CN117097472A - Identity authentication method of collaborative signature - Google Patents
Identity authentication method of collaborative signature Download PDFInfo
- Publication number
- CN117097472A CN117097472A CN202311229985.0A CN202311229985A CN117097472A CN 117097472 A CN117097472 A CN 117097472A CN 202311229985 A CN202311229985 A CN 202311229985A CN 117097472 A CN117097472 A CN 117097472A
- Authority
- CN
- China
- Prior art keywords
- password
- cooperative
- collaborative
- service
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 21
- 239000012634 fragment Substances 0.000 claims abstract description 18
- 230000002195 synergetic effect Effects 0.000 claims abstract description 12
- 238000012545 processing Methods 0.000 claims abstract description 10
- 238000012795 verification Methods 0.000 claims abstract description 8
- 230000004044 response Effects 0.000 claims abstract description 7
- 230000008569 process Effects 0.000 description 5
- 230000003993 interaction Effects 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000007796 conventional method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The application discloses an identity authentication method of a collaborative signature, which comprises the following steps: generating an authentication Token by the cooperative password client according to the service sequence number Sn, the cooperative password server identifier B and the signature data sSA, and sending a service request and the authentication Token to the cooperative password server; calculating a public key Pa of the private key fragment inverse of the corresponding cooperative password client according to the found private key fragment of the server by the cooperative password server, performing signature verification processing on signature data sSA in the authentication Token by using the public key Pa, and verifying the correctness of the service serial number Sn in the authentication Token and the cooperative password server identifier B; and after the verification is passed, the service request is signed in a synergic mode through the private key fragments of the service end which are found by the synergic password service end, and synergic signature response data are generated and sent to the synergic password client. The application ensures the information security and reduces the risk.
Description
Technical Field
The application relates to the technical field of computer information security, in particular to an identity authentication method of a collaborative signature.
Background
With the rapid development of the mobile internet, more and more people carry out online office entertainment through the mobile terminal, and then the people face a security threat. The traditional certificate security medium needs to be subjected to security protection through security media such as USBKE, SD card, TF card and the like in various forms, but the cost of enterprise users is increased, and popularization and promotion are not facilitated. The collaborative cryptographic module client is a software security cryptographic module developed on the basis of the traditional field, and ensures the security of users without external hardware facilities. However, the identity authentication method between the collaboration client and the collaboration server is a problem to be solved urgently, and the conventional method generally needs to preset certificates or interact for many times, which is quite inconvenient and has poor security.
To this end, the present inventors have found a method for solving the above-mentioned problems through beneficial studies and studies, and the technical solutions to be described below are made in this context.
Disclosure of Invention
The technical problems to be solved by the application are as follows: aiming at the defects of the prior art, a safe and simple identity authentication method with cooperative signature is provided.
The technical problems to be solved by the application can be realized by adopting the following technical scheme:
an identity authentication method of collaborative signature, comprising:
acquiring a service request transmitted by an application program terminal through a cooperative password client, and generating a user cooperative key, wherein the user cooperative key comprises a user public key and a user private key;
generating a service sequence number Sn and acquiring a cooperative password server identifier B through a cooperative password client, and carrying out signature processing on the service sequence number Sn and the cooperative password server identifier B by using the inverse of a user private key to obtain signature data sSA;
generating an authentication Token by the cooperative password client according to the service sequence number Sn, the cooperative password server identifier B and the signature data sSA, and sending a service request and the authentication Token to the cooperative password server;
analyzing the service request through the collaborative password service end to obtain a user public key of the service, and searching a corresponding service end private key fragment according to the user public key;
calculating a public key Pa of the private key fragment inverse of the corresponding cooperative password client according to the found private key fragment of the server by the cooperative password server, performing signature verification processing on signature data sSA in the authentication Token by using the public key Pa, and verifying the correctness of the service serial number Sn in the authentication Token and the cooperative password server identifier B;
after the verification is passed, the service request is signed in a synergic mode through the private key fragments of the service end which are found by the synergic password service end, and synergic signature response data are generated and sent to the synergic password client; and
and analyzing and processing the collaborative signature response data returned by the collaborative password server through the collaborative password client to obtain a final collaborative signature result, and returning the final collaborative signature result to the application program terminal.
In a preferred embodiment of the present application, the service sequence number Sn is a unique sequence number of the public key of the user.
In a preferred embodiment of the present application, the cooperative cryptographic server identifier B is an identifier negotiated between the cooperative cryptographic server and the cooperative cryptographic client or a service address of the cooperative server to the outside.
In a preferred embodiment of the present application, the verifying the correctness of the service serial number Sn and the cooperative cryptographic server identifier B in the authentication Token includes:
judging whether the serial number of the corresponding server public key in the cache of the collaborative password server is the same as the service serial number Sn in the authentication Token; and
and judging whether the cooperative password server side identifier in the cache of the cooperative password server side is the same as the cooperative password server side identifier B in the authentication Token.
In a preferred embodiment of the present application, the cooperative cryptographic client sends the service request and the authentication Token to the cooperative cryptographic server through the national cryptographic SSLVPN protocol.
Due to the adoption of the technical scheme, the application has the beneficial effects that:
1. the application carries out one-way authentication based on the user key fragment with the cooperative signature, and does not need additional interaction;
2. the private key used for signing in the identity authentication process is generated by the reverse of the private key fragment of the original user, and no additional generation or presetting of certificates is needed;
3. the application does not need to preset a shared key or a client key certificate in the identity authentication process, thereby ensuring the information security and reducing the risk;
4. the application combines the data interaction with the original business data in the identity authentication process, reduces the network interaction times, reduces the network operation of the cooperative process, and does not influence the performance while achieving the purpose of identity authentication.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a network upon which the present application is implemented.
Fig. 2 is a flow chart of the present application.
Detailed Description
The application is further described with reference to the following detailed drawings in order to make the technical means, the creation characteristics, the achievement of the purpose and the effect of the implementation of the application easy to understand.
The application discloses a collaborative signature identity authentication method, which relates to a collaborative password client, a collaborative password server and an application program terminal in implementation, as shown in figure 1. And the collaborative password client and the collaborative password server are in data link through a network.
The application program terminal in the application can adopt a mobile phone, a tablet personal computer, a PDA or a PC terminal and the like. Before the login method is implemented, the application program terminal needs to integrate the collaborative password client, and the PIN setting and collaborative key initialization are completed. The cooperative password client is mainly used for realizing safe passing between the cooperative password client and the cooperative password server and authenticating identity authentication.
Referring to fig. 2, a method for authenticating a collaborative signature is provided, which includes the following steps:
step S10, a service request transmitted by an application program terminal is acquired through a cooperative password client, and a user cooperative key is generated. The user cooperative key comprises a user public key and a user private key. The service request will vary depending on the particular application scenario.
Step S20, generating a service sequence number Sn and acquiring a cooperative password server identifier B through a cooperative password client, and carrying out signature processing on the service sequence number Sn and the cooperative password server identifier B by using the inverse of a user private key to obtain signature data sSA; the service serial number Sn is the unique serial number of the user public key, and ensures that the serial numbers in the same user public key have certain time sequence and uniqueness. The cooperative password server side identifier B is an identifier negotiated between the cooperative password server side and the cooperative password client side or an external service address of the cooperative server side.
Step S30, generating an authentication Token by the cooperative password client according to the service serial number Sn, the cooperative password server identifier B and the signature data sSA, and sending a service request and the authentication Token to the cooperative password server, wherein the authentication token=Sn|B| sSA; the cooperative password client sends the service request and the authentication Token to the cooperative password server through a national password SSLVPN protocol.
And S40, analyzing the service request through the collaborative password service end to obtain a user public key of the service, and searching a corresponding service end private key fragment according to the user public key.
Step S50, the cooperative cipher server calculates a public key Pa of the reverse of the private key fragment of the corresponding cooperative cipher client according to the found private key fragment of the server, and uses the public key Pa to carry out signature verification processing on signature data sSA in the authentication Token, and at the same time, the correctness of the service serial number Sn in the authentication Token and the cooperative cipher server identifier B is verified.
And step S60, after the verification is passed, the service request is signed cooperatively by the cooperative password server by using the found private key fragment of the server, and cooperative signature response data is generated and sent to the cooperative password client.
And step S70, analyzing and processing the collaborative signature response data returned by the collaborative password server through the collaborative password client to obtain a final collaborative signature result, and returning the final collaborative signature result to the application program terminal.
In step S50, the correctness of the service serial number Sn and the cooperative cryptographic server identifier B in the authentication Token is verified, which includes the following steps:
step S51, judging whether the serial number of the corresponding server public key in the cache of the collaborative password server is the same as the service serial number Sn in the authentication Token;
step S52, judging whether the cooperative password service end identifier in the cache of the cooperative password service end is the same as the cooperative password service end identifier B in the authentication Token.
The application adopts the user key fragment based on the collaborative signature to carry out one-way authentication, the collaborative password client does not need to additionally generate or preset certificates, and does not need to additionally carry out network connection operation, thereby reducing network operation in the collaborative process, achieving the purpose of identity authentication and simultaneously not affecting the performance.
The foregoing has shown and described the basic principles and main features of the present application and the advantages of the present application. It will be understood by those skilled in the art that the present application is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present application, and various changes and modifications may be made without departing from the spirit and scope of the application, which is defined in the appended claims. The scope of the application is defined by the appended claims and equivalents thereof.
Claims (5)
1. A method of identity authentication with a collaborative signature, comprising:
acquiring a service request transmitted by an application program terminal through a cooperative password client, and generating a user cooperative key, wherein the user cooperative key comprises a user public key and a user private key;
generating a service sequence number Sn and acquiring a cooperative password server identifier B through a cooperative password client, and carrying out signature processing on the service sequence number Sn and the cooperative password server identifier B by using the inverse of a user private key to obtain signature data sSA;
generating an authentication Token by the cooperative password client according to the service sequence number Sn, the cooperative password server identifier B and the signature data sSA, and sending a service request and the authentication Token to the cooperative password server;
analyzing the service request through the collaborative password service end to obtain a user public key of the service, and searching a corresponding service end private key fragment according to the user public key;
calculating a public key Pa of the private key fragment inverse of the corresponding cooperative password client according to the found private key fragment of the server by the cooperative password server, performing signature verification processing on signature data sSA in the authentication Token by using the public key Pa, and verifying the correctness of the service serial number Sn in the authentication Token and the cooperative password server identifier B;
after the verification is passed, the service request is signed in a synergic mode through the private key fragments of the service end which are found by the synergic password service end, and synergic signature response data are generated and sent to the synergic password client; and
and analyzing and processing the collaborative signature response data returned by the collaborative password server through the collaborative password client to obtain a final collaborative signature result, and returning the final collaborative signature result to the application program terminal.
2. The collaborative signed identity authentication method of claim 1 wherein said service sequence number Sn is a unique sequence number of a user public key.
3. The collaborative signed identity authentication method of claim 1 wherein the collaborative password server identifier B is an identifier negotiated between the collaborative password server and the collaborative password client or a service address of the collaborative server to the outside.
4. The method for authenticating a co-signed identity according to claim 1, wherein verifying the correctness of the service sequence number Sn and the co-password server identifier B in the authentication Token comprises:
judging whether the serial number of the corresponding server public key in the cache of the collaborative password server is the same as the service serial number Sn in the authentication Token; and
and judging whether the cooperative password server side identifier in the cache of the cooperative password server side is the same as the cooperative password server side identifier B in the authentication Token.
5. The collaborative signed identity authentication method of claim 1 wherein the collaborative password client sends the service request and authentication Token to the collaborative password server via the national secret SSLVPN protocol.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311229985.0A CN117097472A (en) | 2023-09-22 | 2023-09-22 | Identity authentication method of collaborative signature |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311229985.0A CN117097472A (en) | 2023-09-22 | 2023-09-22 | Identity authentication method of collaborative signature |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117097472A true CN117097472A (en) | 2023-11-21 |
Family
ID=88771705
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311229985.0A Pending CN117097472A (en) | 2023-09-22 | 2023-09-22 | Identity authentication method of collaborative signature |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117097472A (en) |
-
2023
- 2023-09-22 CN CN202311229985.0A patent/CN117097472A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11223614B2 (en) | Single sign on with multiple authentication factors | |
| CN108810029B (en) | Authentication system and optimization method between micro-service architecture services | |
| US9992189B2 (en) | Generation and validation of derived credentials | |
| JP6012125B2 (en) | Enhanced 2CHK authentication security through inquiry-type transactions | |
| JP6105721B2 (en) | Start of corporate trigger type 2CHK association | |
| US8627424B1 (en) | Device bound OTP generation | |
| US8527758B2 (en) | Systems and methods for facilitating user identity verification over a network | |
| US20070162961A1 (en) | Identification authentication methods and systems | |
| CN112487778A (en) | Multi-user online signing system and method | |
| TW200818838A (en) | Mutual authentication and secure channel establishment between two parties using consecutive one-time passwords | |
| CN108322416B (en) | Security authentication implementation method, device and system | |
| CN114531277B (en) | User identity authentication method based on blockchain technology | |
| CN112989309B (en) | Login method, authentication method and system based on multi-party authorization and computing equipment | |
| CN112953970A (en) | Identity authentication method and identity authentication system | |
| CN104202163A (en) | Password system based on mobile terminal | |
| TWM595792U (en) | Authorization system for cross-platform authorizing access to resources | |
| CN113872989B (en) | SSL protocol-based authentication method, SSL protocol-based authentication device, computer equipment and storage medium | |
| CN104657860A (en) | Mobile banking security authentication method | |
| CN111651745A (en) | Application authorization signature method based on password equipment | |
| CN1697376A (en) | Method and system for authenticating or enciphering data by using IC card | |
| CN110572392A (en) | Identity authentication method based on HyperLegger network | |
| CN117336092A (en) | Client login method and device, electronic equipment and storage medium | |
| CN116527341A (en) | Client-side calling rear-end interface authentication authorization security method | |
| CN112738005A (en) | Access processing method, device, system, first authentication server and storage medium | |
| WO2018113508A1 (en) | Ciphertext-based identity verification method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |