CN117035793A

CN117035793A - Resource transaction authentication method, device, equipment and storage medium

Info

Publication number: CN117035793A
Application number: CN202311060243.XA
Authority: CN
Inventors: 李宗金; 章永望; 韩岱桥; 踪训杰; 张健
Original assignee: China Resources Digital Technology Co Ltd
Current assignee: China Resources Digital Technology Co Ltd
Priority date: 2023-08-22
Filing date: 2023-08-22
Publication date: 2023-11-10

Abstract

The embodiment of the application provides a resource transaction authentication method, a device, equipment and a storage medium, belonging to the technical field of financial science and technology. The method comprises the following steps: generating a public key and a private key fragment according to a registration request, and distributing the encrypted private key fragment to a user side, a resource storage side and an authentication auxiliary side; when receiving a transaction request sent by a user terminal, sending the transaction request passing authentication to a resource storage terminal, so that the resource storage terminal obtains a preliminary authentication result according to the transaction request and the user terminal authentication; acquiring a preliminary authentication result, wherein the authentication failure times of authentication failure are larger than a preset threshold value, and requesting authentication of an authentication auxiliary end and a user end to acquire an updated authentication result; if the updated authentication result characterizes the authentication to pass, the private key fragments sent by the user side and the authentication auxiliary side are combined to generate a transaction signature, and the resource transaction authentication is completed according to the transaction signature. The embodiment of the application can reduce the occurrence of unilateral refusal of the transaction authentication of the resource storage end, and ensures that the resource transaction authentication is more convenient.

Description

Resource transaction authentication method, device, equipment and storage medium

Technical Field

The present application relates to the technical field of financial science and technology, and in particular, to a method and apparatus for authenticating resource transaction, a device and a storage medium.

Background

Currently, the resource transaction can be completed after authentication, and the authentication of the resource transaction is generally completed between the resource storage end and the user end. The user terminal and the resource storage terminal respectively hold the private key fragments. Each resource transaction operation must be performed by simultaneously obtaining the consent of the user end and the resource storage end, and if the resource storage ends are not matched, the resource transaction cannot be completed. In addition, only authentication is performed through the resource storage end and the user end, so that the situation that the resource storage end independently freezes the resource can occur. Therefore, how to reduce the situation that the resource storage end unilaterally blocks the resource transaction and improve the convenience of the resource transaction authentication becomes a technical problem to be solved urgently.

Disclosure of Invention

The embodiment of the application mainly aims to provide a method, a device, equipment and a storage medium for authenticating resource transaction, which aim to reduce the situation that a resource storage end unilaterally obstructs resource transaction and improve the convenience between resource transaction authentications.

To achieve the above object, a first aspect of an embodiment of the present application provides a method for authenticating a resource transaction, the method including:

When a registration request sent by a user side is received, generating a public key and a private key fragment according to the registration request, sending the public key and the encrypted private key fragment to the user side, and distributing the private key fragment to a resource storage side and an authentication auxiliary side;

when receiving a transaction request sent by the user side, sending the transaction request passing authentication to a resource storage side so that the resource storage side authenticates the user side according to the transaction request to obtain a preliminary authentication result; wherein the transaction request includes: a public key and the encrypted private key fragment;

acquiring the authentication failure times of the preliminary authentication result, which is characterized as authentication failure, and if the authentication failure times are larger than a preset threshold value, requesting the authentication auxiliary end to conduct transaction authentication with the user end to obtain an updated authentication result;

and if the updated authentication result represents authentication, combining and calculating the private key fragments sent by the authentication auxiliary end and the private key fragments of the user end to generate a transaction signature, and completing resource transaction authentication according to the transaction signature.

In some embodiments, when receiving a registration request sent by a user terminal, generating a public key and a private key fragment according to the registration request, sending the public key and the encrypted private key fragment to the user terminal, and distributing the private key fragment to a resource storage terminal and an authentication auxiliary terminal, including:

When receiving a registration request sent by the user side, generating a public key and three private key fragments; any two private key fragments can generate the transaction signature;

and respectively carrying out encryption processing on the three private key fragments, sending the encrypted private key fragments, the public key and the preset resource storage address to a user terminal, and then respectively sending the two private key fragments and the preset user information to the resource storage terminal and the authentication auxiliary terminal.

In some embodiments, when receiving the transaction request sent by the user side, sending the transaction request that passes authentication to a resource storage side, so that the resource storage side performs authentication with the user side according to the transaction request to obtain a preliminary authentication result, including:

receiving a transaction request sent by the user side; wherein the transaction request includes: requesting user information, a public key, and encrypted private key fragments;

analyzing the public key and the encrypted private key fragments to obtain analysis information;

if the analysis information passes verification, an authentication request is generated, the authentication request and the request user information are sent to the resource storage end, so that the resource storage end and the user end perform identity authentication to obtain first verification information, and the first verification information is sent to the user end;

And receiving second verification information fed back by the user side according to the first verification information, and forwarding the second verification information to the resource storage side so that the resource storage side generates a preliminary authentication result according to the first verification information and the second verification information.

In some embodiments, the receiving the second verification information fed back by the user side according to the first verification information, and forwarding the second verification information to the resource storage side, so that the resource storage side generates a preliminary authentication result according to the first verification information and the second verification information, includes:

receiving second verification information fed back by the user side according to the first verification information;

comparing the first verification information with the second verification information to obtain comparison information;

and if the comparison information is characterized as consistent, forwarding the second verification information to the resource storage end so that the resource storage end can compare the first verification information with the second verification information to generate the preliminary authentication result.

In some embodiments, the obtaining the preliminary authentication result is characterized by an authentication failure number of authentication failures, and if the authentication failure number is greater than a preset threshold, requesting the authentication auxiliary to perform transaction authentication with the user to obtain an updated authentication result includes:

Acquiring authentication failure times of the preliminary authentication result, wherein the authentication failure times are characterized as authentication failures, and if the authentication failure times are larger than a preset threshold value, receiving a third party verification request sent by the user side;

transmitting the authentication request and the request user information to the authentication auxiliary terminal according to the third party authentication request so that the authentication auxiliary terminal transmits third authentication information to the user terminal;

and receiving fourth verification information sent by the user side according to the third verification information, and forwarding the fourth verification information to the authentication auxiliary side so that the authentication auxiliary side performs transaction authentication according to the third verification information and the fourth verification information to obtain the updated authentication result.

In some embodiments, if the updated authentication result indicates that the authentication passes, the private key fragment of the user terminal and the private key fragment sent by the authentication auxiliary terminal are combined and calculated to generate a transaction signature, and the resource transaction authentication is completed according to the transaction signature, including:

if the updated authentication result represents that authentication passes, decrypting the encrypted private key fragments sent by the user side and the authentication auxiliary side according to the public key;

And combining and calculating the decrypted two private key fragments to generate the transaction signature, and sending the transaction request of the user side to a server side according to the transaction signature so as to finish the authentication of the resource transaction.

In some embodiments, after the two decrypted private key fragments are combined to generate the transaction signature, and the transaction request of the user side is sent to a server side according to the transaction signature, so as to complete the authentication of the resource transaction, the method further includes:

the transaction signature is sent to the user side, a server and other servers are requested to conduct resource transaction according to the transaction signature, and the server feedback resource transaction credential information is received;

and sending the resource transaction credential information to the user side.

To achieve the above object, a second aspect of an embodiment of the present application provides a resource transaction authentication device, including:

the key generation module is used for generating a public key and a private key fragment according to a registration request when receiving the registration request sent by a user terminal, sending the public key and the encrypted private key fragment to the user terminal, and distributing the private key fragment to a resource storage terminal and an authentication auxiliary terminal;

The primary authentication module is used for sending the transaction request which passes authentication to a resource storage end when receiving the transaction request sent by the user end, so that the resource storage end authenticates the user end according to the transaction request to obtain a primary authentication result; wherein the transaction request includes: a public key and the encrypted private key fragment;

the auxiliary authentication module is used for acquiring authentication failure times of the preliminary authentication result, which are characterized as authentication failures, and requesting the authentication auxiliary end to conduct transaction authentication with the user end to obtain updated authentication results if the authentication failure times are larger than a preset threshold value;

and the transaction signature generation module is used for combining and calculating the private key fragments sent by the authentication auxiliary end and the private key fragments of the user end to generate a transaction signature if the updated authentication result represents authentication pass, and completing resource transaction authentication according to the transaction signature.

To achieve the above object, a third aspect of the embodiments of the present application proposes an electronic device, including a memory storing a computer program and a processor implementing the method according to the first aspect when the processor executes the computer program.

To achieve the above object, a fourth aspect of the embodiments of the present application proposes a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of the first aspect.

The application provides a resource transaction authentication method, a device, equipment and a storage medium, which are used for carrying out resource transaction authentication between an authentication auxiliary end and a user end under the condition that the user end and a resource storage end try authentication for many times and the authentication is not passed through by setting the authentication auxiliary end of a third party. Therefore, a double authentication mode is set during resource exchange, and convenience of resource transaction authentication is improved.

Drawings

FIG. 1 is a system architecture diagram of a resource transaction authentication method provided by an embodiment of the present application;

FIG. 2 is a flow chart of a method for authenticating a resource transaction provided by an embodiment of the present application;

fig. 3 is a flowchart of step S201 in fig. 2;

fig. 4 is a flowchart of step S202 in fig. 2;

fig. 5 is a flowchart of step S404 in fig. 4;

fig. 6 is a flowchart of step S203 in fig. 2;

fig. 7 is a flowchart of step S204 in fig. 2;

FIG. 8 is a flow chart of a method for authenticating a resource transaction according to another embodiment of the present application;

Fig. 9 is a schematic structural diagram of a resource transaction authentication device according to an embodiment of the present application;

fig. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.

Detailed Description

The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.

It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.

First, several nouns involved in the present application are parsed:

two-factor authentication (2 FA): is an authentication mechanism for enhancing the security of an account. It is based on the use of two different authentication factors to confirm the identity of the user. The use of 2FA may provide greater security because even if the password is compromised, a hacker may still be unable to log into the user's account unless they are also able to obtain the second authentication factor. Thus, 2FA has become a standard security feature for many online services and applications.

Multiparty computing (Multi-Party Computation, MPC): is a secure computing protocol intended to allow multiple parties to make computations without revealing private inputs. The goal of MPC is to protect the privacy and data security of the participants. In traditional computing, data is typically transmitted in the clear between the parties, which can lead to risks of data disclosure and privacy violations. MPC solves these problems by using cryptographic techniques and distributed computing. The participants encrypt their input and split the key into parts using a key sharing protocol, which parts are then distributed to the other participants. In the calculation process, each participant can only access partial keys and encrypted data, and complete input information cannot be obtained.

Open TSS (Open Trusted Computing Software Stack): is an open-source trusted computing software stack. Open TSS provides a series of software components and APIs for building and managing trusted computing environments. Trusted computing is a technology aimed at protecting computing devices and data, which relies on the security of hardware and software. Open TSS aims to provide an Open and customizable platform that enables developers to build secure and reliable applications and services.

Key generation phase (KeyGenPhase): is a term in cryptography that is commonly used to describe a phase in a key agreement or key exchange protocol. In key agreement or key exchange protocols, the participants need to generate a shared key for use in subsequent communication procedures. KeyGenPhase is a phase in the protocol that aims to have the participants generate and exchange keys.

In order to enter the web3 from the web2, the resource storage end (e.g. the money Bao Duan) is provided with a low threshold resource storage end, and authentication between the resource storage end and the user end mainly adopts 2FA authentication, and then the cooperative signature is completed by the multiparty security calculation module by using the two-party cipher key fragmentation combination. The 2FA authentication is that when a user logs in to an account on a new device, the web2 application usually performs additional authentication, such as mailbox authentication, sms authentication, device authentication, face recognition authentication, etc., on the user. The multiparty security calculation module realizes a 2/2 operation model, and the two parties can directly generate private key fragments in respective devices, and directly generate signatures in cooperation with each other during operation, instead of firstly aggregating into a complete private key and then signing. The 2/2 operation model means that all the user operations must be performed with the consent of the specified two parties. If two parties are respectively allocated as a user end and a resource storage end (for example, the money Bao Duan), one private key is stored in the user end, and the other private key is stored in a server of the resource storage end, and the two private keys need to be combined when in use. Storing private key fragments at the multiparty secure computing module, the use is not direct combination, but requires secure computing to directly generate signature information, which means that the resource storage end (e.g., the money Bao Duan) does not agree and one operation cannot be completed. Therefore, each transaction operation needs to be performed after the agreement of the user side and the resource storage side, and if the resource storage side is not matched, the user cannot perform any operation. In addition, there may be situations where the resource storage may freeze the user resources individually.

Based on the above, the embodiments of the present application provide a method, an apparatus, a device, and a storage medium for authenticating a resource transaction, which aim to set an authentication auxiliary for a third party, and after a plurality of attempts by a user end and a resource storage end do not pass, authentication of the resource transaction is completed by the authentication auxiliary and the user end. The unilateral obstruction of the resource transaction by the resource storage end is prevented, so that the user end can finish the resource transaction more conveniently, and the experience of the user is improved.

The method, the device, the equipment and the storage medium for authenticating the resource transaction provided by the embodiment of the application are specifically described through the following embodiment, and the method for authenticating the resource transaction in the embodiment of the application is described first.

The embodiment of the application can acquire and process the related data based on the artificial intelligence technology. Among these, artificial intelligence (Artificial Intelligence, AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and extend human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.

Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.

The embodiment of the application provides a resource transaction authentication method, which relates to the technical field of financial science and technology. The resource transaction authentication method provided by the embodiment of the application can be applied to the terminal, the server side and software running in the terminal or the server side. In some embodiments, the terminal may be a smart phone, tablet, notebook, desktop, etc.; the server side can be configured as an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligent platforms and the like; the software may be an application or the like that implements the resource transaction authentication method, but is not limited to the above form.

The application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

It should be noted that, in each specific embodiment of the present application, when related processing is required according to user information, user behavior data, user history data, user location information, and other data related to user identity or characteristics, permission or consent of the user is obtained first, and the collection, use, processing, and the like of the data comply with related laws and regulations and standards. In addition, when the embodiment of the application needs to acquire the sensitive personal information of the user, the independent permission or independent consent of the user is acquired through popup or jump to a confirmation page and the like, and after the independent permission or independent consent of the user is definitely acquired, the necessary relevant data of the user for enabling the embodiment of the application to normally operate is acquired.

Referring to fig. 1, fig. 1 is a system architecture diagram of a resource authentication method, and fig. 1 illustrates a resource storage end, a user end, a multiparty security computation module, and an authentication auxiliary end.

The resource storage end is connected with the multiparty safety calculation module through wireless communication or wired communication. The resource storage end is connected with the server, the server stores the resources, and after the resource storage end and the user end finish the resource transaction authentication, the server is informed to send the stored resources to other servers so as to finish the resource transaction.

The user end is connected with the multiparty security calculation module through wireless communication, and the user end is also connected with the resource storage end and the authentication auxiliary end through wireless communication. The user terminal is used for initiating a resource transaction authentication request and verifying with the resource storage terminal or the multiparty security calculation module.

The authentication auxiliary end is connected with the multiparty security calculation module and the user end through wireless communication. And the authentication auxiliary end is used as a third party system, and when the user end and the resource storage end cannot finish the authentication of the resource transaction, the authentication auxiliary end and the user end finish the authentication of the resource transaction so as to finish the resource transaction.

The multiparty security calculation module is connected with the resource storage end, the user end and the authentication auxiliary end through wireless communication. The multiparty security calculation module user carries out information forwarding, authentication and adjustment, so that resource transaction can be completed rapidly and accurately.

Referring to fig. 2, fig. 2 is an optional flowchart of a resource transaction authentication method according to an embodiment of the present application, where the resource transaction authentication method is applied to a multiparty security computing module. The method in fig. 2 may include, but is not limited to including, step S201 to step S204.

Step S201, when a registration request sent by a user terminal is received, a public key and a private key fragment are generated according to the registration request, the public key and the encrypted private key fragment are sent to the user terminal, and the private key fragment is distributed to a resource storage terminal and an authentication auxiliary terminal;

step S202, when receiving a transaction request sent by a user terminal, sending the transaction request passing authentication to a resource storage terminal so that the resource storage terminal authenticates with the user terminal according to the transaction request to obtain a preliminary authentication result; wherein the transaction request includes: the public key and the encrypted private key are fragmented;

step S203, obtaining the authentication failure times of the initial authentication result as authentication failure, and if the authentication failure times are larger than a preset threshold, requesting the authentication auxiliary end to conduct transaction authentication with the user end to obtain an updated authentication result;

step S204, if the updated authentication result represents that the authentication passes, the private key fragments sent by the user side and the authentication auxiliary side are combined and calculated to generate a transaction signature, and the resource transaction authentication is completed according to the transaction signature.

Step S201 to step S204 shown in the embodiment of the application are that after receiving a registration request sent from a user terminal through a multiparty security calculation module, a public key and three private key fragments are generated according to the registration request, the public key and one encrypted private key fragment are sent to the user terminal, and then the two encrypted private key fragments are respectively sent to a resource storage terminal and an authentication auxiliary terminal. When two unencrypted private key fragment combinations are provided, the resource transaction can be authenticated. When the user side initiates a transaction request, the multiparty security calculation module sends the authenticated transaction request to the resource storage side, so that the resource storage side completes authentication according to the transaction request and the user side and obtains a preliminary authentication result. Because each authentication between the resource storage end and the user end passes through the multiparty security calculation module, the multiparty security calculation module obtains the authentication failure times of the resource storage end and the user end in the authentication process. When the authentication failure times reach a preset threshold value, which means that the authentication between the resource storage end and the user end fails for multiple times, the single party of the resource storage end is judged to reject the recommended signature, so that the request is made to carry out transaction authentication between the authentication auxiliary end and the user end to obtain an updated authentication result, if the updated authentication result is characterized as authentication passing, the private key fragments from the authentication auxiliary end are received, and the private key fragments of the user end and the private key fragments sent by the authentication auxiliary end are combined to generate a transaction signature, so that the resource transaction authentication is completed according to the transaction signature, and then the server takes the transaction signature and other servers to complete the resource transaction. Therefore, when the resource storage end cannot conduct the resource transaction authentication, the authentication auxiliary end and the user end complete the transaction authentication so as to ensure that the resource transaction can be completed, and the condition that the resource transaction fails because the resource storage end cannot authenticate is reduced. Meanwhile, the problem that the resource storage end single party obstructs resource traffic authentication is reduced, so that the resource traffic authentication is more convenient, and the experience of a user is improved.

Referring to fig. 3, in some embodiments, step S201 may include, but is not limited to, steps S301 to S302:

step S301, when receiving a registration request sent by a user terminal, generating a public key and three private key fragments; any two private key fragments can generate a transaction signature;

step S302, the three private key fragments are respectively encrypted, the encrypted private key fragments, the public key and the preset resource storage address are sent to the user terminal, and then the two private key fragments and the preset user information are respectively sent to the resource storage terminal and the authentication auxiliary terminal.

In step S301 of some embodiments, when the user side needs to register with the resource storage side of the multiparty security computing module, the multiparty security computing module receives a registration request from the user side, and creates a KeyGenPhase object according to the registration request, so as to generate a public key and three private key fragments through the KeyGenPhase object. The public key is used for verifying the transaction signature of the resource transaction and the address information of the user, and the three private key fragments are set to meet the requirement of two-part combined calculation to generate the transaction signature.

In step S302 of some embodiments, the generated three private key fragments are encrypted, and then the encrypted private key fragments and the resource storage address are sent to the user side, where the resource storage address is the address of the resource storage side. The two private key fragments and the user information are respectively sent to the resource storage end and the authentication auxiliary end, so that the resource storage end and the authentication auxiliary end respectively hold one private key fragment.

In steps S301 to S302 illustrated in this embodiment, after receiving a registration request sent by a user terminal through a multiparty security computing module, a public key and three private key fragments are generated. And respectively sending the three private key fragments to the user terminal, the resource storage terminal and the authentication auxiliary terminal. The multiparty storage private key fragments are convenient for authentication between the user side and the resource storage side or the authentication auxiliary side, so that the authentication of the resource transaction can be completed.

Referring to fig. 4, in some embodiments, step S202 may include, but is not limited to, steps S401 to S404:

step S401, receiving a transaction request sent by a user terminal; wherein the transaction request includes: requesting user information, a public key, and encrypted private key fragments;

step S402, analyzing the public key and the encrypted private key fragments to obtain analysis information;

step S403, if the analysis information passes verification, an authentication request is generated, and the authentication request and the request user information are sent to the resource storage end, so that the resource storage end and the user end perform identity authentication to obtain first verification information, and the first verification information is sent to the user end;

step S404, receiving second verification information fed back by the user side according to the first verification information, and forwarding the second verification information to the resource storage side so that the resource storage side generates a preliminary authentication result according to the first verification information and the second verification information.

In step S401 and step S402 of some embodiments, the multiparty security computing module receives a transaction request sent from a user, where the transaction request includes a public key and an encrypted private key fragment, and obtains analysis information by analyzing the transaction request. It should be noted that, the analysis information is a public key and an encrypted private key fragment, that is, the public key and the private key fragment sent by the user terminal are obtained by analyzing the transaction request.

In step S403 of some embodiments, the parsing information is checked, that is, the encrypted private key fragments are decrypted by the public key to obtain decrypted private key fragments, and the decrypted private key fragments are checked to determine whether the private key fragments are correct. And if the decrypted private key fragments pass the verification after the verification, generating an authentication request. The multiparty security calculation module sends an authentication request to the resource storage end so that the resource storage end and the user end perform identity authentication, the authentication between the resource storage end and the user end mainly generates first authentication information, and the first authentication information is sent to the user end according to the user information.

In step S404 of some embodiments, after receiving the first verification information, the user side feeds back the second verification information according to the first verification information, so that the multiparty security calculation module receives the second verification information and sends the second verification information to the resource storage side, so that the resource storage side compares the first verification information with the second verification information to obtain a preliminary authentication result. The authentication between the user side and the resource storage side is performed by generating the first authentication information and the second authentication information, so that the resource transaction authentication operation is simple.

Referring to fig. 5, in some embodiments, step S404 may include, but is not limited to, steps S501 to S503:

step S501, receiving second verification information fed back by the user side according to the first verification information;

step S502, comparing the first verification information and the second verification information to obtain comparison information;

step S503, if the comparison information is characterized as consistent, the second verification information is forwarded to the resource storage end, so that the resource storage end performs comparison according to the first verification information and the second verification information to generate a preliminary authentication result.

In steps S501 to S503 illustrated in this embodiment, when the multiparty security computing module receives the second authentication information fed back from the user side according to the first authentication information, the first authentication information and the second authentication information are compared to obtain comparison information. The comparison information is characterized as consistent if the first authentication information and the second authentication information are consistent, and the comparison information is characterized as different if the first authentication information and the second authentication information are different. If the comparison information is characterized as consistent, the multiparty security calculation module sends second verification information to the resource storage end for further judgment. After the resource storage end receives the second verification information, the resource storage end compares the first verification information with the second verification information to obtain a preliminary authentication result. Therefore, after the multiparty security calculation module compares the first verification information with the second verification information, the second verification information is sent to the resource storage end, so that the resource storage end obtains a preliminary authentication result by comparing the first verification information with the second verification information, and whether the resource storage end is normally verified or not can be judged according to the preliminary authentication result, and whether verification errors exist or not can be judged.

Referring to fig. 6, in some embodiments, step S203 includes, but is not limited to, steps S601 to S603:

step S601, obtaining authentication failure times of which the initial authentication result is characterized as authentication failure, and if the authentication failure times are larger than a preset threshold, receiving a third party verification request sent by a user side;

step S602, sending the authentication request and the request user information to the authentication auxiliary terminal according to the third party authentication request, so that the authentication auxiliary terminal sends the third authentication information to the user terminal;

step S603, receiving fourth verification information sent by the user side according to the third verification information, and forwarding the fourth verification information to the authentication auxiliary side, so that the authentication auxiliary side performs transaction authentication according to the third verification information and the fourth verification information to obtain an updated authentication result.

In step S601 of some embodiments, the number of authentication failures, where the preliminary authentication result is characterized as authentication failure, is obtained, because before the preliminary authentication result is generated, the multiparty security computation module determines that the first authentication information and the second authentication information are consistent, and then sends the second authentication information to the resource storage. If the primary authentication result represents authentication failure, representing authentication errors of the resource storage end. If the number of errors is excessive, determining that the single party of the resource storage end refuses the transaction authentication. Therefore, the authentication switching prompt information is fed back to the user side, and the authentication switching prompt information is shown in a popup window mode. If the user terminal performs the resource transaction authentication again according to the authentication switching prompt information, the multiparty security calculation module receives a third party verification request sent by the user terminal.

In step S602 of some embodiments, after the multiparty security computing module receives the third party verification request, the authentication request and the request user information are sent to the authentication auxiliary according to the third party verification request, so as to request the authentication auxiliary of the third party and the user to perform the resource transaction authentication. Because the authentication auxiliary end carries the encrypted private key fragments, the transaction signature can be generated only by combining two private key fragments, so as to finish the authentication of the resource transaction. And when the authentication auxiliary end receives the authentication request, generating third authentication information, and sending the third authentication information to the user end according to the request user information, so that the user end feeds back fourth authentication information according to the third authentication information.

In step S603 of some embodiments, when the multiparty security computing module receives the fourth verification information, the fourth verification information is forwarded to the authentication auxiliary, and the authentication auxiliary performs transaction authentication according to the third verification information and the fourth verification information, that is, compares the third verification information and the fourth verification information to obtain an updated authentication result. If the third verification information and the fourth verification information are consistent, the updated authentication result is determined to pass the authentication, and if the third verification information and the fourth verification information are inconsistent, the updated authentication result is determined to be authentication failure.

In steps S601 to S603 illustrated in this embodiment, in the case where the resource storage end (e.g., the bank Bao Duan) has a single party for rejecting the resource transaction authentication, authentication is completed between the auxiliary authentication end and the user end, and authentication information is forwarded by the multiparty security calculation module, so that the auxiliary authentication end and the user end can accurately complete authentication, thereby not only ensuring the security of the resource transaction authentication, but also improving the efficiency of the resource transaction authentication, and also reducing the occurrence probability of single party freezing of the resource storage end.

Referring to fig. 7, in some embodiments, step S204 may include, but is not limited to, steps S701 to S702:

step S701, if the updated authentication result characterizes authentication passing, decrypting the encrypted private key fragments sent by the user side and the authentication auxiliary side according to the public key;

step S702, the decrypted two private key fragments are combined and calculated to generate a transaction signature, and a transaction request of the user side is sent to the server side according to the transaction signature so as to finish the resource transaction authentication.

In steps S701 to S702 illustrated in this embodiment, after the authentication result is characterized as passing through the authentication by updating, the multiparty security computation module receives the encrypted private key fragment sent from the authentication auxiliary. Decrypting the encrypted private key fragments sent by the user terminal according to the public key sent by the user terminal, and decrypting the encrypted private key fragments sent by the auxiliary authentication terminal according to the public key. And then combining and calculating the decrypted two private key fragments to generate a transaction signature so as to finish the authentication of the resource transaction. Updating the transaction request according to the transaction signature, wherein the updated transaction request comprises the transaction signature, and then sending the transaction request to the server, so that the server can complete resource transaction according to the transaction request and other servers.

Referring to fig. 8, in some embodiments, the resource transaction authentication method may further include, but is not limited to, steps S801 to S802:

step S801, a transaction signature is sent to a user side, a server and other servers are requested to conduct resource transaction according to the transaction signature, and the server is received to feed back resource transaction credential information;

step S802, the resource transaction credential information is sent to the user side.

After the transaction signature is generated by the multiparty security calculation module, the transaction signature is sent to the user terminal, and the resource transaction is performed between the request server and other servers according to the transaction signature in steps S801 to S802 illustrated in the present embodiment. And after the resource transaction is completed, receiving transaction credential information fed back from the server after the resource transaction is completed. And then the resource transaction credential information is sent to the user side to complete resource exchange, so that the resource exchange operation is more efficient, and the experience of the user in resource exchange can be improved.

Referring to fig. 9, an embodiment of the present application further provides a resource transaction authentication device, which can implement the above-mentioned resource transaction authentication method, where the device includes:

the key generation module 901 is configured to generate a public key and a private key fragment according to a registration request when receiving the registration request sent by the user, send the public key and the encrypted private key fragment to the user, and distribute the private key fragment to the resource storage end and the authentication auxiliary end;

The preliminary authentication module 902 is configured to send a transaction request that passes authentication to the resource storage end when receiving a transaction request sent by the user end, so that the resource storage end performs authentication with the user end according to the transaction request to obtain a preliminary authentication result; wherein the transaction request includes: the public key and the encrypted private key are fragmented;

the auxiliary authentication module 903 is configured to obtain an authentication failure number that the preliminary authentication result represents authentication failure, and if the authentication failure number is greater than a preset threshold, request the authentication auxiliary end to perform transaction authentication with the user end to obtain an updated authentication result;

and the transaction signature generation module 904 is configured to, if the updated authentication result characterizes the authentication, combine and calculate the private key fragment of the user side and the private key fragment sent by the authentication auxiliary side to generate a transaction signature, and complete the resource transaction authentication according to the transaction signature.

The specific implementation manner of the resource transaction authentication device is basically the same as the specific embodiment of the resource transaction authentication method, and is not described herein.

The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the resource transaction authentication method when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.

Referring to fig. 10, fig. 10 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:

the processor 1001 may be implemented by using a general-purpose CPU (central processing unit), a microprocessor, an application-specific integrated circuit (ApplicationSpecificIntegratedCircuit, ASIC), or one or more integrated circuits, etc. to execute related programs to implement the technical solution provided by the embodiments of the present application;

the memory 1002 may be implemented in the form of read-only memory (ReadOnlyMemory, ROM), static storage, dynamic storage, or random access memory (RandomAccessMemory, RAM). The memory 1002 may store an operating system and other application programs, and when the technical solutions provided in the embodiments of the present disclosure are implemented by software or firmware, relevant program codes are stored in the memory 1002, and the processor 1001 invokes a resource transaction authentication method for executing the embodiments of the present disclosure;

an input/output interface 1003 for implementing information input and output;

the communication interface 1004 is configured to implement communication interaction between the present device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.), or may implement communication in a wireless manner (e.g. mobile network, WIFI, bluetooth, etc.);

A bus 1005 for transferring information between the various components of the device (e.g., the processor 1001, memory 1002, input/output interface 1003, and communication interface 1004);

wherein the processor 1001, the memory 1002, the input/output interface 1003, and the communication interface 1004 realize communication connection between each other inside the device through the bus 1005.

The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the resource transaction authentication method when being executed by a processor.

The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.

It will be appreciated by persons skilled in the art that the embodiments of the application are not limited by the illustrations, and that more or fewer steps than those shown may be included, or certain steps may be combined, or different steps may be included.

The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.

The terms "first," "second," "third," "fourth," and the like in the description of the application and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "and/or" for describing the association relationship of the association object, the representation may have three relationships, for example, "a and/or B" may represent: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.

In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing a program.

The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims

1. A method of authenticating a resource transaction, applied to a multiparty secure computing module, the method comprising:

2. The method according to claim 1, wherein when receiving a registration request sent by a user terminal, generating a public key and a private key fragment according to the registration request, sending the public key and the encrypted private key fragment to the user terminal, and distributing the private key fragment to a resource storage terminal and an authentication auxiliary terminal, includes:

3. The method of claim 1, wherein when receiving the transaction request sent by the user terminal, sending the transaction request that passes authentication to a resource storage terminal, so that the resource storage terminal performs authentication with the user terminal according to the transaction request to obtain a preliminary authentication result, including:

4. The method of claim 3, wherein the receiving the second authentication information fed back by the user side according to the first authentication information and forwarding the second authentication information to the resource storage side, so that the resource storage side generates a preliminary authentication result according to the first authentication information and the second authentication information, includes:

5. The method of claim 3, wherein the obtaining the preliminary authentication result is characterized by an authentication failure number of authentication failures, and if the authentication failure number is greater than a preset threshold, requesting the authentication auxiliary to perform transaction authentication with the user to obtain an updated authentication result comprises:

6. The method according to any one of claims 1 to 5, wherein if the updated authentication result indicates that authentication is passed, calculating a combination of the private key fragments sent by the user side and the private key fragments sent by the authentication auxiliary side to generate a transaction signature, and completing resource transaction authentication according to the transaction signature, including:

7. The method according to any one of claims 1 to 5, wherein after the combining the decrypted two private key fragments to generate the transaction signature, and sending the transaction request of the user side to a server side according to the transaction signature, the method further comprises:

And sending the resource transaction credential information to the user side.

8. A resource transaction authentication device, the device comprising:

9. An electronic device comprising a memory storing a computer program and a processor implementing the resource transaction authentication method of any of claims 1 to 7 when the computer program is executed by the processor.

10. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the resource transaction authentication method of any one of claims 1 to 7.