CN117176332A - Identity authentication method, system, terminal equipment and storage medium - Google Patents

Abstract

The invention discloses an identity authentication method, system, terminal equipment and storage medium. The method includes: setting a public-private key pair for a preset business participant to obtain a public-private key pair set, wherein the public-private key pair set includes a card public-private key pair and a terminal public-private key pair; based on the card public-private key pair The key pair and the end public and private key pair are used to generate a combined public and private key pair; when the first preset request is received, the first public and private key pair are verified based on the public and private key pair set and the combined public and private key pair. Identity information corresponding to a preset request. The invention aims to solve the problem of terminal card separation, improve the security of business processes, and reduce the complexity of business processes.

Description

Identity authentication method, system, terminal device and storage medium

Technical field

The present invention relates to the field of network security technology, and in particular to an identity authentication method, system, terminal equipment and storage medium.

Background technique

The Internet of Vehicles based on mobile networks has the security risk of "end-card separation", which may cause the SIM (Subscriber Identity Module, User Identity Card)/USIM (Universal Subscriber Identity Module, Global User Identity Card) cards used in the Internet of Vehicles to be abused, and , the mobile terminal also has the situation of "terminal card separation"; among them, terminal card separation means that the SIM/USIM card in the vehicle communication terminal may be pulled out and used for other purposes. Therefore, a terminal card binding mechanism needs to be established to prevent this situation from happening. At the mobile network level, settings or signaling can be bound through IMSI (International Mobile Subscriber Identity, International Mobile Subscriber Identity)/SUPI (Subscription Permanent Identifier, User Hidden Identifier) and IMEI (International Mobile Subscriber Identity, International Mobile Subscriber Identity) Analytical methods are used to detect and confirm the terminal card binding relationship; at the Internet of Vehicles level, there is currently neither a corresponding binding relationship detection nor binding relationship confirmation mechanism, nor can it directly utilize the capabilities of the mobile network layer. If you indirectly use the capabilities at the mobile network level, you need to call the service interface, which increases the complexity of the business process to a certain extent.

Contents of the invention

The main purpose of the embodiments of the present invention is to provide an identity authentication method, system, terminal device and storage medium, aiming to solve the problem of terminal card separation, improve the security of business processes, and reduce the complexity of business processes.

To achieve the above object, an embodiment of the present invention provides an identity authentication method, which includes:

Set public and private key pairs for the preset business participants to obtain a public and private key pair set, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair;

Generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair;

When the first preset request is received, the identity information corresponding to the first preset request is verified based on the public and private key pair set and the combined public and private key pair.

Optionally, the preset service participants include an initiator and a receiver, and the identity information corresponding to the first preset request is verified based on the public and private key pair set and the combined public and private key pair. Steps include:

Based on the public-private key pair set and the combined public-private key pair, the initiator encrypts the first preset request to obtain decision information;

Based on the public-private key pair set and the combined public-private key pair, the identity information corresponding to the decision-making information is verified by the recipient.

Optionally, the step of generating a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair includes:

When the recipient receives the second preset request, the recipient sends the second preset request to the initiator;

Receive the first preset request generated by the initiator based on the second preset request, and perform the steps of: verifying the first preset request based on the public and private key pair set and the combined public and private key pair Corresponding identity information.

Optionally, the recipient includes a first participant and a second participant, and based on the public-private key pair set and the combined public-private key pair, the recipient verifies the decision information corresponding to The steps for identity information include:

Verify, by the first participant, the signature information generated based on the public-private key pair of the first participant in the decision-making information;

If the verification passes, the decision information is sent to the second participant through the first participant;

The second party verifies the signature information generated based on the combined public and private key pair of the second party in the decision information.

Optionally, the step of obtaining the decision information by encrypting the first preset request by the initiator based on the public-private key pair set and the combined public-private key pair includes:

Based on the first preset request, generate a first random number and a second random number;

Generate combined information based on the first preset request and the second random number;

The decision information is obtained based on the first random number, the second random number, the combination information, the first preset request, the public-private key pair set, and the combined public-private key pair.

Optionally, the step of sending the decision information to the second participant through the first participant includes:

Based on the decision information, generate a third random number;

Based on the combined public and private key pair of the second participant, the third random number is encrypted to obtain the first signature;

Based on the first signature, the decision information is updated.

Optionally, the step of generating a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair includes:

Send the public key of the public-private key pair set to the preset service participant;

Send the public key of the combined public-private key pair to the preset participant.

In addition, to achieve the above objectives, the present invention also provides an identity authentication system, which includes:

The key set generation module is used to set public and private key pairs for preset business participants to obtain a public and private key pair set, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair;

A combined key generation module, configured to generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair;

An identity verification module, configured to, when receiving the first preset request, verify the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.

In addition, in order to achieve the above object, the present invention also provides a terminal device. The terminal device includes: a memory, a processor, and an identity authentication method stored on the memory and operable on the processor. When the authentication program is executed by the processor, the steps of the identity authentication method as described above are implemented.

In addition, in order to achieve the above object, the present invention also provides a computer-readable storage medium, the computer-readable storage medium stores an identity authentication program, and when the identity authentication program is executed by the processor, the above-mentioned Steps of the authentication method.

The identity authentication method, system, terminal device and storage medium proposed by the embodiment of the present invention obtain a public and private key pair set by setting a public and private key pair for the preset business participants, so as to encrypt information according to the public and private key pair set, and improve Security of information transmission, wherein the set of public and private key pairs includes a card public and private key pair and a terminal public and private key pair; based on the card public and private key pair and the terminal public and private key pair, a combined public and private key is generated Yes, to confirm the end card binding relationship and reduce the frequency of card abuse of the end device; when receiving the first preset request, based on the public and private key pair set and the combined public and private key pair, verify the third The identity information corresponding to a preset request is used to confirm the identity information of the first preset request and provide a basis for judgment in response to the first preset request. The invention aims to solve the problem of terminal card separation, improve the security of business processes, and reduce the complexity of business processes.

Description of drawings

Figure 1 is a schematic diagram of the functional modules of the terminal equipment to which the identity authentication device of the present invention belongs;

Figure 2 is a schematic flow chart of the first embodiment of the identity authentication method of the present invention;

Figure 3 is a schematic diagram of the first application scenario of the identity authentication method of the present invention;

Figure 4 is a schematic flow chart of the fourth embodiment of the identity authentication method of the present invention;

Figure 5 is a schematic diagram of the second application scenario of the identity authentication method of the present invention;

Figure 6 is a schematic diagram of the third application scenario of the identity authentication method of the present invention;

Figure 7 is an interactive schematic diagram of the Internet of Vehicles remote control business scenario of the identity authentication method of the present invention;

Figure 8 is an interactive schematic diagram of the Internet of Vehicles service ordering business scenario of the identity authentication method of the present invention;

Figure 9 is a schematic diagram of the functional modules of the identity authentication system of the present invention.

The realization of the purpose, functional features and advantages of the present invention will be further described with reference to the embodiments and the accompanying drawings.

Detailed ways

It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit the present invention.

The main solution of the embodiment of the present invention is to set a public and private key pair for the preset business participants to obtain a public and private key pair set, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair. ; Based on the card public and private key pair and the terminal public and private key pair, generate a combined public and private key pair; when receiving the first preset request, based on the public and private key pair set, the combined public and private key pair Yes, verify the identity information corresponding to the first preset request.

Technical terms involved in the embodiments of the present invention:

SIM: (Subscriber Identity Module, subscriber identification card) is an IC card held by mobile users of the GSM system. The GSM system identifies GSM users through SIM cards. The same SIM card can be used on different mobile phones. GSM mobile phones can only be used online after inserting a SIM card.

USIM: (Universal Subscriber Identity Module, Global Subscriber Identity Card), Global Subscriber Identity Module (USIM), also called upgrade SIM, is a component of the UMTS (Universal Mobile Telecommunication System, Universal Wireless Communication System) 3G network. In addition to supporting multiple applications, the USIM card has also upgraded its security algorithm and added a card-to-network authentication function. This two-way authentication can effectively prevent hackers from attacking the card.

OBU: (On board Unit, on-board unit) is a microwave device that uses DSRC (Dedicated Short Range Communication) technology to communicate with RSU. In the ETC system, the OBU is placed on the vehicle, and the RSU-Road Side Unit is set up on the roadside to communicate with each other through microwaves.

T-BOX: (Travel-box, travel box) is a complete removable travel box developed through the accumulation of outdoor life experience and technological innovation.

IMSI: (International Mobile Subscriber Identity, International Mobile Subscriber Identity) is an identification code that is used to distinguish different users in cellular networks and is not repeated in all cellular networks. The mobile phone stores the IMSI in a 64-bit field and sends it to the network. IMSI can be used to query the user's information in the Home Location Register (HLR, Home Location Register) or the Visitor Location Register (VLR, Visitor Location Register).

SUPI: (Subscription Permanent Identifier, User Hidden Identifier) SUPI consists of 15 decimal digits, of which the first three digits are the country code MCC, the middle 2-3 digits are the operator code MNC, and the remaining 9-10 digits are the mobile subscriber identification code MSIN represents users and operators together; SUPI is equivalent to the IMSI that uniquely identifies ME, and is also a 15-digit string.

IMEI: (International Mobile Subscriber Identity, International Mobile Subscriber Identity) is an identification code that is used to distinguish different users in cellular networks and is not repeated in all cellular networks. The mobile phone stores the IMSI in a 64-bit field and sends it to the network. IMSI can be used to query the user's information in the Home Location Register (HLR, Home Location Register) or the Visitor Location Register (VLR, Visitor Location Register).

ECU: (Electronic Control Unit, electronic control unit), also known as "driving computer", "vehicle computer", etc. Like an ordinary computer, it consists of a microcontroller (MCU), memory (ROM, RAM), input/output interface (I/O), analog-to-digital converter (A/D), and large-scale integrated circuits such as shaping and driving. composition.

IVI: (In-Vehicle Infotainment, in-vehicle infotainment system) is an in-vehicle integrated information processing system that uses a dedicated in-vehicle central processor and is based on the body bus system and Internet services. IVI can realize a series of applications including 3D navigation, real-time traffic conditions, IPTV, assisted driving, fault detection, vehicle information, body control, mobile office, wireless communications, online-based entertainment functions and TSP services.

APP: (application, mobile software), mobile software, mainly refers to software installed on smart phones, which improves the deficiencies and personalization of the original system. It is the main means to improve the functions of mobile phones and provide users with a richer experience. The operation of mobile phone software requires a corresponding mobile phone system. As of June 1, 2017, the main mobile phone systems are: Apple's iOS, Google's Android system, Symbian platform and Microsoft platform.

Internet of Vehicles: Internet of Vehicles mainly refers to the on-board equipment on vehicles using wireless communication technology to effectively utilize all vehicle dynamic information in the information network platform and provide different functional services during vehicle operation.

Device fingerprint: Device fingerprint refers to device characteristics or unique device identification that can be used to uniquely identify the device.

Asymmetric encryption: Symmetric encryption algorithms use the same secret key for encryption and decryption; asymmetric encryption algorithms require two keys for encryption and decryption. These two keys are public keys (Public Key for short). Public key) and private key (Private Key, referred to as private key).

Elliptic Curve Cryptography: (Elliptic Curve Cryptography, ECC) is an algorithm that establishes public key encryption, which is asymmetric encryption. Similar algorithms include RSA and ElGamal. ECC is recognized as the most secure asymmetric encryption algorithm for a given key length.

National secret standard public key cryptography algorithm SM2: National secret standard public key cryptography algorithm SM2 algorithm and RSA algorithm are both public key cryptography algorithms. The SM2 algorithm is a more advanced and secure algorithm and is used to replace it in our national commercial cryptography system. RSA algorithm.

With the development of cryptography and computer technology, the currently commonly used 1024-bit RSA algorithm faces serious security threats. After research, our national cryptography management department decided to use the SM2 elliptic curve algorithm to replace the RSA algorithm.

Identity cryptography technology: Identity-Based Cryptograph (IBC) is an asymmetric public key cryptography system. The main point of identification password is that no certificate is required in the system, and the user's identification such as name, IP address, email address, mobile phone number, etc. is used as the public key. The user's private key is calculated by the Key Generate Center (KGC) based on the system master key and user ID. The user's public key is uniquely determined by the user's identity, so the user does not need a third party to ensure the authenticity of the public key.

Combined Public Key (CPK): In the field of information security, CPK is the abbreviation of "Combined Public Key", that is, combined public key. It is an encryption algorithm that can generate large-scale keys with very small resources. The combined public key CPK is an identity-based digital signature protocol and key exchange protocol.

Message digest algorithm: The message digest algorithm is a very important branch of cryptography algorithms. It extracts fingerprint information from all data to implement functions such as data signature and data integrity verification. Due to its irreversibility, it is sometimes used Encryption of sensitive information. Message digest algorithm is also called hash algorithm, hash algorithm or hash algorithm.

The message digest algorithm does not have the problem of key management and distribution, and is mainly used in the field of "digital signature" as a digest algorithm for plaintext.

National Secret Standard Crypto Hash Algorithm SM3: The SM3 Crypto Hash Algorithm is China’s commercial cryptographic hash algorithm standard announced by the State Cryptometry Administration of China in 2010. This algorithm was released as the cryptographic industry standard (GM/T 0004-2012) in 2012 and as the national cryptographic hash algorithm standard (GB/T32905-2016) in 2016.

SM3 is suitable for digital signature and verification in commercial cryptographic applications. It is an algorithm improved on SHA-256, and its security is equivalent to SHA-256. The iterative processes of SM3 and MD5 are similar and also use the Merkle-Damgard structure. The message packet length is 512 bits and the digest value length is 256 bits.

The Internet of Vehicles based on mobile networks has the security risk of "end-card separation", which may cause the SIM/USIM cards used for the Internet of Vehicles to be abused. Moreover, there is also the situation of "end-card separation" on the mobile side; among them, end-card separation is It means that the SIM/USIM card in the vehicle communication terminal (OBU/T-BOX) may be pulled out and used for other purposes. Therefore, a terminal card binding mechanism needs to be established to prevent this situation from happening. At the mobile network level, the terminal card binding relationship can be detected and confirmed through IMSI/SUPI and IMEI binding settings or signaling analysis methods; at the Internet of Vehicles level, there is currently neither a corresponding binding relationship detection nor a binding relationship confirmation mechanism. , and cannot directly utilize the capabilities at the mobile network level. If you indirectly use the capabilities at the mobile network level, you need to call the service interface, which increases the complexity of the business process to a certain extent.

The present invention provides a solution, aiming to solve the problem of terminal card separation, improve the security of the business process, and reduce the complexity of the business process.

Specifically, refer to Figure 1, which is a schematic diagram of the functional modules of the terminal equipment to which the identity authentication device of the present invention belongs. The identity authentication device can be a device that is independent of the terminal device and capable of image processing and network model training. It can be carried on the terminal device in the form of hardware or software. The terminal device can be a smart mobile terminal with data processing functions such as a mobile phone or a tablet computer, or a fixed terminal device or server with data processing functions.

In this embodiment, the terminal device to which the identity authentication device belongs includes at least an output module 110, a processor 120, a memory 130 and a communication module 140.

The memory 130 stores operating methods and identity authentication programs; the output module 110 can be a display screen, etc. The communication module 140 may include a WIFI module, a mobile communication module, a Bluetooth module, etc., and communicates with external devices or servers through the communication module 140 .

When the identity authentication program in the memory 130 is executed by the processor, the following steps are implemented: setting a public and private key pair for the preset business participant to obtain a public and private key pair set, wherein the public and private key pair set includes the card's public and private key pairs. Key pair, end public and private key pair;

Generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair;

When the first preset request is received, the identity information corresponding to the first preset request is verified based on the public and private key pair set and the combined public and private key pair.

Further, when the identity authentication program in the memory 130 is executed by the processor, the following steps are also implemented:

Based on the public-private key pair set and the combined public-private key pair, the initiator encrypts the first preset request to obtain decision information;

Based on the public-private key pair set and the combined public-private key pair, the identity information corresponding to the decision-making information is verified by the recipient.

Further, when the identity authentication program in the memory 130 is executed by the processor, the following steps are also implemented:

When the recipient receives the second preset request, the recipient sends the second preset request to the initiator;

Receive the first preset request generated by the initiator based on the second preset request, and perform the steps of: verifying the first preset request based on the public and private key pair set and the combined public and private key pair Corresponding identity information.

Further, when the identity authentication program in the memory 130 is executed by the processor, the following steps are also implemented:

Verify, by the first participant, the signature information generated based on the public-private key pair of the first participant in the decision-making information;

If the verification passes, the decision information is sent to the second participant through the first participant;

The second party verifies the signature information generated based on the combined public and private key pair of the second party in the decision information.

Further, when the identity authentication program in the memory 130 is executed by the processor, the following steps are also implemented:

Based on the first preset request, generate a first random number and a second random number;

Generate combined information based on the first preset request and the second random number;

The decision information is obtained based on the first random number, the second random number, the combination information, the first preset request, the public-private key pair set, and the combined public-private key pair.

Further, when the identity authentication program in the memory 130 is executed by the processor, the following steps are also implemented:

Based on the decision information, generate a third random number;

Based on the combined public and private key pair of the second participant, the third random number is encrypted to obtain the first signature;

Based on the first signature, the decision information is updated.

Further, when the identity authentication program in the memory 130 is executed by the processor, the following steps are also implemented:

Send the public key of the public-private key pair set to the preset service participant;

Send the public key of the combined public-private key pair to the preset participant.

In this embodiment, through the above solution, specifically by setting public and private key pairs for preset business participants, a public and private key pair set is obtained, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair; Based on the card public and private key pair and the terminal public and private key pair, a combined public and private key pair is generated; when the first preset request is received, based on the public and private key pair set and the combined public and private key pair , verify the identity information corresponding to the first preset request. The invention aims to solve the problem of terminal card separation, improve the security of business processes, and reduce the complexity of business processes.

Based on the above terminal device architecture but not limited to the above architecture, method embodiments of the present invention are proposed.

Referring to Figure 2, Figure 2 is a schematic flow chart of the first embodiment of the identity authentication method of the present invention. The identity authentication methods include:

Step S101: Set a public-private key pair for the preset service participant to obtain a public-private key pair set, where the public-private key pair set includes a card public-private key pair and a terminal public-private key pair.

The execution subject of the method in this embodiment may be an identity authentication system, or an identity authentication terminal device or server. This embodiment takes an identity authentication system as an example. The identity authentication system includes preset business participants, and the preset business participants include an initiator and a receiver; the receiver includes a first participant and a second participant.

In order to solve the problem of terminal card separation, improve the security of business processes, and reduce the complexity of business processes, it is necessary to set public and private key pairs for preset business participants to obtain a set of public and private key pairs. In this embodiment, the Internet of Vehicles service is used as the above-mentioned default service.

Specifically, first, based on the elliptic curve algorithm, identity-based public and private key pairs are generated for all Internet of Vehicles business participants, and identity-based card public and private key pairs and end public and private key pairs are generated for end devices with mobile communication capabilities. , a public-private key pair set is composed of a public-private key pair, a card public-private key pair, and a terminal public-private key pair, and the public keys of each participant are distributed to relevant participants, and the keys are distributed to the corresponding participants.

For example, participants in the Internet of Vehicles business include Internet of Vehicles service platforms, car enterprise service platforms, and Internet of Vehicles terminal devices (including car terminals and mobile terminals). The mobile terminal is used as the above-mentioned initiator, and the Internet of Vehicles service platform, car enterprise service platform, and car terminal are used as the above-mentioned receivers.

Based on the elliptic curve algorithm, public and private key pairs are generated for the Internet of Vehicles service platform, car enterprise service platform and Internet of Vehicles end devices (including car terminals and mobile terminals), and the public keys are distributed. Each party has the public key of the party associated with it. For terminal devices with mobile communication capabilities, it is necessary to generate identity-based card (SIM/USIM card) public and private key pairs and terminal (car terminal/mobile terminal) public and private key pairs respectively.

As a result, based on the elliptic curve algorithm, a public-private key pair is generated for the preset business participants to improve the security of data transmission. In addition, a terminal public and private key pair and a card public and private key pair are generated for the terminal device with mobile communication capabilities to confirm the binding relationship of the terminal card and prevent SIM/USIM in the vehicle communication terminal (OBU/T-BOX). The card may be pulled out and used for other purposes.

Step S102: Generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair.

Step S103: When receiving the first preset request, verify the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.

Based on the card public and private key pair and the terminal public and private key pair, a combined public and private key pair is generated through the elliptic curve algorithm.

Specifically, the key combination characteristics of the elliptic curve algorithm are used to combine the card public and private key pairs with the end public and private key pairs, generate a new combined public and private key pair for the end device, and confirm the end card (car end) through the combined key Bind the relationship with the corresponding SIM/USIM card and the mobile terminal with the corresponding SIM/USIM card), and distribute the public key to the device associated with the terminal device.

Therefore, based on the card public and private key pair and the end public and private key pair, a combined public and private key pair is generated through the elliptic curve algorithm, and the combined key pair is used to directly determine the end card (car end and SIM/USIM card and mobile end and SIM/ USIM card) to prevent the SIM/USIM card in the vehicle communication terminal (OBU/T-BOX) from being pulled out and used for other purposes.

Further, when the first preset request is received, the identity information corresponding to the first preset request is verified based on the public and private key pair set and the combined public and private key pair. Among them, the first preset request includes starting the engine/air conditioner, remotely unlocking/locking the car door, remotely searching for the car, etc.

Specifically, during the interaction process of the Internet of Vehicles business, when the first preset request is received, the identification key, digital signature and corresponding encryption technology are used to establish a multi-participation system based on the public-private key pair set and the combined public-private key pair. Identity authentication of the mutual trust relationship between parties (assumed to be N parties), as well as verification methods of security requirements such as data confidentiality, integrity, anti-replay and behavioral non-repudiation related to business processing, and verify the identity information corresponding to the first preset request ; Among them, the number of identity authentication processes is kept at the N level, and the N level is N×(N-1)/2.

Further, when the recipient receives the second preset request, the recipient sends the second preset request to the initiator; receives the first preset request generated by the initiator based on the second preset request, and executes step S103 : Based on the public-private key pair set and the combined public-private key pair, verify the identity information corresponding to the first preset request. Among them, the second preset request includes subscription information services such as traffic information subscription and audio and video service on demand.

Specifically, when the recipient receives the second preset request, the recipient sends the second preset request to the initiator; the initiator displays the second preset request to the user, and the user responds by sending the user's response information. As the first preset request, step S103 is executed: based on the public and private key pair set and the combined public and private key pair, verify the identity information corresponding to the first preset request.

Therefore, identification keys, digital signatures and corresponding encryption technologies are used to satisfy the identity authentication of the mutual trust relationship between multiple participants (assumed to be N parties) and the confidentiality, integrity, anti-replay and behavioral non-repudiation of related data. Security requirements.

In this embodiment, through the above solution, specifically by setting public and private key pairs for preset business participants, a public and private key pair set is obtained, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair; Based on the card public and private key pair and the terminal public and private key pair, a combined public and private key pair is generated; when the first preset request is received, based on the public and private key pair set and the combined public and private key pair , verify the identity information corresponding to the first preset request. The invention generates a terminal public and private key pair and a card public and private key pair for terminal equipment with mobile communication capabilities, thereby confirming the binding relationship of the terminal card and preventing SIM/USIM in the vehicle-mounted communication terminal (OBU/T-BOX). The card may be pulled out and used for other purposes, which improves the security of the business process and reduces the complexity of the business process.

Based on the above embodiment shown in Figure 2, a second embodiment of the identity authentication method of the present invention is proposed. In this embodiment, as shown in Figure 3, the Internet of Vehicles business participants include decision-makers, forwarders and executors. It is necessary to generate public and private key pairs for all participants and distribute the public and private key pairs to the corresponding participants. And distribute the public keys of each party to other participants (publicly or perform key exchange with relevant participants). Among them, the decision-maker decides whether to perform a certain operation in a certain business interaction and documents the execution results; the role of the forwarder is to forward the decision-making information (through the next forwarder) to the executor and return the result returned by the executor. The execution result (through the next forwarder) is forwarded to the decision-maker, and the forwarding process is certified; the executor: completes the operation specified by the decision-making information, returns the execution result, and certifies the decision-making information.

In different application scenarios, the objects of decision makers, forwarders, and executors are not exactly the same. For example, in the application example of remote control of the Internet of Vehicles, the decision-maker is the mobile terminal (car owner), the forwarder is the Internet of Vehicles service platform and the car enterprise service platform, the executor is the vehicle terminal (ECU), and the car owner sends requests to the vehicle terminal through the mobile terminal. Send the operation command, the Internet of Vehicles service platform and the car enterprise service platform forward the operation command to the car, and the ECU of the car executes the operation command. In the application example of Internet of Vehicles business ordering, the decision-maker is the mobile terminal (car owner), the forwarder is the vehicle terminal (IVI) and the car company service platform, the executor is the Internet of Vehicles service platform, and the car owner will use the mobile terminal to order the business. The decision information is sent to the car, and the IVI of the car and the car company service platform forward the decision information to the Internet of Vehicles service platform (specific business processes may allow drivers and passengers to intervene, such as directly terminating business subscriptions), and the Internet of Vehicles service platform makes decisions based on Information to process business subscriptions (such as confirming or canceling subscriptions).

In this embodiment, the elliptic curve algorithm is used to generate a public-private key pair based on the identification of each participant based on specific parameter definitions (for example, refer to the parameter definition of SM2), and key distribution is completed through the existing key management system. Each participant obtains his or her own public key and private key, and obtains (knows) the public keys of other participants. The private key must be kept strictly confidential and can be stored securely using a hardware cryptographic module (such as an encryption chip) or a software cryptographic module (such as a soft shield). Suppose k is a private key and K is a public key. The public-private key pair obtained by the decision-maker is (k _d , K _d ), the public-private key pair obtained by the forwarder is (k _f , K _{f ), and the public-private key pair obtained by the executor is (k f , K f} ). The key pair is (k _e ,K _e ).

Specifically, in this embodiment, four Internet of Vehicles services will be involved: the Internet of Vehicles service platform (platform cloud), the car enterprise service platform (Car Enterprise Cloud), the car terminal (driver and passenger) and the mobile terminal (car owner). participants.

The Internet of Vehicles service platform may be either a forwarder or an executor. A public-private key pair can be generated based on the platform identification (such as operator code) of the Internet of Vehicles service platform. For example, the public-private key pair obtained by the Internet of Vehicles service platform is (k ₀₁ , k ₀₁ ).

The car company service platform plays the role of forwarder. A public-private key pair can be generated based on the platform identification (such as enterprise code) of the car enterprise service platform. For example, the public-private key pair obtained by the Internet of Vehicles service platform is (k ₀₂ , K ₀₂ ).

The car end may be either a forwarder or an executor. The car end is an end device with mobile communication capabilities. The communication module has a removable SIM/USIM card. It can generate public and private key pairs based on the card identification and the terminal (car) identification. The card identification can be a unique identification such as ICCID. The terminal identifier can be OBU/T-BOX system characteristic information, vehicle frame number, or vehicle terminal device fingerprint generated based on vehicle terminal multi-dimensional information. For example: the public and private key pair based on the card identification obtained by the car terminal is (k ₁₁ , K ₁₁ ), and the public and private key pair based on the terminal identification (k ₁₂ , K ₁₂ ).

The mobile terminal is the decision-maker. The mobile terminal is a terminal device with mobile communication capabilities. Its SIM/USIM card is detachable and can generate public and private key pairs based on the card identification and terminal (mobile device/mobile phone) identification. The card identification can be a unique identification such as ICCID. The terminal identifier can be Device ID, MAC or mobile device fingerprint generated based on multi-dimensional information of the mobile terminal. For example: the public and private key pair based on the card identification obtained by the mobile terminal is (k ₂₁ , K ₂₁ ), and the public and private key pair based on the terminal identification (k ₂₂ , K ₂₂ ).

Therefore, the elliptic curve algorithm is used to generate a public-private key pair based on the identification of each participant based on specific parameter definitions (for example, refer to the parameter definition of SM2), and key distribution is completed through the existing key management system, so that each party can Participants obtain their own public and private keys, and obtain (know) the public keys of other participants. In order to improve the security of the information transmission process, the authentication of identity information is completed through key pairs.

In the Internet of Vehicles business, terminal devices usually have terminal card binding requirements. Based on the above embodiment shown in Figure 2, a third embodiment of the identity authentication method of the present invention is proposed. In this embodiment, the elliptic curve algorithm is used to generate two pairs of public and private key pairs for the terminal device (car terminal and mobile terminal), which are a public and private key pair based on the card identification and a public and private key pair based on the terminal identification.

Since the public and private key pairs generated by the elliptic curve algorithm have combination characteristics, that is, m pairs of public and private key pairs generated by the elliptic curve algorithm (k ₁ ,K ₁ ),…,(k _i ,K _i ),…,(k _m , K _m ) can be combined to generate a new public-private key pair (k _c , K _c ). The calculation method for generating a combined public-private key pair is as follows:

k _c =(k ₁ +…+k _i +…+k _m )mod(n)

Among them: n is the order of the base point G, n and G are both defined elliptic curve algorithm parameters, and the calculation methods of kc and Kc are not exactly the same.

According to the combination characteristics of the elliptic curve algorithm, the card identification public and private key pair of the terminal device and the terminal identification public and private key pair can be combined to generate a combined public and private key pair of the terminal device, so as to use the combined key pair to prove the terminal device's terminal The card binding relationship, when the combined public and private key pair is generated, proves the end card binding relationship of the end device.

For the car terminal, assuming that the combined public and private key pair is (k ₁₃ , K ₁₃ ), then:

k ₁₃ = (k ₁₁ + k ₁₂ ) mod (n)

For the mobile terminal, assuming that the combined public and private key pair is (k ₂₃ , K ₂₃ ), then:

k ₂₃ = (k ₂₁ + k ₂₂ ) mod (n)

Through the existing key management system, the car terminal distributes the combined public key K ₁₃ to the Internet of Vehicles service platform, the car enterprise service platform and the mobile terminal, and the mobile terminal distributes the combined public key K ₂₃ to the Internet of Vehicles service platform and the car enterprise service platform. and car end.

Therefore, by setting a combined public and private key pair for the end device, the combined key pair is used to directly determine the binding relationship between the end card (the car end and the SIM/USIM card and the mobile end and the SIM/USIM card), preventing the vehicle communication terminal ( The SIM/USIM card in the OBU/T-BOX may be pulled out and used for other purposes.

Referring to Figure 4, Figure 4 is a schematic flow chart of the fourth embodiment of the identity authentication method of the present invention. Based on the above embodiment shown in Figure 2, in this embodiment, the preset service participants include the initiator and the receiver. Step S103: Based on the public and private key pair set and the combined public and private key pair, verify all The identity information corresponding to the first preset request includes:

Step S1031: Based on the public-private key pair set and the combined public-private key pair, the initiator encrypts the first preset request to obtain decision information.

As an implementation manner, in this embodiment, based on the public and private key pair set and the combined public and private key pair, the initiator encrypts the first preset request to obtain the decision information.

Specifically, based on the first preset request, the first random number and the second random number are generated; based on the first preset request and the second random number, the combination information is generated; based on the first random number, the second random number, and the combination information , the first preset request, the public-private key pair set, the combined public-private key pair, and the decision-making information is obtained.

For example, the receiving party includes a first party and a second party. The first random number is encrypted using the public key of the public-private key pair of the first participant to obtain the first signature; the first random number is encrypted using the private key of the combined public-private key pair of the initiator to obtain the second signature. ;Use the public key of the second party's combined public-private key pair to encrypt the first preset request and the second random number to obtain the third signature and the fourth signature; based on the first preset request and the second random number, Obtain the combined information; use the private key of the initiator's combined public-private key pair to encrypt the information digest of the combined information to obtain the fifth signature; combine the first signature, second signature, third signature, fourth signature, and fifth signature , as the above decision-making information.

Therefore, based on the public-private key pair set and the combined public-private key pair, the first preset request is encrypted, and the public key of each participant is used to encrypt it, and the corresponding signature information is generated for subsequent use of the participant's private key. Verify signature information to improve data security. And, through random numbers, the validity of decision-making information is judged.

Step S1032: Based on the public-private key pair set and the combined public-private key pair, the recipient verifies the identity information corresponding to the decision-making information.

In this embodiment, based on the public-private key pair set and the combined public-private key pair, the identity information corresponding to the decision-making information is verified by the recipient.

Specifically, the first participant verifies the signature information generated based on the public-private key pair of the first participant in the decision information; if the verification fails, the request corresponding to the decision information is rejected; if the verification passes, the signature information generated by the first participant is passed. The first party sends the decision information to the second party; the second party verifies the signature information generated based on the combined public and private key pair of the second party in the decision information; if the verification is passed, the request corresponding to the decision information is executed; if If the verification fails, the request corresponding to the decision information will be rejected.

For example, the decision information is decrypted using the private key of the first party's public-private key pair to obtain the first random number; the decision information is verified using the public key of the initiator's combined public-private key pair; if verified If it fails, the request corresponding to the decision-making information is rejected; if the signature verification passes, the decision-making information is sent to the second participant through the first participant. Decrypt the decision-making information through the private key of the second party's combined public-private key pair, and verify the signature of the decision-making information through the public key of the first party's public-private key pair to verify the decision-making information; if the verification passes , then the request corresponding to the decision information is executed; if the verification fails, the request corresponding to the decision information is rejected.

Before executing the step of: before sending the decision information to the second participant through the first participant, a third random number is generated based on the decision information; based on the combined public and private key pair of the second participant, the third random number is generated based on the decision information. Three random numbers are encrypted to obtain the first signature; based on the first signature, the decision-making information is updated.

For example, a third random number is generated based on the decision-making information; the third random number is encrypted using the public key of the second party's combined public-private key pair to obtain a fifth signature; the fifth signature is obtained through the public key of the first party's public-private key pair The private key encrypts the information digest of the third random number to obtain the sixth signature. Based on the fifth signature and the sixth signature, the decision information is updated.

As a result, participants use their own public and private keys to decrypt, judge, and update decision-making information, thereby improving the efficiency of the encryption and decryption process and improving the security of the information transmission process.

In this embodiment, through the above solution, specifically by setting public and private key pairs for preset business participants, a public and private key pair set is obtained, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair; Based on the card public and private key pair and the terminal public and private key pair, a combined public and private key pair is generated; when the first preset request is received, based on the public and private key pair set and the combined public and private key pair , verify the identity information corresponding to the first preset request. The present invention aims to solve the problem of terminal card separation, encrypt it using the public key of each participant, and generate corresponding signature information, so that the signature information can be subsequently verified through the private key of the participant, thereby improving the security of the data and reducing the risk of Business process complexity.

Based on the above embodiment shown in Figure 4, a fifth embodiment of the identity authentication method of the present invention is proposed. In this embodiment, a collaborative identity authentication method for the Internet of Vehicles based on the elliptic curve algorithm is provided. During the interaction process of the Internet of Vehicles business, identification keys, digital signatures and corresponding encryption technologies are used to satisfy multiple participants (assumed to be N (Party) identity authentication to establish a mutual trust relationship, as well as security requirements such as data confidentiality, integrity, anti-replay, and behavioral non-repudiation related to business processing. The number of identity authentication processes is maintained at the N level, and the combined key is used to prove the end. The device’s terminal card binding relationship.

As shown in Figure 5, the actual Internet of Vehicles business scenario may involve business participants including a decision-maker, an executor, and zero, one or more (for example, m) forwarders.

The collaborative identity authentication method for the Internet of Vehicles proposed in this embodiment uses the elliptic curve algorithm to encrypt and decrypt the relevant information (decision information: REQ; execution result: RES; random number: RAND) transmitted between each business participant, and satisfies For security requirements such as identity authentication (signature/signature verification), data confidentiality, anti-replay and behavioral non-repudiation, the preset E is encryption processing and D is decryption processing; the information digest algorithm is used to meet the data integrity requirements, and the preset H is Information digest algorithm. The specific information digest algorithm can be selected as SHA, SM3, etc. as needed; the combined key of the end device is used to meet the end card binding requirements.

As shown in Figure 6, the business participants involved in the following considerations include a decision-maker (remote control and business ordering: mobile terminal/car owner), an executor (remote control: car-end; business ordering: Internet of Vehicles service platform) and two The situation of forwarders (remote control: Internet of Vehicles service platform and car company service platform; business ordering: car terminal and car company service platform).

After being processed by the Internet of Vehicles collaborative identity authentication method, the decision information sent by the decision maker to forwarder #1 is transformed into:

{E(K _f1 ,RAND _f1 ),E(k _d ,H(RAND _f1 )),E(K _e ,RAND _e ),E(K _e ,REQ),E(k _d ,H(REQ,RAND _e ))}

Among them, K _f1 is the public key of forwarder #1, RAND _f1 is the random number generated by the decision-maker for forwarder #1, and RAND _e is the random number generated by the decision-maker for the executor. Because the decision maker is the mobile terminal, k _d is the combined key (private key); if the forwarder #1 is the car terminal, then K _f1 is the combined key (public key); if the executor is the car terminal, then K _e is Combined key (public key).

After forwarder #1 receives the decision message, he uses his own private key k _f1 to decrypt it to obtain RAND _f1 , and uses the decision maker’s public key K _d to perform signature verification. If

H(D(k _f1 ,E(K _f1 ,RAND _f1 )))=D(K _d ,E(k _d ,H(RAND _f1 ))

Then forwarder #1 can complete the identity authentication of the decision-maker and confirm that the decision-making information comes from the decision-maker. Forwarder #1 does not need to know the specific content of the decision-making information, but can record the encrypted decision-making information as evidence.

After forwarder #1 uses the Internet of Vehicles collaborative identity authentication method to process the decision information, it forwards the decision information to forwarder #2. The decision information is transformed into:

{E(K _f2 ,RAND _f2 ),E(k _f1 ,H(RAND _f2 )),E(K _e ,RAND _e ),E(K _e ,REQ),E(k _d ,H(REQ,RAND _e ))}

Among them, K _f2 is the public key of forwarder #2, and RAND _f2 is the random number generated by forwarder #1 for forwarder #2. If forwarder #1 is the car, then k _f1 is the combined key (private key).

After forwarder #2 receives the decision message, he uses his own private key k _f2 to decrypt it and obtain

RAND _f2 , use forwarder #1’s public key K _f1 for signature verification, if

H(D(k _f2 , E(K _f2 , RAND _f2 )))=D(K _f1 , E(k _f1 , H(RAND _f2 ))

Then forwarder #2 can complete the identity authentication of forwarder #1 and confirm that the decision information comes from forwarder #1. Forwarder #2 does not need to know the specific content of the decision-making information, but can record the encrypted decision-making information as evidence.

Forwarder #2 uses the Internet of Vehicles collaborative identity authentication method proposed in this application proposal to process the decision information, and then forwards the decision information to the executor. The decision information is transformed into:

{E(K _e ,RAND _fe ),E(k _f2 ,H(RAND _fe )),E(K _e ,RAND _e ),E(K _e ,REQ),E(k _d ,H(REQ,RAND _e) ))}

Among them, RAND _fe is the random number generated by forwarder #2 for the executor. If the executor is the car, then K _e is the combined key (public key).

After receiving the decision message, the executor uses his own private key K _e to decrypt to obtain RAND _fe , and uses forwarder #2’s public key K _f2 to perform signature verification. If

H(D(k _e ,E(K _e ,RAND _fe )))=D(K _f2 ,E(k _f2 ,H(RAND _fe ))

Then the executor can complete the identity authentication of forwarder #2 and confirm that the decision information comes from forwarder #2.

The executor uses his own private key k _e to decrypt to obtain RAND _e and REQ, and uses the decision maker's public key K _d to perform signature verification. If

H(D(k _e ,E(K _e ,REQ)),D(k _e ,E(K _e ,RAND _e )))=D(K _d ,E(k _d ,H(REQ,RAND _e )) )

Then the executor can complete the identity authentication of the decision maker and confirm that the original decision information REQ comes from the decision maker and has not been tampered with or replayed.

After the executor completes the relevant operations according to the requirements of the decision information REQ, the original execution result RES can be notified to the decision maker through the response processing process. The execution results are transmitted from the executor to the decision-maker along the reverse path of decision-making information transmission. Except for the corresponding parameter replacement, the processing method is the same as the transmission of decision-making information, which will not be described again here.

During the process of reverse transmission of execution results, the identity authentication of forwarder #2 to the executor, forwarder #1 to forwarder #2, the decision-maker to forwarder #1, and the decision-maker to the executor are completed in sequence, thus completing the All two-way identity authentication processes required during this business interaction ensure the mutual trust relationship between the four parties, while completing the storage of the execution results by forwarder #1 and forwarder #2, and ensuring the confidentiality and integrity of the original execution result information RES performance and replay resistance.

In summary, the collaborative identity authentication method for the Internet of Vehicles based on the elliptic curve algorithm meets the security requirements of identity authentication for multiple participants to establish mutual trust relationships and the confidentiality, integrity, anti-replay and behavioral non-repudiation of related data, and The number of identity authentication processes is kept at the N level; at the same time, the combined key is used to prove the end-card binding relationship of the end device.

Referring to Figure 7, Figure 7 is an interactive schematic diagram of the remote control business scenario of the Internet of Vehicles based on the identity authentication method of the present invention. In this embodiment, the end device has a combined public and private key pair, and the Internet of Vehicles remote control application allows car owners to use the remote control APP to remotely operate and control their vehicles, enabling remote starting of the engine/air conditioner, remote unlocking/locking of car doors, and remote search. car and other functions.

Assume that the car owner registers the remote control service on the Internet of Vehicles service platform and downloads and installs the remote control APP on the mobile phone (mobile terminal). The Internet of Vehicles service platform provides unified service management, but may not provide specific remote control services. It is to connect with the corresponding car company service platform to achieve service delivery. In the application example of the Internet of Vehicles remote control business scenario, the mobile terminal (car owner) is the decision-maker, the Internet of Vehicles service platform (Platform Cloud) and the car enterprise service platform (Car Enterprise Cloud) are the forwarders, and the vehicle terminal (ECU) is the executor. , the application process is as follows:

First, the car owner starts the remote control APP on the mobile phone (mobile terminal), selects the operation he wishes to perform, such as turning on the air conditioner, starting the engine, remotely unlocking/locking the door, etc., as the operation command, and confirms that the operation command is sent.

Further, the mobile phone uses a collaborative identity authentication method to process the operation instructions. generate two

Random numbers RAND ₁ and RAND ₂ , use the public key K ₀₁ of the Internet of Vehicles service platform (platform cloud) to encrypt RAND ₁ to get E (K ₀₁ , RAND ₁ ), use the mobile terminal (mobile phone)

The private key k ₂₃ (combined key) encrypts the information digest of RAND ₁ and obtains the mobile phone to the platform

Cloud's signature E(k ₂₃ , H(RAND ₁ )); use the car-end public key K ₁₃ (combined key) to encrypt RAND ₂ and decision information REQ (operation instructions) respectively to obtain E(K ₁₃ , RAND ₂ ) and E(K ₁₃ , REQ), use the mobile phone's private key k ₂₃ to encrypt the information digest of the combined information of REQ and RAND ₂ , and obtain the signature E(k ₂₃ , H(REQ, RAND ₂₎ from the mobile phone to the vehicle end (ECU) )).

As a result, the operation instructions are transformed through the mobile phone to obtain the transformation information of the operation instructions, and the transformation information of the operation instructions is sent to the platform cloud; where, the transformation information of the operation instructions is:

{E(K ₀₁ , RAND ₁ ), E(k ₂₃ , H(RAND ₁ )), E(K ₁₃ , RAND ₂ ), E(K ₁₃ , REQ), E(k ₂₃ , H(REQ, RAND ₂ ))} Secondly, the platform cloud processes the transformation information of the received operation instructions.

Specifically, use the private key k ₀₁ of the platform cloud to decrypt the transformation information of the operation instruction to obtain RAND ₁ , and use the mobile phone public key K ₂₃ (combined key) to verify the transformation information of the operation instruction. If

H(D(k ₀₁ , E(K ₀₁ , RAND ₁ )))=D(K ₂₃ , E(k _{23 ,} H(RAND ₁ ))

Then the platform cloud completes the identity authentication of the mobile phone and confirms that the operation command comes from the mobile phone. If the identity verification fails, the above operation instructions will be rejected. Therefore, the platform cloud does not need to know the specific content of the operation instruction, but can record information including E(K ₁₃ , REQ) as evidence.

Further, based on the transformation information of the operation instructions, a random number RAND ₃ is generated, using the car company's

The public key K ₀₂ of the service platform (car enterprise cloud) encrypts RAND ₃ to obtain E (K ₀₂ , RAND ₃ ). The platform cloud private key k ₀₁ is used to encrypt the information summary of RAND ₃ to obtain the platform cloud and give it to the automobile enterprise. The signature of the cloud is E(k ₀₁ , H(RAND ₃ )).

As a result, the initiator of the operation instruction can be verified through random numbers without parsing the internal information, improving efficiency.

Further, the platform cloud updates the transformation information of the operation instructions and sends it to the car enterprise cloud. The transformation information of the operation instructions is updated as:

{E(K ₀₂ , RAND ₃ ), E(k ₀₁ , H(RAND ₃ )), E(K ₁₃ , RAND ₂ ), E(K ₁₃ , REQ), E(k ₂₃ , H(REQ, RAND ₂ ))}

Thirdly, Cheqi Cloud processes the received operation instructions. Use the Cheqi cloud private key k ₀₂ to decrypt to obtain RAND ₃ , and use the platform cloud public key K ₀₁ for signature verification. If

H(D(k ₀₂ , E(K ₀₂ , RAND ₃ )))=D(K ₀₁ , E(k _{01 ,} H(RAND ₃ ))

Then Cheqi Cloud completes the identity authentication of the platform cloud and confirms that the operation instruction comes from the platform cloud. If the identity verification fails, the above operation instructions will be rejected. Therefore, Cheqi Cloud does not need to know the specific content of the operation instruction, but can record information including E(K ₁₃ , REQ) as evidence. Based on the transformation information of the operation instructions, a random number RAND ₄ is generated. The car-end public key K ₁₃ is used to encrypt RAND ₄ to obtain E(K ₁₃ , RAND ₄ ). The car enterprise cloud private key k ₀₂ is used to summarize the information of RAND ₄ . Encrypt and obtain the signature E(k ₀₂ , H(RAND ₄ )) from the car cloud to the car.

The Cheqi Cloud updates the operation instruction transformation information and sends it to the car terminal. The operation instruction transformation information is updated as:

{E(K ₁₃ , RAND ₄ ), E(k ₀₂ , H(RAND ₄ )), E(K ₁₃ , RAND ₂ ), E(K ₁₃ , REQ).E(k ₂₃ , H(REQ, RAND ₂ ))}

Finally, the vehicle terminal processes the received operation instructions. Use car-side private key k ₁₃ (combined key)

Decrypt to obtain RAND ₄ , and use the car cloud public key K ₀₂ for signature verification. If

H(D(k ₁₃ , E(K ₁₃ , RAND ₄ )))=D(K ₀₂ , E(k _{02 ,} H(RAND ₄ ))

Then the car terminal completes the identity authentication of the Cheqi Cloud and confirms that the decision-making information comes from the Cheqi Cloud. If the identity verification fails, the above operation instructions will be rejected. Use the car-end private key k ₁₃ to decrypt to obtain RAND ₂ and REQ, and use the mobile phone public key K ₂₃ to perform signature verification. If

H(D(k ₁₃ , E(K ₁₃ , REQ)), D(k ₁₃ , E(K ₁₃ , RAND ₂ )))=D(K ₂₃ , E(k ₂₃ , H(REQ, RAND ₂ )) ), the car terminal completes the identity authentication of the mobile phone and confirms that the original operation command REQ comes from the mobile phone and has not been tampered with or replayed. If the identity verification fails, the above operation instructions will be rejected. The vehicle end hands over the operation instructions to the ECU for execution, such as turning on the air conditioner, starting the engine, remotely unlocking/locking the doors, etc.

After the car terminal completes the relevant operations according to the requirements of the operation command REQ, it can notify the mobile terminal (mobile phone/car owner) of the execution result RES through the response processing process. Generate two random numbers RAND ₅ and RAND ₆ , use the car cloud public key K ₀₂ to encrypt RAND ₅ to get E(K ₀₂ , RAND ₅ ), use the car end private key k ₁₃ to encrypt the information summary of RAND ₅ , obtain the signature E(k ₁₃ , H(RAND ₅ )) from the car terminal to the car enterprise cloud; use the mobile phone public key K ₂₃ to encrypt RAND ₆ and the execution result RES respectively, and obtain E(K ₂₃ , RAND ₆ ) and E (K ₂₃ , RES), use the vehicle-side private key k ₁₃ to encrypt the information digest of the combined information of RES and RAND ₆ , and obtain the signature E(k ₁₃ , H(REQ, RAND ₆ )) from the vehicle-side to the mobile phone.

Further, the car terminal sends the execution result transformation information processed by the collaborative identity authentication method to the car enterprise cloud. The execution result transformation information is:

{E(K ₀₂ , RAND ₅ ), E(k ₁₃ , H(FAND ₅ )), E(K ₂₃ , RAND ₆ ), E(K ₂₃ , RES), E(k ₁₃ , H(RES, RAND ₆ ))}

Cheqi Cloud processes the received execution results. Use the car cloud private key k ₀₂ to decrypt and obtain

RAND ₅ , use the car-end public key K ₁₃ for signature verification processing, if

H(D(k ₀₂ , E(K ₀₂ , RAND ₅ )))=D(K ₁₃ , E(k ₁₃ , H(RAND ₅ ))

Then Cheqi Cloud completes the identity authentication of the car terminal and confirms that the execution result comes from the car terminal. If the identity verification fails, the above operation instructions will be rejected. Cheqi Cloud does not need to know the specific content of the execution results, but it can record information including E(K ₂₃ , RES) as evidence. Generate a random number RAND ₇ , use the platform cloud public key K ₀₁ to encrypt RAND ₇ , and get E(K ₀₁ , RAND ₇ ), use the Cheqi Cloud private key k ₀₂ to encrypt the information summary of RAND ₇ , and get the Cheqi Cloud Give the signature to the platform cloud E(k ₀₂ , H(RAND ₇ )).

Cheqi Cloud sends the execution result transformation information processed by the collaborative identity authentication method to the platform cloud, and the execution result transformation information is updated to:

{E(K ₀₁ , RAND ₇ ), E(k ₀₂ , H(RAND ₇ )), E(K ₂₃ , RAND ₆ ), E(K ₂₃ , RES), E(k ₁₃ , H(RES, RAND ₆ ) ))}Further, the platform cloud processes the received execution results. Use the platform cloud private key k ₀₁ to decrypt to obtain RAND ₇ , and use the car enterprise cloud public key K ₀₂ for signature verification. If

H(D(k ₀₁ , E(K ₀₁ , RAND ₇ )))=D(K ₀₂ , E(k ₀₂ , H(RAND ₇ ))

Then the platform cloud completes the identity authentication of the Cheqi Cloud and confirms that the execution result comes from the Cheqi Cloud. The platform cloud does not need to know the specific content of the execution result, but can record information including E(K ₂₃ , RES) as evidence. If the identity verification fails, the above operation instructions will be rejected. Generate a random number RAND ₈ based on the execution result, use the mobile phone public key K ₂₃ to encrypt RAND _B to obtain E (K ₂₃ , RAND ₈ ), and use the platform cloud private key k ₀₁ to encrypt the information summary of RAND ₈ to obtain the platform cloud The signature given to the mobile phone is E(k ₀₁ , H(RAND ₈ )).

Further, the platform cloud sends the execution result transformation information processed by the collaborative identity authentication method to the mobile phone, and the execution result transformation information is updated to:

{E(K ₂₃ , RAND ₈ ), E(k ₀₁ , H(RAND ₈ )), E(K ₂₃ , RAND ₆ ), E(K ₂₃ , RES), E(k ₁₃ , H(RES, RAND ₆ ) ))}The mobile phone processes the received execution results. Use the mobile phone private key k ₂₃ to decrypt to obtain RAND ₈ , and use the platform cloud public key K ₀₁ to perform signature verification. If

H(D(k ₂₃ , E(K ₂₃ , RAND ₈ )))=D(K ₀₁ , E(k ₀₁ , H(RAND ₈ ))

Then the mobile phone completes the identity authentication of the platform cloud and confirms that the execution result comes from the platform cloud. If the identity verification fails, the above operation instructions will be rejected. Use the mobile phone's private key k ₂₃ to decrypt to obtain RAND ₆ and RES, and use the car's public key K ₁₃ to perform signature verification. If

H(D(k ₂₃ , E(K ₂₃ , RES)), D(k ₂₃ , E(K ₂₃ , RAND ₆ )))=D(K ₁₃ , E(k ₁₃ , H(RES, RAND ₆ )) )

Then the mobile phone completes the identity authentication of the car terminal and confirms that the original execution result RES comes from the car terminal and has not been tampered with or replayed. The mobile phone can record the execution results and/or the mobile phone can display the execution results to the car owner.

As a result, through the transmission of operation instructions and execution results, the four two-way identity authentication processes required in the remote control business interaction process are completed, ensuring the mutual trust relationship between the four parties, and at the same time completing the remote control between the platform cloud and the car enterprise cloud. Store evidence of behavior and ensure the confidentiality, integrity and resistance to replay of original operation instructions and execution result information. For mobile terminals (mobile phones) and car terminals, the combined key is used to prove their terminal-card binding relationship.

Since the Internet of Vehicles remote control application must ensure security and trust between relevant business participants, in this embodiment, a collaborative identity authentication method for the Internet of Vehicles based on the elliptic curve algorithm is used to meet the requirements of relevant business participants to establish a mutual trust relationship. Security requirements such as identity authentication and related data confidentiality, integrity, anti-replay and behavioral non-repudiation, and keep the number of identity authentication processes at the N level; at the same time, the combined key is also used to prove the end-card binding of the end device relation.

Referring to Figure 8, Figure 8 is an interactive schematic diagram of the Internet of Vehicles service ordering business scenario of the identity authentication method of the present invention. In this embodiment, through the in-vehicle infotainment system (IVI), drivers and passengers can order information services on the car company service platform, or order information services on the Internet of Vehicles service platform through the car company service platform, such as traffic information subscription, audio Video services on demand, etc. The driver and passenger who actually performs the service ordering operation may not be the car owner (for example, a child riding in the car or a friend borrowing the car, etc.), so the service ordering (especially the paid service ordering) should be confirmed by the car owner.

Drivers and passengers use IVI to browse and purchase the infotainment services of the car company service platform (Cheqi Cloud). If the business that the driver and passengers browse or choose to order is not provided by Cheqi Cloud, but the Internet of Vehicles service platform (Platform Cloud) ), Cheqi Cloud will guide drivers and passengers to the platform cloud to perform corresponding operations. Because the driver or passenger may not be the car owner, specific operations (such as paying service subscriptions) must be confirmed by the car owner.

In the business order confirmation process of the Internet of Vehicles service ordering business scenario application example, the mobile terminal (car owner) is the decision-maker, the vehicle terminal (IVI) and the car enterprise service platform (Car Enterprise Cloud) are the forwarders, and the Internet of Vehicles service platform (platform Cloud) is the executor. Although drivers and passengers are the initiators of business ordering, they cannot interfere with the normal business ordering confirmation processing process (of course, the actual business ordering process can allow drivers and passengers to terminate the business ordering at any time), so they are not considered in the flow chart. A brief description of the application process is as follows:

First, drivers and passengers interact with the car enterprise cloud and platform cloud through the car-side IVI to browse and purchase infotainment services. Assume that the driver and passenger choose to subscribe to the audio and video on-demand service provided by the platform cloud. When the platform cloud requires the driver and passenger to confirm the service subscription, the driver and passenger confirm the service subscription (of course, they can also refuse and terminate the service subscription).

After the driver and passenger choose to confirm the service order, because the service order needs to be confirmed by the car owner, the vehicle terminal (IVI) sends a confirmation service order request to the car owner's mobile phone (mobile terminal). The mobile phone will display the confirmation service ordering request to the car owner; the car owner makes a decision (such as agreeing or rejecting) on the confirmation service ordering request as an ordering decision.

Secondly, the mobile phone uses a collaborative identity authentication method to process the car owner’s ordering decision. Generate two random numbers RAND ₁ and RAND ₂ , use the car-end public key K ₁₃ (combined key) to encrypt RAND ₁ , and obtain E(K ₁₃ , RAND ₁ ), use the mobile-end (mobile phone) private key k ₂₃ ( Combined key) to encrypt the information digest of RAND ₁ to obtain the signature E(k ₂₃ , H(RAND ₁ )) from the mobile phone to the car terminal; use the platform public key K ₀₁ to separately encrypt RAND ₂ and decision information REQ (ordering decision) Encrypt, get E(K ₀₁ , RAND ₂ ) and E(K ₀₁ , REQ), use the mobile phone private key k ₂₃ to encrypt the information digest of the combined information of REQ and RAND ₂ , and get the signature E(k ₂₃ from the mobile phone to the platform cloud) ,H(REQ,RAND ₂ )).

Further, the mobile phone sends the ordering decision transformation information processed by the collaborative identity authentication method to the car end, and the ordering decision transformation information is updated to:

{E(K ₁₃ , RAND ₁ ), E(k ₂₃ , H(RAND ₁ )), E(K ₀₁ , RAND ₂ ), E(K ₀₁ , REQ), E(k ₂₃ , H(REQ, RAND ₂ ) ))}

The vehicle terminal processes the received ordering decision. Use the car's private key k ₁₃ (combined key) to decrypt to obtain RAND ₁ , and use the mobile phone's public key K ₂₃ (combined key) to perform signature verification. If

H(D(k ₁₃ , E(K ₁₃ , RAND ₁ )))=D(K ₂₃ , E(k ₂₃ , H(RAND ₁ ))

Then the car terminal completes the identity authentication of the mobile phone and confirms that the ordering decision comes from the mobile phone. If the identity verification fails, the above ordering decision will be rejected. The car end does not need to know the specific content of the ordering decision, but can record information including E(K ₀₁ , REQ) as evidence. Generate a random number RAND ₃ , use the public key K ₀₂ of the car company service platform (car company cloud) to encrypt RAND ₃ to obtain E (K ₀₂ , RAND ₃ ), and use the car end private key k ₁₃ to summarize the information of RAND ₃ Encrypt and obtain the signature E(k ₁₃ , H(RAND ₃ )) from the car end to the car enterprise cloud.

Further, the car terminal sends the ordering decision transformation information processed by the collaborative identity authentication method to the car enterprise cloud, and the ordering decision transformation information is updated to:

{E(K ₀₂ , RAND ₃ ), E(k ₁₃ , H(RAND ₃ )), E(K _{01 ,} RAND ₂ ), E(K ₀₁ , REQ), E(k ₂₃ , H(REQ, RAND ₂ ) ))}

Cheqi Cloud processes the received order decision. Use the car cloud private key k ₀₂ to decrypt to obtain RAND ₃ , and use the car end public key K ₁₃ for signature verification. If

H(D(k ₀₂ , E(K ₀₂ , RAND ₃ )))=D(K ₁₃ , E(k ₁₃ , H(RAND ₃ ))

Then Cheqi Cloud completes the identity authentication of the car terminal and confirms that the ordering decision comes from the car terminal. If the identity verification fails, the above ordering decision will be rejected. Therefore, Cheqi Cloud does not need to know the specific content of the ordering decision, but can record information including E(K ₀₁ , REQ) as evidence. Generate a random number RAND ₄ , use the platform cloud public key K ₀₁ to encrypt RAND ₄ , and obtain E(K ₀₁ , RAND ₄ ), use the Cheqi Cloud private key k ₀₂ to encrypt the information summary of RAND ₄ , and obtain the Cheqi Cloud Give the signature to the platform cloud E(k ₀₂ , H(RAND ₄ )).

Further, Cheqi Cloud sends the ordering decision transformation information processed by the collaborative identity authentication method to the platform cloud, and the ordering decision transformation information is updated as:

{E(K ₀₁ , RAND ₄ ), E(k ₀₂ , H(RAND ₄ )), E(K ₀₁ , RAND ₂ ), E(K ₀₁ , REQ), E(k ₂₃ , H(REQ, RAND ₂ ))}The platform cloud processes the received ordering decision. Use the platform cloud private key k ₀₁ to decrypt to obtain RAND ₄ , and use the car enterprise cloud public key K ₀₂ for signature verification. If

H(D(k ₀₁ , E(K ₀₁ , RAND ₄ )))=D(K ₀₂ , E(k ₀₂ , H(RAND ₄ ))

Then the platform cloud completes the identity authentication of Cheqi Cloud and confirms that the ordering decision comes from Cheqi Cloud. If the identity verification fails, the above ordering decision will be rejected. Use the platform cloud private key k ₀₁ to decrypt to obtain RAND ₂ and REQ, and use the mobile phone public key K ₂₃ for signature verification. If

H(D(k ₀₁ , E(K ₀₁ , REQ)), D(k ₀₁ , E(K ₀₁ , RAND ₂ )))=D(K ₂₃ , E(k ₂₃ , H(REQ, RAND ₂ )) )

Then the platform cloud completes the identity authentication of the mobile phone and confirms that the original ordering decision REQ comes from the mobile phone and has not been tampered with or replayed. If the identity verification fails, the above ordering decision will be rejected. The platform cloud will process the business order according to the ordering decision, such as confirming the order and activating it.

After the platform cloud completes relevant operations according to the requirements of the ordering decision REQ, it can notify the mobile terminal (mobile phone/car owner) of the ordering result RES through the response processing process. Generate two random numbers RAND ₅ and RAND ₆ , use the Cheqi cloud public key K ₀₂ to encrypt RAND ₅ to obtain E(K ₀₂ , RAND ₅ ), and use the platform cloud private key k ₀₁ to encrypt the information summary of RAND ₅ , obtain the signature E(k ₀₁ , H(RAND ₅ )) from the platform cloud to the car enterprise cloud; use the mobile phone public key K ₂₃ to encrypt RAND ₆ and the order result RES respectively, and obtain E(K ₂₃ , RAND ₆ ) and E (K ₂₃ , RES), use the platform cloud private key K ₀₁ to encrypt the information digest of the combined information of RES and RAND ₆ , and obtain the signature E (k ₀₁ , H (REQ, RAND ₆ )) from the platform cloud to the mobile phone.

Further, the platform cloud sends the ordering result transformation information processed by the collaborative identity authentication method to the car enterprise cloud, and the execution result transformation information is updated to:

{E(K ₀₂ , RAND ₅ ), E(k ₀₁ , H(RAND ₅ )), E(K ₂₃ , RAND ₆ ), E(K ₂₃ , RES), E(k ₀₁ , H(RES, RAND ₆ ) ))}Cheqi Cloud processes the received order results. Use the Cheqi cloud private key k ₀₂ to decrypt to obtain RAND ₅ , and use the platform cloud public key K ₀₁ for signature verification. If

H(D(k ₀₂ , E(K ₀₂ , RAND ₅ )))=D(K ₀₁ , E(k ₀₁ , H(RAND ₅ ))

Then Cheqi Cloud completes the identity authentication of the platform cloud and confirms that the order result comes from the platform cloud. If the identity verification fails, the above ordering decision will be rejected. Cheqi Cloud does not need to know the specific content of the order result, but it can record information including E(K ₂₃ , RES) as evidence. Generate a random number RAND ₇ , use the car-side public key K ₁₃ to encrypt RAND ₇ , and get E(K ₁₃ , RAND ₇ ). Use the Cheqi Cloud private key k ₀₂ to encrypt the information summary of RAND ₇ , and get the Cheqi Cloud The signature given to the car end is E(k ₀₂ , H(RAND ₇ )).

Further, Cheqi Cloud sends the transformation information of the ordering results processed by the collaborative identity authentication method to the car terminal, and the transformation information of the execution results is updated to:

{E(K ₁₃ , RAND ₇ ), E(k ₀₂ , H(RAND ₇ )), E(K ₂₃ , RAND ₆ ), E(K ₂₃ , RES), E(k ₀₁ , H(RES, RAND ₆ ))}

The car terminal processes the received order results. Use the car-side private key k ₁₃ to decrypt to obtain RAND ₇ , and use the car cloud public key K ₀₂ to perform signature verification. If

H(D(k ₁₃ , E(K ₁₃ , RAND ₇ )))=D(K ₀₂ , E(k ₀₂ , H(RAND ₇ ))

Then the car terminal completes the identity authentication of Cheqi Cloud and confirms that the order result comes from Cheqi Cloud. If the identity verification fails, the above ordering decision will be rejected. The vehicle end does not need to know the specific content of the order result, but can record information including E(K ₂₃ , RES) as a certificate. Generate a random number RAND ₈ , use the mobile phone's public key K ₂₃ to encrypt RAND ₈ , and obtain E(K ₂₃ , RAND ₈ ). Use the car's private key k ₁₃ to encrypt the information summary of RAND ₈ , and obtain the information summary given by the car to the mobile phone. Signature E(k ₁₃ , H(RAND ₈ ))

The car terminal sends the transformation information of the ordering result processed by the collaborative identity authentication method to the mobile phone. The transformation information of the ordering result is:

{E(K ₂₃ , RAND ₈ ), E(k ₁₃ , H(RAND ₈ )), E(K ₂₃ , RAND ₆ ), E(K ₂₃ , RES), E(k ₀₁ , H(RES, RAND ₆ ))}

Further, the mobile phone processes the received order result. Use the mobile phone's private key k ₂₃ to decrypt to obtain RAND ₈ , and use the car's public key K ₁₃ to perform signature verification. If

H(D(k ₂₃ , E(K ₂₃ , RAND ₈ )))=D(K ₁₃ , E(k ₁₃ , H(RAND ₈ ))

Then the mobile phone completes the identity authentication of the car terminal and confirms that the order result comes from the car terminal. If the identity verification fails, the above ordering decision will be rejected. Use the mobile phone private key k ₂₃ to decrypt to obtain RAND ₆ and RES, and use the platform cloud public key K ₀₁ for signature verification. If

H(D(k ₂₃ , E(K ₂₃ , RES)), D(k ₂₃ , E(K ₂₃ , RAND ₆ )))=D(K ₀₁ , E(k ₀₁ , H(RES, RAND ₆ )) )

Then the mobile phone completes the identity authentication of the platform cloud and confirms that the original order result RES comes from the platform cloud and has not been tampered with or replayed. The mobile phone can record the order results and other processing.

Finally, the mobile phone displays the order results to the car owner. If the car owner’s ordering decision is to agree to the subscription service, and the platform cloud successfully completes the service order processing and service activation, the driver and passengers can start using the service, such as starting to play on-demand audio and video programs.

Through the transmission of ordering decisions and ordering results, the business ordering car owner confirmation process required in the business ordering business interaction process is completed. Through four two-way identity authentication processes, the mutual trust relationship between the four parties is ensured, and the mutual trust between the car enterprise cloud and the car terminal is completed at the same time. This business order confirmation behavior is documented and the confidentiality, integrity and anti-replay of the original order decision and order result information are guaranteed. For mobile terminals (mobile phones) and car terminals, the combined key is used to prove their terminal-card binding relationship.

Since the Internet of Vehicles remote control application must ensure security and trust between relevant business participants, in this embodiment, a collaborative identity authentication method for the Internet of Vehicles based on the elliptic curve algorithm is used to meet the requirements of relevant business participants to establish a mutual trust relationship. Security requirements such as identity authentication and related data confidentiality, integrity, anti-replay and behavioral non-repudiation, and keep the number of identity authentication processes at the N level; at the same time, the combined key is also used to prove the end-card binding of the end device relation.

Referring to Figure 9, Figure 9 is a schematic diagram of the functional modules of the identity authentication system of the present invention. Identity authentication systems include:

The key set generation module 10 is used to set public and private key pairs for preset business participants to obtain a public and private key pair set, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair;

The combined key generation module 20 is configured to generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair;

The identity verification module 30 is configured to, when receiving the first preset request, verify the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair.

For the principle and implementation process of identity authentication in this embodiment, please refer to the above embodiments and will not be described in detail here.

In addition, an embodiment of the present invention also proposes a terminal device. The terminal device includes a memory, a processor, and an identity authentication program stored on the memory and executable on the processor. The identity authentication program is When the processor is executed, the steps of implementing the identity authentication method as described above are implemented.

Since this identity authentication program adopts all the technical solutions of all the foregoing embodiments when executed by the processor, it has at least all the beneficial effects brought by all the technical solutions of all the foregoing embodiments, which will not be described again one by one.

In addition, embodiments of the present invention also provide a computer-readable storage medium, the computer-readable storage medium stores an identity authentication program, and when the identity authentication program is executed by a processor, the steps of the identity authentication method as described above are implemented. .

Since this identity authentication program adopts all the technical solutions of all the foregoing embodiments when executed by the processor, it has at least all the beneficial effects brought by all the technical solutions of all the foregoing embodiments, which will not be described again one by one.

Compared with the existing technology, the present invention provides an identity authentication method, system, terminal device and storage medium. By setting public and private key pairs for preset business participants, a public and private key pair set is obtained, wherein the public and private key pairs are The key pair set includes a card public and private key pair and a terminal public and private key pair; based on the card public and private key pair and the terminal public and private key pair, a combined public and private key pair is generated; when the first preset request is received, Based on the public-private key pair set and the combined public-private key pair, the identity information corresponding to the first preset request is verified. The invention aims to solve the problem of terminal card separation, improve the security of business processes, and reduce the complexity of business processes.

It should be noted that, as used herein, the terms "include", "comprises" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or method that includes a list of elements includes not only those elements, but It also includes other elements not expressly listed or inherent in the process, method, article or method. Without further limitation, an element defined by the statement "comprises a..." does not exclude the presence of other identical elements in the process, method, article or method that includes the element.

The above serial numbers of the embodiments of the present invention are only for description and do not represent the advantages and disadvantages of the embodiments.

Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus the necessary general hardware platform. Of course, it can also be implemented by hardware, but in many cases the former is better. implementation. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product in essence or that contributes to the existing technology. The computer software product is stored in one of the above storage media (such as ROM/RAM, magnetic disc, optical disk), including several instructions to cause a terminal device (which can be a mobile phone, a computer, a server, a controlled terminal, or a network device, etc.) to execute the method of each embodiment of the present invention.

The above are only preferred embodiments of the present invention, and do not limit the patent scope of the present invention. Any equivalent structure or equivalent process transformation made using the description and drawings of the present invention may be directly or indirectly used in other related technical fields. , are all similarly included in the scope of patent protection of the present invention.

Claims (10)

1. An identity authentication method, characterized in that the method includes the following steps: Set public and private key pairs for the preset business participants to obtain a public and private key pair set, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair; Generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair; When the first preset request is received, the identity information corresponding to the first preset request is verified based on the public and private key pair set and the combined public and private key pair. 2. The identity authentication method according to claim 1, characterized in that the preset service participants include an initiator and a receiver, and based on the public and private key pair set and the combined public and private key pair, The step of verifying the identity information corresponding to the first preset request includes: Based on the public-private key pair set and the combined public-private key pair, the initiator encrypts the first preset request to obtain decision information; Based on the public-private key pair set and the combined public-private key pair, the identity information corresponding to the decision-making information is verified by the recipient. 3. The identity authentication method according to claim 2, wherein the step of generating a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair includes: When the recipient receives the second preset request, the recipient sends the second preset request to the initiator; Receive the first preset request generated by the initiator based on the second preset request, and perform the steps of: verifying the first preset request based on the public and private key pair set and the combined public and private key pair Corresponding identity information. 4. The identity authentication method according to claim 2, characterized in that the recipient includes a first participant and a second participant, and the method is based on the public and private key pair set and the combined public and private key pair. , the step of verifying the identity information corresponding to the decision-making information through the receiver includes: Verify, by the first participant, the signature information generated based on the public-private key pair of the first participant in the decision-making information; If the verification passes, the decision information is sent to the second participant through the first participant; The second party verifies the signature information generated based on the combined public and private key pair of the second party in the decision information. 5. The identity authentication method according to claim 2, wherein the first preset request is encrypted by the initiator based on the public and private key pair set and the combined public and private key pair, Steps to obtain decision-making information include: Based on the first preset request, generate a first random number and a second random number; Generate combined information based on the first preset request and the second random number; The decision information is obtained based on the first random number, the second random number, the combination information, the first preset request, the public-private key pair set, and the combined public-private key pair. 6. The identity authentication method according to claim 4, wherein the step of sending the decision information to the second participant through the first participant includes: Based on the decision information, generate a third random number; Based on the combined public and private key pair of the second participant, the third random number is encrypted to obtain the first signature; Based on the first signature, the decision information is updated. 7. The identity authentication method according to claim 1, wherein the step of generating a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair includes: Send the public key of the public-private key pair set to the preset service participant; Send the public key of the combined public-private key pair to the preset participant. 8. An identity authentication system, characterized by including: The key set generation module is used to set public and private key pairs for preset business participants to obtain a public and private key pair set, wherein the public and private key pair set includes a card public and private key pair and a terminal public and private key pair; A combined key generation module, configured to generate a combined public and private key pair based on the card public and private key pair and the terminal public and private key pair; An identity verification module, configured to, when receiving the first preset request, verify the identity information corresponding to the first preset request based on the public and private key pair set and the combined public and private key pair. 9. A terminal device, characterized in that the terminal device includes a memory, a processor, and an identity authentication method stored on the memory and executable on the processor, and the identity authentication program is performed by the When executed by the processor, the steps of the identity authentication method according to any one of claims 1-7 are implemented. 10. A computer-readable storage medium, characterized in that an identity authentication program is stored on the computer-readable storage medium. When the identity authentication program is executed by a processor, the identity authentication program implements any one of claims 1-7. The steps of the identity authentication method described in the item.