CN116723027A - Method and device for providing and acquiring safety identity information - Google Patents


Info

Publication number
CN116723027A
Authority
CN
China
Prior art keywords
information
identity
user
identity information
verification
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310777349.5A
Other languages
Chinese (zh)
Inventor
谷晨
落红卫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Original Assignee
Advanced New Technologies Co Ltd
Application filed by Advanced New Technologies Co Ltd
Priority to CN202310777349.5A
Publication of CN116723027A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected (e.g. by encrypting or encapsulating the payload) and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving a third party or a trusted authority
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of this specification provide a method and a device for providing and acquiring secure identity information. When a user needs to undergo identity verification or to provide secure identity information, the trusted application acquires the user's identity information and sends it to a third-party verification source for verification. After verification passes, the trusted application registers with the registration platform based on the verified information and thereby obtains a two-dimensional code for the user. The user can then present the two-dimensional code through the trusted application. A service party that needs the secure identity information scans the two-dimensional code and, via the registration platform, sends an identity request for that user to the trusted application based on the code, asking for the identity information it needs; the trusted application then returns the required identity information to the service party via the registration platform.

Description

Method and device for providing and acquiring safety identity information
This application is a divisional application of the invention patent application with application number 201811365789.5, titled "Method and device for providing and acquiring safety identity information", filed on 16 November 2018.
Technical Field
One or more embodiments of the present disclosure relate to the field of identity security authentication, and more particularly, to methods and apparatus for providing and obtaining secure identity information.
Background
In various offline application scenarios, conventional identity verification of a user is usually credential-based, i.e. it follows the logic of "proving the authenticity of a person's identity by means of a credential". In a typical implementation, a natural person presents a credential (such as an identity card or a passport); a natural person representing the scene merchant (such as hotel front-desk staff or a window clerk at an administrative hall) confirms by visual inspection that the credential corresponds to the user, and confirms the authenticity of the credential by visual inspection or with the help of a card-reading device. On that basis, the required verification information is taken from the credential, which can then be regarded as trusted identity information, and service is provided according to the scene merchant's business logic.
However, with the continuous strengthening of user privacy protection (for example the minimum-necessary principle) and users' growing demand for convenience, the conventional offline identity verification described above faces more and more challenges, and in many scenarios it cannot meet the demand. For example:
- the user may not have an identity card with them;
- in some lower-tier offline application scenarios, users are unwilling to hand core credentials such as identity cards to others for verification, let alone leave copies;
- the business itself only needs part of the user's information, not every element on the identity card;
- with the continuing development of online business and the spread of real-name, real-person and real-credential authentication in cyberspace, electronic credentials are becoming a future trend. However, identity verification based on electronic credentials also faces security threats: for example, an electronic copy of an identity card may be tampered with by image editing ("PS") (for real-name verification), or face verification may be broken (for real-name verification). This requires a trusted verification source, such as a public security certification database or a population database, to provide the identity verification service.
Thus, an improved solution is desired to enable verification of identity more safely and more conveniently.
Disclosure of Invention
One or more embodiments of the present disclosure describe a method and an apparatus for providing and obtaining secure identity information, by which a user may use a trusted application online, and provide verified secure identity information to a service party safely and conveniently by displaying a two-dimensional code.
According to a first aspect, there is provided a method of providing secure identity information, the method being performed by a trusted application server, comprising:
Responding to a first request from a user for requesting identity verification, and acquiring first identity information required by verification;
the first identity information is sent to a third party trusted verification source for verification;
transmitting registration information for registration to a registration platform, the registration information including an identity index of the user, the identity index being generated based on at least a portion of the verified first identity information;
receiving two-dimension code information returned by the registration platform, wherein the two-dimension code information is used for displaying the corresponding two-dimension code for scanning;
receiving a second request sent by a registration platform, wherein the second request comprises the identity index, the identification information of a first service party which scans the two-dimensional code, the second identity information required by the first service party and the public key of the first service party;
generating safety identity information, wherein the safety identity information comprises identification information of the first service party and encryption information, and the encryption information is obtained by encrypting second identity information of the user corresponding to the identity index by utilizing a public key of the first service party;
and sending the security identity information to the registration platform so that the registration platform routes the encrypted information to the first service party according to the identification information of the first service party.
In one embodiment, before obtaining the first identity information required for verification, the method further includes:
sending an application authentication request of the trusted application to the user;
receiving authentication information input by a user;
performing application authentication based on the authentication information;
and under the condition that the application authentication passes, acquiring the first identity information.
In one embodiment, the first identity information may be collected through the terminal on which the client of the trusted application runs, for example by collecting face information through the terminal's camera and/or by reading identity card information through the terminal's NFC function and a control built on that NFC function.
In one embodiment, input information of the user may be received through a client of the trusted application to obtain the first identity information, where the input information may include, for example, a user name, an identification card number, and a password.
According to one embodiment, a pre-generated trusted voucher may also be read as part of the first identity information.
In one embodiment, the trusted credential is generated by:
acquiring verification identity information of a user;
Sending the verification identity information to the third party trusted verification source;
and receiving the trusted certificate generated by the third party trusted verification source based on the verification identity information.
Further, in one embodiment, the third party trusted verification source includes a first verification source and a second verification source; accordingly, the trusted credential is generated by:
acquiring first verification information and second verification information as the verification identity information;
transmitting the first verification information to the first verification source and transmitting the second verification information to a second verification source;
receiving a first credential from the first verification source and a second credential from the second verification source;
the first credential and the second credential are combined, thereby generating the trusted credential.
According to one embodiment, the secure identity information may be generated by:
determining a corresponding user according to the identity index;
acquiring second identity information of the user;
and encrypting the second identity information of the user by using the public key of the first service party to obtain the encrypted information.
According to a second aspect, there is provided a method of obtaining secure identity information, the method being performed by a registration platform, comprising:
Receiving registration information from a first application, the registration information including an identity index of a user in the first application, the identity index being generated based on at least a portion of first identity information of the user verified by a third party trusted verification source;
generating two-dimensional code information according to the identity index and the application information of the first application, and returning the two-dimensional code information to the first application;
receiving identity request information from a first service party, wherein the identity request information is generated by the first service party by scanning a two-dimensional code corresponding to the two-dimensional code information, the identity request information comprises the two-dimensional code information and service index information of the first service party, and the service index information corresponds to service registration information submitted by the first service party to the registration platform in advance;
determining the identity index and the application information of the first application according to the two-dimensional code information contained in the identity request information, and determining the identification information of the first service party, the second identity information required by the first service party and the public key of the first service party according to the service index information;
Sending a second request to the first application, wherein the second request comprises the identity index, the identification information of the first service party, the second identity information and a public key of the first service party;
receiving security identity information from the first application, wherein the security identity information comprises identification information of the first service party and encryption information, and the encryption information is obtained by encrypting second identity information of a user corresponding to the identity index by the first application by utilizing a public key of the first service party;
and sending the encryption information to the first service party according to the identification information of the first service party.
In one embodiment, the registration information further includes a timeout period; in this case, the two-dimensional code information is regenerated at every timeout period.
According to one possible design, the registration platform may be located in the same physical entity as the server of a specific application; in that case the registration information may include a first field which, when it has a first value, indicates that the first application is that specific application and, when it has a second value, indicates that the first application is not that specific application.
In one embodiment the first field has the first value, that is, the registration platform and the server of the first application are located in the same physical entity; the registration platform may then provide the two-dimensional code information locally to the application logic of the first application, provide the second request locally to that application logic, and obtain the secure identity information locally from that application logic.
According to a third aspect, there is provided a method of obtaining secure identity information, the method being performed by a service party requiring secure identity information, comprising:
reading a user two-dimensional code displayed by a user through a first application, and obtaining corresponding two-dimensional code information, wherein the two-dimensional code information is generated by a registration platform according to an identity index of the user and application information of the first application, and the identity index is generated based on at least one part of first identity information of the user verified by a third-party trusted verification source;
sending identity request information to the registration platform, wherein the identity request information includes the two-dimensional code information and service index information of the service party, the service index information corresponds to service registration information submitted to the registration platform in advance by the service party, and the service registration information includes identification information of the service party, the second identity information required by the service party and the public key of the service party;
Receiving encryption information from a registration platform, wherein the encryption information is obtained by encrypting second identity information of the user by the first application through the public key;
and decrypting the encrypted information to obtain second identity information of the user.
In one embodiment, the business party sends identity request information to the registration platform by:
determining the platform address of the registration platform by parsing the user two-dimensional code;
combining the two-dimensional code information and the service index information of the service party into the identity request information;
and sending the identity request information to the registration platform according to the platform address.
In one embodiment, the service party decrypts the encrypted information using the private key of the service party.
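The exchange laid out in the first, second and third aspects above (registration of the identity index, issuance of the two-dimensional code, the service party's identity request, the second request relayed to the application, encryption of the second identity information under the service party's public key, routing back, and decryption with the service party's private key), together with the timeout embodiment and the embodiment in which the service party parses the platform address out of the code, as an added Go example. It is not code from the patent or from the applicant. The party names, the identity-index derivation (a truncated SHA-256 of application name and ID number), the code-string layout (platform address plus a random code), the choice of RSA-OAEP with the service ID as label, and all sample records are assumptions made for this example; the patent specifies none of them. The example goes one step beyond the text in two places: the platform rejects a code once its timeout has elapsed rather than only regenerating it, and the OAEP label binds each ciphertext to the service party it was produced for.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// trustedDB stands in for the third-party verification source's records (constructed sample data).
var trustedDB = map[string]string{"ID-000001": "Alice Example"} // ID number -> name on record

// TrustedApp keeps verified identity records keyed by identity index.
type TrustedApp struct {
	Name  string
	users map[string]map[string]string
}

// VerifyAndIndex submits the first identity information to the verification source and, on success,
// derives the identity index (constructed here as a truncated SHA-256 of app name and ID number).
func (a *TrustedApp) VerifyAndIndex(info map[string]string) (string, error) {
	if trustedDB[info["id_number"]] != info["name"] { return "", errors.New("verification source rejected the first identity information") }
	idx := fmt.Sprintf("%x", sha256.Sum256([]byte(a.Name+"|"+info["id_number"])))[:16]
	a.users[idx] = info
	return idx, nil
}

// ServiceRegistration is what a service party submits in advance; the platform forwards these
// three items to the application as the second request.
type ServiceRegistration struct {
	ServiceID      string
	RequiredFields []string
	PublicKey      *rsa.PublicKey
}

// HandleSecondRequest releases only the registered fields, RSA-OAEP encrypted under the service
// party's public key; the service ID is the OAEP label, so the ciphertext opens only for that party.
func (a *TrustedApp) HandleSecondRequest(identityIndex string, svc ServiceRegistration) ([]byte, error) {
	user, ok := a.users[identityIndex]
	if !ok { return nil, errors.New("unknown identity index") }
	subset := map[string]string{} // nothing beyond RequiredFields leaves the application
	for _, f := range svc.RequiredFields { subset[f] = user[f] }
	plain, _ := json.Marshal(subset)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, svc.PublicKey, plain, []byte(svc.ServiceID))
}

// codeRecord is what the platform stores behind an issued code; Registry is the registration platform.
type codeRecord struct{ IdentityIndex string; App *TrustedApp; Expires time.Time }
type Registry struct {
	Address  string
	Timeout  time.Duration
	Now      func() time.Time
	Services map[string]ServiceRegistration // service index -> service registration information
	codes    map[string]codeRecord          // two-dimensional code string -> record
}

// RegisterIdentity turns registration information into a two-dimensional code string (platform
// address plus a random code) honoured only for Timeout; afterwards the application re-registers.
func (r *Registry) RegisterIdentity(app *TrustedApp, identityIndex string) string {
	var nonce [16]byte
	rand.Read(nonce[:])
	qr := fmt.Sprintf("%s?c=%x", r.Address, nonce)
	r.codes[qr] = codeRecord{IdentityIndex: identityIndex, App: app, Expires: r.Now().Add(r.Timeout)}
	return qr
}

// HandleIdentityRequest resolves the code and the service index, relays the second request to the
// application that registered the code, and returns the encrypted information for routing.
func (r *Registry) HandleIdentityRequest(qr, serviceIndex string) ([]byte, error) {
	rec, ok := r.codes[qr]
	if !ok || r.Now().After(rec.Expires) { return nil, errors.New("unknown or expired two-dimensional code") }
	svc, ok := r.Services[serviceIndex]
	if !ok { return nil, errors.New("unregistered service party") }
	return rec.App.HandleSecondRequest(rec.IdentityIndex, svc)
}

// ServiceParty parses the platform address out of the scanned code, asks the platform for the
// identity information, and decrypts the result with its own private key.
type ServiceParty struct{ ID, ServiceIndex string; Key *rsa.PrivateKey }

func (s ServiceParty) Scan(qr string, r *Registry) (map[string]string, error) {
	if strings.SplitN(qr, "?", 2)[0] != r.Address { return nil, errors.New("two-dimensional code points at another platform") }
	ct, err := r.HandleIdentityRequest(qr, s.ServiceIndex)
	if err != nil { return nil, err }
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, ct, []byte(s.ID))
	if err != nil { return nil, err }
	var fields map[string]string
	return fields, json.Unmarshal(plain, &fields)
}

// Demo runs the whole exchange on constructed data; clockSkew moves the platform clock forward
// between code issuance and the scan so the timeout path can be exercised.
func Demo(clockSkew time.Duration) (map[string]string, error) {
	app := &TrustedApp{Name: "trusted-app", users: map[string]map[string]string{}}
	idx, err := app.VerifyAndIndex(map[string]string{"name": "Alice Example", "id_number": "ID-000001", "phone": "555-0100"})
	if err != nil { return nil, err }
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	hotel := ServiceParty{ID: "hotel-001", ServiceIndex: "svc-42", Key: key}
	reg := &Registry{Address: "https://registry.example/verify", Timeout: 60 * time.Second, Now: time.Now,
		Services: map[string]ServiceRegistration{hotel.ServiceIndex: {ServiceID: hotel.ID, RequiredFields: []string{"name", "id_number"}, PublicKey: &key.PublicKey}},
		codes:    map[string]codeRecord{}}
	qr := reg.RegisterIdentity(app, idx)
	issued := reg.Now()
	reg.Now = func() time.Time { return issued.Add(clockSkew) }
	return hotel.Scan(qr, reg)
}
```

Demo(0) walks the happy path and returns only the two fields the hotel registered for; the phone number stored by the application never leaves it, which is the minimum-necessary point from the background section. Demo(2*time.Minute) shows the platform refusing a scan once the code has outlived its timeout, so the application has to register again and display a fresh code.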
According to a fourth aspect, there is provided an apparatus for providing secure identity information, the apparatus deployed at a trusted application server, comprising:
a first information acquisition unit configured to acquire first identity information required for verification in response to a first request for requesting identity verification from a user;
the first information sending unit is configured to send the first identity information to a third party trusted verification source for verification;
A registration information transmitting unit configured to transmit registration information for registration to a registration platform, the registration information including an identity index of the user, the identity index being generated based on at least a part of the first identity information that has been verified;
the two-dimensional code receiving unit is configured to receive two-dimensional code information returned by the registration platform and is used for displaying the corresponding two-dimensional code for scanning;
the second request receiving unit is configured to receive a second request sent by the registration platform, wherein the second request comprises the identity index, the identification information of the first service party which scans the two-dimensional code, the second identity information required by the first service party and the public key of the first service party;
an identity information generating unit configured to generate secure identity information, where the secure identity information includes identification information of the first service party and encryption information, and the encryption information is obtained by encrypting second identity information of the user corresponding to the identity index by using a public key of the first service party;
and the identity information sending unit is configured to send the safety identity information to the registration platform so that the registration platform routes the encrypted information to the first service party according to the identification information of the first service party.
According to a fifth aspect, there is provided an apparatus for obtaining security identity information, the apparatus deployed at a registry, comprising:
a registration information receiving unit configured to receive registration information from a first application, the registration information including an identity index of a user in the first application, the identity index being generated based on at least a part of first identity information of the user verified by a third party trusted verification source;
the two-dimensional code generating unit is configured to generate two-dimensional code information according to the identity index and the application information of the first application, and return the two-dimensional code information to the first application;
an identity request receiving unit configured to receive identity request information from a first service party, the identity request information being generated by the first service party by scanning a two-dimensional code corresponding to the two-dimensional code information, the identity request information including the two-dimensional code information and service index information of the first service party, the service index information corresponding to service registration information submitted in advance by the first service party to the registration platform;
the determining unit is used for determining the identity index and the application information of the first application according to the two-dimensional code information contained in the identity request information, and determining the service registration information of the first service party according to the service index information, wherein the service registration information comprises the identification information of the first service party, the second identity information required by the first service party and the public key of the first service party;
A second request sending unit configured to send a second request to the first application, where the second request includes the identity index, identification information of the first service party, the second identity information, and a public key of the first service party;
an identity information receiving unit configured to receive secure identity information from the first application, where the secure identity information includes identification information of the first service party, and encryption information, where the encryption information is obtained by encrypting, by the first application, second identity information of a user corresponding to the identity index using a public key of the first service party;
and the encryption information sending unit is configured to send the encryption information to the first service party according to the identification information of the first service party.
According to a sixth aspect, there is provided an apparatus for obtaining security identity information, the apparatus being deployed at a service party requiring the security identity information, comprising:
the two-dimensional code reading unit is configured to read a user two-dimensional code displayed by a first application by a user to obtain corresponding two-dimensional code information, wherein the two-dimensional code information is generated by a registration platform according to an identity index of the user and application information of the first application, and the identity index is generated based on at least one part of first identity information of the user verified by a third-party trusted verification source;
The identity request sending unit is configured to send identity request information to the registration platform, wherein the identity request information comprises the two-dimensional code information and service index information of the service party, the service index information corresponds to service registration information which is submitted to the registration platform in advance by the service party, and the service registration information comprises identification information of the service party, second identity information required by the service party and a public key of the service party;
an encrypted information receiving unit configured to receive encrypted information from a registration platform, the encrypted information being obtained by encrypting second identity information of the user by the first application using the public key;
and the decryption unit is configured to decrypt the encrypted information to obtain second identity information of the user.
According to a seventh aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the methods of the first to third aspects.
According to an eighth aspect, there is provided a computing device comprising a memory and a processor, characterized in that the memory has stored therein executable code, which when executed by the processor, implements the methods of the first to third aspects.
Through the method and the device provided by the embodiment of the specification, under the condition that identity verification is needed, a user displays the two-dimensional code generated by the registration platform for the user through trusted application, and a business party obtains the needed identity information from the registration platform by scanning the two-dimensional code. Before the two-dimension code is requested to be generated, the trusted application firstly sends the identity information of the user to a third party verification source for verification, so that the accuracy and the authority of the identity information are ensured. In the process, interconnection and intercommunication between different service parties and different trusted applications are realized through the registration platform, so that the service parties do not need to pay attention to which application is used by a user to provide identity information, and verification is more flexible and convenient.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a schematic diagram of an implementation scenario of one embodiment disclosed herein;
FIG. 2 illustrates a method of obtaining secure identity information according to one embodiment;
FIG. 3 illustrates a method of obtaining secure identity information according to another embodiment;
FIG. 4 illustrates a method of obtaining secure identity information according to another embodiment;
FIG. 5 shows a schematic block diagram of an apparatus for providing secure identity information according to one embodiment;
FIG. 6 shows a schematic block diagram of an apparatus for obtaining secure identity information according to one embodiment;
FIG. 7 shows a schematic block diagram of an apparatus for obtaining secure identity information according to one embodiment.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. According to the embodiment of Fig. 1, in a scenario where identity verification is required or identity information is to be provided online, the user does not need to hand identity information directly to the business party (i.e. the scene merchant mentioned above) that requires secure identity information; instead, identity verification is performed by having the trusted application communicate with an authoritative third-party verification source. After verification passes, a unified registration platform supporting multiple applications generates a user two-dimensional code, which is displayed through the trusted application. The service party obtains the required user identity information through the registration platform by scanning the user two-dimensional code.
Specifically, when a user needs identity verification or needs to provide secure identity information, the user may invoke an electronic identity verification service in a trusted application. The trusted application may then obtain the user's identity information, including for example name, ID card information and face information, and send it to a third-party verification source for verification. After verification passes, the trusted application registers with the registration platform based on the verified information and thereby obtains a two-dimensional code for the user. The user can then present the two-dimensional code through the trusted application. A service party that needs secure identity information scans the two-dimensional code and, via the registration platform, sends an identity request for that user to the trusted application based on the code, asking for the identity information it needs; the trusted application then returns the required identity information to the business party via the registration platform. In this way, after the user's identity information has been submitted to the third-party verification source for verification, the trusted application interacts with the registration platform to request and obtain the two-dimensional code, and then provides the identity information required by the service party through the registration platform. The service party, for its part, obtains the verified identity information provided by the trusted application by interacting with the registration platform after scanning the user two-dimensional code. The specific implementation steps of the above procedure are described below.
Fig. 2 illustrates a method of obtaining secure identity information according to one embodiment. As shown in fig. 2, the method involves at least a trusted application, a verification source, a registration platform, and a business party.
Verification sources, also known as trusted verification sources or third party verification sources, are third parties that provide trusted identity information verification services. A third party verification source usually holds a trusted database, configures a verification policy for trusted electronic identities, usually supports trusted credentials, and verifies whether the provided user information is genuine and accurate; its verification result is considered accurate and valid. Such verification sources include, for example, the CTID network certification platform currently set up by public security authorities, population databases, and the like.
The business party, also referred to as a scene merchant, is a business application party that needs secure identity information in an offline application scene. The service party originally needs to confirm the identity of the user offline from a physical certificate and, after confirming the user's trusted identity information, carries out its business according to its business logic; examples are hotels, administrative offices, internet cafes and the like that require identity verification.
The trusted application is an application trusted by both scene merchants and third party verification sources. The trusted application interfaces with a trusted verification source, and mutual trust between the two parties is ensured by signatures. The trusted application is, for example, a payment instrument.
The registration platform is responsible for maintaining the registration of service parties and the registration of trusted applications, and for the mapping and parsing between registration information and code strings. The registration platform may interface with several trusted applications as well as a number of business parties.
Before the procedure of fig. 2 for providing the service party with secure identity information can proceed, the service party generally needs to register with the registration platform in advance. Specifically, in the registration stage, the service party submits service registration information to the registration platform, where the service registration information includes at least a service party identifier, the identity information to be verified, and public key information, and may include other information such as descriptive information.
The registration platform generates a service index, also referred to as a service token, for the service registration information submitted by the service party, and binds the service index to the service registration information, in other words, associates the two and stores them correspondingly. The registration platform may then return the service index to the service party, which stores the service index assigned or generated by the registration platform locally for later use when interacting with the registration platform.
The following describes a process in which a user performs identity verification through a trusted application, and further provides secure identity information to a certain service party.
It will be appreciated that the user is typically a natural person and is also the subject of electronic identity verification, such as the user of a payment device. When a user encounters an offline scenario requiring identity verification, such as hotel check-in, instead of handing an identity card to the hotel front desk, the user can issue a verification request to a trusted application to invoke an electronic identity verification service. That is, as shown in fig. 2, in step S201, the trusted application receives a request for identity verification from the user. For example, in one example, the user may open a payment instrument, enter the "card pack" service, click on the corresponding option, and initiate a verification request.
In step S202, the trusted application obtains identity information, referred to herein as first identity information, required for verification.
It should be understood that the "first" and "second" herein are merely labels applied to and distinguish between similar concepts for clarity of presentation and do not have other limiting effect.
In different embodiments, the first identity information may include one or more of a name, an identification number, an ethnicity, a certificate validity period, a face photo, driver's license information, and the like, and the specific content may be different according to a requirement of a verification source, and/or a service setting of a trusted application, and/or a scene or industry selected when the user issues a verification request.
In one embodiment, the step of obtaining the first identity information required for verification in step S202 may include collecting the first identity information through a terminal where a client of the trusted application is located. For example, in one example, face information may be collected by a camera on the terminal; in another example, the identification card information may be read through the NFC functionality of the terminal and controls thereon.
In another embodiment, the first identity information required for obtaining the verification in step S202 may include receiving, by the client of the trusted application, input information of the user, for example, the input information may include a user name, an identification card number, and so on.
In yet another embodiment, the step S202 of obtaining the first identity information required for verification may include reading user identity information already stored in the trusted application. For example, the user may have stored his name and identification card number in advance at the trusted application client or server. In this way, in step S202, the user identity information already stored in the trusted application can be extracted directly, which reduces the number of manual inputs by the user and improves convenience.
The above embodiments may be used in combination. For example, in one example, the second-generation identity card of the user may be read through the NFC function and the corresponding control of the terminal, to obtain the name, the identity card number, and the validity period of the certificate, and the face photo may be collected through the camera of the terminal as the first identity information.
In another example, the name and the identification card number manually input by the user can be received through the client, and the face photo is collected through the camera and used as the first identity information.
In one embodiment, the step S202 of obtaining the first identity information required for verification may include reading a pre-generated trusted credential. The trusted credential can be a credential issued to the user after the user applies in advance to a trusted verification source and the trusted verification source verifies the identity of the user at a high security level; the trusted credential thus acts like an electronic identity card. The process of applying for and generating trusted credentials is described in more detail below in connection with other embodiments.
In general, the pre-generated trusted credentials may be stored in a secure storage area of the user terminal, or in the present application, or in other applications. In case the user already has a trusted credential, the pre-generated trusted credential may be read as part of the first identity information in step S202. For example, in the case where the trusted credential is stored in a secure storage area of the user terminal, the trusted credential may be read from the secure storage area; in the case where the trusted credential is stored in the present application, the trusted credential may be read directly; in the case where the trusted credential is stored in another application, the trusted credential may be read by invoking the other application.
This embodiment may be further used in combination with the above embodiments. For example, in one example, the second-generation identity card of the user can be read through the NFC function and the corresponding control of the terminal to obtain the name, the identity card number and the certificate validity period; a face photo is acquired through the camera of the terminal; and the trusted credential is read, with all of this information taken together as the first identity information.
In another example, the name and the identification card number manually input by the user can be received through the client, the face photo is collected through the camera, the trusted certificate is read, and the information is used as the first identity information together.
Thus, in step S202, the trusted application can obtain first identity information of various contents in various ways.
Then, in step S203, the trusted application sends the obtained first identity information to a third party verification source for verification. In the process, the trusted application and the verification source can establish a trust relationship through signature and verification, so that the safety and effectiveness of data are ensured.
After receiving the first identity information, in step S204, the verification source verifies the first identity information.
In one embodiment, the verification source maintains complete user information. In this case, the verification source performs user identity verification by directly comparing the first identity information with the stored user information.
In another embodiment, the verification source may adopt a policy of storing only hash values of the user information, so that an attack on the verification source cannot leak user information in bulk. In this case, the verification source applies the same hash operation to the received user identity information and compares the computed hash value with the stored hash value, thereby verifying the user's identity. Further, the verification source may delete the received user information at certain time intervals to increase security.
After verification, the verification source returns verification results to the trusted application in step S205. The verification result may correspond to two modes. In the authentication mode, the verification source feeds back verification results of verification passing/verification failure, and in the information mode, the verification source can return certain information, such as ethnic information of a user.
Although only one verification source is shown in fig. 2, in practice there may be a plurality of verification sources. In this case, the first identity information may be divided into a plurality of groups according to the verification requirements of the verification sources, each group of information may be transmitted to the corresponding verification source, and the verification results may be received from the verification sources.
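The hash-only policy of step S204 and the multiple-source case just described, as an added example in Go; this is not code from the patent or from any CTID platform. The verification source keeps, per user, only a per-record salt and a SHA-256 hash over the fields it is responsible for, recomputes the hash over the submitted first identity information and compares it in constant time, returning only pass/fail (the authentication mode of step S205). A second function divides the first identity information into one group per verification source according to each source's field requirements. The field names, the choice of the id number as lookup key, and the sample records are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"sort"
	"strings"
)

// IdentityInfo carries identity fields as a flat map, e.g. {"name": "...", "id_number": "..."}.
// Field names are this example's own; the text names the contents, not a schema.
type IdentityInfo map[string]string

// canonical renders the selected fields in a fixed order so the hash does not depend on
// map iteration order; a field that is missing hashes as an empty value and so fails.
func canonical(info IdentityInfo, fields []string) string {
	keys := append([]string(nil), fields...)
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k + "=" + info[k] + "\n")
	}
	return b.String()
}

func hexSHA256(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// record is all the source keeps about a user: a per-record salt and the salted hash.
// The salt stops whoever steals the table from precomputing hashes of common names and
// id-number ranges; the plaintext fields are never stored.
type record struct{ salt, hash string }

// VerificationSource implements the hash-only policy of step S204 for the fields it is
// responsible for (e.g. name, id number and face data for one source, ethnicity for another).
type VerificationSource struct {
	Name    string
	Fields  []string
	records map[string]record // keyed by an unsalted hash of the lookup key, not by the key itself
}

func NewVerificationSource(name string, fields []string) *VerificationSource {
	return &VerificationSource{Name: name, Fields: fields, records: map[string]record{}}
}

// Enroll populates the database from authoritative data (out of band, before any verification).
func (v *VerificationSource) Enroll(lookupKey, salt string, info IdentityInfo) {
	v.records[hexSHA256(lookupKey)] = record{salt: salt, hash: hexSHA256(salt + "\x00" + canonical(info, v.Fields))}
}

// Verify recomputes the hash over the submitted fields and compares it with the stored one
// in constant time. Only pass/fail leaves the source (the text's authentication mode), and
// the submitted plaintext is dropped as soon as the function returns.
func (v *VerificationSource) Verify(lookupKey string, submitted IdentityInfo) bool {
	rec, ok := v.records[hexSHA256(lookupKey)]
	if !ok {
		return false
	}
	got := hexSHA256(rec.salt + "\x00" + canonical(submitted, v.Fields))
	return subtle.ConstantTimeCompare([]byte(got), []byte(rec.hash)) == 1
}

// SplitForSources divides the first identity information into one group per verification
// source according to each source's field requirements (the multiple-source case).
func SplitForSources(info IdentityInfo, sources []*VerificationSource) map[string]IdentityInfo {
	groups := map[string]IdentityInfo{}
	for _, src := range sources {
		g := IdentityInfo{}
		for _, f := range src.Fields {
			if val, ok := info[f]; ok {
				g[f] = val
			}
		}
		groups[src.Name] = g
	}
	return groups
}

// VerifyAll sends each group to its source and passes only if every source passes.
func VerifyAll(lookupKey string, info IdentityInfo, sources []*VerificationSource) bool {
	groups := SplitForSources(info, sources)
	for _, src := range sources {
		if !src.Verify(lookupKey, groups[src.Name]) {
			return false
		}
	}
	return true
}
```

Two design points follow from the text's reasoning: the record index is a plain hash of the lookup key (the source must be able to find the record without knowing the salt), while the salted hash protects the full record, and each source receives only the fields it requires, so the population source never sees the id number.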
In case the verification passes, in step S206, the trusted application generates an identity index based on the verified first identity information, and initiates registration with the registration platform using the identity index. In other words, the trusted application sends registration information to the registration platform to request two-dimensional code registration for the user, where the registration information includes an identity index of the user.
In one embodiment, the trusted application may use the verified first identity information itself as the identity index; alternatively, a portion of the verified first identity information may be used as an identity index. In another embodiment, the trusted application may encrypt or hash the verified first identity information, and use the operation result as an identity index; or, encrypting or hashing a part of the verified first identity information, and taking the operation result as the identity index.
In one embodiment, the trusted application also includes a timeout in the registration information so that the registration platform can update the two-dimensional code according to the timeout to support the generation of dynamic two-dimensional codes.
The following table exemplarily shows an example of registration information. In this example, the registration information includes an identity index and a timeout, wherein the identity index is obtained by encrypting the user's identification number and name (which may be part of the first identity information).
Next, in step S207, after receiving the registration information sent by the trusted application, the registration platform generates two-dimensional code information according to the identity index in the registration information and the application information of the trusted application that initiates registration. It can be appreciated that each two-dimensional code can correspond to a code string, which can be mapped to a two-dimensional code. Therefore, the two-dimensional code information here may be the two-dimensional code itself or a code string corresponding to the two-dimensional code.
In one embodiment, the registration platform extracts an identity index from the registration information, adds application information of the trusted application initiating registration on the basis of the identity index, thereby generating a code string, and maps the code string to a two-dimensional code. The code string or the two-dimensional code can be used as the two-dimensional code information.
Specifically, in one example, the two-dimensional code information generated by the registration platform may include a URL address that points to the identity index and application information of the trusted application. In another example, the registration platform encodes the identity index of the user and the application information of the trusted application to obtain a code string as two-dimensional code information; thus, the two-dimensional code information is loaded with the identity index of the user and the application information of the trusted application.
Next, in step S208, the registration platform returns the two-dimensional code information to the trusted application.
As described above, when the registration information includes the timeout period, a dynamic two-dimensional code may be supported. In such a case, the registration platform may regenerate, that is, update, the two-dimensional code information at every timeout period and send the updated two-dimensional code information to the trusted application again.
After receiving the two-dimension code information, the trusted application can display the corresponding two-dimension code through the client. Then, in step S209, the service party requiring the security identity information may scan the two-dimensional code to request for the security identity information.
It can be understood that the two-dimensional code carries information about the party that generated it, such as a logo or an address. Therefore, after scanning the two-dimensional code, the service party can parse it in the conventional way and determine the registration platform that generated it. In addition, the service party can also obtain the two-dimensional code information. However, it should be understood that the two-dimensional code information is generated by the registration platform according to a certain rule, through operations such as encoding and mapping of the identity index and the application information; the service party can read the code string corresponding to the two-dimensional code, but cannot derive the user information or the application information from it. Thus, the business party still needs to interact with the registration platform to obtain the required identity information.
Accordingly, in step S210, the service party sends identity request information to the registration platform it has parsed out. Specifically, the service party determines the registration platform by parsing the two-dimensional code, and can also obtain the two-dimensional code information. On the other hand, as described above, when the service party registered with the registration platform in advance, it received the service index information (e.g., a token) that the registration platform generated for it, which corresponds to the service registration information it submitted. Thus, the service party can combine the service index information and the two-dimensional code information into identity request information, and then send the identity request information to the registration platform according to the parsed platform address.
In step S211, after receiving the identity request information sent by the service party, the registration platform parses the request. Specifically, the registration platform may extract service index information and two-dimensional code information of the service party from the identity request information.
For the service index information included in the identity request information, the registration platform may determine the corresponding service registration information according to the service index information, where the service registration information includes at least identification information of the service party, identity information (hereinafter referred to as second identity information) that needs to be verified, and a public key of the service party.
For the two-dimensional code information contained in the identity request information, the registration platform further parses it according to the inverse of the rule used to generate the two-dimensional code, and determines the identity index of the user and the application information of the trusted application.
Specifically, as described above, in one example, the URL address may be included in the two-dimensional code information. In such a case, the registration platform determines the identity index to which the URL address points and the application information of the trusted application in step S211.
In another example, the two-dimensional code information is an encoded code string carrying the user identity index and the trusted application information. In this case, in step S211, the registration platform parses the two-dimensional code information by decoding it to obtain the identity index of the user and the application information of the trusted application.
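The registration platform's side of the flow, covering the registration stage before fig. 2 (service index bound to service registration information), steps S206 to S208 (two-dimensional code information with a timeout, and its dynamic refresh) and step S211 (parsing the identity request information), as an added example in Go that is not the patent's own code. It makes one design assumption the text allows but does not fix: the two-dimensional code information is an opaque random code string, and the platform's stored mapping is the only "inverse rule", which is what makes the code string unreadable to the service party that scans it. Struct and field names, the placeholder public key and the sample values are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// ServiceRegistration is what a service party submits in the registration stage.
type ServiceRegistration struct {
	ServiceID      string   // service party identifier
	RequiredFields []string // identity information to be verified (second identity information)
	PublicKeyPEM   string   // public key the trusted application will later encrypt to
}

// QREntry is what the platform binds to a code string: identity index, application
// information of the trusted application, and the expiry derived from the timeout.
type QREntry struct {
	IdentityIndex, AppInfo string
	Expires                time.Time
}

// RegistrationPlatform keeps both mappings the text describes: service index -> service
// registration, and code string -> QREntry. (Single-goroutine example, no locking.)
type RegistrationPlatform struct {
	services map[string]ServiceRegistration
	codes    map[string]QREntry
	Now      func() time.Time // clock, replaceable in tests
}

func NewRegistrationPlatform() *RegistrationPlatform {
	return &RegistrationPlatform{services: map[string]ServiceRegistration{}, codes: map[string]QREntry{}, Now: time.Now}
}

// randomToken returns an unguessable identifier. Both the service index and the code
// string are random: whoever reads one cannot decode or forge it.
func randomToken() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// RegisterService is the registration stage that precedes fig. 2: bind a service index
// (token) to the submitted registration information and return the index.
func (p *RegistrationPlatform) RegisterService(reg ServiceRegistration) (string, error) {
	if reg.ServiceID == "" || reg.PublicKeyPEM == "" || len(reg.RequiredFields) == 0 {
		return "", errors.New("service id, required fields and public key are mandatory")
	}
	tok, err := randomToken()
	if err == nil {
		p.services[tok] = reg
	}
	return tok, err
}

// RegisterQR is step S207: generate two-dimensional code information (here an opaque code
// string) for the identity index and timeout sent by the trusted application.
func (p *RegistrationPlatform) RegisterQR(identityIndex, appInfo string, timeout time.Duration) (string, error) {
	if identityIndex == "" || appInfo == "" || timeout <= 0 {
		return "", errors.New("identity index, application information and a positive timeout are required")
	}
	code, err := randomToken()
	if err == nil {
		p.codes[code] = QREntry{IdentityIndex: identityIndex, AppInfo: appInfo, Expires: p.Now().Add(timeout)}
	}
	return code, err
}

// RefreshQR supports the dynamic two-dimensional code of step S208: at each timeout the
// platform issues a new code string for the same user and invalidates the previous one.
func (p *RegistrationPlatform) RefreshQR(oldCode string, timeout time.Duration) (string, error) {
	entry, ok := p.codes[oldCode]
	if !ok {
		return "", errors.New("unknown code string")
	}
	delete(p.codes, oldCode)
	return p.RegisterQR(entry.IdentityIndex, entry.AppInfo, timeout)
}

// ResolveIdentityRequest is step S211: parse identity request information (service index
// plus code string) into the service registration and the user and application behind
// the code. Unknown tokens, unknown code strings and expired code strings are rejected.
func (p *RegistrationPlatform) ResolveIdentityRequest(serviceToken, codeString string) (ServiceRegistration, QREntry, error) {
	svc, ok := p.services[serviceToken]
	if !ok {
		return ServiceRegistration{}, QREntry{}, errors.New("unregistered service party")
	}
	entry, ok := p.codes[codeString]
	if !ok {
		return ServiceRegistration{}, QREntry{}, errors.New("unknown two-dimensional code")
	}
	if !p.Now().Before(entry.Expires) {
		delete(p.codes, codeString) // an expired code is forgotten, never reused
		return ServiceRegistration{}, QREntry{}, errors.New("two-dimensional code expired")
	}
	return svc, entry, nil
}
```

The values returned by ResolveIdentityRequest are exactly what step S212 aggregates into the second request: the service party's identification, required fields and public key from the registration, and the identity index and application information from the code string.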
Thus, on the one hand the registration platform obtains the information (identification information, required second identity information, public key and the like) of the service party requesting the identity information, and on the other hand determines from the two-dimensional code information the requested user and the trusted application where the user is located. Then, in step S212, the registration platform aggregates this information and issues a request, referred to herein as a second request, to the trusted application. The second request comprises at least the identity index of the user, the identification information of the service party, the required second identity information and the public key of the service party. That is, the second request tells the trusted application which service party needs which user's identity information.
The following table shows the specific content contained in the second request in one embodiment.
In the example of the above table, the second request includes the service party identifier, the service party public key, the identity index of the targeted user, and the identity information (second identity information) required by the service party, specifically, the required identity information includes an identity card number, a name, and face information.
Upon receiving such a second request, the trusted application generates secure identity information from the information in the second request, step S213. Specifically, the trusted application first determines the corresponding user according to the identity index contained in the second request. As previously described, the identity index is generated by the trusted application based on the first identity information of the user, and in one embodiment, the trusted application may store a correspondence of the identity index to the user. Thus, the trusted application can determine the user corresponding to the identity index based on the corresponding relation. The trusted application may then obtain second identity information for the user. Typically, the second identity information corresponds to, or is part of, the first identity information. The second identity information obtained here is trusted identity information, since the first identity information has already been verified by the verification source. And then, the trusted application encrypts the obtained second identity information of the user by using the public key of the service party to obtain encrypted information.
The trusted application then sends the thus obtained encrypted information, together with the identification information of the service party received previously, as secure identity information to the registration platform, as shown in step S214.
After receiving the secure identity information sent by the trusted application, the registration platform sends the encrypted information to the service party in step S215. Specifically, in one embodiment, the registration platform parses the secure identity information and extracts from it the encrypted information and the identification information of the service party. Because each service party is registered in the registration platform in advance, the registration platform can determine the destination address of the service party according to its identification information. The registration platform then sends the encrypted information to the terminal corresponding to the service party according to the destination address.
After receiving the encrypted information, the service party decrypts it in step S216, thereby obtaining the second identity information of the user. It can be understood that the encrypted information was obtained by the trusted application encrypting the second identity information of the user with the public key of the service party, and the service party locally stores the private key corresponding to that public key. The public key and the private key form a key pair: data encrypted with the public key can be decrypted only with the corresponding private key. Thus, in one embodiment, the service party decrypts the received encrypted information using its own private key, thereby obtaining the second identity information of the user.
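Steps S213 to S216, as an added example in Go that is not the patent's own code: the trusted application looks up the user by identity index, selects only the fields the service party registered for, and encrypts them to the service party's public key, so that the registration platform in S214 and S215 only forwards ciphertext it cannot read; the service party opens it with its private key. The text names no algorithm, so this example assumes RSA-OAEP for the public-key step and, because a field such as a face photo does not fit into one RSA block, seals the fields with a fresh AES-256-GCM key and wraps only that key. Struct names, field names and the sample user are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// SecondRequest is what the registration platform forwards to the trusted application in
// step S212 (struct and field names are this example's own).
type SecondRequest struct {
	ServiceID      string
	ServicePublic  *rsa.PublicKey
	IdentityIndex  string
	RequiredFields []string // second identity information
}

// Envelope is the "security identity information" of steps S213/S214: the service party
// identification the platform routes on, plus the encrypted information. The identity
// fields are sealed with a fresh AES-256-GCM key and only that key is wrapped with the
// service party's RSA-OAEP public key, so a large field such as a face photo still fits.
type Envelope struct {
	ServiceID                     string
	WrappedKey, Nonce, Ciphertext []byte
}

// TrustedApp keeps verified first identity information keyed by identity index.
type TrustedApp struct{ Users map[string]map[string]string }

// GenerateServiceKeyPair is the service party's one-off key generation; the public half is
// submitted at registration, the private half never leaves the service party.
func GenerateServiceKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildSecureIdentityInfo implements step S213: look up the user by identity index, take
// only the registered fields, and encrypt them so that the platform can merely forward them.
func (a *TrustedApp) BuildSecureIdentityInfo(req SecondRequest) (Envelope, error) {
	user, ok := a.Users[req.IdentityIndex]
	if !ok {
		return Envelope{}, errors.New("unknown identity index")
	}
	second := map[string]string{} // data minimisation: only what the service party registered for
	for _, f := range req.RequiredFields {
		v, ok := user[f]
		if !ok {
			return Envelope{}, fmt.Errorf("required field %q not available", f)
		}
		second[f] = v
	}
	plain, err := json.Marshal(second)
	if err != nil {
		return Envelope{}, err
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	// The service party identifier is bound as GCM additional data and as the OAEP label,
	// so an envelope replayed to a different service party fails to open.
	ct := gcm.Seal(nil, nonce, plain, []byte(req.ServiceID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.ServicePublic, key, []byte(req.ServiceID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{ServiceID: req.ServiceID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenIdentityInfo implements step S216 on the service party side with its private key.
func OpenIdentityInfo(priv *rsa.PrivateKey, serviceID string, env Envelope) (map[string]string, error) {
	if env.ServiceID != serviceID {
		return nil, errors.New("envelope addressed to another service party")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(serviceID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(serviceID))
	if err != nil {
		return nil, fmt.Errorf("open identity information: %w", err)
	}
	var out map[string]string
	if err := json.Unmarshal(plain, &out); err != nil {
		return nil, err
	}
	return out, nil
}
```

Binding the service party identifier into both the OAEP label and the GCM additional data means that the registration platform, which sees the identifier in clear for routing, cannot redirect the envelope to a different registered service party without the decryption failing, and a field the service party did not register for is never placed in the envelope at all.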
After obtaining the second identity information of the user, the service party can develop services according to the service logic thereof, for example, the internet bar can judge whether the age of the user meets the standard, the hotel can register for check-in based on the name and the identification card number of the user, and the like.
As can be seen from the above description, in a scenario where identity verification is required or identity information is provided on-line, a user need not hand an identity document to a staff member of a business party, but may display a two-dimensional code through a trusted application. The service party obtains the required identity information by scanning the two-dimensional code. In the process, a common registration platform is introduced to achieve interconnection between different service parties and different trusted applications. Each trusted application and each business party registers with the registration platform and sends out various requests; the registration platform generates two-dimensional codes according to the requests, maintains the mapping and parsing between registration information and code strings, and forwards the identity information provided by the trusted application to the business party. Before requesting generation of the two-dimensional code, the trusted application first sends the identity information of the user to a third party verification source for verification, so that the accuracy and authority of the provided identity information are guaranteed.
As known to those skilled in the art, trusted applications generally include clients and servers. The client may be, for example, an App (e.g., payment device App) installed on a mobile terminal, or an application software client on a PC, or may be software loaded by an off-line tool, such as a dedicated software installed in a dedicated PC of a hotel facility. In the method shown in fig. 2, the interaction between the trusted application and the user is performed by the client. For example, in step S201, the user issues a verification request through the client, such as clicking on the corresponding option in the client interface. In one embodiment, the client forwards the verification request to the server. At step S202, according to one embodiment, at least a portion of the first identity information of the user may be collected or received by the client. As previously described, in some embodiments, step S202 may also be performed by the server, where the server obtains the first identity information by reading the pre-stored identity information (including the trusted credential and/or other identity information). In addition, after the trusted application receives the two-dimensional code information of the registration platform, the two-dimensional code is displayed through the client. The other steps, namely the interaction step of the trusted application and the verification source and the interaction step of the trusted application and the registration platform, are executed through the server.
Fig. 3 illustrates a method of obtaining secure identity information according to another embodiment. In contrast to the method shown in fig. 2, the method of fig. 3 further includes the optional step in which the user applies to a third party trusted verification source for a trusted credential, and the optional step in which the trusted application authenticates the user and performs access control.
As previously mentioned, a trusted credential is an electronic credential issued by a trusted verification source to a user to prove its identity. Steps S101 to S105 of fig. 3 illustrate the process of generating trusted credentials in one embodiment.
As shown, first, in step S101, a user applies for obtaining a trusted credential through a trusted application.
Then, in step S102, the trusted application collects verification identity information of the user. The verification identity information is set according to verification requirements of a trusted verification source. In general, authentication at the time of issuing a trusted electronic certificate is authentication of a high security level, and thus comprehensive identity information is required. The verification identity information of the user may be collected in a number of ways.
In one embodiment, in step S102, card information and identity content information of the user id card are read through the NFC function of the terminal and the corresponding control, where the card information is information of the physical card of the id card itself, and is used to identify and distinguish between entity cards, such as DN numbers in the second-generation id card chip. The identity content information is readable and visible information on the identity card, such as a user name, an identity card number, a validity period and the like displayed on the identity card. In addition, the camera is also used for collecting the face information. These pieces of information are used together as the verification identity information described above.
In another embodiment, driver's license-related information manually input by the user is received as the above verification identity information.
In a further embodiment, card information of the user identity card, such as a chip DN number, is read through the NFC function of the terminal and the corresponding control; collecting the ID card number, name and ethnic information by a manual input mode of a user; and acquiring face information by using a camera. These pieces of information are used together as the verification identity information described above.
Then, in step S103, the trusted application sends verification identity information to the verification source.
Next, in step S104, the verification source generates a trusted credential based on the verification identity information.
In one embodiment, the verification source hashes verification identity information of the user, thereby generating a trusted credential. In another embodiment, each request for applying a trusted credential from a verification source has a serial number, the verification source combines the serial number with verification identity information, and hashes the combined result, thereby generating the trusted credential.
Then, in step S105, the verification source returns the generated trusted credential to the trusted application.
Although only one verification source is shown in the illustration above, there may be more than one. The case of multiple verification sources is described below taking two verification sources as an example.
In the case where the verification source includes a first verification source and a second verification source, the verification identity information may be divided into first verification information required by the first verification source and second verification information required by the second verification source. In step S103, the first verification information is transmitted to the first verification source, and the second verification information is transmitted to the second verification source.
For example, in one example, the first verification source is the public security CTID platform and the second verification source is a population database. Accordingly, the first verification information may include identity card information, identity card number, name, face information, etc., and the second verification information may include ethnicity information. Thus, the identity card information, identity card number, name, face information and the like can be sent to the public security CTID platform, and the ethnicity information can be sent to the population database for verification.
After verification, each verification source generates a respective certificate, and the respective certificate is returned to the application. Thus, at step S104, the trusted application receives a first credential from a first verification source and a second credential from a second verification source. Further, the trusted application merges the first credential and the second credential, thereby generating a trusted credential desired by the user.
In addition, it should be noted that, in the example of fig. 3, the trusted application utilized by the user to apply for the trusted credential is the same application as the trusted application that subsequently displays the two-dimensional code in the business side scenario. However, this is not necessary. The user may apply for obtaining the trusted credential through another application.
In one embodiment, a user displays a two-dimensional code through a first application and provides identity information according to the method shown in fig. 2; before this, the user applies for the trusted credential through a second application. The second application may be another trusted application that interfaces with the verification source, such as a dedicated application used when a bank opens an account.
In one embodiment, the terminal where the second application is located is provided with a dedicated tool, so that the verification identity information of the user can be collected conveniently. For example, a banking system is equipped with an identity card reader that reads the card information of an identity card, and with a dedicated camera that collects face information. In such a case, the second application may use the dedicated tool to collect the verification identity information, send it to the verification source for verification, and generate the trusted credential.
After the second application obtains the trusted credential, it may be stored in a secure storage area of the user terminal, or a secure interface API may be provided for other applications to call.
In step S202 shown in fig. 2, in the case where the first application needs to read the trusted credential, the first application may read the trusted credential from the secure storage area of the user terminal, or call the second application through the API to read the trusted credential.
It is to be appreciated that, generally, the application for and generation of the trusted credential is optional and is performed before the user requests identity verification. After the user requests identity verification, the trusted credential is simply used as part of the first identity information that needs verification.
In one embodiment, in the case that the user requests identity verification according to the requirement of the service party, the trusted application itself first authenticates the user's access, and judges at the application level whether the user has authority to perform the identity verification.
As shown in fig. 3, in step S201, the user issues a verification request to the trusted application, for example, opens a payment application, enters a "card package" service, and invokes the electronic identification card therein.
In step S2011, the trusted application issues an application authentication request to the user, for example, an interface is presented to the user that requires the user to input authentication information. The authentication information may be, for example, an account password, a face, a fingerprint, etc.
Next, in step S2012, authentication information input by the user is received, for example, the user manually inputs an account password, or a face is photographed with a camera, or a fingerprint is entered, or the like.
Then, in step S2013, the trusted application performs application authentication on the current operation of the user based on the authentication information entered by the user. For example, it is compared whether the information entered by the user is the same as the information previously recorded in the trusted application.
If the application authentication is not passed, the user is denied access. In one embodiment, a prompt is also returned to the user, such as "no access rights" or "login failed".
In case the application authentication passes, the subsequent steps are performed. This includes, in step S202, acquiring first identity information, followed by steps S203-S216. The implementation manner of these steps is the same as that shown in fig. 2, and will not be described here again.
As described above, in the method of fig. 2, interconnection and interworking among a plurality of applications and a plurality of service parties are achieved through a common registration platform. In practice, the registration platform may be located in the same physical entity as the server side of a particular application, for example integrated into a payment application server. The registration platform may nevertheless still receive registration information from other applications and generate two-dimensional codes for them.
Fig. 4 illustrates a method of acquiring secure identity information according to another embodiment. In the embodiment of fig. 4, the registration platform is located in the same physical entity as a particular application and is therefore simply shown as "trusted application + registration platform". The entity in which the trusted application and the registration platform are located together is hereinafter referred to as a unified server.
In such a case, the registration platform may still interface with multiple trusted applications, including the specific application located locally and other applications. Each trusted application still initiates a registration request for verification of a certain user identity to the registration platform via registration information. In one embodiment, the registration information may include a specific field (hereinafter referred to as a first field) indicating whether the trusted application that originated the request is the trusted application local to the registration platform.
Assume that the registration platform receives registration information from a first application, the registration information including a first field. In case the first field has a first value (e.g. a value of 1) it is indicated that the first application is a specific application local to the registration platform, and in case the first field has a second value (e.g. a value of 0) it is indicated that the first application is not a specific application local.
If the first field has a second value, i.e. the registration information received by the registration platform is from a non-native trusted application, then the subsequent steps are performed in accordance with the communication interaction as shown in fig. 2.
If the first field has the first value, i.e. the registration information received by the registration platform is from the local trusted application, the interaction between the registration platform and the trusted application may be performed locally, i.e. inside the unified server as shown in fig. 4.
Specifically, after the registration platform generates the two-dimensional code, the two-dimensional code information may be provided locally to the application logic of the trusted application. Accordingly, steps S206 to S208 in fig. 2 may be performed inside the unified server, as fig. 4 shows for the step of generating the two-dimensional code.
After the registration platform receives the identity request information from the business party, the request may be provided locally to the application logic of the trusted application. After the trusted application prepares the secure identity information in its application logic, the registration platform obtains the secure identity information locally from that application logic. That is, steps S211 to S214 in fig. 2 may be performed inside the unified server, as shown in fig. 4.
The other steps, such as the identity verification steps S201 to S205 and the interaction steps with the business party, are the same as those shown in fig. 2 and will not be repeated.
By the method in the embodiment shown in fig. 2 to fig. 4, in the case that identity verification is required, a user displays the two-dimensional code generated by the registration platform for the user through a trusted application, and a service party obtains required identity information from the registration platform by scanning the two-dimensional code. Before the two-dimension code is requested to be generated, the trusted application firstly sends the identity information of the user to a third party verification source for verification, so that the accuracy and the authority of the identity information are ensured. In the process, interconnection and intercommunication between different service parties and different trusted applications are realized through the registration platform, so that the service parties do not need to pay attention to which application is used by a user to provide identity information, and verification is more flexible and convenient.
The process of acquiring secure identity information involves multi-party interaction among the trusted application, the registration platform and the business party. The apparatus of each of these parties is described below.
Fig. 5 shows a schematic block diagram of an apparatus for providing secure identity information, which apparatus is deployed at a trusted application server according to one embodiment. As shown in fig. 5, the apparatus 500 includes:
a first information acquisition unit 51 configured to acquire first identity information required for verification in response to a first request for requesting identity verification from a user;
a first information transmitting unit 52 configured to transmit the first identity information to a third party trusted verification source for verification;
a registration information transmitting unit 53 configured to transmit registration information for registration to a registration platform, the registration information including an identity index of the user, the identity index being generated based on at least a part of the first identity information that has been verified;
a two-dimensional code receiving unit 54 configured to receive the two-dimensional code information returned by the registration platform, for displaying the corresponding two-dimensional code to be scanned;
a second request receiving unit 55, configured to receive a second request sent by the registration platform, where the second request includes the identity index, identification information of a first service party that scanned the two-dimensional code, second identity information required by the first service party, and a public key of the first service party;
an identity information generating unit 56 configured to generate secure identity information, where the secure identity information includes identification information of the first service party and encryption information, where the encryption information is obtained by encrypting second identity information of the user corresponding to the identity index by using a public key of the first service party;
an identity information sending unit 57 configured to send the secure identity information to the registration platform, so that the registration platform routes the encrypted information to the first service party according to the identification information of the first service party.
In one embodiment, the apparatus 500 further comprises an authentication unit (not shown) configured to: sending an application authentication request of a trusted application to the user; receiving authentication information input by a user; and carrying out application authentication based on the authentication information. In such a case, the first information acquisition unit 51 is configured to acquire the first identity information in the case where the application authentication by the authentication unit passes.
In one embodiment, the first information obtaining unit 51 is configured to collect the first identity information through a terminal where a client of the trusted application is located.
Further, the first information obtaining unit 51 may collect face information through a camera on the terminal; and/or read the identity card information through the NFC function of the terminal and a control built on that NFC function.
In yet another embodiment, the first information obtaining unit 51 is configured to receive, by a client of the trusted application, input information of a user, where the input information includes a user name and an identification card number.
In another embodiment, the first information obtaining unit 51 may also read a pre-generated trusted credential.
According to one embodiment, the apparatus 500 may further comprise a credential acquisition unit 50, the trusted credential being pre-generated by the credential acquisition unit 50, the credential acquisition unit 50 being configured to: acquiring verification identity information of a user; sending the verification identity information to a third party trusted verification source; and receiving the trusted credential generated by a third party trusted verification source based on the verification identity information.
According to one embodiment, the third party trusted verification source comprises a first verification source and a second verification source; the credential acquisition unit 50 is configured to:
acquire first verification information and second verification information as the verification identity information;
transmit the first verification information to the first verification source and the second verification information to the second verification source;
receive a first credential from the first verification source and a second credential from the second verification source;
and combine the first credential and the second credential, thereby generating the trusted credential.
In one embodiment, the apparatus 500 further comprises a registration information generating unit (not shown) that generates the identity index in one of the following ways:
taking the verified first identity information as the identity index;
taking a part of the verified first identity information as the identity index;
encrypting or hashing the verified first identity information and taking the operation result as the identity index;
or encrypting or hashing a part of the verified first identity information and taking the operation result as the identity index.
In one embodiment, the identity information generating unit 56 is configured to determine the corresponding user according to the identity index; acquiring second identity information of the user; and encrypting the second identity information of the user by using the public key of the first service party to obtain the encrypted information.
Fig. 6 shows a schematic block diagram of an apparatus for obtaining secure identity information, the apparatus deployed at a registration platform, according to one embodiment. As shown in fig. 6, the apparatus 600 includes:
a registration information receiving unit 61 configured to receive registration information from a first application, the registration information including an identity index of a user in the first application, the identity index being generated based on at least a part of first identity information of the user verified by a third party trusted verification source;
a two-dimensional code generating unit 62 configured to generate two-dimensional code information according to the identity index and the application information of the first application, and return the two-dimensional code information to the first application;
an identity request receiving unit 63 configured to receive identity request information from a first service party, where the identity request information is generated by the first service party by scanning a two-dimensional code corresponding to the two-dimensional code information, and includes the two-dimensional code information and service index information of the first service party, where the service index information corresponds to service registration information submitted by the first service party to the registration platform in advance;
a determining unit 64, configured to determine, according to the two-dimensional code information included in the identity request information, application information of the identity index and the first application, and determine, according to the service index information, service registration information of a first service party, including identification information of the first service party, second identity information required by the first service party, and a public key of the first service party;
a second request sending unit 65 configured to send a second request to the first application, the second request including the identity index, the identification information of the first service party, the second identity information, and a public key of the first service party;
an identity information receiving unit 66 configured to receive, from the first application, secure identity information, the secure identity information including identification information of the first service party, and encryption information obtained by encrypting, by the first application, second identity information of a user corresponding to the identity index using a public key of the first service party;
an encryption information transmitting unit 67 configured to transmit the encryption information to the first service party according to the identification information of the first service party.
In one embodiment, the two-dimensional code information generated by the two-dimensional code generating unit 62 includes:
a URL address pointing to the identity index and the application information of the first application; or
an encoded code string carrying the identity index and the application information of the first application.
According to one embodiment, the determining unit 64 is configured to determine, according to a URL address included in the two-dimensional code information, the identity index to which the URL address points and the application information of the first application; or to parse the code string included in the two-dimensional code information to obtain the identity index and the application information of the first application.
According to one embodiment, the registration information received by the registration information receiving unit 61 further includes a timeout period; in this case, the two-dimensional code generating unit 62 is configured to regenerate the two-dimensional code information each time the timeout period elapses.
In one embodiment, the encryption information transmitting unit 67 is configured to:
extracting identification information of the first service party and encryption information from the security identity information received by the identity information receiving unit 66;
determining a destination address of the first service party according to the identification information of the first service party;
and sending the encryption information to the terminal corresponding to the first service party according to the destination address.
According to one embodiment, the apparatus 600 is located in the same physical entity as the server side of the particular application (e.g., the apparatus 500 of FIG. 5).
In this case, the registration information received by the registration information receiving unit 61 includes a first field indicating that the first application is the specific application located in the same physical entity as the apparatus 600 in the case where the first field has a first value, and indicating that the first application is not the specific application in the case where the first field has a second value.
In one embodiment, the first field has a first value, that is, the apparatus 600 and the server side of the first application are located in the same physical entity, in which case the two-dimensional code generating unit 62 is configured to provide the two-dimensional code information locally to the application logic of the first application; the second request sending unit 65 is configured to provide locally a second request to the application logic of the first application; and, the identity information receiving unit 66 is configured to obtain the secure identity information locally from the application logic of the first application.
Fig. 7 shows a schematic block diagram of an apparatus for obtaining secure identity information, deployed at a business party requiring secure identity information, according to one embodiment. As shown in fig. 7, the apparatus 700 includes:
a two-dimensional code reading unit 71 configured to read a user two-dimensional code that a user displays through a first application, and to obtain the corresponding two-dimensional code information, wherein the two-dimensional code information is generated by a registration platform according to an identity index of the user and application information of the first application, and the identity index is generated based on at least a part of first identity information of the user verified by a third party trusted verification source;
an identity request sending unit 72 configured to send identity request information to the registration platform, where the identity request information includes the two-dimensional code information and service index information of the service party, where the service index information corresponds to service registration information submitted in advance to the registration platform by the service party, and the service registration information includes identification information of the service party, second identity information required by the service party, and a public key of the service party;
an encrypted information receiving unit 73 configured to receive encrypted information from a registration platform, the encrypted information being obtained by encrypting, by the first application, second identity information of the user using the public key;
a decryption unit 74 configured to decrypt the encrypted information to obtain second identity information of the user.
In one embodiment, the identity request sending unit 72 is configured to:
determining a platform address of the registration platform by parsing the user two-dimensional code;
combining the two-dimensional code information and the service index information of the service party into the identity request information;
and sending the identity request information to the registration platform according to the platform address.
According to one embodiment, the decryption unit 74 is configured to decrypt the encrypted information using the private key of the service party.
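The exchange among the three apparatuses described above (trusted application server 500, registration platform 600, service party 700), as an added Go example that is not part of the patent: the identity index is derived by hashing verified fields, the platform resolves the scanned code and the service index into the second request, the application encrypts only the second identity information the service party registered for under that party's public key, and the service party decrypts with its private key. The type and function names, the "<app info>:<identity index>" code string format and all sample values are assumptions; the patent does not name the public-key algorithm, so RSA-OAEP stands in here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// identityIndex hashes selected verified fields (hashing option of the registration information generating unit).
func identityIndex(verified map[string]string, fields []string) string {
	var buf []byte
	for _, f := range fields {
		buf = append(buf, f+"="+verified[f]+"\n"...)
	}
	return fmt.Sprintf("%x", sha256.Sum256(buf))
}

// ServiceRegistration is filed with the platform in advance and looked up by service index.
type ServiceRegistration struct {
	ID       string         // identification information, used only for routing
	Required []string       // second identity information the service party needs
	PubKey   *rsa.PublicKey // key the application encrypts to
}

// Platform models apparatus 600: registrations and routing data, no identity fields.
type Platform struct {
	codes    map[string]string // two-dimensional code string -> identity index
	services map[string]ServiceRegistration
}

// Register (units 61-62) stores the identity index and returns the code string; the "<app>:<index>" format is assumed.
func (p *Platform) Register(appInfo, idx string) string {
	code := appInfo + ":" + idx
	p.codes[code] = idx
	return code
}

// IdentityRequest (units 63-65) resolves a reported scan into the contents of the second request.
func (p *Platform) IdentityRequest(code, serviceIndex string) (string, ServiceRegistration, error) {
	idx, okCode := p.codes[code]
	svc, okSvc := p.services[serviceIndex]
	if !okCode || !okSvc {
		return "", ServiceRegistration{}, fmt.Errorf("unknown code or unregistered service party")
	}
	return idx, svc, nil
}

// TrustedApp models apparatus 500: verified identity fields keyed by identity index.
type TrustedApp struct{ users map[string]map[string]string }

// SecureIdentity (unit 56): only the fields the service party registered for, RSA-OAEP to its key, service id as label.
func (a *TrustedApp) SecureIdentity(idx string, svc ServiceRegistration) (string, []byte, error) {
	user := a.users[idx] // nil for an unknown index; every field lookup below then fails
	second := map[string]string{}
	for _, f := range svc.Required {
		v, ok := user[f]
		if !ok {
			return "", nil, fmt.Errorf("identity index unknown or field %q not held", f)
		}
		second[f] = v
	}
	plain, _ := json.Marshal(second)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, svc.PubKey, plain, []byte(svc.ID))
	return svc.ID, ct, err // service id in clear for routing, identity data only as ciphertext
}

// RunFlow runs the exchange on constructed data and returns what the service party decrypts (unit 74).
func RunFlow() (map[string]string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the service party's key pair
	if err != nil {
		return nil, err
	}
	platform := &Platform{codes: map[string]string{}, services: map[string]ServiceRegistration{}}
	platform.services["svc-idx-001"] = ServiceRegistration{ // constructed service registration
		ID: "hotel-frontdesk", Required: []string{"name", "id_number"}, PubKey: &priv.PublicKey}
	verified := map[string]string{"name": "SAMPLE NAME", "id_number": "SAMPLE-ID-0001", "ethnicity": "SAMPLE"} // constructed
	idx := identityIndex(verified, []string{"name", "id_number"})
	app := &TrustedApp{users: map[string]map[string]string{idx: verified}}
	code := platform.Register("trusted-app-v1", idx) // shown to the user, scanned by the service party
	idx, svc, err := platform.IdentityRequest(code, "svc-idx-001")
	if err != nil {
		return nil, err
	}
	dest, ct, err := app.SecureIdentity(idx, svc) // the platform routes ct by dest alone (unit 67)
	if err != nil {
		return nil, err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(dest)) // service party, unit 74
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	return out, json.Unmarshal(plain, &out)
}

func main() { fmt.Println(RunFlow()) }
```

The "ethnicity" field is held by the application but never leaves it, since the service party did not register for it; the platform only ever handles the identity index and the ciphertext.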
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2 to 4.
According to an embodiment of yet another aspect, there is also provided a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method described in connection with fig. 2-4.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (15)

1. A method of providing secure identity information, the method performed by a trusted application server, comprising:
responding to a first request from a user for requesting identity verification, and acquiring first identity information required by verification;
the first identity information is sent to a third party trusted verification source for verification;
based on the verified information, registering the user with a registration platform, so as to obtain a two-dimensional code for the user;
receiving an identity request for the user, which is sent by a service party through the registration platform by scanning the two-dimensional code, and which requests the required second identity information;
and returning second identity information to the service party through the registration platform.
2. The method of claim 1, wherein prior to obtaining the first identity information required for the verification, further comprising:
sending an application authentication request of the trusted application to the user;
receiving authentication information input by a user;
performing application authentication based on the authentication information;
and under the condition that the application authentication passes, acquiring the first identity information.
3. The method of claim 1, wherein the obtaining the first identity information required for verification includes collecting the first identity information by a terminal at which a client of the trusted application is located.
4. A method according to claim 3, wherein collecting the first identity information comprises one or more of:
acquiring face information through a camera on the terminal;
and reading the identity card information through the NFC function of the terminal and the control on the NFC function.
5. The method of claim 1, wherein obtaining the first identity information required for verification comprises receiving, by a client of the trusted application, input information of a user.
6. The method of any of claims 1-5, wherein the obtaining the first identity information required for verification includes reading a pre-generated trusted credential.
7. A method of obtaining secure identity information, the method performed by a registration platform, comprising:
receiving registration information, wherein the registration information is sent based on verified information after the trusted application sends first identity information of a user to a third party verification source for verification;
generating a two-dimensional code for the user, and returning the two-dimensional code to the trusted application;
in response to the service party scanning the two-dimensional code, sending an identity request for the user to the trusted application, requesting the required second identity information;
and returning the second identity information from the trusted application to the service party.
8. The method of claim 7, wherein the registration information includes a timeout time, and the generating the two-dimensional code for the user includes regenerating the two-dimensional code every the timeout time.
9. The method of claim 7, wherein the registration platform is located in the same physical entity as the server side of the trusted application;
returning the two-dimensional code to the trusted application comprises locally providing the two-dimensional code to application logic of the trusted application;
issuing an identity request for the user to a trusted application includes locally providing the identity request to application logic of the trusted application;
returning the second identity information from the trusted application to the business party includes locally obtaining the second identity information from application logic of the trusted application and returning it to the business party.
10. A method of obtaining secure identity information, the method performed by a business party, comprising:
the method comprises the steps of sending an identity request aiming at a user to a trusted application through a registration platform by scanning a user two-dimensional code displayed by the user through the trusted application, and requesting to acquire second identity information; the two-dimensional code is generated by the registration platform in response to the trusted application registering with the registration platform based on verified information, wherein the verified information is identity information verified by a third party trusted verification source;
and obtaining the second identity information returned by the trusted application through the registration platform.
11. A method of providing secure identity information, comprising:
the trusted application acquires first identity information of the user and sends the first identity information to a third party verification source for verification;
after the verification is passed, the trusted application registers with a registration platform based on verified information, so that a two-dimensional code for the user is obtained;
the service party scans the two-dimensional code, and sends an identity request aiming at the user to the trusted application through the registration platform based on the two-dimensional code to request for acquiring the required second identity information;
the trusted application returns second identity information to the business party via the registration platform.
12. An apparatus for providing secure identity information, deployed in a trusted application server, comprising:
a first information acquisition unit configured to acquire first identity information required for verification in response to a first request for requesting identity verification from a user;
the first information sending unit is configured to send the first identity information to a third party trusted verification source for verification;
the registration unit is configured to register with the registration platform based on the verified information, so that a two-dimensional code for the user is obtained;
a request receiving unit configured to receive an identity request for the user, which is sent by the service party through the registration platform by scanning the two-dimensional code, and which requests the required second identity information;
and the sending unit is configured to return the second identity information to the business party through the registration platform.
13. An apparatus for obtaining secure identity information deployed in a registration platform, comprising:
a registration receiving unit configured to receive registration information, wherein the registration information is sent based on verified information after a trusted application sends first identity information of a user to a third party verification source for verification;
the two-dimensional code generation unit is configured to generate a two-dimensional code for the user and return the two-dimensional code to the trusted application;
the request unit is configured to respond to the two-dimensional code scanned by the service party, send an identity request aiming at the user to the trusted application and request to acquire the required second identity information;
and the information return unit is configured to return second identity information from the trusted application to the service party.
14. An apparatus for obtaining secure identity information, deployed in a service party, comprising:
the request unit is configured to send an identity request aiming at the user to the trusted application through the registration platform by scanning the user two-dimensional code displayed by the user through the trusted application, and request to acquire second identity information; the two-dimensional code is generated by the registration platform in response to the trusted application registering with the registration platform based on verified information, wherein the verified information is identity information verified by a third party trusted verification source;
and a receiving unit configured to obtain the second identity information returned by the trusted application through the registration platform.
15. A computing device comprising a memory and a processor, wherein the memory has executable code stored therein, which when executed by the processor, implements the method of any of claims 1-11.
Application CN202310777349.5A, priority date 2018-11-16, filing date 2018-11-16: Method and device for providing and acquiring safety identity information; status Pending; publication CN116723027A (en).

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201811365789.5A Division CN109598663B (en) 2018-11-16 2018-11-16 Method and device for providing and acquiring safety identity information

Publications (1)

Publication Number Publication Date
CN116723027A true CN116723027A (en) 2023-09-08

Family

ID=65957584

Country Status (1)

Country Link
CN (2) CN116723027A (en)

Also Published As

Publication number Publication date
CN109598663A (en) 2019-04-09
CN109598663B (en) 2023-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination