CN117009948A - Identity credential sharing method, device, equipment and storage medium - Google Patents


Info

Publication number: CN117009948A
Authority: CN (China)
Prior art keywords: application, identity, signature value, key pair, credentials
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202311043428.XA
Priority application: CN202311043428.XA
Other languages: Chinese (zh)
Inventors: 李子阳, 张伟春, 胡小利
Current Assignee: Weway Shenzhen Network Technology Co ltd (the listed assignees may be inaccurate)
Original Assignee: Weway Shenzhen Network Technology Co ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                • G06F21/31 User authentication
                    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
                • G06F21/45 Structures or tools for the administration of authentication
                    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
        • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                • G06F9/46 Multiprogramming arrangements
                    • G06F9/54 Interprogram communication
                        • G06F9/543 User-generated data transfer, e.g. clipboards, dynamic data exchange [DDE], object linking and embedding [OLE]


Abstract

The application relates to a method, apparatus, device and storage medium for sharing identity credentials. The method comprises the following steps: a first application determines the number information of the identity credentials held by a second application; the first application determines the identity credentials to be synchronized according to the number information and acquires user information; the first application requests the background service to verify the user information, and after the verification passes the background service returns a first signature value and the original data corresponding to the first signature value to the first application; the first application requests the second application to verify the first signature value and the original data, and after the verification passes the second application sends the authorization file of the identity credentials to be synchronized to the first application; the first application requests the cryptographic service module to decrypt the authorization file of the identity credentials to obtain the plaintext of the identity credentials. The application thereby enables identity credentials to be shared among different applications.

Description

Identity credential sharing method, device, equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a storage medium for sharing identity credentials.
Background
Currently, in some usage scenarios of user identity credentials (for example, the identity credentials of a trusted communication application), the credentials can only be used by the trusted communication application itself. A user's identity credentials attest to the legitimacy of the user's identity, yet once they are downloaded to the user's terminal device their use is restricted to the trusted communication application, and other applications on the terminal that integrate the trusted communication SDK cannot use the downloaded credentials.
Therefore, how to share identity credentials across applications has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, the present application provides a method, apparatus, device and storage medium for sharing identity credentials, which aims to solve the above technical problems.
In a first aspect, the present application provides a method for sharing identity credentials, the method comprising:
the first application determines the number information of the identity credentials held by the second application;
the first application determines the identity credentials to be synchronized according to the number information and acquires user information;
the first application requests the background service to verify the user information, so that after the verification passes the background service returns a first signature value and the original data corresponding to the first signature value to the first application;
the first application requests the second application to verify the first signature value and the original data, so that after the verification passes the second application sends the authorization file of the identity credentials to be synchronized to the first application;
the first application requests the cryptographic service module to decrypt the authorization file of the identity credentials to obtain the plaintext of the identity credentials.
In a second aspect, the present application provides an identity credential sharing device, the device comprising:
a determination module, used by the first application to determine the number information of the identity credentials held by the second application;
an acquisition module, used by the first application to determine the identity credentials to be synchronized according to the number information and to acquire user information;
a verification module, used by the first application to request the background service to verify the user information, so that after the verification passes the background service returns a first signature value and the original data corresponding to the first signature value to the first application;
a sending module, used by the first application to request the second application to verify the first signature value and the original data, so that after the verification passes the second application sends the authorization file of the identity credentials to be synchronized to the first application;
a decryption module, used by the first application to request the cryptographic service module to decrypt the authorization file of the identity credentials to obtain the plaintext of the identity credentials.
In a third aspect, the present application provides an electronic device comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other via the communication bus;
the memory is used for storing a computer program;
the processor is used for implementing the identity credential sharing method according to any embodiment of the first aspect when executing the program stored in the memory.
In a fourth aspect, a computer-readable storage medium is provided on which a computer program is stored which, when executed by a processor, implements the identity credential sharing method according to any embodiment of the first aspect.
Compared with the prior art, the technical solution provided by the embodiments of the application has the following advantages:
the application enables identity credentials to be shared between different applications. Because the authorization file is only ever transmitted between applications on the same device, and because the first application and the second application use the same cryptographic service module, the cryptographic service module and the several applications are guaranteed to be on the same device. The key pair initialized in the cryptographic service module that protects the authorization file, together with the independently running cryptographic service module, provides double protection when different applications share identity credentials, which improves the security of the credentials during sharing.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flow chart of an embodiment of the identity credential sharing method of the present application;
FIG. 2 is a flow chart of the second application downloading identity credentials for the first time, according to an embodiment of the present application;
FIG. 3 is a flow chart of the second application downloading identity credentials on a subsequent (non-first) occasion, according to an embodiment of the present application;
FIG. 4 is a block diagram of a preferred embodiment of the identity credential sharing device of the present application;
FIG. 5 is a schematic diagram of an electronic device according to a preferred embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The following disclosure provides many different embodiments, or examples, for implementing different structures of the application. In order to simplify the present disclosure, components and arrangements of specific examples are described below. They are, of course, merely examples and are not intended to limit the application. Furthermore, the present application may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.
The application provides a method for sharing identity credentials. Referring to fig. 1, a flow chart of an embodiment of the identity credential sharing method of the present application is shown. The method may be performed by an electronic device (e.g., a terminal), implemented in software and/or hardware. The identity credential sharing method comprises the following steps:
step S11: the first application determines the number information of the identity credentials held by the second application;
step S12: the first application determines the identity credentials to be synchronized according to the number information and acquires user information;
step S13: the first application requests the background service to verify the user information, so that after the verification passes the background service returns a first signature value and the original data corresponding to the first signature value to the first application;
step S14: the first application requests the second application to verify the first signature value and the original data, so that after the verification passes the second application sends the authorization file of the identity credentials to be synchronized to the first application;
step S15: the first application requests the cryptographic service module to decrypt the authorization file of the identity credentials to obtain the plaintext of the identity credentials.
In the present application, the first application may be an application program that integrates the SDK package of the second application. If the second application is a trusted communication application (for example, a trusted communication APP), the first application is an application program that integrates the SDK package for the trusted communication function, for example a 5G SMS or 5G message APP that integrates the trusted communication SDK. A trusted communication application is an application with a high degree of reliability and security in the communication process. The present application enables the first application to share the identity credentials of the second application. In practical scenarios, the first application and the second application may also be application types other than communication applications, for example e-commerce applications or information applications, which are not limited here.
After the first application is started and needs to use an identity credential, it checks whether an identity credential exists in the local storage space corresponding to the first application (each application program has its own local storage space in the operating system). If the first application's local storage space holds no identity credential, the first application requests the second application to check whether identity credentials exist, that is, to check whether identity credentials exist in the local storage space corresponding to the second application. If the second application finds identity credentials in its local storage space, it returns the number information of the identity credentials to the first application, at which point the first application knows the number of identity credentials held by the second application.
After the first application determines the number information of the second application's identity credentials, a prompt stating how many identity credentials were detected is shown on the human-computer interaction interface of the terminal, asking the user whether the identity credentials need to be synchronized. If the user chooses to synchronize, the interface jumps to an information input interface where the user can enter user information, which the first application then acquires. The user information may be the user's name, identity card number, mobile phone number and SMS verification code.
After the first application acquires the user information, it requests the background service to verify it; the background service verifies the user's name, identity card number, mobile phone number and SMS verification code and, after the verification passes, returns a background signature value (denoted the first signature value) together with the original data that the signature covers to the first application. The first signature value is obtained by signing the original data with the private key of the trusted communication system's identity credential (generated at system deployment). The original data corresponding to the first signature value comprises: a hash value obtained by hashing the name, identity card number, mobile phone number and timestamp with the SM3 algorithm, the timestamp, the key of the first application, the package name of the first application, a signature value over the package name of the first application, and so on.
After the first application obtains the first signature value and its original data from the background service, it requests the second application to verify the first signature value and the original data; after the verification passes, the second application sends the authorization file of the identity credentials to be synchronized to the first application.
After the first application obtains the authorization file of the identity credential, it requests the cryptographic service module to decrypt the authorization file to obtain the plaintext of the identity credential, for example by requesting decryption with a key initialized in the cryptographic service module. The cryptographic service module may be a super SIM card module, a secure element module or a cryptographic operation application module. A cryptographic service module is a software or hardware module that runs independently and provides cryptographic algorithms as well as key generation and destruction.
Specifically, the first application requesting the cryptographic service module to decrypt the authorization file of the identity credential to obtain its plaintext comprises:
the first application requests the cryptographic service module to decrypt the encrypted plaintext key in the authorization file with the private key of the first key pair, obtaining the decrypted plaintext key;
the first application requests the cryptographic service module to decrypt the name information of the identity credential in the authorization file with the decrypted plaintext key, obtaining the plaintext of the name information of the identity credential.
The first key pair is a key pair (e.g., a public-private key pair named chaken) initialized in the cryptographic service module, generated before the second application first downloads an identity credential. The cryptographic service module decrypts the encrypted plaintext key in the authorization file with the private key of the first key pair (the encrypted plaintext key is a random SM4 key in encrypted form, i.e. the encrypted SM4 key), obtaining the decrypted plaintext key (the decrypted SM4 key); it then decrypts the name information of the identity credential with this plaintext key, obtains the plaintext of the name information, and returns it to the first application.
The first application stores the data returned by the cryptographic service module in its local storage. The returned data also includes the hash value obtained by hashing the name, identity card number, mobile phone number and timestamp with the SM3 algorithm, the timestamp, the key of the first application, the package name of the first application, the signature value over the package name of the first application, and so on.
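As an added illustration, not code from the patent or from its assignee, the following Python reproduces the hash-binding part of the original data described for steps S13 and S14: an SM3 implementation written here from the public GB/T 32905 specification, the digest over name, identity card number, mobile phone number and timestamp, and the checks the second application can apply to the record (app key, package name, freshness, hash match) before it releases the authorization file. The "|" field separator, the UTF-8 encoding, the five-minute freshness window, the function names and all sample values are assumptions made for this example; the SM2 signature over the record is assumed to be verified separately by the caller.

```python
import hmac
import struct
import time

# SM3 hash (GB/T 32905-2016), written here from the public specification so the
# example runs on a plain Python interpreter without third-party packages.
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(v, block):
    # Message expansion: W[0..67], then W'[j] = W[j] ^ W[j+4] for j in 0..63.
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        p1 = x ^ _rotl(x, 15) ^ _rotl(x, 23)
        w.append(p1 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
        else:
            t = 0x7A879D8A
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & _MASK & g)
        a12 = _rotl(a, 12)
        ss1 = _rotl((a12 + e + _rotl(t, j)) & _MASK, 7)
        ss2 = ss1 ^ a12
        tt1 = (ff + d + ss2 + w1[j]) & _MASK
        tt2 = (gg + h + ss1 + w[j]) & _MASK
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))


def sm3(data: bytes) -> bytes:
    """SM3 digest of data: pad to 512-bit blocks and run the compression."""
    bit_len = len(data) * 8
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", bit_len)
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)


FRESHNESS_WINDOW_SECONDS = 300  # assumed replay window for this example


def user_info_digest(name, id_number, phone, timestamp):
    """SM3 over name + identity card number + mobile phone number + timestamp,
    the hash the page lists in the original data and in the authorization file.
    The '|' separator and UTF-8 encoding are assumptions of this example."""
    material = "|".join((name, id_number, phone, str(timestamp))).encode("utf-8")
    return sm3(material).hex()


def build_original_data(name, id_number, phone, app_key, package_name, timestamp=None):
    """Record the background service signs and returns to the first application
    (step S13). The separate signature value over the package name is left to the signer."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    return {
        "user_info_hash": user_info_digest(name, id_number, phone, ts),
        "timestamp": ts,
        "app_key": app_key,
        "package_name": package_name,
    }


def check_original_data(record, name, id_number, phone, expected_app_key,
                        expected_package_name, now=None):
    """Checks the second application can apply before releasing the authorization
    file (step S14), after it has verified the SM2 signature over the record:
    the record is bound to the requesting app, is fresh, and matches the user
    information the first application collected. Returns True only if all pass."""
    now = int(time.time()) if now is None else int(now)
    if record.get("app_key") != expected_app_key:
        return False
    if record.get("package_name") != expected_package_name:
        return False
    age = now - int(record.get("timestamp", 0))
    if not 0 <= age <= FRESHNESS_WINDOW_SECONDS:
        return False  # stale or dated in the future
    expected = user_info_digest(name, id_number, phone, record["timestamp"])
    return hmac.compare_digest(expected, record.get("user_info_hash", ""))


if __name__ == "__main__":
    # Constructed sample values for the demonstration; not real user data.
    rec = build_original_data("张三", "110101199001011234", "13800138000",
                              "demo-app-key", "com.example.firstapp", timestamp=1_700_000_000)
    print(rec)
    print(check_original_data(rec, "张三", "110101199001011234", "13800138000",
                              "demo-app-key", "com.example.firstapp", now=1_700_000_060))
```

The freshness check together with the package-name and app-key comparison is what stops a captured record from being replayed later or presented by a different application than the one the background service verified; the hash comparison uses a constant-time compare so the check itself leaks nothing about the expected digest.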
If the first application detects that its local storage space already holds the identity credential, step S40 may be executed periodically to update the identity credential.
The application enables identity credentials to be shared between different applications. Because the authorization file is only ever transmitted between applications on the same device, and because the first application and the second application use the same cryptographic service module, the cryptographic service module and the several applications are guaranteed to be on the same device. The key pair initialized in the cryptographic service module that protects the authorization file, together with the independently running cryptographic service module, provides double protection when different applications share identity credentials, which improves the security of the credentials during sharing.
Fig. 2 is a flow chart of the second application downloading identity credentials for the first time, according to an embodiment of the present application. Before the first application determines the number information of the second application's identity credentials, the method further comprises:
step S21: the second application requests the cryptographic service module to generate a first key pair;
step S22: the second application acquires the user information and requests the background service to verify it, so that after the verification passes the background service returns a second signature value to the second application;
step S23: after the second application verifies the second signature value, it requests the cryptographic service module to generate a second key pair;
step S24: the second application requests the background service and acquires the identity credential corresponding to the second key pair;
step S25: the second application generates the authorization file of the identity credential corresponding to the second key pair according to the first key pair.
Before the first application determines the number information of the second application's identity credentials, the second application needs to check whether identity credentials exist in its own local storage and, if not, to download them. When the second application downloads an identity credential for the first time, it requests the cryptographic service module to generate a first key pair (the public-private key pair named chaken), and the cryptographic service module returns the public key of the first key pair to the second application.
After the second application obtains the public key of the first key pair, the user can enter user information such as name, identity card number, mobile phone number, activation code, session code, company name and SMS verification code on the terminal interface. The second application acquires the user information and requests the background service to verify it. The background service first performs parameter checks (for example, whether fields are empty and whether length and format requirements are met) and then checks the accuracy of the name, identity card, enterprise name, SMS verification code, activation code and session code. After successful verification it returns a background signature value (denoted the second signature value) to the second application; the second signature value is obtained by signing the user information with the private key corresponding to the system's identity credential.
After the second application verifies the second signature value with the public key corresponding to the system's identity credential, it requests the cryptographic service module to generate a second key pair (the public-private key pair named S), and the cryptographic service module returns a P10 (PKCS#10 certificate request) named S to the second application.
The second application sends the user information, the P10 request and the second signature value to the background service; after the second signature value passes verification, the background service requests the CA to issue the identity credential corresponding to the second key pair named S and returns it to the second application.
The second application generates the authorization file of the identity credential corresponding to the name S according to the public key of the first key pair. Specifically, the second application generating the authorization file of the identity credential corresponding to the second key pair according to the first key pair comprises:
the second application encrypts the name information of the identity credential with the plaintext key;
the second application encrypts the plaintext key with the public key of the first key pair;
the authorization file of the identity credential corresponding to the second key pair is generated from the encrypted name information and the encrypted plaintext key.
That is, the second application encrypts the name information of the identity credential with the plaintext key, encrypts the plaintext key with the public key of the first key pair, and assembles the authorization file of the identity credential corresponding to the second key pair from the encrypted name information and the encrypted plaintext key. The content of the authorization file further includes: a timestamp; the hash value of the user information (obtained by hashing name + identity card number + mobile phone number + timestamp with the SM3 algorithm); the encrypted SM4 key (the SM4 key encrypted with the public key of chakey); the name of the public-private key pair, encrypted with the SM4 key; the number information of the identity credentials; the name information of the identity credentials; and so on.
Referring to fig. 3, a flow chart of the second application downloading identity credentials on a subsequent (non-first) occasion in an embodiment of the present application is shown. After the second application generates the authorization file of the identity credential corresponding to the second key pair according to the first key pair, the method further comprises:
step S31: the second application checks whether there are identity credentials that have not yet been downloaded;
step S32: if so, the second application requests the cryptographic service module to generate a third signature value with the private key of the first key pair;
step S33: the second application requests the background service to verify the third signature value, so that after the verification passes the background service returns a fourth signature value to the second application;
step S34: the second application verifies the fourth signature value and, after the verification passes, requests the cryptographic service module to generate a third key pair;
step S35: the second application requests the background service and acquires the identity credential corresponding to the third key pair;
step S36: the second application updates the authorization file with the identity credential corresponding to the third key pair.
After the second application generates the authorization file of the identity credential corresponding to the second key pair according to the first key pair, it checks whether there are identity credentials that have not yet been downloaded; that is, after the first download, the second application checks whether any identity credential remains undownloaded. If so, and if the user actively clicks to download, the second application requests the cryptographic service module to generate a third signature value over related data, and the cryptographic service module returns the third signature value to the second application. The related data comprises a timestamp, the unique identifier of the terminal device, the key of the second application (e.g., APPkey), and so on.
The second application sends the related data and the third signature value to the background service and requests the background service to verify the third signature value. The background service verifies the third signature value with the identity credential corresponding to the name S and, after verification, returns the related information together with a background signature value (denoted the fourth signature value) to the second application.
The second application verifies the fourth signature value with the system's identity credential. After the verification passes, the second application requests the cryptographic service module to generate a third key pair (the public-private key pair named S1), and the cryptographic service module returns a P10 request named S1 to the second application.
The second application sends the user information, the P10 request for S1 and the fourth signature value to the background service; after the fourth signature value passes verification, the background service requests the CA to issue the identity credential corresponding to the third key pair named S1 and returns it to the second application.
The second application updates the authorization file according to the identity credential corresponding to the name S1: it can update the number of identity credentials in the authorization file, the names of the public-private key pairs encrypted with the SM4 key, and the information of each identity credential.
Referring to fig. 4, a functional block diagram of a sharing device 100 of identity credentials according to the present application is shown.
The identity credential sharing device 100 of the present application may be installed in an electronic device. Depending on the implemented functions, the identity credential sharing device 100 may include a determining module 110, an obtaining module 120, a verifying module 130, a sending module 140, and a decrypting module 150. The module of the application, which may also be referred to as a unit, refers to a series of computer program segments, which are stored in the memory of the electronic device, capable of being executed by the processor of the electronic device and of performing a fixed function.
In the present embodiment, the functions concerning the respective modules/units are as follows:
the determining module 110: for the first application to determine the number information of the identity credentials of the second application;
the obtaining module 120: for the first application to determine the identity credentials to be synchronized according to the number information and to acquire user information;
the verifying module 130: for the first application to request the background service to verify the user information, so that after verification passes the background service returns a first signature value and the original data corresponding to the first signature value to the first application;
the sending module 140: for the first application to request the second application to verify the first signature value and the original data, so that after verification passes the second application sends the authorization file of the identity credential to be synchronized to the first application;
the decrypting module 150: for the first application to request the cryptographic service module to decrypt the authorization file of the identity credential to obtain the plaintext of the identity credential.
The embodiment of the identity credential sharing device of the present application is substantially the same as the embodiment of the identity credential sharing method described above, and will not be described herein.
Referring to fig. 5, a schematic diagram of a preferred embodiment of the electronic device of the present application is shown.
The electronic device comprises a processor 111, a communication interface 112, a memory 113 and a communication bus 114, wherein the processor 111, the communication interface 112 and the memory 113 are communicated with each other through the communication bus 114;
a memory 113 for storing a computer program, for example, a sharing program of identity credentials;
The processor 111 may be, in some embodiments, a central processing unit (Central Processing Unit, CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 111 is typically used to control the overall operation of the electronic device, such as performing control and processing related to data interaction or communication. In this embodiment, the processor 111 is configured to execute the program code stored in the memory 113 or to process data, for example to run the program code of the identity credential sharing program.
The communication interface 112 may alternatively comprise a standard wired or wireless interface, which communication interface 112 may also be used to establish a communication connection between the electronic device and other electronic devices.
The memory 113 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card memory (e.g., SD or DX memory), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Programmable Read Only Memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the memory 113 may be an internal storage unit of the electronic device, such as a hard disk or a memory of the electronic device. In other embodiments, the memory 113 may also be an external storage device with which the electronic device is equipped, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. Of course, the memory 113 may also include both an internal memory unit and an external memory device of the electronic device. In this embodiment, the memory 113 is typically used to store an operating system installed in the electronic device and various computer programs, such as the program code of the identity credential sharing program. In addition, the memory 113 may also be used to temporarily store various types of data that have been output or are to be output.
Fig. 5 shows only an electronic device having components 111-114, but it should be understood that not all of the illustrated components are required to be implemented and that more or fewer components may be implemented instead.
In one embodiment of the present application, the processor 111 is configured to implement the method for sharing identity credentials provided in any one of the foregoing method embodiments when executing the program stored in the memory 113, where the method includes:
the first application determines the number information of the identity credentials of the second application;
the first application determines identity credentials to be synchronized according to the number information and acquires user information;
the first application requests the background service to verify the user information, so that after the background service passes the verification, the first signature value and the original data corresponding to the first signature value are returned to the first application;
the first application requests the second application to verify the first signature value and the original data, so that after the second application passes the verification, an authorization file of the identity credential to be synchronized is sent to the first application;
the first application requests the cryptographic service module to decrypt the authorization file of the identity credential to obtain the plaintext of the identity credential.
For a detailed description of the above steps, please refer to a specific embodiment of the method for sharing identity credentials.
Furthermore, the embodiment of the application also provides a computer readable storage medium, which may be nonvolatile or volatile. The computer readable storage medium comprises a storage data area and a storage program area, wherein the storage program area stores an identity credential sharing program which, when executed by a processor, implements the following operations:
the first application determines the number information of the identity credentials of the second application;
the first application determines identity credentials to be synchronized according to the number information and acquires user information;
the first application requests the background service to verify the user information, so that after the background service passes the verification, the first signature value and the original data corresponding to the first signature value are returned to the first application;
the first application requests the second application to verify the first signature value and the original data, so that after the second application passes the verification, an authorization file of the identity credential to be synchronized is sent to the first application;
the first application requests the cryptographic service module to decrypt the authorization file of the identity credential to obtain the plaintext of the identity credential.
The embodiment of the computer readable storage medium of the present application is substantially the same as the embodiment of the method for sharing identity credentials described above, and will not be described herein.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
From the above description of embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus a general purpose hardware platform, or may be implemented by hardware. Based on such understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the related art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the method described in the respective embodiments or some parts of the embodiments.
It should be noted that the terms "first", "second", etc. in this disclosure are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but only on the basis that the combined solution can be realized by those skilled in the art; when the technical solutions are contradictory or cannot be realized, the combination should be considered absent and not within the scope of protection claimed in the present application.
It is to be understood that the terminology used herein is for the purpose of describing particular example embodiments only, and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms "comprises," "comprising," "includes," "including," and "having" are inclusive and therefore specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof. The method steps, processes, and operations described herein are not to be construed as necessarily requiring their performance in the particular order described or illustrated, unless an order of performance is explicitly stated. It should also be appreciated that additional or alternative steps may be used.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method of sharing identity credentials, the method comprising:
the first application determines the number information of the identity credentials of the second application;
the first application determines identity credentials to be synchronized according to the number information and acquires user information;
the first application requests the background service to verify the user information, so that after the background service passes the verification, the first signature value and the original data corresponding to the first signature value are returned to the first application;
the first application requests the second application to verify the first signature value and the original data, so that after the second application passes the verification, an authorization file of the identity credential to be synchronized is sent to the first application;
the first application requests the cryptographic service module to decrypt the authorization file of the identity credential to obtain the plaintext of the identity credential.
2. The method of sharing identity credentials of claim 1, wherein before the first application determines the number information of the identity credentials of the second application, the method further comprises:
the second application requests the cryptographic service module to generate a first key pair;
the second application acquires the user information and requests the background service to verify the user information, so that after the user information passes verification the background service returns a second signature value to the second application;
after the second application performs signature verification on the second signature value, it requests the cryptographic service module to generate a second key pair;
the second application requests a background service and acquires an identity credential corresponding to the second key pair;
and the second application generates an authorization file of the identity credential corresponding to the second key pair according to the first key pair.
3. The method for sharing identity credentials of claim 2, wherein the second application generating an authorization file for the identity credentials corresponding to the second key pair from the first key pair comprises:
the second application encrypts the name information of the identity credential by using the plaintext key;
the second application encrypts the plaintext key by using the public key of the first key pair;
and generating an authorization file of the identity credential corresponding to the second key pair according to the encrypted name information and the encrypted plaintext key.
4. The method of sharing identity credentials of claim 2, wherein after the second application generates the authorization file for the identity credentials corresponding to the second key pair from the first key pair, the method further comprises:
the second application detects whether the identity credentials are not downloaded;
if yes, the second application requests the cryptographic service module to generate a third signature value using the private key of the first key pair;
the second application requests the background service to verify the third signature value, so that the background service returns a fourth signature value to the second application after passing the verification;
the second application verifies the fourth signature value, and after verification passes, the second application requests the cryptographic service module to generate a third key pair;
the second application requests a background service and acquires an identity credential corresponding to the third key pair;
and the second application updates the authorization file with the identity credential corresponding to the third key pair.
5. The method for sharing identity credentials of claim 1, wherein the first application requesting the cryptographic service module to decrypt the authorization file of the identity credentials to obtain plaintext of the identity credentials comprises:
the first application requests the cryptographic service module to decrypt the encrypted plaintext key in the authorization file of the identity credential using the private key of the first key pair, obtaining the decrypted plaintext key;
the first application requests the cryptographic service module to decrypt the name information of the identity credential in the authorization file of the identity credential using the decrypted plaintext key, obtaining the plaintext of the name information of the identity credential.
6. The method of claim 1, wherein the cryptographic service module comprises a super SIM card module, a secure element module, or a cryptographic operation application module.
7. The method for sharing identity credentials of claim 1, wherein the authorization file comprises: at least one of a timestamp, a hash value of user information, number information of identity credentials, and name information of the identity credentials.
8. A sharing apparatus of identity credentials, the apparatus comprising:
a determining module: for the first application to determine the number information of the identity credentials of the second application;
an obtaining module: for the first application to determine the identity credentials to be synchronized according to the number information and to acquire user information;
a verifying module: for the first application to request the background service to verify the user information, so that after verification passes the background service returns a first signature value and the original data corresponding to the first signature value to the first application;
a sending module: for the first application to request the second application to verify the first signature value and the original data, so that after verification passes the second application sends the authorization file of the identity credential to be synchronized to the first application;
a decrypting module: for the first application to request the cryptographic service module to decrypt the authorization file of the identity credential to obtain the plaintext of the identity credential.
9. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is for storing a computer program;
the processor is for implementing the method for sharing identity credentials of any of claims 1 to 7 when executing the program stored in the memory.
10. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements a method of sharing identity credentials as claimed in any of claims 1 to 7.
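As an added worked example (not code from the patent or its applicant), the authorization-file envelope of claims 3, 5 and 7 in Go: the second application seals the credential name information under a fresh plaintext key and wraps that key with the public key of the first key pair, and the first application unwraps the key and decrypts the names, also checking the number information. Go's standard library has no SM2/SM4, so RSA-OAEP and AES-GCM stand in for them; the struct field names, the use of the user-information hash as associated data, and the sample values are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// AuthorizationFile carries the fields of claim 7 plus the two ciphertexts of claim 3 (field names assumed).
type AuthorizationFile struct {
	UserInfoHash  []byte // SHA-256 of the user information the file is bound to
	Count         int    // number information of the identity credentials
	EncryptedKey  []byte // plaintext key, wrapped with the public key of the first key pair
	Nonce         []byte // nonce for EncryptedName
	EncryptedName []byte // name information, one name per line, sealed with the plaintext key
}

// BuildAuthorizationFile is the second application's side (claim 3).
func BuildAuthorizationFile(firstPub *rsa.PublicKey, userInfo string, names []string) (*AuthorizationFile, error) {
	plainKey := make([]byte, 16) // 128-bit, the size of the sm4key in the description
	rand.Read(plainKey)          // crypto/rand.Read does not fail on supported platforms
	block, _ := aes.NewCipher(plainKey) // AES-GCM stands in for SM4 (assumption); cannot fail for a 16-byte key
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	uh := sha256.Sum256([]byte(userInfo))
	// The user-info hash is the associated data, so the sealed names cannot be moved into another user's file.
	encNames := aead.Seal(nil, nonce, []byte(strings.Join(names, "\n")), uh[:])
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, firstPub, plainKey, nil) // RSA-OAEP stands in for SM2 (assumption)
	if err != nil {
		return nil, err
	}
	return &AuthorizationFile{UserInfoHash: uh[:], Count: len(names),
		EncryptedKey: encKey, Nonce: nonce, EncryptedName: encNames}, nil
}

// OpenAuthorizationFile is the first application's side (claim 5).
func OpenAuthorizationFile(firstPriv *rsa.PrivateKey, f *AuthorizationFile, userInfo string) ([]string, error) {
	plainKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, firstPriv, f.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("wrong first key pair or tampered key envelope")
	}
	block, err := aes.NewCipher(plainKey) // rejects an unwrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	uh := sha256.Sum256([]byte(userInfo)) // recomputed from the caller's own user information, not read from the file
	nameBytes, err := aead.Open(nil, f.Nonce, f.EncryptedName, uh[:])
	if err != nil {
		return nil, errors.New("name information failed to authenticate (other user, wrong key or edited file)")
	}
	names := strings.Split(string(nameBytes), "\n")
	if len(names) != f.Count {
		return nil, errors.New("number information does not match the name information")
	}
	return names, nil
}

func main() {
	firstKey, _ := rsa.GenerateKey(rand.Reader, 2048) // first key pair; the patent keeps it in the cryptographic service module
	f, _ := BuildAuthorizationFile(&firstKey.PublicKey, "user-0001", []string{"S", "S1"}) // constructed sample input
	fmt.Println(OpenAuthorizationFile(firstKey, f, "user-0001"))
}
```

A file built for one user, opened with another user's information or with a different first key pair, fails authentication rather than yielding wrong names, and an edited number information is caught by the count check.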

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311043428.XA CN117009948A (en) 2023-08-17 2023-08-17 Identity credential sharing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117009948A true CN117009948A (en) 2023-11-07

Family

ID=88561705

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination