CN117294449A - Identity authentication method and related equipment - Google Patents

Publication number
CN117294449A
Authority
CN
China
Prior art keywords
algorithm
authentication
information
password
identity authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311378409.2A
Other languages
Chinese (zh)
Inventor
左捷
史艳霞
何永艳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Technical Institute of Electronics and Information
Original Assignee
Shanghai Technical Institute of Electronics and Information

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network
    • H04L2463/142 Denial of service attacks against network infrastructure

Abstract

The invention provides an identity authentication method and related equipment. The method comprises the following steps: registration request information is transmitted to complete user registration based on the registration request information, wherein the registration request includes user information and algorithm selection information; authentication request information is determined based on the user information and the algorithm selection information to complete identity authentication based on the authentication request information. In this way, the dual algorithms SM3 and SHA256 are supported on the basis of a traditional S/Key one-time password system. The two hash algorithms can meet different security requirements, and the result values of both algorithms are 32 bytes, so security is high. The dual algorithms can also effectively prevent denial-of-service attacks: if an attacker deliberately induces an error in one algorithm, causing the program to crash or stop running, the user can choose the other algorithm to avoid the attack. The security and controllability of the S/Key one-time password system are thereby significantly improved, and the identity authentication process can be completed safely and effectively.

Description

Identity authentication method and related equipment
Technical Field
The present invention relates to the field of identity authentication technology, and more particularly, to an identity authentication method, an identity authentication device, an electronic apparatus, and a storage medium.
Background
The S/Key one-time password system is an identity authentication system that generates one-time passwords based on a hash function. It uses the user's password (pw) as a fixed factor, in combination with a random seed (seed), to generate a one-time password with a hash algorithm. The S/Key one-time password system has a simple implementation principle; the plaintext user password does not need to be transmitted over the network, and the user password is stored in the system after being encrypted; the generated password is one-time, and an attacker cannot attempt to crack the user password by recording previous passwords, so it is an identity authentication method with high security.
However, with the continuous evolution and upgrading of network attacks and security threats, the security of the conventional S/Key one-time password system can no longer meet increasingly high security requirements. For example, it cannot resist small-number attacks, lacks an integrity protection mechanism, and supports only one hash algorithm. In practice, different systems and scenarios may require different hash algorithms to meet different security requirements. For example, fields such as finance, government and the military may require higher security and controllability, and therefore more often adopt the national cryptographic algorithm; other areas, such as internet applications, may more often adopt international algorithms to ensure compatibility with international standards and the free flow of information.
Thus, a new solution is needed to solve the above-mentioned technical problems.
Disclosure of Invention
In the summary, a series of concepts in a simplified form are introduced, which will be further described in detail in the detailed description. The summary of the invention is not intended to define the key features and essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
In a first aspect, the present invention proposes an identity authentication method, including:
transmitting registration request information to complete user registration based on the registration request information, wherein the registration request comprises user information and algorithm selection information;
authentication request information is determined based on the user information and the algorithm selection information to complete identity authentication based on the authentication request information.
Optionally, the method further comprises:
determining supportable hash algorithms, wherein the hash algorithms comprise a national cryptographic algorithm and an international algorithm;
determining algorithm selection information based on a supportable hash algorithm, wherein the algorithm selection information comprises at least one of a national cryptographic algorithm or an international algorithm;
based on the algorithm selection information, an iteration value of the selected algorithm is determined to include the iteration value information in the registration request.
Optionally, when the algorithm selection information is any one of a national cryptographic algorithm and an international algorithm, the method further includes:
sending a random seed;
calculating an authentication password of the selected algorithm;
based on the random seed, the user information, the selected algorithm, the authentication password of the selected algorithm and the iteration value of the selected algorithm, completing the user registration;
when the algorithm selection information contains a national cryptographic algorithm and an international algorithm, the method further comprises:
sending a random seed;
calculating a first authentication password of the national cryptographic algorithm and a second authentication password of the international algorithm;
completing user registration based on the random seed, the user information, the national cryptographic algorithm and the international algorithm, the first authentication password, the second authentication password, and the iteration values of the national cryptographic algorithm and the international algorithm.
Optionally, before the authentication is completed based on the authentication request information, the method further comprises:
carrying out validity verification based on the authentication request information.
Optionally, the authentication request information is used for completing identity authentication, including:
searching a corresponding random seed, a current iteration value of the selected algorithm and an authentication password based on authentication request information;
based on the selected algorithm, a message authentication code based on a hash function is calculated.
Optionally, the method further comprises:
a first judgment password is determined based on the random seed, the current iteration value of the selected algorithm, the authentication password and the message authentication code based on the hash function, so that identity authentication is performed based on the first judgment password.
Optionally, the method further comprises:
performing hash operation on the first judgment password to determine a second judgment password;
based on the comparison result between the second judgment password and the authentication password, the identity authentication is completed.
In a second aspect, there is also provided an identity authentication device, including:
the client is used for sending registration request information, wherein the registration request comprises user information and algorithm selection information; the client is also used for determining the authentication request information based on the user information and the algorithm selection information;
the server side is used for finishing user registration based on the registration request information and finishing identity authentication based on the authentication request information.
In a third aspect, an electronic device is also presented, comprising a processor and a memory, wherein the memory has stored therein computer program instructions for performing the identity authentication method as described above when executed by the processor.
In a fourth aspect, a storage medium is also proposed, on which program instructions are stored, which program instructions are operative when executed to perform an identity authentication method as described above.
According to the above technical scheme, registration request information is sent to complete user registration based on the registration request information, wherein the registration request comprises user information and algorithm selection information. Authentication request information is determined based on the user information and the algorithm selection information to complete identity authentication based on the authentication request information. In this way, the dual algorithms SM3 and SHA256 are supported on the basis of a traditional S/Key one-time password system. The two hash algorithms can meet different security requirements, and the result values of both algorithms are 32 bytes, so security is high. The dual algorithms can also effectively prevent denial-of-service attacks: if an attacker deliberately induces an error in one algorithm, causing the program to crash or stop running, the user can choose the other algorithm to avoid the attack. The security and controllability of the S/Key one-time password system are thereby significantly improved, and the identity authentication process can be completed safely and effectively.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the specification. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 shows a schematic flow chart of an identity authentication method according to one embodiment of the invention;
FIG. 2 shows a schematic diagram of an identity authentication process according to one embodiment of the invention;
FIG. 3 illustrates a registration flow diagram supporting a single algorithm during a user registration phase in accordance with one embodiment of the present invention;
FIG. 4 illustrates a registration flow diagram supporting a dual algorithm during a user registration phase in accordance with one embodiment of the present invention;
FIG. 5 shows a schematic diagram of an authentication flow during an authentication phase according to one embodiment of the invention;
FIG. 6 shows a schematic block diagram of an identity authentication device according to one embodiment of the present invention; and
FIG. 7 shows a schematic block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The terms "first," "second," "third," "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application.
In order to solve the technical problems, the invention provides an identity authentication method. Fig. 1 shows a schematic flow chart of an identity authentication method 100 according to one embodiment of the invention. As shown in fig. 1, the method 100 may include the following steps.
Step S110, registration request information is sent to complete user registration based on the registration request information, wherein the registration request includes user information and algorithm selection information.
Fig. 2 shows a schematic diagram of an identity authentication procedure according to one embodiment of the invention. As shown in fig. 2, during the user registration phase, the client may send a registration request containing user information and algorithm selection information to the server side. The algorithm selection information may be represented by the lower 2 bits of 1 byte; the remaining 6 bits are reserved for future extensions. It will be appreciated that setting different values at different positions in the lower 2 bits may represent different algorithm selections, which is not specifically limited herein. After receiving the registration request of the client, the server can determine and complete a dual-algorithm or a single-algorithm user registration process, according to whether the client chooses to support a single algorithm or dual algorithms. Specifically, the hash algorithms supportable by the client may first be determined, wherein the hash algorithms include the national cryptographic algorithm SM3 and the international algorithm SHA256. Next, the algorithm selection information is determined according to the hash algorithms supported by the client, wherein the algorithm selection information includes at least one of the national cryptographic algorithm or the international algorithm. It will be appreciated that either or both algorithms may be selected. For example, setting bit 0 of the lower 2 bits of the byte to "1" may indicate that the national cryptographic SM3 algorithm is supported, and setting bit 1 to "1" may indicate that the international SHA256 algorithm is supported. Then, based on the algorithm selection information, an iteration value of the selected algorithm is determined, and the iteration value information is included in the registration request. Optionally, the iteration value is an integer greater than zero, e.g., N1 corresponds to the SM3 algorithm and N2 corresponds to the SHA256 algorithm.
Step S130, based on the user information and the algorithm selection information, determines authentication request information to complete identity authentication based on the authentication request information.
Referring again to fig. 2, the client may send an authentication request including algorithm selection information and user information to the server, and the server may verify whether the user is a legitimate user according to the received authentication request. When the user is not a legitimate user, the server may send an authentication-failure prompt to the client; after receiving the prompt, the client may re-send the authentication request or choose to end the identity authentication process. Otherwise, if the user is a legitimate user, the identity authentication of the user can be completed, and the identity authentication flow ends.
Fig. 3 is a schematic diagram showing a registration flow supporting a single algorithm in the user registration phase according to an embodiment of the present invention. As shown in fig. 3, when the algorithm selection information is any one of the national cryptographic algorithm and the international algorithm, the method may further include: sending a random seed; calculating an authentication password of the selected algorithm; and completing user registration based on the random seed, the user information, the selected algorithm, the authentication password of the selected algorithm, and the iteration value of the selected algorithm.
In particular, the server may send a random seed (seed) to the client, which may calculate the authentication password $OTP_{M1}$ or $OTP_{M2}$ of the selected algorithm (OTP: One Time Password), i.e. calculate $H^{N1}(pw \| seed)$ or $H^{N2}(pw \| seed)$, where pw is a user password customized by the client, H is the hash function of the corresponding algorithm, the superscript of H is the number of hashes, and the "$\|$" symbol denotes concatenation. The authentication password $OTP_{M1}$/$OTP_{M2}$ can then be sent to the server side. The server creates and stores a user information record including the user ID, the random seed, the supported algorithm, the current iteration value M1/M2 of the selected algorithm (the initial value of M1 is N1 minus 1, the initial value of M2 is N2 minus 1), and the current authentication password $OTP_{M1}$/$OTP_{M2}$ of the selected algorithm.
Fig. 4 is a schematic diagram of a registration flow supporting dual algorithms in the user registration phase according to an embodiment of the present invention. As shown in fig. 4, when the algorithm selection information includes both the national cryptographic algorithm and the international algorithm, the method may further include: sending a random seed; calculating a first authentication password of the national cryptographic algorithm and a second authentication password of the international algorithm; and completing user registration based on the random seed, the user information, the national cryptographic algorithm and the international algorithm, the first authentication password, the second authentication password, and the iteration values of the national cryptographic algorithm and the international algorithm.
Specifically, the server may send a random seed (seed) to the client, and the client calculates the authentication passwords $OTP_{M1}$ and $OTP_{M2}$ of the two algorithms respectively, i.e. $H^{N1}(pw \| seed)$ and $H^{N2}(pw \| seed)$, and then sends the authentication passwords $OTP_{M1}$ and $OTP_{M2}$ to the server side. The server creates and stores a user information record including the user ID, the random seed, the supported algorithms, the current iteration values M1 and M2 of the two algorithms (the initial value of M1 is N1 minus 1, the initial value of M2 is N2 minus 1), and the current authentication passwords $OTP_{M1}$ and $OTP_{M2}$ of the selected algorithms.
Therefore, double algorithm support is added on the basis of a traditional S/Key one-time password system, and the security of the system can be improved in a user registration stage.
Optionally, before the authentication is completed based on the authentication request information in step S130, the method may further include: step S120, based on the authentication request information, validity verification is performed.
For example, the validity verification may include: validity of user ID, validity of algorithm selection, validity of current iteration value of selected algorithm. Specifically, for the validity of the user ID: if the user ID is incorrect or unavailable, the authentication is not passed, and the authentication process is terminated. Legitimacy of algorithm selection: if the selected algorithm is not SM3 or SHA256, the authentication is failed, and the authentication process is terminated. Validity of the current iteration value for the selected algorithm: if the current iteration value (M1/M2) is smaller than 1 (i.e. equal to 0), the verification is not passed, the user is required to be registered again, and the identity verification process is terminated; if the verification is passed, the identity authentication process is carried out.
Therefore, the method can perform validity verification before identity authentication, and determine whether subsequent identity authentication is performed according to the validity verification result, so that the identity authentication efficiency is greatly improved.
Optionally, the step S130 of completing the identity authentication based on the authentication request information may include:
step S131, based on the authentication request information, searching the corresponding random seed, the current iteration value of the selected algorithm and the authentication password.
Fig. 5 shows a schematic diagram of an authentication flow during an authentication phase according to one embodiment of the invention. As shown in fig. 5, according to the authentication request sent by the client side, the server side may look up the corresponding random seed, the current iteration value M of the algorithm selected in the authentication request, and the stored authentication password $OTP_M$ (M is M1 or M2; M1 corresponds to the SM3 algorithm and M2 corresponds to the SHA256 algorithm).
Step S132, based on the selected algorithm, calculating a message authentication code based on the hash function.
Depending on the algorithm chosen, the information to be sent to the client may be concatenated and then hashed once, i.e. $HMAC = H(seed \| M \| OTP_M)$ is calculated (MAC: Message Authentication Code; HMAC: message authentication code based on a hash function). Then the seed, M and $OTP_M$, along with the HMAC, are sent to the client.
Optionally, the method may further comprise: step S133, determining a first judgment password based on the random seed, the current iteration value of the selected algorithm, the authentication password and the message authentication code based on the hash function, so as to perform identity authentication based on the first judgment password.
Illustratively, based on the received random seed, the current iteration value of the selected algorithm, the authentication password, and the hash-function-based message authentication code, the client may calculate: the first judgment password $OTP_{M-1}$, i.e. $H^{M-1}(pw \| seed)$; $OTP_M$, i.e. $H^{M}(pw \| seed)$; and HMAC1, i.e. $H(seed \| M \| OTP_M)$. The client can compare the calculated HMAC1 with the received HMAC. If they are inconsistent, this indicates that the data sent by the server has been tampered with or that the server is an illegitimate server, and the identity authentication process is terminated; if they are consistent, the first judgment password $OTP_{M-1}$ can be sent to the server.
Therefore, by sending the HMAC, the server side enables the client to authenticate the server and provides integrity protection, so that data tampering, eavesdropping attacks, replay attacks and small-number attacks can be effectively prevented, the security vulnerabilities of the traditional S/Key one-time password system are reduced, and the security of the system is improved.
Optionally, the method may further comprise:
in step S134, a hash operation is performed on the first judgment password to determine a second judgment password.
Illustratively, after the server side receives $OTP_{M-1}$, the first judgment password may be hashed once according to the selected algorithm, yielding the second judgment password $H(OTP_{M-1})$.
And step S135, based on the comparison result between the second judgment password and the authentication password, the identity authentication is completed.
The second judgment password $H(OTP_{M-1})$ is compared with the previously stored authentication password $OTP_M$. If the comparison shows that the two are inconsistent, the identity authentication fails and the identity authentication process is terminated; if the comparison shows that the two are consistent, the current iteration value M of the corresponding algorithm can be updated to the original value of M minus 1, the current authentication password $OTP_M$ is updated to the value of $OTP_{M-1}$, and the identity authentication passes.
For ease of understanding, the identity authentication method of the present invention is further described below, taking a client that supports the dual algorithm as an example.
Specifically, in the user registration stage, the client sends registration request information to the server, including user information, algorithm selection information (0x03, the low 2 bits are both 1, indicating support for the dual algorithm), and iteration values (N1 corresponds to the SM3 algorithm, N2 corresponds to the SHA256 algorithm). After receiving the registration request information from the client, the server may determine from the algorithm selection information (0x03) that the client supports the dual algorithm, and then generates a random seed (seed) and sends it to the client. After receiving the seed sent by the server, the client calculates the authentication passwords of the two algorithms, $\mathrm{OTP}_{M1}$ and $\mathrm{OTP}_{M2}$, i.e. $H^{N1}(pw \| seed)$ and $H^{N2}(pw \| seed)$ (pw is a user password defined by the client user). The client then sends the authentication passwords of the two algorithms, $\mathrm{OTP}_{M1}$ and $\mathrm{OTP}_{M2}$, to the server. The server calculates the current iteration values of the two algorithms, M1 = N1 - 1 and M2 = N2 - 1; creates and saves a user information record (comprising the user ID, the random seed, the supported algorithms (0x03), the current iteration values M1 and M2 of the selected algorithms, and the current authentication passwords $\mathrm{OTP}_{M1}$ and $\mathrm{OTP}_{M2}$ of the two algorithms); and sends a registration success prompt to the client, which completes the user registration.
In the authentication phase, the client may send an authentication request to the server, including algorithm selection information (0x01, the lowest bit is 1, indicating selection of the national cryptographic SM3 algorithm) and a user ID. Validity verification of the client is performed first; it has been described in detail above and is not repeated here. After the validity verification passes, the server looks up the corresponding seed, the current iteration value M1 of the SM3 algorithm, and the stored authentication password $\mathrm{OTP}_{M1}$. The information to be sent to the client is concatenated and then hashed once with the SM3 algorithm, i.e. $\mathrm{HMAC} = H(seed \| M1 \| \mathrm{OTP}_{M1})$ is calculated, and the seed, the current iteration value M1, and the HMAC are then sent to the client. The client uses the SM3 algorithm to calculate $\mathrm{OTP}_{M1-1}$, i.e. $H^{M1-1}(pw \| seed)$, and $\mathrm{OTP}_{M1}$, i.e. $H^{M1}(pw \| seed)$ (pw is the user password), and then calculates HMAC1 with the SM3 algorithm, $\mathrm{HMAC1} = H(seed \| M1 \| \mathrm{OTP}_{M1})$. The client compares the received HMAC with HMAC1. If the two are consistent, it sends $\mathrm{OTP}_{M1-1}$ to the server; if they are inconsistent, authentication of the server fails and the identity authentication is terminated. After receiving $\mathrm{OTP}_{M1-1}$, the server performs one SM3 hash, i.e. calculates $H(\mathrm{OTP}_{M1-1})$, and compares $H(\mathrm{OTP}_{M1-1})$ with the stored authentication password $\mathrm{OTP}_{M1}$. If they are consistent, the server subtracts 1 from the current iteration value M1 corresponding to the SM3 algorithm and updates the authentication password $\mathrm{OTP}_{M1}$ with the value of $\mathrm{OTP}_{M1-1}$; the server then accepts the authentication and notifies the client that the authentication succeeded.
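The authentication round described above can be traced in code. The following Python sketch is an added example, not code from the patent: it uses SHA256 (the international algorithm named above) as the selected algorithm, assumes M is encoded as a 4-byte big-endian integer inside the concatenation, and starts from a constructed server record whose stored password equals $H^{M}(pw \| seed)$; the names `chain`, `server_mac`, `Server` and `client_respond` are hypothetical.

```python
import hashlib
import hmac
import struct

def H(data: bytes) -> bytes:
    # SHA256 stands in for "the selected algorithm" (SM3 is the other option).
    return hashlib.sha256(data).digest()

def chain(pw: bytes, seed: bytes, n: int) -> bytes:
    """H^n(pw || seed): n successive hashes of the concatenation."""
    value = pw + seed
    for _ in range(n):
        value = H(value)
    return value

def server_mac(seed: bytes, m: int, otp_m: bytes) -> bytes:
    # The text's "HMAC" is one hash over seed || M || OTP_M, not RFC 2104 HMAC.
    # Assumption: M is encoded as a 4-byte big-endian integer.
    return H(seed + struct.pack(">I", m) + otp_m)

class Server:
    def __init__(self, seed: bytes, m: int, otp_m: bytes):
        self.seed, self.m, self.otp_m = seed, m, otp_m

    def challenge(self):
        return self.seed, self.m, server_mac(self.seed, self.m, self.otp_m)

    def verify(self, otp_prev: bytes) -> bool:
        # Steps S134/S135: hash once, compare with the stored password.
        if not hmac.compare_digest(H(otp_prev), self.otp_m):
            return False
        self.m -= 1               # M <- M - 1
        self.otp_m = otp_prev     # OTP_M <- OTP_{M-1}
        return True

def client_respond(pw: bytes, seed: bytes, m: int, mac: bytes):
    """Return OTP_{M-1}, or None when the server message fails the check."""
    if m < 1:
        return None               # no OTP_{M-1} exists for M < 1
    otp_prev = chain(pw, seed, m - 1)
    otp_m = H(otp_prev)
    if not hmac.compare_digest(server_mac(seed, m, otp_m), mac):
        return None               # tampered data or illegitimate server
    return otp_prev

def demo():
    # Constructed sample values, not taken from the patent.
    pw, seed, m = b"constructed-password", bytes(range(16)), 5
    server = Server(seed, m, chain(pw, seed, m))
    s, cur, mac = server.challenge()
    otp = client_respond(pw, s, cur, mac)
    accepted = server.verify(otp)
    replayed = server.verify(otp)                 # same OTP sent again
    lowered = client_respond(pw, s, 2, mac)       # M altered in transit
    return accepted, replayed, lowered, server.m
```

The resent password is rejected because the stored value has already advanced to $\mathrm{OTP}_{M-1}$, and a challenge whose iteration value was changed in transit fails the client's HMAC1 comparison before any password leaves the client.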
According to a second aspect of the present invention, an identity authentication device is also presented. Fig. 6 shows a schematic block diagram of an identity authentication device 600 according to one embodiment of the invention, as shown in fig. 6, the device 600 may comprise:
a client 610 for transmitting registration request information, wherein the registration request includes user information and algorithm selection information; the client is further configured to determine authentication request information based on the user information and the algorithm selection information;
the server 620 is configured to complete user registration based on the registration request information and complete identity authentication based on the authentication request information.
According to a third aspect of the present invention, an electronic device is also presented. Fig. 7 shows a schematic block diagram of an electronic device 700 according to an embodiment of the invention. As shown in fig. 7, an electronic device 700 may include a processor 710 and a memory 720. The memory 720 has stored therein computer program instructions which, when executed by the processor, are adapted to carry out the identity authentication method as described above. Processor 710 may be implemented in at least one hardware form of a microprocessor, a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA). Processor 710 may also be one or a combination of several Central Processing Units (CPUs), Graphics Processing Units (GPUs), Application Specific Integrated Circuits (ASICs), or other forms of processing units having data processing and/or instruction execution capabilities, and may control other components in electronic device 700 to perform the desired functions. Memory 720 may include one or more computer program products. The computer program product may include various forms of computer-readable storage media, such as volatile memory and/or nonvolatile memory. Volatile memory can include, for example, Random Access Memory (RAM) and/or cache memory (cache) and the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, and the like. One or more computer program instructions may be stored on a computer readable storage medium that can be executed by the processor 710 to perform client functions and/or other desired functions in embodiments of the invention described below (implemented by the processor). Various applications and various data, such as various data used and/or generated by the applications, may also be stored in the computer readable storage medium.
According to a fourth aspect of the present invention, there is also provided a storage medium having stored thereon program instructions for performing, at run-time, an identity authentication method as described above. The storage medium may include, for example, a storage component of a tablet computer, a hard disk of a computer, read-only memory (ROM), erasable programmable read-only memory (EPROM), portable compact disc read-only memory (CD-ROM), USB memory, or any combination of the foregoing storage media. The computer-readable storage medium may be any combination of one or more computer-readable storage media.
Specific details and advantages of the identity authentication system, the electronic device, and the storage medium will be understood by those of ordinary skill in the art from the above description of the identity authentication method, and are not repeated here for brevity.
In several embodiments provided herein, it should be understood that the disclosed apparatus and/or device may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. An identity authentication method, comprising:
transmitting registration request information to complete user registration based on the registration request information, wherein the registration request comprises user information and algorithm selection information;
determining authentication request information based on the user information and the algorithm selection information, so as to complete identity authentication based on the authentication request information.
2. The identity authentication method of claim 1, wherein the method further comprises:
determining supportable hash algorithms, wherein the hash algorithms comprise a national cryptographic algorithm and an international algorithm;
determining the algorithm selection information based on the supportable hash algorithm, wherein the algorithm selection information includes at least one of the national cryptographic algorithm or the international algorithm;
determining an iteration value of the selected algorithm based on the algorithm selection information, so as to include iteration value information in the registration request.
3. The identity authentication method according to claim 2, wherein when the algorithm selection information is any one of the national cryptographic algorithm and the international algorithm, the method further comprises:
sending a random seed;
calculating an authentication password of the selected algorithm;
completing the user registration based on the random seed, the user information, the selected algorithm, an authentication password for the selected algorithm, and an iteration value for the selected algorithm;
when the algorithm selection information includes the national cryptographic algorithm and the international algorithm, the method further includes:
transmitting the random seed;
calculating a first authentication password of the national cryptographic algorithm and a second authentication password of the international algorithm;
and completing the user registration based on the random seed, the user information, the national cryptographic algorithm and the international algorithm, the first authentication password, the second authentication password, and iteration values of the national cryptographic algorithm and the international algorithm.
4. The identity authentication method of claim 1, wherein before the authentication is completed based on the authentication request information, the method further comprises:
and carrying out validity verification based on the authentication request information.
5. The authentication method according to any one of claims 1 to 4, wherein the performing authentication based on the authentication request information includes:
searching a corresponding random seed, a current iteration value of the selected algorithm and an authentication password based on the authentication request information;
based on the selected algorithm, a message authentication code based on a hash function is calculated.
6. The identity authentication method of claim 5, wherein the method further comprises:
and determining a first judgment password based on the random seed, the current iteration value of the selected algorithm, the authentication password and the message authentication code based on the hash function, so as to perform identity authentication based on the first judgment password.
7. The identity authentication method of claim 6, wherein the method further comprises:
performing hash operation on the first judgment password to determine a second judgment password;
and based on the comparison result between the second judgment password and the authentication password, completing the identity authentication.
8. An identity authentication device, comprising:
the client is used for sending registration request information, wherein the registration request comprises user information and algorithm selection information; and further configured to determine authentication request information based on the user information and the algorithm selection information;
and the server side is used for finishing user registration based on the registration request information and finishing identity authentication based on the authentication request information.
9. An electronic device comprising a processor and a memory, wherein the memory has stored therein computer program instructions which, when executed by the processor, are adapted to carry out the identity authentication method of any one of claims 1 to 7.
10. A storage medium having stored thereon program instructions for performing the identity authentication method of any one of claims 1 to 7 when run.
CN202311378409.2A 2023-10-24 2023-10-24 Identity authentication method and related equipment Pending CN117294449A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311378409.2A CN117294449A (en) 2023-10-24 2023-10-24 Identity authentication method and related equipment

Publications (1)

Publication Number Publication Date
CN117294449A true CN117294449A (en) 2023-12-26

Family

ID=89251708

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311378409.2A Pending CN117294449A (en) 2023-10-24 2023-10-24 Identity authentication method and related equipment

Country Status (1)

Country Link
CN (1) CN117294449A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination