CN116707818A - Online rapid identity authentication system and method based on trusted computing module - Google Patents

Info

Publication number: CN116707818A
Application number: CN202310623980.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李欣, 李元正
Current assignee: Beijing Guotai Netcom Technology Co ltd; Chengdu Guotai Wangxin Technology Co ltd
Original assignee: Beijing Guotai Netcom Technology Co ltd; Chengdu Guotai Wangxin Technology Co ltd
Application filed by Beijing Guotai Netcom Technology Co ltd and Chengdu Guotai Wangxin Technology Co ltd

Classifications

    • H04L9/3226 — Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 — Biological data, e.g. fingerprint, voice or retina
    • H04L9/0643 — Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0863 — Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • Y04S40/20 — Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses an online rapid identity authentication system and method based on a trusted computing module. The system comprises a client, an identity verifier and an identity authentication server. By embedding a TCM chip in the device to provide a secure environment for the Level 3 FIDO verifier, the device can store the private key and any information about the local authentication method inside the TCM, and can hand the processing of challenge information and the generation and storage of user information over to the TCM. The invention not only better solves the problem of information leakage and improves the security of the Level 3 FIDO verifier, but also has better practicability. With this design, a third party cannot steal the private key or the related local identity authentication methods by technical means, user information is not revealed when the user's device is stolen, and the security of the Level 3 FIDO verifier is greatly improved.

Description

Online rapid identity authentication system and method based on trusted computing module
Technical Field
The invention relates to the technical field of online rapid identity authentication, and in particular to an online rapid identity authentication system and method based on a trusted computing module.
Background
FIDO (Fast Identity Online), also called online rapid identity authentication, is an identity authentication method proposed by the FIDO Alliance, which was established in 2012. The idea of FIDO is that the user's biometric information is introduced into the FIDO verifier through the UAF and U2F protocols, and user identity authentication is performed using that identity characteristic information. In FIDO the user is not required to provide the private key of a key pair, only personal identity authentication information, namely biometric characteristics such as a face, a fingerprint or a pupil. The user does not need to memorize or provide any information: the system stores the key material locally on the user's device and calls it directly from there when it is used. This shift lets the system generate sufficiently complex, featureless key pairs, and also removes the possibility of a human disclosing the key material, since the user never knows it, enabling faster, more compact and safer password-free authentication.
A FIDO-enabled device implements user authentication through a FIDO authenticator and the corresponding authentication protocols embedded in the device. The FIDO Alliance currently provides three sets of user identity authentication specifications: FIDO UAF, FIDO U2F and FIDO2, where FIDO2 is a combination of a set of protocols. All FIDO protocols are based on public key cryptography and are highly resistant to phishing. FIDO UAF, the FIDO Universal Authentication Framework, is applicable to B2C (business to consumer) scenarios; it can also combine multiple identity authentication mechanisms into a combined authentication. FIDO U2F, the FIDO Universal Second Factor, is applicable to B2E (enterprise to employee) scenarios. FIDO U2F allows the server to enhance the security of the user's existing password infrastructure by adding a strong second factor, such as an SMS authentication code or a FIDO security key, to the user's login process. Software that authenticates with FIDO U2F still requires the user to log in with a user name and password as before, but will require the user to present the second-factor device at a point in time selected by the user. FIDO2 was completed jointly by the FIDO Alliance and the World Wide Web Consortium (W3C); it is a Web-oriented authentication standard applicable to more scenarios, so that the verifier can perform identity authentication through a browser and other devices. FIDO2 combines the W3C Web Authentication (WebAuthn) specification with the Client to Authenticator Protocol (CTAP) provided by the FIDO Alliance, where CTAP is complementary to WebAuthn.
By design, FIDO2 supports password-free, second-factor and multi-factor authentication modes through an embedded identity verifier (e.g. biometric recognition or a PIN) or an external identity verifier (e.g. a FIDO security key, mobile device or wearable device). The Level 3 FIDO verifier uses FIDO2 as its authentication protocol.
The authentication flows of the different FIDO authentication specifications are substantially identical. In general, FIDO authentication falls into two categories: identity registration and identity authentication. The user must first generate a key pair through identity registration, and is then verified by re-authentication whenever verification is needed later. During identity registration, the user selects the type of FIDO identity verifier to use and provides the corresponding biometric information to unlock that verifier; the user's device then generates a key pair and sends the public key to the FIDO server, the FIDO server adds an account associated with that public key, and the private key and any information related to the local identity verification method (such as the biometric or its template) never leave the local device. When authentication is needed, the user first provides their biometric information to the client containing the FIDO verifier, as required by the authentication standard that verifier supports. After confirming that the biometric information is correct, the FIDO verifier in the client unlocks the private key stored in its secure space and sends an authentication request to the FIDO server. On receiving the request, the FIDO server generates a random number, encrypts it with the public key it stores for that user to form a challenge message, and sends the challenge to the client. On receiving the challenge, the client decrypts it in the secure space using the private key and returns the result directly to the server. After receiving the result, the server compares it with the random number it generated; if they are the same, the server confirms the identity of the client and re-verification is complete.
However, in an ordinary environment the FIDO verifier performs key generation and challenge encryption in the open. A third party can steal the data used inside the FIDO verifier through malicious software installed on the user's device, and can indirectly learn the information the user uses by monitoring the verifier's signals through side-channel attacks. This leaks user information, so the security of the FIDO verifier cannot be ensured.
Disclosure of Invention
To address these defects in the prior art, the invention provides an online rapid identity authentication system and method based on a trusted computing module.
To achieve this aim, the invention adopts the following technical scheme.
In a first aspect, the invention provides an online rapid identity authentication system based on a trusted computing module, comprising:
a client, which generates biometric data and sends an identity registration request to the identity authentication server; receives the user registration data segment sent by the identity authentication server, combines it with the client data into serialized client data, calculates the hash value of the serialized client data, obtains the server identifier of the identity authentication server, and sends the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier; and receives the user public key and the attestation statement item returned by the identity verifier and sends the attestation statement item and the serialized client data to the identity authentication server;
an identity verifier, which receives the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier, performs a format check, calls the trusted computing module to encrypt the biometric data, generating a biometric ciphertext and a user number, generates a key pair according to the user number, generates the user's attestation statement and credential ID to form an attestation statement item, and returns the user public key and the attestation statement item to the client;
an identity authentication server, which responds to the identity registration request sent by the client by sending the user registration data segment to the client, and receives the attestation statement item and the serialized client data sent by the client and grants rights to the client.
In a second aspect, the invention provides an online rapid identity authentication method based on a trusted computing module, comprising the following steps:
S1, the client generates biometric data and sends an identity registration request to the identity authentication server;
S2, the identity authentication server receives the identity registration request sent by the client and sends a user registration data segment to the client;
S3, the client receives the user registration data segment sent by the identity authentication server, combines it with the client data into serialized client data, calculates the hash value of the serialized client data, obtains the server identifier of the identity authentication server, and sends the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier;
S4, the identity verifier receives the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier, performs a format check, calls the trusted computing module to encrypt the biometric data, generating a biometric ciphertext and a user number, generates a key pair according to the user number, generates the user's attestation statement and credential ID to form an attestation statement item, and returns the user public key and the attestation statement item to the client;
S5, the client receives the user public key and the attestation statement item returned by the identity verifier and sends the attestation statement item and the serialized client data to the identity authentication server;
S6, the identity authentication server receives the attestation statement item and the serialized client data sent by the client and grants rights to the client.
The invention has the following beneficial effects:
The invention designs a new Level 3 FIDO verifier based on a trusted computing module (TCM). By embedding a TCM chip in the device it provides a secure environment for the Level 3 FIDO verifier: the private key and any information related to the local identity verification method can be stored inside the TCM, challenge information is processed there, and user information is generated and stored there. The invention not only better solves the problem of information leakage and improves the security of the Level 3 FIDO verifier, but also has better practicability. With this design, a third party cannot steal the private key or the related local identity authentication methods by technical means, user information is not revealed when the user's device is stolen, and the security of the Level 3 FIDO verifier is greatly improved.
Drawings
Fig. 1 is a schematic diagram of an online rapid identity authentication system based on a trusted computing module in embodiment 1;
Fig. 2 is a schematic diagram of the user identity registration process in embodiment 1;
Fig. 3 is a schematic diagram of the user identity authentication procedure in embodiment 1.
Detailed Description
The following description of the embodiments is provided to help those skilled in the art understand the invention, but it should be understood that the invention is not limited to the scope of these embodiments; for those skilled in the art, all inventions that make use of the inventive concept are protected within the spirit and scope of the invention as defined in the appended claims.
Example 1
The embodiment of the invention provides an online rapid identity authentication system based on a trusted computing module, comprising the client, the identity verifier and the identity authentication server with the functions described in the first aspect above.
In an alternative embodiment of the invention, the client is specifically configured to:
receive the user registration data segment sent by the identity authentication server and decompose it into a challenge value, user attestation data and server request data;
combine the challenge value and the client data into serialized client data and calculate the hash value of the serialized client data;
send the user attestation data, the server request data, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier.
In an alternative embodiment of the invention, the identity verifier specifically comprises:
a processor module, which receives the biometric ciphertext sent by the communication module, sends it to the storage module and receives the user number returned by the storage module; sends a key negotiation application to the key generation module and receives the user public key it returns; sends an identity authentication application and the user number to the signature verification module and receives the challenge value ciphertext it returns; and transmits the user public key and the challenge value ciphertext to the communication module;
an encryption and decryption module, which receives the biometric data sent by the communication module, calls the trusted computing module to store the user number and encrypt the biometric data, obtains the biometric ciphertext and the user number returned by the trusted computing module, and passes them back to the communication module;
a key generation module, which responds to the key negotiation application sent by the processor module by calling the trusted computing module to generate a public-private key pair, associating the user private key with the user identity information ciphertext and storing it in the trusted computing module, obtaining the user public key returned by the trusted computing module and returning it to the processor module;
a signature verification module, which responds to the identity authentication application and user number sent by the processor module by looking up the user private key in the trusted computing module according to the user number, calling the trusted computing module to encrypt the challenge value with that private key, obtaining the challenge value ciphertext returned by the trusted computing module and returning it to the processor module;
a communication module, which receives the biometric data sent by the client and sends it to the encryption and decryption module, receives the biometric ciphertext and the user number returned by the encryption and decryption module, sends the biometric ciphertext to the processor module and sends the biometric ciphertext and the user number to the storage module; and receives the user public key and the challenge value ciphertext sent by the processor module and sends them to the client;
a storage module, which stores the biometric ciphertext and the user number, receives the biometric ciphertext sent by the processor module, looks up the corresponding user number according to the biometric ciphertext and returns it to the processor module.
In an alternative embodiment of the invention, the client is further configured to:
generate biometric data and send an identity authentication request to the identity authentication server; receive the challenge value sent by the identity authentication server, combine it with the client data into serialized client data, calculate the hash value of the serialized client data, obtain the server identifier of the identity authentication server, and send the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier; and receive the identity authentication assertion signature and the verifier data returned by the identity verifier and send the identity authentication assertion signature, the verifier data and the serialized client data to the identity authentication server.
In an alternative embodiment of the invention, the identity verifier is further configured to:
receive the biometric data, the hash value of the serialized client data and the server identifier, perform a format check, call the trusted computing module to encrypt the biometric data, obtain the biometric ciphertext, look up the user number according to the biometric ciphertext and generate the user's verifier data; generate serialized verifier data from the hash value of the serialized client data and the verifier data, call the trusted computing module to extract the user private key according to the user number, generate the identity authentication assertion signature from the user private key and the serialized verifier data, and return the identity authentication assertion signature and the verifier data to the client.
In this embodiment the FIDO verifier is divided roughly into three functional modules: a processor module, a storage module and a communication module. A secure computation call module is newly added to the TCM-based FIDO verifier. Through this module the FIDO verifier can call the TCM to perform secure computation and generate secure keys, ensuring that user registration and authentication take place in a secure environment.
In the TCM-based FIDO verifier, the secure computation call module is the communication interface between the FIDO verifier and the TCM chip. Through it the encryption and decryption, key generation and signature verification functions required during identity registration and identity verification are realized, providing a secure environment for the FIDO verifier.
The TCM-based key generation interface in the FIDO verifier is implemented by the key generation module within the secure computation call module. Its main function is to generate public and private key pairs for registered users during identity registration. When a user identity is registered, the processor module of the FIDO verifier sends a key negotiation application to the key generation module; the key generation module calls the TCM to generate a public-private key pair, associates the user's private key with the user's identity information ciphertext and stores it in the TCM, and receives the user's public key returned by the TCM. On receiving the public key, the key generation module passes it back to the processor module.
The TCM-based encryption and decryption interface in the FIDO verifier is implemented by the encryption and decryption module within the secure computation call module. Its main functions are to encrypt the user's biometric and generate a user number at identity registration, and to encrypt the user's biometric at identity verification. During registration and authentication the communication module of the FIDO verifier calls the encryption and decryption module and sends it the user's biometric data, and the encryption and decryption module encrypts that data using the TCM. The TCM service module returns the biometric ciphertext to the encryption and decryption module, which returns it to the communication module. During identity registration the encryption and decryption module additionally uses the TCM to generate the registered user's user number and store it in the TCM, and the TCM returns the user number to the encryption and decryption module along with the ciphertext.
The TCM-based signature verification interface in the FIDO verifier is implemented by the signature verification module within the secure computation call module. Its main function is to encrypt the challenge information transmitted by the server during identity verification. When a user authenticates, the communication module of the FIDO verifier calls the signature verification module and sends it the user's user number; the signature verification module uses the user number to look up the user's private key in the TCM and encrypts the challenge information inside the TCM. Once encryption is complete, the TCM returns the challenge ciphertext to the signature verification module.
User identity registration is one of the main functions of the FIDO verifier. It creates a user token on the FIDO server and on the FIDO verifier respectively, marks the user as a legitimate user, and has the FIDO server grant the user certain rights. At registration, in order for the FIDO server to verify the origin of the FIDO verifier and the data it issues, the FIDO verifier must submit a piece of proof to the FIDO server. A proof is a declaration used to witness, validate or authenticate, and consists essentially of verifier data and an attestation statement. The verifier data is stored in the storage module of the FIDO verifier and is a compact but extensible encoding produced by the FIDO verifier from the context bindings. The RP ID HASH is the SHA-256 of the RP ID in the user's saved data. Each bit in FLAGS is set when the data the client provides to the FIDO verifier carries the corresponding requirement: UP is set only when a user presence test is required; UV is set when the verifier has performed user verification; AT is set only when a public key credential was newly generated and attested credential data is included, and is not set otherwise; ED is 0 if no extension data is included and 1 otherwise. The attested credential data is a variable-length byte array that is added to the verifier data when an attestation object is generated for a given credential.
An attestation statement is a particular type of signed data object that contains a public key credential and a statement by the identity verifier that created that credential, representing a cryptographic signature by the authenticator over a set of context bindings.
When the online rapid identity authentication system based on a trusted computing module provided by the embodiment of the invention performs user identity registration:
First, the user clicks the registration button in the user agent (an application or a browser) and presents a biometric feature to the client. Either the user agent uses the biometric feature directly and generates biometric data, or it forwards the feature to the client platform, which generates the biometric data. Whichever platform generated the biometric data sends an identity registration request (Request1) to the FIDO server through the PublicKeyCredential interface.
The server then returns the user registration data segment PublicKeyCredentialRequestOptions to the client platform through the PublicKeyCredential interface.
After receiving the user registration data segment PublicKeyCredentialRequestOptions, the client platform decomposes it into the challenge value challenge, the user attestation data User Info and the server request data Relying Party Info.
The challenge value is combined with the data supplied by the client into the serialized client data clientDataJSON, and clientDataHash is computed as the SHA-256 of clientDataJSON.
The client obtains the server identifier RP ID from the website at which the user requested registration. The client platform then calls the identity verifier's API AuthenticatorAttestationResponse, passing clientDataHash, the biometric data, the user attestation data User Info, the server request data Relying Party Info and the server identifier RP ID to the identity verifier.
The identity verifier first checks the received clientDataHash, biometric data, User Info, Relying Party Info and RP ID. Once the data format is confirmed to be correct, it calls the TCM to encrypt the biometric data, producing the biometric ciphertext biometricCode and the user number UserId; the memory module of the FIDO verifier stores biometricCode and UserId.
The verifier then calls the key negotiation function of the TCM, passing in UserId; the TCM generates the user's key pair according to UserId and returns the user's public key publicKey to the FIDO verifier. After generating the user's attestation statement and credential ID, the FIDO verifier assembles the user's public key, the attestation statement and the credential ID into the attestation object AttestationObject and returns it to the client platform.
Finally, the client platform sends AttestationObject together with the client-side serialized client data clientDataJSON to the FIDO server, which stores the received data and assigns the corresponding rights.
User identity authentication is another main function of the FIDO verifier and serves to achieve mutual authentication between user and server. For a Level 3 FIDO verifier supporting the FIDO2 authentication protocol, the verifier uses an identity authentication assertion as its challenge response so that the server can authenticate the user.
When the online rapid identity authentication system based on a trusted computing module provided by the embodiment of the invention performs user identity authentication:
First, after the user clicks the login function in the user agent (an application or a browser) and presents a biometric feature, either the user agent uses the biometric feature directly and generates biometric data, or it forwards the feature to the client platform, which generates the biometric data. The platform that generated the biometric data sends an identity authentication request (Request2) to the FIDO server through the PublicKeyCredential interface.
The server then sends the challenge value challenge to the client platform through the PublicKeyCredential interface.
After receiving the challenge, the client platform combines it with the client-supplied data into the serialized client data clientDataJSON and computes clientDataHash as the SHA-256 of clientDataJSON. The client obtains the server identifier RP ID from the website at which the user registered.
The client platform then calls the identity verifier's API AuthenticationResponse, passing clientDataHash, the biometric data, the RP ID and some optional data to the identity verifier.
After receiving them, the identity verifier first checks clientDataHash, the biometric data and the RP ID. Once the data format is confirmed to be correct, it calls the TCM to encrypt the biometric data, obtaining the biometric code. The biometric code is used to look up the user's UserId in the FIDO verifier and to generate the verifier data authenticatorData for the user. authenticatorData is concatenated with clientDataHash to form authenticatorData||clientDataHash, and the FIDO verifier passes UserId and authenticatorData||clientDataHash to the TCM.
The TCM then retrieves the user's private key privateKey by UserId, signs authenticatorData||clientDataHash with privateKey to form the identity authentication assertion signature, and returns it to the FIDO verifier. Plain concatenation without length framing is safe here because authenticatorData describes its own length and clientDataHash, a fixed 32-byte SHA-256 digest, is always the last element.
Finally, the FIDO verifier returns the assertion signature and authenticatorData to the client platform. The client platform sends the signature, authenticatorData and the client-side clientDataJSON to the FIDO server, which verifies the received data and, once it is confirmed, grants the user the corresponding rights.
The invention designs a new Level 3 FIDO verifier based on a trusted computing module (TCM). By embedding a TCM chip in the device it provides a secure environment for the Level 3 FIDO verifier: the private key and any information related to the local user verification method can be stored in the TCM, the challenge is processed in the TCM, and user information is generated in and stored in the TCM. This not only mitigates information leakage and improves the security of the Level 3 FIDO verifier, but is also practical. With this design, a third party cannot extract the private key or the associated local user verification data by technical means, user information is not exposed if the user's device is stolen, and the security of the Level 3 FIDO verifier is greatly improved.
Example 2
Based on the online rapid identity authentication system based on a trusted computing module described in Example 1, the embodiment of the invention also provides an online rapid identity authentication method based on a trusted computing module, comprising the following steps:
S1: the client generates biometric data and sends an identity registration request to the identity authentication server;
S2: the identity authentication server receives the identity registration request sent by the client and sends a user registration data segment to the client;
S3: the client receives the user registration data segment sent by the identity authentication server, forms serialized client data from it and the client data, computes the hash value of the serialized client data, obtains the server identifier of the identity authentication server, and sends the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier;
S4: the identity verifier receives the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier, performs a format check, calls the trusted computing module to encrypt the biometric data, generates a biometric ciphertext and a user number, generates a key pair according to the user number, generates the user's attestation statement and credential ID to form an attestation object, and returns the user public key and the attestation object to the client;
S5: the client receives the user public key and the attestation object returned by the identity verifier and sends the attestation object and the serialized client data to the identity authentication server;
S6: the identity authentication server receives the attestation object and the serialized client data sent by the client and assigns rights to the client.
In an alternative embodiment of the present invention, S3 specifically comprises:
receiving the user registration data segment sent by the identity authentication server and decomposing it into a challenge value, user attestation data and server request data;
forming serialized client data from the challenge value and the client data and computing the hash value of the serialized client data;
sending the user attestation data, the server request data, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier.
In an alternative embodiment of the present invention, step S4 specifically comprises:
S41: the processor module sends a key negotiation request to the key generation module;
S42: the key generation module receives the key negotiation request sent by the processor module, calls the trusted computing module to generate a public/private key pair, associates the user private key with the user identity information ciphertext and stores it in the trusted computing module, obtains the user public key returned by the trusted computing module and returns it to the processor module;
S43: the processor module receives the user public key returned by the key generation module and sends it to the communication module;
S44: the communication module receives the user public key sent by the processor module and sends it to the client;
S45: the communication module receives the biometric data sent by the client and sends it to the encryption and decryption module;
S46: the encryption and decryption module receives the biometric data sent by the communication module, calls the trusted computing module to store the user number and encrypt the biometric data, obtains the biometric ciphertext and the user number returned by the trusted computing module and returns them to the communication module;
S47: the communication module receives the biometric ciphertext and the user number returned by the encryption and decryption module, sends the biometric ciphertext to the processor module, and sends the biometric ciphertext and the user number to the storage module;
S48: the processor module receives the biometric ciphertext sent by the communication module and sends it to the storage module;
S49: the storage module stores the biometric ciphertext and the user number, receives the biometric ciphertext sent by the processor module, looks up the corresponding user number according to the biometric ciphertext and returns it to the processor module;
S410: the processor module receives the user number returned by the storage module and sends an identity authentication request together with the user number to the signature verification module;
S411: the signature verification module receives the identity authentication request and the user number sent by the processor module, looks up the user private key in the trusted computing module according to the user number, calls the trusted computing module to encrypt (that is, sign) the challenge value with the user private key, obtains the challenge value ciphertext returned by the trusted computing module and returns it to the processor module;
S412: the processor module receives the challenge value ciphertext returned by the signature verification module and sends it to the communication module;
S413: the communication module receives the challenge value ciphertext sent by the processor module and sends it to the client.
In an alternative embodiment of the present invention, the method further comprises:
the client generating biometric data and sending an identity authentication request to the identity authentication server; receiving the challenge value sent by the identity authentication server, forming serialized client data from it and the client data, computing the hash value of the serialized client data, obtaining the server identifier of the identity authentication server, and sending the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier; and receiving the identity authentication assertion signature and the verifier data returned by the identity verifier and sending the identity authentication assertion signature, the verifier data and the serialized client data to the identity authentication server.
In an alternative embodiment of the present invention, the method further comprises:
the identity verifier receiving the biometric data, the hash value of the serialized client data and the server identifier, performing a format check, calling the trusted computing module to encrypt the biometric data to obtain a biometric ciphertext, looking up the user number according to the biometric ciphertext, and generating the user's verifier data; generating serialized verifier data from the hash value of the serialized client data and the verifier data, calling the trusted computing module to retrieve the user private key according to the user number, generating the identity authentication assertion signature from the user private key and the serialized verifier data, and returning the identity authentication assertion signature and the verifier data to the client.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.
Those of ordinary skill in the art will recognize that the embodiments described herein are for the purpose of aiding the reader in understanding the principles of the present invention and should be understood that the scope of the invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can make various other specific modifications and combinations from the teachings of the present disclosure without departing from the spirit thereof, and such modifications and combinations remain within the scope of the present disclosure.

Claims (10)

1. An online rapid identity authentication system based on a trusted computing module, comprising:
a client, configured to generate biometric data and send an identity registration request to an identity authentication server; receive a user registration data segment sent by the identity authentication server, form serialized client data from it and the client data, compute a hash value of the serialized client data, obtain a server identifier of the identity authentication server, and send the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier to an identity verifier; and receive a user public key and an attestation object returned by the identity verifier and send the attestation object and the serialized client data to the identity authentication server;
the identity verifier, configured to receive the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier, perform a format check, call the trusted computing module to encrypt the biometric data, generate a biometric ciphertext and a user number, generate a key pair according to the user number, generate the user's attestation statement and credential ID to form the attestation object, and return the user public key and the attestation object to the client;
the identity authentication server, configured to respond to the identity registration request sent by the client by sending the user registration data segment to the client, and to receive the attestation object and the serialized client data sent by the client and assign rights to the client.
2. The online rapid identity authentication system based on a trusted computing module of claim 1, wherein the client is specifically configured to:
receive the user registration data segment sent by the identity authentication server and decompose it into a challenge value, user attestation data and server request data;
form serialized client data from the challenge value and the client data and compute the hash value of the serialized client data;
send the user attestation data, the server request data, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier.
3. The online rapid identity authentication system based on a trusted computing module of claim 1, wherein the identity verifier specifically comprises:
a processor module, configured to receive the biometric ciphertext sent by the communication module, send the biometric ciphertext to the storage module and receive the user number returned by the storage module; send a key negotiation request to the key generation module and receive the user public key returned by the key generation module; send an identity authentication request and the user number to the signature verification module and receive the challenge value ciphertext returned by the signature verification module; and send the user public key and the challenge value ciphertext to the communication module;
an encryption and decryption module, configured to receive the biometric data sent by the communication module, call the trusted computing module to store the user number and encrypt the biometric data, obtain the biometric ciphertext and the user number returned by the trusted computing module and return them to the communication module;
a key generation module, configured to respond to the key negotiation request sent by the processor module by calling the trusted computing module to generate a public/private key pair, associating the user private key with the user identity information ciphertext and storing it in the trusted computing module, obtaining the user public key returned by the trusted computing module and returning it to the processor module;
a signature verification module, configured to respond to the identity authentication request and the user number sent by the processor module by looking up the user private key in the trusted computing module according to the user number, calling the trusted computing module to encrypt the challenge value with the user private key, obtaining the challenge value ciphertext returned by the trusted computing module and returning it to the processor module;
a communication module, configured to receive the biometric data sent by the client and send it to the encryption and decryption module; receive the biometric ciphertext and the user number returned by the encryption and decryption module, send the biometric ciphertext to the processor module and send the biometric ciphertext and the user number to the storage module; and receive the user public key and the challenge value ciphertext sent by the processor module and send them to the client;
a storage module, configured to store the biometric ciphertext and the user number, receive the biometric ciphertext sent by the processor module, look up the corresponding user number according to the biometric ciphertext and return it to the processor module.
4. The online rapid identity authentication system based on a trusted computing module of claim 2, wherein the client is further configured to:
generate biometric data and send an identity authentication request to the identity authentication server; receive a challenge value sent by the identity authentication server, form serialized client data from it and the client data, compute the hash value of the serialized client data, obtain the server identifier of the identity authentication server, and send the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier; and receive an identity authentication assertion signature and verifier data returned by the identity verifier and send the identity authentication assertion signature, the verifier data and the serialized client data to the identity authentication server.
5. The online rapid identity authentication system of claim 4, wherein the identity verifier is further configured to:
receive the biometric data, the hash value of the serialized client data and the server identifier, perform a format check, call the trusted computing module to encrypt the biometric data to obtain a biometric ciphertext, look up the user number according to the biometric ciphertext, and generate the user's verifier data; generate serialized verifier data from the hash value of the serialized client data and the verifier data, call the trusted computing module to retrieve the user private key according to the user number, generate the identity authentication assertion signature from the user private key and the serialized verifier data, and return the identity authentication assertion signature and the verifier data to the client.
6. An online rapid identity authentication method based on a trusted computing module, characterized by comprising the following steps:
S1: a client generates biometric data and sends an identity registration request to an identity authentication server;
S2: the identity authentication server receives the identity registration request sent by the client and sends a user registration data segment to the client;
S3: the client receives the user registration data segment sent by the identity authentication server, forms serialized client data from it and the client data, computes a hash value of the serialized client data, obtains a server identifier of the identity authentication server, and sends the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier to an identity verifier;
S4: the identity verifier receives the user registration data segment, the biometric data, the hash value of the serialized client data and the server identifier, performs a format check, calls the trusted computing module to encrypt the biometric data, generates a biometric ciphertext and a user number, generates a key pair according to the user number, generates the user's attestation statement and credential ID to form an attestation object, and returns a user public key and the attestation object to the client;
S5: the client receives the user public key and the attestation object returned by the identity verifier and sends the attestation object and the serialized client data to the identity authentication server;
S6: the identity authentication server receives the attestation object and the serialized client data sent by the client and assigns rights to the client.
7. The online rapid identity authentication method based on a trusted computing module of claim 6, wherein S3 specifically comprises:
receiving the user registration data segment sent by the identity authentication server and decomposing it into a challenge value, user attestation data and server request data;
forming serialized client data from the challenge value and the client data and computing the hash value of the serialized client data;
sending the user attestation data, the server request data, the biometric data, the hash value of the serialized client data and the server identifier to the identity verifier.
8. The online rapid identity authentication method based on a trusted computing module of claim 6, wherein step S4 specifically comprises:
S41: a processor module sends a key negotiation request to a key generation module;
S42: the key generation module receives the key negotiation request sent by the processor module, calls the trusted computing module to generate a public/private key pair, associates the user private key with the user identity information ciphertext and stores it in the trusted computing module, obtains the user public key returned by the trusted computing module and returns it to the processor module;
S43: the processor module receives the user public key returned by the key generation module and sends it to a communication module;
S44: the communication module receives the user public key sent by the processor module and sends it to the client;
S45: the communication module receives the biometric data sent by the client and sends it to an encryption and decryption module;
S46: the encryption and decryption module receives the biometric data sent by the communication module, calls the trusted computing module to store the user number and encrypt the biometric data, obtains the biometric ciphertext and the user number returned by the trusted computing module and returns them to the communication module;
S47: the communication module receives the biometric ciphertext and the user number returned by the encryption and decryption module, sends the biometric ciphertext to the processor module, and sends the biometric ciphertext and the user number to a storage module;
S48: the processor module receives the biometric ciphertext sent by the communication module and sends it to the storage module;
S49: the storage module stores the biometric ciphertext and the user number, receives the biometric ciphertext sent by the processor module, looks up the corresponding user number according to the biometric ciphertext and returns it to the processor module;
S410: the processor module receives the user number returned by the storage module and sends an identity authentication request together with the user number to a signature verification module;
S411: the signature verification module receives the identity authentication request and the user number sent by the processor module, looks up the user private key in the trusted computing module according to the user number, calls the trusted computing module to encrypt the challenge value with the user private key, obtains the challenge value ciphertext returned by the trusted computing module and returns it to the processor module;
S412: the processor module receives the challenge value ciphertext returned by the signature verification module and sends it to the communication module;
S413: the communication module receives the challenge value ciphertext sent by the processor module and sends it to the client.
9. The online rapid identity authentication system based on a trusted computing module of claim 7, further comprising:
generating biological characteristic data by using a client, and sending an identity authentication request to an identity authentication server; receiving a challenge value sent by an identity authentication server, forming serialized client data with the client data, calculating a hash value of the serialized client data, simultaneously obtaining a server identifier of the identity authentication server, and sending the biometric data, the hash value of the serialized client data and the server identifier to an identity verifier; and receiving the identity authentication assertion signature and the verifier data returned by the identity verifier, and sending the identity authentication assertion signature, the verifier data and the serialized client data to the identity authentication server.
10. The online rapid identity authentication system based on a trusted computing module of claim 9, further comprising:
an identity verifier, used for receiving the biometric data, the hash value of the serialized client data and the server identifier, performing a format check, calling the trusted computing module to encrypt the biometric data to obtain a biometric ciphertext, looking up the user number by the biometric ciphertext, and generating the verifier data for that user; generating serialized verifier data from the hash value of the serialized client data and the verifier data, calling the trusted computing module to extract the user private key by the user number, generating the identity authentication assertion signature from the user private key and the serialized verifier data, and returning the identity authentication assertion signature and the verifier data to the client.
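Taken together, claims 8 to 10 describe a FIDO-style assertion: the server issues a challenge, the client serializes it with the server identifier and hashes the result, the identity verifier looks up the user by biometric and has the trusted computing module sign over its own verifier data plus that hash, and the server checks the signature against the public key it holds for the user number. What the claims call "encrypting the challenge value with the user private key" is, in practice, that signature. The Go program below is an added illustration written for this page; it is not code from the patent or from the applicants. It assumes ECDSA P-256 for the user key, a keyed SHA-256 over the template standing in for the module's biometric ciphertext (the claims look up the user by an exact ciphertext match, which presupposes a stable template rather than fuzzy matching), a 33-byte verifier data layout of server-identifier hash plus a flags byte borrowed from the FIDO authenticator data format, and the hypothetical names login.example, evil.example, user-0001 and the functions shown. The user number that Verify checks against is passed in; in the claims the storage module returns it from the ciphertext lookup (S49).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Authenticator stands in for the identity verifier plus its trusted computing module: secrets never leave it.
type Authenticator struct {
	lookupKey []byte                        // module secret; keyed hash of the template stands in for the biometric ciphertext (assumption)
	users     map[[32]byte]string           // biometric handle -> user number
	keys      map[string]*ecdsa.PrivateKey  // user number -> private key
}
func (a *Authenticator) handle(biometric []byte) [32]byte { // deterministic lookup key, the claims' "biometric ciphertext"
	return sha256.Sum256(append(append([]byte{}, a.lookupKey...), biometric...))
}
func (a *Authenticator) Enroll(userNumber string, biometric []byte) *ecdsa.PublicKey { // only the public key leaves
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.users[a.handle(biometric)], a.keys[userNumber] = userNumber, priv
	return &priv.PublicKey
}
// Assert is the verifier step of claim 10: format check, user lookup, verifier data, signature over verifierData||clientDataHash.
func (a *Authenticator) Assert(biometric, clientDataHash []byte, serverID string) (verifierData, sig []byte, err error) {
	if len(clientDataHash) != sha256.Size || serverID == "" {
		return nil, nil, errors.New("format check failed")
	}
	user, ok := a.users[a.handle(biometric)]
	if !ok {
		return nil, nil, errors.New("no user for this biometric")
	}
	rpHash := sha256.Sum256([]byte(serverID))
	verifierData = append(rpHash[:], 0x05) // server-identifier hash, then flags: user present + user verified
	digest := sha256.Sum256(append(append([]byte{}, verifierData...), clientDataHash...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.keys[user], digest[:])
	return verifierData, sig, err
}

type ClientData struct{ Type, Challenge, Origin string } // serialized client data of claim 9: challenge bound to the server identifier
// ClientAuthenticate is the client step of claim 9; the authenticator only ever sees the hash of the client data.
func ClientAuthenticate(auth *Authenticator, biometric, challenge []byte, serverID string) (clientDataJSON, verifierData, sig []byte, err error) {
	clientDataJSON, _ = json.Marshal(ClientData{"webauthn.get", hex.EncodeToString(challenge), serverID})
	h := sha256.Sum256(clientDataJSON)
	verifierData, sig, err = auth.Assert(biometric, h[:], serverID)
	return
}

type Server struct { // identity authentication server: single-use challenges plus the enrolled public keys
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]bool // outstanding challenges (hex)
}
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[hex.EncodeToString(c)] = true
	return c
}
// Verify checks challenge freshness, server binding, the user-verified flag and the signature, in that order.
func (s *Server) Verify(userNumber string, clientDataJSON, verifierData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Origin != s.ID {
		return errors.New("client data malformed or not addressed to this server")
	}
	if !s.pending[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, cd.Challenge) // consume it: a captured assertion cannot be replayed
	if h := sha256.Sum256([]byte(s.ID)); len(verifierData) != 33 || !bytes.Equal(verifierData[:32], h[:]) || verifierData[32]&0x04 == 0 {
		return errors.New("verifier data not bound to this server, or user not verified")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, verifierData...), cdHash[:]...))
	if pub, ok := s.pubKeys[userNumber]; !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("assertion signature invalid")
	}
	return nil
}

// Demo: one honest login, a replay of the captured assertion, and an assertion made for another server identifier with its client data rewritten.
func Demo() (honest, replay, crossServer error) {
	auth := &Authenticator{make([]byte, 32), map[[32]byte]string{}, map[string]*ecdsa.PrivateKey{}}
	rand.Read(auth.lookupKey)
	srv := &Server{"login.example", map[string]*ecdsa.PublicKey{}, map[string]bool{}}
	bio := []byte("constructed fingerprint template #1") // constructed sample, not a real template
	srv.pubKeys["user-0001"] = auth.Enroll("user-0001", bio)
	cdj, vd, sig, _ := ClientAuthenticate(auth, bio, srv.NewChallenge(), srv.ID) // an Assert error surfaces as a failed Verify
	honest = srv.Verify("user-0001", cdj, vd, sig)
	replay = srv.Verify("user-0001", cdj, vd, sig)
	cdj2, vd2, sig2, _ := ClientAuthenticate(auth, bio, srv.NewChallenge(), "evil.example")
	cdj2 = bytes.Replace(cdj2, []byte("evil.example"), []byte(srv.ID), 1)
	crossServer = srv.Verify("user-0001", cdj2, vd2, sig2)
	return
}
```

Demo returns nil for the honest login and an error for the other two cases: the replay fails because the challenge was consumed on first use, and the cross-server assertion fails because the server-identifier hash inside the signed verifier data still names evil.example even though the client data was rewritten. Because the verifier signs over the hash of the serialized client data rather than receiving the challenge itself, the server has to recompute that hash from the exact bytes the client forwards; checking only the challenge field of the parsed JSON would let the client alter any other field after signing.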
CN202310623980.XA 2023-05-07 2023-05-30 Online rapid identity authentication system and method based on trusted computing module Pending CN116707818A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310504323 2023-05-07
CN2023105043233 2023-05-07

Publications (1)

Publication Number Publication Date
CN116707818A true CN116707818A (en) 2023-09-05

Family

ID=87830489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310623980.XA Pending CN116707818A (en) 2023-05-07 2023-05-30 Online rapid identity authentication system and method based on trusted computing module

Country Status (1)

Country Link
CN (1) CN116707818A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination