig. 5.
S14: and sending second verification data to the data providing end, wherein the second verification data is used for indicating the data providing end to verify whether the second verification data comes from the data main body end or not.
In this embodiment, in order for the data providing end to correspondingly determine that the data body end is the object of subsequent communication, after the data body end constructs second verification data, the second verification data is sent to the data providing end, where the second verification data is used to instruct the data providing end to verify whether the second verification data is from the data body end.
For example, the data body end only needs to send the second verification data, namely, the second-order moek tree root E' (E (a) +e (b) +e (c+d) +e (e+f+g+h)) to the data providing end, and the data providing end itself holds the values of E (a), E (b), E (c+d), E (e+f+g+h) and the like, so that the data body end only needs to transmit the second-order moek tree root as the second-order proof condition. Further, the data providing end receives the second order moek tree root sent from the data main body end, at this time, the data providing end carries out homomorphic hiding on E (a), E (b), E (c+d) and E (e+f+g+h) locally held by the data providing end according to a second homomorphic hiding function of the data main body to construct the second order moek tree as shown in fig. 5, so as to obtain the second order moek tree root locally provided by the data providing end, and compares the second order moek tree root sent by the data main body with the second order moek tree root, and if the second order moek tree root is equal, the second order moek tree is indicated to be sent by the real data main body a.
According to the method for verifying the identity, the first verification data sent by the data providing end is obtained, the first verification mode is utilized to verify the first verification data, a first verification result is obtained, whether the first verification data is from the data providing end or not is known through the verification result, if the first verification data is from the data providing end, the data main body can verify that the data providing end actually has the data of the data main body end without knowing any privacy information of the data providing end, and meanwhile, the second verification data is sent to the data providing end, so that the data providing end can verify that the authorization information is truly authorized by the true data main body under the condition that any privacy data is not leaked, and privacy sensitive data leakage is avoided in the process of verifying the identity by the data.
In one embodiment, the first validation data is a first order moek tree and the second validation data is a second order moek tree.
Referring to fig. 6, in an embodiment, verifying the first verification data by using a first verification manner, to obtain a first verification result includes:
s21: and constructing and obtaining first comparison verification data based on the first homomorphic hiding function and the second target information.
S22: and comparing the first comparison verification data with the first verification data to obtain a first verification result.
S23: if the first comparison verification data is the same as the first verification data, the first verification result indicates that the data providing end is the target information end.
In this embodiment, since the data providing end stores core data, such as privacy data, of each data body end, in order to verify that the data providing end is an object storing data of the data body end, after obtaining first verification data sent by the data providing end, the data body end uses a first synchronous hidden function and second target information to construct first comparison verification data, and compares the first comparison verification data with the first verification data to obtain a first verification result, if the first comparison verification data is the same as the first verification data, it means that the data providing end and the data body end store the same data, and the corresponding first verification result indicates that the data providing end is the target information end.
In some embodiments, when the data providing end sends the first verification data to the data body end, the first homomorphic hidden function is sent to the data body end together.
In some embodiments, when the data body sends the second verification data to the data provider, the second homomorphic hidden function is sent to the data provider.
Referring to fig. 7, fig. 7 is a flowchart of another method for verifying identity according to an embodiment of the present application, including the following steps:
s31: and constructing and obtaining first verification data according to the first homomorphic hiding function and the first target information.
S32: and sending the first verification data to the data main body end, verifying the first verification data by the data main body end in a first verification mode, and sending second verification data to the data providing end when the verification result indicates that the data providing end is the target information end, wherein the second verification data is constructed by the data main body end based on a second homomorphic hiding function and second target information of the data main body end.
S33: and verifying the second verification data to obtain a second verification result, and confirming whether the second verification data come from the data main body end or not according to the second verification result.
In this embodiment, in order to verify that the data providing end and the data main end are mutually authorized information communication objects, first verification data is constructed according to a first synchronous hiding function and first target information, the first verification data is sent to the data main end, so that the data main end verifies the first verification data in a first verification mode, when the verification result indicates that the data providing end is the target information end, second verification data is sent to the data providing end, then the data providing end verifies the second verification data to obtain a second verification result, whether the second verification data is from the data main end or not is confirmed through the second verification result, and bidirectional verification of both sides is completed on the premise that privacy data is not revealed between the data providing end and the data main end.
For example, in combination with fig. 2 and fig. 3, in one scenario, the data provider sends values of four merker tree nodes E (b), E (c+d), E (e+f+g+h), E (a+b+c+d+e+f+g+h) as first verification data to the data body, where E (a+b+c+d+e+f+g+h) is a merker tree root, and the data body needs to verify whether the merker tree root is correct. The data main body receives the four Morkey node values sent by the data providing end, the data main body locally holds own private data, and the data main body holds a data, at the moment, the data main body carries out homomorphic hiding function calculation on a by using a first homomorphic hiding function obtained from the data providing end to obtain E (a), and then carries out homomorphic hiding functions on E (a), E (b), E (c+d) and E (e+f+g+h) to obtain the local Morkey of the data main body. The data main body end obtains the own Murr tree root and compares with the Murr tree root transmitted by the data providing end, if the data main body end is equal to the Murr tree root, the data providing end actually has the data a of the data main body end, the verification is successful, the corresponding verification result indicates that the data providing end is the target information end, meanwhile, the privacy data such as a, b, c, d, e, f, g, h are not revealed, and the zero knowledge proof of the data main body by the data provider is achieved. After the first verification result indicates that the data providing end is the target information end, the data main body end makes authorization information of the data provider, namely second verification data, and once the data provider verifies that the second verification data is really from the true data main body, the data main body is authorized. At this time, the data body end regards E (a), E (b), E (c+d), E (e+f+g+h) as four privacy-sensitive data, and before the homomorphic concealment function is used to homomorphically conceal the four privacy data, the latest second homomorphic concealment function needs to be determined again. Using the second homomorphic concealment function and E (a), E (b), E (c+d), E (e+f+g+h), a second order moek tree is finally constructed as shown in fig. 5. The data main end only needs to send the second verification data, namely, the second-order moek tree root E' (E (a) +E (b) +E (c+d) +E (e+f+g+h)) to the data providing end, and the data providing end only needs to transmit the second-order moek tree root as a second-order proof condition because the data providing end itself holds the values of E (a), E (b), E (c+d), E (e+f+g+h) and the like. Further, the data providing end receives the second order moek tree root sent from the data main body end, at this time, the data providing end carries out homomorphic hiding on E (a), E (b), E (c+d) and E (e+f+g+h) locally held by the data providing end according to a second homomorphic hiding function of the data main body to construct the second order moek tree as shown in fig. 5, so as to obtain the second order moek tree root locally provided by the data providing end, and compares the second order moek tree root sent by the data main body with the second order moek tree root, and if the second order moek tree root is equal, the second order moek tree is indicated to be sent by the real data main body a.
Referring to fig. 8, in an embodiment, the data providing end stores second target information of a plurality of data body ends.
Before the first verification data is constructed according to the first homomorphic hiding function and the first target information, the method comprises the following steps:
s41: acquiring an absolute value of a hash value of second target information of each data main body end;
s42: and obtaining the first target information of the data providing end according to the absolute value of the hash value of the second target information of each data main end.
In this embodiment, in order to solve the problem that the exponent power operation in the homomorphic hidden function cannot solve the problem of the oversized value, improve the calculation efficiency, ensure the uniqueness of data between the data main bodies, acquire the absolute value of the hash value of the second target information of each data main body end, and obtain the first target information of the data providing end according to the absolute value of the hash value of the second target information of each data main body end.
In an embodiment, obtaining the first target information of the data providing end according to the absolute value of the hash value of the second target information of each data main end includes:
for each absolute value in the positive integer data set consisting of the absolute values of the hash values of the second target information of each data main body end, carrying out root finding processing on each absolute value, and reserving the decimal of the preset bit number for the root finding result to obtain a root finding value;
The decimal numerical value of the root value and the integral numerical value are subjected to difference obtaining to obtain a difference obtaining result;
and taking the absolute value of the difference result as first target information of a data providing end.
In this embodiment, in order to solve the problem that the exponent power operation in the homomorphic hidden function cannot solve the oversized value, improve the calculation efficiency and ensure the uniqueness of the data between the data main bodies, root-finding processing is performed on a positive integer data set composed of absolute values of hash values of the second target information at each data main body end to obtain a root-finding value, and difference between the decimal value and the integral value of the root-finding value is performed to obtain a difference result, and the absolute value of the difference result is used as the first target information at the data providing end.
For example, the data provider locally holds the private data of each data body, and the private data exists in a plurality of rows, wherein each row represents one data body and is marked as data_subjects. Because the first homomorphic hidden function is needed to be used later and is based on a mathematical formula substitution solving mode, at this time, the hash code of each data main body end data in the data_subjects is acquired, the absolute value of the hash code is acquired, and finally a batch of positive integer data sets are obtained and recorded as data_subjects_numbers. In order to solve the problem that the exponent power operation in the first synchronous hidden function cannot solve the problem of the ultra-large value, improve the calculation efficiency and ensure the uniqueness of data among data main body ends, the data_subjects_numbers are subjected to integral root-finding and then remain 4-bit decimal numbers, integer digits are respectively rounded, m is assumed, 4-bit decimal numbers are assumed to be n, the result obtained by subtracting n from m is an absolute value again, a data set similar to a pure integer set added with a salt value equivalent to a hash function can be finally obtained, and meanwhile, the data set is scaled by the data_subjects_numbers, each integer in the data set is ensured to be uniquely corresponding to each data main body end as far as possible while large integers are not needed, and the privacy data set obtained by the final processing is recorded as the data_subjects_scale_numbers. The construction of the moek tree using the first homomorphism concealment function is then started, the first homomorphism concealment function being prior to the construction.
E(x)=g x modp
The values of the generator g and the modulus p need to be determined, the value of p is obtained first, the maximum value of data_subjects_scale_numbers is firstly marked as max_data, the max_data is gradually increased to +1, namely max_data=max_data+1, when max_data is obtained once, the max_data is substituted into a trial division method, namely whether the positive integer of the max_data can be divided wholly or not is searched in the integer interval of (1, max_data), except 1 and the positive integer, if the positive integer can be found, the searching is continued to +1, otherwise, the current max_data is taken as the modulus p. The generator is obtained according to the following algorithm logic:
(1) g is a positive integer less than p;
(2) g and p are mutually prime, that is they have no common factor;
(3) gζmod p=1, but for any positive integer k less than p-1, gζmod p+.1;
the generator g can ultimately be determined according to the above logic. Substituting data_subjects_scale_numbers into the first homomorphic concealment function builds a first order moek tree, assuming that data_subjects_scale_numbers have 8 data body side data, a, b, c, d, e, f, g, h respectively.
The data providing terminal sends the values of four nodes of the Morkey tree such as E (b), E (c+d), E (e+f+g+h) and E (a+b+c+d+e+f+g+h) to the data main terminal, wherein E (a+b+c+d+e+f+g+h) is the Morkey tree root, and the data main terminal needs to verify whether the Morkey tree root is correct or not.
The data main body end receives the four nodes of the Morker tree, and the data main body end locally holds own private data, namely the data main body end holds a data according to the assumption scheme of S2. At this time, the data main body end performs homomorphic hiding function calculation on the homomorphic hiding function, the generator g and the modulus p obtained by the step a to obtain E (a), and then performs homomorphic hiding functions on E (a), E (b), E (c+d) and E (e+f+g+h) to obtain the local self-Morker tree root of the data main body end. The data main body end obtains the own Murr tree root and compares with the Murr tree root transmitted by the data providing end, if the data main body end is equal to the Murr tree root, the data providing end actually has the data a of the data main body end, the verification is successful, and meanwhile, the privacy data such as a, b, c, d, e, f, g, h are not revealed, so that the zero knowledge proof of the data main body end by the data providing end is achieved.
The data main body end makes authorization information of the data providing end, in the invention, the authorization information is a second order Mortiered tree, and once the data providing end verifies that the second order Mortiered tree is really from the true data main body end, the true data main body end authorization is considered to be obtained. At this time, the data body end regards E (a), E (b), E (c+d), E (e+f+g+h) as four privacy sensitive data, and before the homomorphic concealment function is used to homomorphically conceal the four privacy data, the modulus p and the generator g need to be determined again, because at this time, the original 8 data of the data set data_subjects_scale_numbers become the 4 data at this time, the data also changes, that is, the maximum value of the final data set also changes, these factors can all cause the change of the modulus p and the generator g finally, at this time, the latest modulus p is recorded as p_new according to the value mode of S1 with respect to the modulus p and the generator g, the generator g is recorded as g_new, and finally the latest homomorphic concealment function is obtained:
E'(x)=g_new x modp_new
Using the homomorphic concealment function and E (a), E (b), E (c+d), E (e+f+g+h), a second order moek tree is finally constructed as shown in fig. 5.
The data main end is different from the data providing end, wherein the data main end only needs to send the second-order moek tree root, namely E' (E (a) +E (b) +E (c+d) +E (e+f+g+h)) to the data providing end, and the data main end only needs to transmit the second-order moek tree root as a second-order proof condition because the data providing end itself holds the values of E (a), E (b), E (c+d) and E (e+f+g+h).
The data providing end receives the second order Morkey tree root sent from the data main end, at this time, the data providing end carries out homomorphic hiding on E (a), E (b), E (c+d) and E (e+f+g+h) locally held by the data providing end according to the homomorphic hiding function of the data main end to construct a second order Morkey tree like S4, the local second order Morkey tree root of the data providing end is obtained, at this time, the data providing end is compared with the second order Morkey tree root sent by the data main end, if the data providing end is equal to the second order Morkey tree root sent by the data main end, the data providing end is taken as authorization information of the data main end, and after the authorization information is obtained, the data providing end can make a certificate and send data of the data main end to the data demand side; if not, it is considered that the data is authorized by the false data body end, and the true a data is not held by the false data body end, and the manufactured second-order moek tree does not contain the a data. And the verification is successful, meanwhile, the data main body end only needs to transmit the second order Murr tree root and does not reveal any intermediate tree node privacy data, so that the zero knowledge proof of the data main body end to the data providing end is achieved.
In an embodiment, verifying the second verification data to obtain a second verification result includes:
constructing and obtaining second comparison verification data based on the second homomorphic hiding function and the first verification data;
comparing the second comparison verification data with the second verification data to obtain a second verification result;
if the second comparison verification data is the same as the second verification data, the second verification result indicates that the second verification data is from the data main body end.
In this embodiment, since the core data of each data body end, such as privacy data, is stored in the data providing end, in order to verify that the data providing end is an object storing data of the data body end, after second verification data sent by the data providing end is obtained, second comparison verification data is constructed based on the second homomorphic hidden function and the first verification data, and the second comparison verification data is compared with the second verification data to obtain a second verification result; if the second comparison verification data is the same as the second verification data, the second verification result indicates that the second verification data is from the data main body end.
It should be understood that the sequence number of each step in the foregoing embodiment does not mean that the execution sequence of each process should be determined by the function and the internal logic, and should not limit the implementation process of the embodiment of the present application.
Corresponding to the authentication method described in the above embodiments, fig. 9 shows a block diagram of an apparatus for authenticating identity according to an embodiment of the present application, and for convenience of explanation, only a portion related to the embodiment of the present application is shown.
Referring to fig. 9, the apparatus 100 includes:
the first obtaining module 101 is configured to obtain first verification data sent by the data providing end, where the first verification data is constructed by the data providing end based on a first homomorphic hidden function and first target information of the data providing end;
the first verification module 102 is configured to verify the first verification data by using a first verification manner, so as to obtain a first verification result;
the first construction module 103 is configured to construct second verification data if the first verification result indicates that the data providing end is the target information end, where the second verification data is constructed by the data body end based on the second homomorphic hidden function and second target information of the data body end;
the first sending module 104 is configured to send second verification data to the data providing end, where the second verification data is used to instruct the data providing end to verify whether the second verification data is from the data body end.
In an embodiment, the first verification module 102 is further configured to construct and obtain first comparison verification data based on the first synchronous hidden function and the second target information; comparing the first comparison verification data with the first verification data to obtain a first verification result; if the first comparison verification data is the same as the first verification data, the first verification result indicates that the data providing end is the target information end.
According to the device for verifying the identity, the first verification data sent by the data providing end is obtained, the first verification mode is utilized to verify the first verification data, a first verification result is obtained, whether the first verification data is from the data providing end or not is known through the verification result, if the first verification data is from the data providing end, the data main body can verify that the data providing end actually has the data of the data main body end without knowing any privacy information of the data providing end, and meanwhile, the second verification data is sent to the data providing end, so that the data providing end can verify that the authorization information is truly authorized by the true data main body under the condition that any privacy data is not leaked, and privacy sensitive data leakage is avoided in the process of verifying the identity by the data.
Corresponding to the authentication method described in the above embodiments, fig. 10 shows a block diagram of an apparatus for authenticating identity according to an embodiment of the present application, and for convenience of explanation, only a portion related to the embodiment of the present application is shown.
Referring to fig. 10, the apparatus 200 includes:
a second construction module 201, configured to construct first verification data according to the first homomorphic hidden function and the first target information;
The second sending module 202 is configured to send first verification data to the data body end, where the data body end verifies the first verification data by using a first verification manner, and send second verification data to the data providing end when the verification result indicates that the data providing end is a target information end, where the second verification data is constructed by the data body end based on a second homomorphic hiding function and second target information of the data body end;
the second verification module 203 is configured to verify the second verification data to obtain a second verification result, and confirm whether the second verification data is from the data body terminal according to the second verification result.
In one embodiment, the data provider stores second target information of the plurality of data body sides.
The apparatus 200 further comprises a second acquisition module.
The second acquisition module is used for acquiring the absolute value of the hash value of the second target information of each data main body end; and obtaining the first target information of the data providing end according to the absolute value of the hash value of the second target information of each data main end.
In an embodiment, the second obtaining module is further configured to perform root finding processing on each absolute value in the positive integer data set composed of absolute values of hash values of the second target information of each data body end, and reserve a decimal of a preset number of bits for the root finding result to obtain a root finding value; the decimal numerical value of the root value is subjected to difference calculation with the integral numerical value, and a difference calculation result is obtained; the absolute value of the difference result is used as first target information of the data providing end.
In an embodiment, the second construction module 201 is further configured to construct second comparison verification data based on the second homomorphic hiding function and the first verification data.
The second verification module 203 is further configured to compare the second comparison verification data with the second verification data to obtain a second verification result; if the second comparison verification data is the same as the second verification data, the second verification result indicates that the second verification data is from the data main body end.
The technical effects of the device for verifying identity provided by the embodiment of the present application can be seen from the above embodiments, and are not described herein.
Fig. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in fig. 11, the terminal device 6 of this embodiment includes: at least one processor 60 (only one processor is shown in fig. 11), a memory 61 and a computer program 62 stored in the memory 61 and executable on the at least one processor 60, the processor 60 executing the computer program 62 performing the steps of any of the various method embodiments for verifying identity described above.
The terminal device 6 may be a computing device such as a desktop computer, a notebook computer, a palm computer, and a cloud server. The terminal device may include, but is not limited to, a processor 60, a memory 61. It will be appreciated by those skilled in the art that fig. 11 is merely an example of the terminal device 6 and is not meant to be limiting as to the terminal device 6, and may include more or fewer components than shown, or may combine certain components, or may include different components, such as input-output devices, network access devices, etc.
The processor 60 may be a central processing unit (Central Processing Unit, CPU), the processor 60 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (FieldProgrammable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 61 may in some embodiments be an internal storage unit of the terminal device 6, such as a hard disk or a memory of the terminal device 6. The memory 61 may in other embodiments also be an external storage device of the terminal device 6, such as a plug-in hard disk provided on the terminal device 6, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like. Further, the memory 61 may also include both an internal storage unit and an external storage device of the terminal device 6. The memory 61 is used to store an operating device, an application program, a boot loader (BootLoader), data, and other programs and the like, such as program codes of computer programs and the like. The memory 61 may also be used to temporarily store data that has been output or is to be output.
It should be noted that, because the content of information interaction and execution process between the above devices/units is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to in the method embodiment section, and will not be described herein. It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above device may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The embodiment of the application also provides a terminal device, which comprises: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, the processor implementing the steps in any of the various method embodiments described above when the computer program is executed.
The embodiments of the present application also provide a computer readable storage medium storing a computer program, which when executed by a processor, implements the steps of the above-described method embodiments.
The embodiments of the present application provide a computer program product enabling a terminal device to carry out the steps of the method embodiments described above when the computer program product is run on the terminal device.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application may implement all or part of the flow of the method of the above-described embodiments, and may be implemented by a computer program to instruct related hardware, and the computer program may be stored in a computer readable storage medium, where the computer program, when executed by a processor, may implement the steps of each of the method embodiments described above. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, executable files or in some intermediate form, etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to an apparatus/terminal device, a recording medium, a computer Memory, a Read Only Memory (ROM), a random access Memory (RAM, random Access Memory), an electrical carrier signal, a telecommunication signal, and a software distribution medium. Such as a U-disk, removable hard disk, magnetic or optical disk, etc.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and in part, not described or illustrated in any particular embodiment, reference is made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.
Claims (10)
1. A method for verifying identity for a data hosting terminal, comprising:
acquiring first verification data sent by a data providing end, wherein the first verification data is constructed by the data providing end based on a first synchronous hiding function and first target information of the data providing end;
verifying the first verification data by using a first verification mode to obtain a first verification result;
if the first verification result indicates that the data providing end is a target information end, second verification data are constructed, wherein the second verification data are constructed by the data main body end based on a second homomorphic hidden function and second target information of the data main body end;
and sending the second verification data to the data providing end, wherein the second verification data is used for indicating the data providing end to verify whether the second verification data is from the data main body end.
2. The method of claim 1, wherein verifying the first verification data using a first verification method to obtain a first verification result comprises:
constructing and obtaining first comparison verification data based on the first homomorphic hiding function and the second target information;
Comparing the first comparison verification data with the first verification data to obtain a first verification result;
and if the first comparison verification data is the same as the first verification data, the first verification result indicates that the data providing end is a target information end.
3. The method according to any one of claims 1 to 2, wherein the first verification data is a first order merck tree and the second verification data is a second order merck tree.
4. A method for verifying identity for a data provider, comprising:
constructing and obtaining first verification data according to the first homomorphic hiding function and the first target information;
the first verification data is sent to a data main body end, the data main body end verifies the first verification data in a first verification mode, and when a verification result indicates that the data providing end is a target information end, second verification data is sent to the data providing end, and the second verification data is constructed by the data main body end based on a second homomorphic hiding function and second target information of the data main body end;
and verifying the second verification data to obtain a second verification result, and confirming whether the second verification data come from the data main body end or not according to the second verification result.
5. The method of claim 4, wherein the data provider stores second target information of a plurality of data body terminals;
before the first verification data is constructed according to the first homomorphic hiding function and the first target information, the method comprises the following steps:
acquiring an absolute value of a hash value of the second target information of each data main body end;
and obtaining the first target information of the data providing end according to the absolute value of the hash value of the second target information of each data main end.
6. The method according to claim 5, wherein the obtaining the first target information of the data providing terminal based on the absolute value of the hash value of the second target information of each of the data body terminals includes:
for each absolute value in a positive integer data set consisting of the absolute values of hash values of the second target information of each data body end, carrying out root finding processing on each absolute value, and reserving decimal of a preset bit number for a root finding result to obtain a root finding value;
the decimal numerical value of the root value and the integral numerical value are subjected to difference obtaining to obtain a difference obtaining result;
and taking the absolute value of the difference result as first target information of the data providing end.
7. The method of claim 4, wherein verifying the second verification data to obtain a second verification result comprises:
constructing and obtaining second comparison verification data based on the second homomorphic hiding function and the first verification data;
comparing the second comparison verification data with the second verification data to obtain a second verification result;
and if the second comparison verification data is the same as the second verification data, the second verification result indicates that the second verification data is from the data main body end.
8. The method of any of claims 4 to 7, wherein the first validation data is a first order merck tree and the second validation data is a second order merck tree.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing a method of verifying identity as claimed in any one of claims 1 to 3 or 4 to 8 when the computer program is executed.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements a method of verifying an identity according to any one of claims 1 to 3 or 4 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310494360.0A CN116599709B (en) | 2023-04-28 | 2023-04-28 | Method, terminal and computer storage medium for verifying identity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310494360.0A CN116599709B (en) | 2023-04-28 | 2023-04-28 | Method, terminal and computer storage medium for verifying identity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116599709A true CN116599709A (en) | 2023-08-15 |
| CN116599709B CN116599709B (en) | 2024-02-20 |
Family
ID=87594782
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310494360.0A Active CN116599709B (en) | 2023-04-28 | 2023-04-28 | Method, terminal and computer storage medium for verifying identity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116599709B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR102009132B1 (en) * | 2019-03-15 | 2019-08-19 | 주식회사 위즈덤그룹 | Big data-based knowledge·information sharing online platform and its application system |
| CN113872751A (en) * | 2021-09-29 | 2021-12-31 | 深圳市电子商务安全证书管理有限公司 | Service data monitoring method, device, equipment and storage medium |
| CN114785802A (en) * | 2022-04-18 | 2022-07-22 | 上海阵方科技有限公司 | Data node structure based on P2P and private calculation and data management method |
| CN116015900A (en) * | 2022-12-28 | 2023-04-25 | 中国联合网络通信集团有限公司 | Data self-storage self-verification method, device, equipment and storage medium |
-
2023
- 2023-04-28 CN CN202310494360.0A patent/CN116599709B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR102009132B1 (en) * | 2019-03-15 | 2019-08-19 | 주식회사 위즈덤그룹 | Big data-based knowledge·information sharing online platform and its application system |
| CN113872751A (en) * | 2021-09-29 | 2021-12-31 | 深圳市电子商务安全证书管理有限公司 | Service data monitoring method, device, equipment and storage medium |
| CN114785802A (en) * | 2022-04-18 | 2022-07-22 | 上海阵方科技有限公司 | Data node structure based on P2P and private calculation and data management method |
| CN116015900A (en) * | 2022-12-28 | 2023-04-25 | 中国联合网络通信集团有限公司 | Data self-storage self-verification method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116599709B (en) | 2024-02-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI784002B (en) | Computer-implemented method and system for script-based blockchain interaction and non-transitory computer-readable storage medium | |
| JP7272960B2 (en) | Method, storage medium and electronic device for secure dynamic threshold signature schemes utilizing trusted hardware | |
| CN109196816B (en) | Public key infrastructure using blockchains | |
| CN109639714B (en) | Internet of things identity registration and verification method based on block chain | |
| US10700861B2 (en) | System and method for generating a recovery key and managing credentials using a smart blockchain contract | |
| CN110336774B (en) | Mixed encryption and decryption method, equipment and system | |
| Anwar et al. | Hash Algorithm In Verification Of Certificate Data Integrity And Security | |
| CN110910110B (en) | Data processing method and device and computer storage medium | |
| Cao et al. | Anonymous scheme for blockchain atomic swap based on zero-knowledge proof | |
| CN110191467A (en) | A kind of method for authenticating of internet of things equipment, unit and storage medium | |
| CN112184245B (en) | Transaction identity confirmation method and device for cross-region block chain | |
| CN112422516B (en) | Trusted connection method and device based on power edge calculation and computer equipment | |
| CN116599709B (en) | Method, terminal and computer storage medium for verifying identity | |
| CN114499854B (en) | Identity authentication method and system based on wireless sensor network and electronic equipment | |
| CN113987446A (en) | Authentication method and device | |
| WO2021196478A1 (en) | Method for comparing equality relationship of encryption data, device, computer apparatus, and storage medium | |
| CN112417393B (en) | Identity verification method, device, computer equipment and computer readable storage medium | |
| CN117081744B (en) | Signature processing method and device based on elliptic curve and electronic equipment | |
| Huo et al. | ECC-based RFID/NFC mutual authentication protocol | |
| CN113312651B (en) | Interactive authentication method, device, equipment and computer readable storage medium | |
| US20230060347A1 (en) | Electronic authentication system and method of supporting multi-signature | |
| WO2021212611A1 (en) | Encrypted data peer-to-peer relationship parameter inspection method and apparatus, and device and storage medium | |
| CN117522399A (en) | Digital asset processing system and method based on block chain | |
| CN115277240A (en) | Authentication method and device for Internet of things equipment | |
| CN114091119A (en) | Information processing method, information processing device, electronic equipment and computer readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |