CN117675182A - Identity authentication method, system, equipment and medium - Google Patents

Publication number: CN117675182A
Authority: CN (China)
Prior art keywords: data, public key, client, signature, server
Legal status: Pending
Application number: CN202311341558.1A
Other languages: Chinese (zh)
Inventor: 何全
Current Assignee: Shanghai Wumi Technology Co ltd
Original Assignee: Shanghai Wumi Technology Co ltd
Application filed by: Shanghai Wumi Technology Co ltd
Priority to: CN202311341558.1A

Landscapes

  • Storage Device Security (AREA)

Abstract

The application discloses an identity authentication method, an identity authentication system, identity authentication equipment and an identity authentication medium, and relates to the technical field of data interaction, wherein the identity authentication method is applied to a client and comprises the following steps: deriving a key based on the mnemonic, the key comprising a private key and a comparison public key; combining the public key with the original data to obtain signature data; signing the signature data by adopting a private key to obtain a signature character string; and sending the signature data and the signature character string to a server for identity authentication by the server. The method can ensure that the server can authenticate the identity of the client after the data is sent to the server, thereby preventing the identity of the client from being falsified. In addition, the client does not send the mnemonic and the private key generated by the client to the server, so that the private key and the mnemonic can be prevented from being revealed in the server or the identity authentication process, and the data security after signing and encryption through the private key is ensured.

Description

Identity authentication method, system, equipment and medium
Technical Field
The present disclosure relates to the field of data interaction technologies, and in particular, to an identity authentication method, system, device, and medium.
Background
With the rapid development of internet technology, computer network applications have penetrated into various industries, and global informatization has become a major trend of human development. In recent years, network security problems have become particularly serious: users are frequently attacked by hackers, trojans and malicious software, and stolen bank accounts, stolen funds, falsified user identities and the like are common.
Therefore, in the data interaction process, when the server is attacked or the identity of the client is faked, data can be leaked or tampered with, which poses a hidden danger to data security.
Disclosure of Invention
The embodiment of the application provides an identity authentication method, an identity authentication system, identity authentication equipment and an identity authentication medium, which are used for solving or partially solving the problems of data leakage and potential safety hazards in the data interaction process.
The first object of the present application is to provide an identity authentication method.
An identity authentication method applied to a client side comprises the following steps:
deriving a key based on the mnemonic, the key comprising a private key and a comparison public key;
combining the public key with the original data to obtain signature data;
signing the signature data by adopting a private key to obtain a signature character string;
and sending the signature data and the signature character string to a server for identity authentication by the server.
The present application may be further configured in a preferred example to: when applied to the client, deriving a key based on the mnemonic, the key comprising a private key and a comparison public key, comprises the following steps:
deriving a plurality of private keys based on the mnemonic, and deriving the corresponding comparison public keys from the plurality of private keys;
any one of the derived private keys is used as a main private key, and the main private key is used for signing or encrypting data.
The present application may be further configured in a preferred example to: when applied to the client, combining the public key with the original data to obtain signature data comprises the following steps:
encrypting the original data by adopting a secret key to obtain encrypted data;
and combining the public key with the encrypted data to obtain signature data.
An identity authentication method applied to a server comprises the following steps:
receiving signature data and a signature character string sent by a client, wherein the signature data comprises a comparison public key;
restoring the signature data and the signature character string to obtain an authentication public key;
comparing the comparison public key with the authentication public key to authenticate the identity of the client.
The present application may be further configured in a preferred example to: applied to the server, further comprising:
deriving an authentication address corresponding to the authentication public key through a derivation algorithm;
comparing the authentication address with the comparison address corresponding to the comparison public key to authenticate the identity of the client.
The present application may be further configured in a preferred example to: when applied to the server, after comparing the comparison public key with the authentication public key, the method further comprises the following steps:
if the comparison public key is consistent with the authentication public key, storing signature data and signature character strings sent by the client;
and if the comparison public key is inconsistent with the authentication public key, refusing to store the signature data and the signature character string sent by the client.
The present application may be further configured in a preferred example to:
the second purpose of the application is to provide an identity authentication system.
The second object of the present application is achieved by the following technical solutions:
an identity authentication system, a client comprising:
the key generation module is used for deriving a key based on the mnemonic, and the key comprises a private key and a comparison public key;
the signature data generation module is used for combining the comparison public key and the original data to obtain signature data;
the signature character string generation module is used for signing the signature data by adopting a private key to obtain a signature character string;
the data sending module is used for sending the signature data and the signature character string to the server for identity authentication by the server;
An identity authentication system, a server comprising:
the data receiving module is used for receiving signature data and signature character strings sent by the client, wherein the signature data comprises a comparison public key;
the restoring module is used for restoring the signature data and the signature character string to obtain an authentication public key;
and the comparison authentication module is used for comparing the comparison public key with the authentication public key and authenticating the identity of the client.
The third object of the present application is to provide an electronic device.
An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing an identity authentication method as described above when executing the computer program.
A fourth object of the present application is to provide a computer-readable storage medium.
A computer readable storage medium storing a computer program which when executed by a processor implements the above-described authentication method.
In summary, the present application includes the following beneficial technical effects:
the identity authentication method is applied to a client and comprises the following steps: deriving a key based on the mnemonic, the key comprising a private key and a comparison public key; combining the public key with the original data to obtain signature data; signing the signature data by adopting a private key to obtain a signature character string; and sending the signature data and the signature character string to a server for identity authentication by the server. The method can ensure that the server can authenticate the identity of the client after the data is sent to the server, thereby preventing the identity of the client from being falsified. In addition, the client does not send the private key and the mnemonic generated by the client to the server, so that the private key and the mnemonic can be prevented from being revealed in the server or in the identity authentication process, and the data security after signing and encryption through the private key is ensured.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a diagram showing an application environment of an authentication method according to an embodiment of the present application;
FIG. 2 is a flow chart of an identity authentication method according to an embodiment of the present application;
FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present application;
FIG. 4 is a block diagram of an authentication system according to an embodiment of the present application;
fig. 5 is a schematic diagram of an electronic device according to an embodiment of the application.
Detailed Description
In order to make the above objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. This application is, however, susceptible of embodiment in many other forms than those described herein and similar modifications can be made by those skilled in the art without departing from the spirit of the application, and therefore the application is not to be limited to the specific embodiments disclosed below.
The terminology used in the following embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates to the contrary. It should also be understood that the term "and/or" as used in this application refers to and encompasses any or all possible combinations of one or more of the listed items.
The identity authentication method provided by the embodiment of the invention can be applied to an application environment as shown in fig. 1. It is applied to an identity authentication system comprising a client and a server, wherein the client communicates with the server through a network. The client, also called the user side, is a program that corresponds to the server and provides local services for the customer. Further, the client is a computer-side program, an APP on a smart device, or a third-party applet embedded in another APP. The client may be installed on, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, portable wearable devices, and the like. The server may be implemented as a stand-alone server or as a cluster of servers.
The identity authentication method provided by the embodiment of the application can be applied to an application environment as shown in fig. 1, and the identity authentication method is applied to an identity authentication system, wherein the identity system comprises a client and a server, and the client can communicate with the server through a network.
The identity authentication method comprises the following steps executed by a client:
deriving a key based on the mnemonic, the key comprising a private key and a comparison public key;
combining the public key with the original data to obtain signature data;
signing the signature data by adopting a private key to obtain a signature character string;
and sending the signature data and the signature character string to a server for identity authentication by the server.
The identity authentication method comprises the following steps executed by a server:
receiving signature data and a signature character string sent by a client, wherein the signature data comprises a comparison public key;
restoring the signature data and the signature character string to obtain an authentication public key;
comparing the comparison public key with the authentication public key to authenticate the identity of the client.
Embodiments of the present application are described in further detail below with reference to the drawings attached hereto.
Example 1
In an embodiment, as shown in fig. 2, an identity authentication method is provided in the embodiment of the present application, which can be applied to a client and a server as shown in fig. 1 for illustration, and specifically includes the following steps:
S11, deriving a key based on the mnemonic, wherein the key comprises a private key and a comparison public key.
Mnemonics are mainly used in the field of encrypted digital currency wallets; this embodiment applies the mnemonic to identity authentication. For example, when a system authenticates a user at login, it generally uses combinations of a user name, a mailbox, a mobile phone number, a verification code, a password and the like to admit the user to the system. In addition, when data interaction is performed between the client and the server, the server needs to request the client to sign data in order to ensure the identity of the client, and then verify the signature. The data security level is also closely related to the key length, so the key of this embodiment may have a maximum length of 256 bits, i.e. 32 bytes.
The client may generate a mnemonic based on the BIP39 protocol. A client typically has one mnemonic; the mnemonic of each client is unique and random, and is unlikely to be acquired by anyone other than the client or user, such as an eavesdropper or the server. After the client generates the mnemonic, the client can derive an infinite number of keys from it. The keys are private keys and comparison public keys (the public keys corresponding to the private keys). Specifically, the mnemonic derives a private key, and the private key derives a public key. The private keys include a master private key and other private keys. The public keys include a master public key (derived from the master private key) and other public keys. The private key is not public and is kept private by its owner. The public key may be public.
In addition, the client generates the mnemonic based on the BIP39 protocol, and the mnemonic can be determined and generated by the client. Specifically, in response to a mnemonic generating instruction sent by a user, a word phrase is sent to the user, and a mnemonic is generated and stored based on a target word determined by the user. The mnemonic is stored only in the device, and neither the mnemonic nor the private key may be sent to the server.
The effect of step S11 is that the client generates the private key and the public key from the mnemonic, so that the private key and the public key of the client are random and unique. This largely secures the client's subsequent operations based on the private key and the public key, ensures data security, protects the identity of the client from being falsified, and greatly reduces the possibility of client data leakage.
S12, combining the public key with the original data to obtain signature data.
The original data can be plaintext data or ciphertext data, and the signature data comprises a comparison public key.
Specifically, the comparison public key derives a corresponding comparison address through a derivation algorithm, and the client combines the comparison address with the original data and sends the combination to the server.
The effect of step S12 is that the address of the client is sent to the server, so that the server can confirm the identity of the client by means of the comparison public key and the corresponding comparison address.
S13, signing the signature data by adopting a private key to obtain a signature character string.
The signature may use asymmetric key encryption.
Specifically, the client in this embodiment may use a signature function and sign the signature data with a private key to obtain a signature string.
For example, in the JAVA environment: the signature data dataStr := {"addr": "0x555284984816489484 gyvrdyhujno."; one of the private keys obtained through the mnemonic, Privatekey := {"k142fyxxxxxxxx."; the signature string may be obtained through the signature function, signature := crypto.Sign(datahash.Bytes(), privatekey), etc.
In the process of multiple data interactions, the client can sign data through the main private key to obtain signature data. The signature of the master private key is used, so that a subsequent server is beneficial to storing and managing signature character strings, signature data, master public keys and other received data of the same client.
The effect of step S13 is to prevent the identity of the client from being faked: the client signs the data with the private key and the server verifies the signature on the data. If the signature verification succeeds, the server can be sure that the data was actually sent by the client.
S14, the signature data and the signature character string are sent to a server for identity authentication by the server.
Specifically, the signature data and the signature string are packaged into a combined parameter, and the combined parameter is transmitted to the server without encryption. The content of the combined parameters may also include time stamps, other parameters, random strings, etc. For the mnemonics, the private keys and the like generated by the client, the client does not need to send to the server, and other public keys and private keys also do not need to send to the server.
Therefore, in the data interaction (identity authentication) process, by using the mnemonic and signing the original data, this embodiment ensures that the server can authenticate the identity of the client after the data is sent to the server, thereby preventing the identity of the client from being falsified. In addition, the client does not send the private key and the mnemonic it generates to the server, so that the private key and the mnemonic cannot be revealed at the server or in the identity authentication process, and the security of data signed and encrypted with the private key is ensured. Even if the server is attacked by an illegal user, or an illegal user obtains leaked transmission data during identity authentication, no major loss is caused to the client, so data security is higher.
S21, receiving signature data and signature character strings sent by the client, wherein the signature data comprises a comparison public key.
Specifically, the client packages the signature data and the signature character string as a combination parameter, sends the combination parameter to the server, and the server receives the combination parameter sent by the client. The server may identify a contrasting public key or contrasting address in the signature data.
S22, restoring the signature data and the signature character string to obtain an authentication public key.
The signature and restoration algorithms include, but are not limited to, the secp256k1 algorithm and the ed25519 algorithm. Specifically, the ECDSA (elliptic curve) algorithm over secp256k1 may be used. Compared with the RSA algorithm, the secp256k1 algorithm can use a shorter key length, so that it can achieve greater security, and it offers fast recovery and verification and a better identity authentication effect.
Specifically, after receiving the client-side signature data and the signature character string, the server restores the whole signature data and the signature character string through a restoration algorithm, and restores an authentication public key corresponding to the comparison public key in the signature data or restores an authentication address corresponding to the comparison address in the signature data.
S23, comparing the comparison public key with the authentication public key to authenticate the identity of the client.
After receiving the signature data and the signature character string, the server identifies the signature data and extracts a comparison public key in the signature data. The server compares the authentication public key with the comparison public key, if the authentication public key is consistent with the comparison public key, the identity of the client is confirmed to be real or legal, and the server processes or stores the data sent by the client; if the authentication public key is inconsistent with the comparison public key, the identity of the client is confirmed to be wrong or illegal, and the server refuses to process or store the data sent by the client.
Specifically, the client corresponds to a comparison address, and the server restores an authentication address. If the comparison address is the same as the authentication address, the identity of the client is correct, and the data was sent by this client rather than by another client masquerading as it. If another client impersonates it, the authentication address restored by the server differs from the comparison address. Therefore, this embodiment can prevent the identity of the client from being faked and the data from being revealed or tampered with in the data interaction process, thereby ensuring the security of data transmission.
When the identity authentication method is applied to the server, the server can authenticate the identity of the client and store the data of clients that authenticate successfully; authentication by private key signature also makes it convenient for the server to manage client data. The server does not receive or store the mnemonics and private keys of the client. Therefore, even if the server fails, server data is leaked, or the identity authentication is eavesdropped on or impersonated, the user's real mnemonic and private key data are not actually leaked, so security is extremely high.
Example 2
In some embodiments, as shown in fig. 3, in step S11, that is, based on the mnemonic, a key is derived, where the key includes a private key and a comparison public key, and specifically further includes the following steps:
S111, deriving a plurality of private keys based on the mnemonic, and deriving the corresponding comparison public keys from the plurality of private keys.
S112, taking any one of the derived private keys as a main private key, wherein the main private key is used for signing or encrypting data.
The key comprises a private key and a public key (comparison public key); the private keys include a master private key, and the public keys include a master public key.
A mnemonic can derive an infinite number of private keys, with which data can be signed, encrypted, and decrypted. Therefore, each client needs only one mnemonic to meet all the requirements of the user. A private key can derive its corresponding public key, which may be used in signing and encrypting the data. That is: encryption with the private key and decryption with the private key; encryption with the public key and decryption with the private key; signing with the private key and verification with the public key. The public key can be disclosed; the private key is private and cannot be disclosed.
Specifically, according to the mnemonic, this embodiment derives an infinite number of private keys, and the private keys derive the corresponding public keys. The private key is directly connected with the mnemonic words, and the public key is not greatly connected with the private key. Any private key derived from the mnemonic can be taken as the master private key. For example, the first private key derived from the mnemonic may be used as the master private key. The public key derived from the master private key is the master public key. Derivation of private keys from the mnemonic is one-way and cannot be reversed. Therefore, only the signature string, the signature data, and other data are stored in the server. Even if the server data is leaked, no significant loss is caused: if other people obtain the data on the server, nothing is lost, because the data cannot be decrypted without the private key.
The client signs the signature data through the main private key, so that the server can conveniently and properly process each piece of data related to the main private key through the main private key unique to the client.
The effect of steps S111 to S112 is that the client can derive a plurality of private keys and a comparison public key through mnemonics.
Example 3
In an embodiment, as shown in fig. 3, the embodiment of the present application provides an identity authentication method, which can be applied to the client as shown in fig. 1 for illustration, and in step S12, signature data is obtained by combining the public key with the original data, and specifically includes the following steps:
S121, encrypting the original data by adopting a secret key to obtain encrypted data.
S122, combining the public key with the encrypted data to obtain signature data.
The data encryption is to process the original file or data in plaintext according to a certain algorithm to make the file or data into a section of code (also called ciphertext) which is not readable clearly, so as to achieve the purpose of protecting the data from being stolen and read illegally. The data decryption is to decrypt the ciphertext by using a corresponding algorithm and a key, and decrypt the ciphertext into plaintext. The encryption technology is applied to identity authentication between the client and the server, so that data security in the identity authentication process is protected.
Encryption algorithms include, but are not limited to, the chacha20 algorithm and the aes encryption algorithm. The keys include private keys and public keys. The original data comprises common electronic data such as passwords, scripts, messages, files and the like. In addition, the present embodiment encrypts data mainly by a private key or a public key.
Specifically, the client side encrypts the original data for multiple times by adopting different private keys and different encryption algorithms based on the mnemonic words, so that the encrypted data is obtained, the encryption process is safer, and meanwhile, the encryption speed is higher, and the encryption performance is better. The client may then combine the encrypted data with the comparison public key and send the same to the server. The server does not need to decrypt the encrypted data or signed data, nor is it likely to decrypt the encrypted data or signed data without the private key. For example: the data is encrypted for the first time by the chacha20 algorithm and the primary private key, encrypted for the second time by the aes encryption algorithm and the other private key, and encrypted again by the other algorithm and the other private key.
Specifically, the client combines (packages) the public key and the encrypted data to obtain the signature data. For example: signature data ciphertext2 = {ciphertext1: "user's encrypted data", publicKey: "user's master public key"}. Finally, the signature data and the signature character string are packaged into a combination parameter, and the combination parameter is sent to the server. For example: the combination parameter text = {ciphertext2: "user signature data", signature: "user's signature string"}. The client may also send a timestamp, other parameters, random strings, etc. to the server.
The server receives the combination parameters sent by the client. The combination parameter comprises a signature character string, signature data carrying encryption data and a comparison public key. The server can identify and extract the comparison public key in the combination parameters, and the comparison public key can be used for generating the corresponding comparison address. The server restores the combination parameters to obtain an authentication address, and matches the authentication address with the comparison address. If the authentication address is the same as the comparison address, confirming that the identity of the client is real or legal, and processing or storing data sent by the client by the server; if the authentication address is inconsistent with the comparison address, the identity of the client is confirmed to be wrong or illegal, and the server refuses to process or store the data sent by the client.
In conventional data encryption, decryption, and authentication, the server issues an encryption private key to the client and retains it, or the client generates a private key itself and then sends it to the server so that the server can decrypt. By contrast, the server of this embodiment does not need to store the private key, does not need to decrypt the signature data (encrypted data), and does not need to know or store the client's specific original data and mnemonic. If the server is monitored or attacked and the data stored in it is revealed, no substantial loss is caused to the client. The user can store the mnemonic, the private key, the original data and the like on the user's own device, so that data confidentiality is better and security is higher.
The authentication method has wider application scenes, can be applied to application scenes with higher requirements on data confidentiality, such as password management, banks and the like, and can also be applied to application scenes, such as data backup, social chat, electronic business operation, personnel management, engineering management and the like.
For example, a password manager may store all of a user's passwords, which may include login passwords for other apps, website passwords, bank card passwords, and the like. Passwords place very high demands on data security, and a leaked password can cause great loss. Therefore, when registering an identity with the password manager, the user can register and log in with a mnemonic, which is more secure than using a mobile phone number, user name and password. The mnemonic is also stored on the device, so the likelihood of it leaking is low. The client derives a private key from the mnemonic, and the public key is derived from the private key.
When a website password stored in the password manager client is used to jump to and log in to the website, the client encrypts the password with a secret key (the private key) to obtain an encrypted password, and signs the encrypted password with the private key to obtain a signature character string. The client then interacts with the server: the client sends the encrypted password, the public key and the signature character string to the server; the server restores them to obtain a verification public key and matches the verification public key against the public key. If the two are consistent, it is confirmed that the password is being used by its holder, and the server can process, store or synchronize the encrypted password data.
Therefore, even if the server fails and data is leaked, or the server is eavesdropped on or impersonated during identity authentication, the user's real password data and private key data are not actually revealed, so the security of the password manager is higher. The user can therefore store all passwords in the password manager without having to memorize any of them; the passwords cannot be forgotten, use is convenient, and the safety coefficient is extremely high.
Example 4
In some embodiments, as shown in Fig. 3, step S14, in which the signature data and the signature character string are sent to the server for the server to perform identity authentication, specifically further includes the following step:
S141, combining the signature data with the signature character string to generate a combination parameter, and sending the combination parameter to the server for identity authentication by the server.
When the client encrypts the original data, it generates encrypted data; the client can then combine the comparison public key, the encrypted data and the signature character string to generate a combination parameter and send it to the server. During data interaction, this embodiment therefore not only confirms the identity of the client but also encrypts the data to be sent.
Example 5
In some embodiments, the identity authentication method is applied to a server, and specifically further includes the following steps:
S24, deriving an authentication address corresponding to the authentication public key through a derivation algorithm.
S25, comparing the authentication address with a comparison address corresponding to the comparison public key, and authenticating the identity of the client.
The derivation algorithm includes, but is not limited to, the secp256k1 algorithm and the ed25519 algorithm. It may be the ECDSA (elliptic curve) algorithm, in particular secp256k1.
Specifically, an address can be derived from the public key. The client can send the comparison address to the server; the server restores the authentication address through a restoration algorithm and compares it with the comparison address, thereby confirming the identity of the client.
Example 6
In some embodiments, as shown in Fig. 3, the identity authentication method is applied to the server and, after step S23, that is, after comparing the comparison public key with the authentication public key, further includes:
S231, if the comparison public key is consistent with the authentication public key, storing the signature data and the signature character string sent by the client.
S232, if the comparison public key is inconsistent with the authentication public key, refusing to store the signature data and the signature character string sent by the client.
Specifically, the server compares the authentication public key with the comparison public key. If they are consistent, the identity of the client is confirmed to be genuine or legitimate, and the server processes or stores the data sent by the client; if they are inconsistent, the identity of the client is confirmed to be wrong or illegitimate, and the server refuses to process or store the data sent by the client.
Example 7
In some embodiments, the method is applied to the client and, before step S10, that is, before deriving the key based on the mnemonic, specifically further includes the following step:
S11, in response to a mnemonic generation instruction sent by the user, sending word phrases to the user, and generating and storing the mnemonic based on the target words determined by the user.
This embodiment can authenticate the user's identity when the user logs in to a client platform. In conventional login authentication, the system usually uses an account system that combines a user name, mobile phone number or the like with a password; the server has to confirm the identity for that account, and only after it does so can the user enter the system and access the user's own data. Data such as the user account system is usually stored on the server. With this approach, however, once the server is attacked, the server fails, or the password is revealed during identity authentication, all of the user's data is exposed, which is very likely to create data security risks.
Specifically, the mnemonic may consist of 12, 15, 18, 21, 24 or another number of English words drawn from a word list, and the possible mnemonics are unlimited. When a user logs in to a system platform for the first time, the client sends the user a set of English phrases according to an algorithm protocol (such as the secp256k1 algorithm of the BIP39 protocol). The words, order, number and so on of the English phrases sent to each user can differ. The user can select from the English phrases, and can also select multiple times, and thereby determines the user's own mnemonic. Typically, each user has one and only one mnemonic, which is unique and random. The mnemonic is stored on the device and is not sent to the server. Only the user therefore manages the user's own mnemonic: even if the server leaks data, no mnemonic is stored there, and the mnemonic is known only to the user and cannot be learned by the server, the system developer or anyone else. Even if eavesdropping or the like occurs during data interaction between the server and the client, the mnemonic is never transmitted to the server as data, so important, core and sensitive data is unlikely to leak and data security is extremely high. This embodiment can be applied where the requirements on data confidentiality are high, such as password management and banking, and also in scenarios such as data backup, social chat, e-commerce operations, personnel management, and engineering management.
When the user logs in to the system platform a second time, the user can enter the system directly by inputting the mnemonic.
The private key derived from the mnemonic is likewise stored on the client and is not transmitted to the server; only the public key can be disclosed.
The effect of step S11 is that identity authentication is performed through the mnemonic, the mnemonic is stored on the client, and its storage is independent of the server, so data security is high.
Example 8
In some embodiments, the identity authentication method is applied to a server, and specifically further comprises the following steps:
S26, based on a data acquisition request sent by the client, sending the data corresponding to the client's authentication public key.
Specifically, the server restores the master public key, the encryption parameter and the signature string; when the authentication public key is restored successfully and is the same as the master public key, the corresponding data, such as the master public key, the encryption parameter and the signature string, can also be stored on the server. The client may interact with the server many times, with the client's identity determined to be legitimate during the interaction. Because each client has a master public key and the master public keys of all clients differ, all data related to a client's master public key is collated and stored together. When the client wants data that it previously sent to the server, it can send a data acquisition request directly to the server and sign the request; the server receives the request and verifies the signature. If verification succeeds, all of the collated stored data related to the client can be sent directly to the client. The client derives the private key and the corresponding public key, and can decrypt the encrypted data, the signed data and other data.
The effect of step S26 is that the server can archive and store each client's data based on the master public key and send the data to the client when the client needs it.
In another embodiment of the present application, an identity authentication system is disclosed. The identity authentication system corresponds one-to-one to the identity authentication method in the above embodiments. As shown in Fig. 4, the identity authentication system includes a client and a server. The client includes a key generation module 11, a signature data generation module 12, a signature string generation module 13, and a data transmission module 14. The server includes a data receiving module 21, a restoring module 22 and a comparison authentication module 23. The details of each functional module are as follows:
The key generation module 11 is configured to derive a key based on the mnemonic, where the key includes a private key and a comparison public key.
The signature data generation module 12 is configured to combine the comparison public key and the original data to obtain signature data.
The signature string generation module 13 is configured to sign the signature data with the private key to obtain a signature string.
The data transmission module 14 is configured to transmit the signature data and the signature string to the server for the server to perform identity authentication.
The data receiving module 21 is configured to receive the signature data and the signature string sent by the client, where the signature data includes the comparison public key.
The restoring module 22 is configured to restore the signature data and the signature string to obtain an authentication public key.
The comparison authentication module 23 is configured to compare the comparison public key with the authentication public key in order to authenticate the identity of the client.
Further, the identity authentication system further comprises:
A private key generation sub-module, used for deriving a plurality of private keys based on the mnemonic, the private keys deriving corresponding comparison public keys.
A master private key generation sub-module, used for taking any one of the derived private keys as a master private key, the master private key being used for signing or encrypting data.
Further, the identity authentication system further comprises:
A data encryption module, used for encrypting the original data with the key to obtain encrypted data.
A data signature sub-module, used for combining the comparison public key and the encrypted data to obtain signature data.
Further, the identity authentication system further comprises:
A combination parameter generation module, used for combining the signature data with the signature character string to generate combination parameters, and sending the combination parameters to the server for identity authentication by the server.
Further, the identity authentication system further comprises:
An authentication address derivation module, used for deriving an authentication address corresponding to the authentication public key through a derivation algorithm.
A comparison authentication sub-module, used for comparing the authentication address with the comparison address corresponding to the comparison public key in order to authenticate the identity of the client.
Further, the identity authentication system further comprises:
A comparison and authentication subunit, used for storing the signature data and the signature character string sent by the client if the comparison public key is consistent with the authentication public key.
A comparison and authentication subunit, used for refusing to store the signature data and the signature character string sent by the client if the comparison public key is inconsistent with the authentication public key.
Because of the functions of its modules and the logical connections between them, the identity authentication system provided in this embodiment achieves the same technical effects as the foregoing embodiments; for the analysis of its principles, see the descriptions of the steps of the foregoing identity authentication method, which are not repeated here.
For specific limitations of the authentication system, reference may be made to the above limitations of the authentication method, and no further description is given here. The modules in the identity authentication system may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or independent of a processor in the device, or may be stored in software in a memory in the device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, an electronic device is provided, as shown in Fig. 5. The electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the identity authentication method of the above embodiments when executing the computer program, for example, steps S11 to S14 and S21 to S23 of Fig. 2. Alternatively, the processor implements, when executing the computer program, the functions of each module/unit of the identity authentication system in the above embodiment, such as modules 11 to 14 and modules 21 to 23 shown in Fig. 4; to avoid repetition, they are not described again here.
The electronic device may include a processor, an external memory interface, an internal memory, a universal serial bus (USB) interface, a charge management module, a power management module, a battery, an antenna, a wireless communication module, an audio module, a speaker, a receiver, a microphone, an earphone interface, a sensor module, keys, an indicator, a camera, a display screen, and the like. The sensor module comprises an ambient light sensor. In addition, the sensor module may further include a pressure sensor, a gyroscope sensor, a barometric pressure sensor, a magnetic sensor, an acceleration sensor, a distance sensor, a proximity light sensor, a fingerprint sensor, a temperature sensor, a touch sensor, a bone conduction sensor, and the like. In other embodiments, the electronic device in embodiments of the present application may further include a mobile communication module, a subscriber identity module (SIM) card interface, and the like. The function of the above modules or devices is prior art and will not be described here in detail.
In an embodiment, a computer readable storage medium is provided, where a computer program is stored on the computer readable storage medium, where the computer program when executed by a processor implements the method for identity authentication according to the above embodiment, or where the computer program when executed by a processor implements the functions of each module/unit in the identity authentication system according to the above system embodiment. To avoid repetition, no further description is provided here.
It will be apparent to those skilled in the art that embodiments of the present application may be implemented in hardware, or firmware, or a combination thereof. When implemented in software, the functions described above may be stored on, or transmitted as one or more instructions or code on, a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, computer-readable media can include RAM, ROM, electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Furthermore, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of the medium. As used in the embodiments of the present application, disks and discs include compact discs (CDs), laser discs, optical discs, digital versatile discs (DVDs), floppy disks, and Blu-ray discs, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the system is divided into different functional units or modules to perform all or part of the above-described functions.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. An identity authentication method applied to a client, comprising the following steps:
deriving a key based on the mnemonic, the key comprising a private key and a comparison public key;
combining the comparison public key with the original data to obtain signature data;
signing the signature data by adopting the private key to obtain a signature character string;
and sending the signature data and the signature character string to a server for identity authentication by the server.
2. The identity authentication method according to claim 1, applied to a client, wherein deriving a key based on the mnemonic, the key including a private key and a comparison public key, comprises:
deriving a plurality of private keys based on the mnemonic, the plurality of private keys deriving corresponding comparison public keys;
and taking any one of the derived private keys as a main private key, wherein the main private key is used for signing or encrypting data.
3. The identity authentication method of claim 1, applied to a client, wherein combining the comparison public key and the original data to obtain signature data comprises:
encrypting the original data by adopting the key to obtain encrypted data;
and combining the comparison public key and the encrypted data to obtain signature data.
4. An identity authentication method applied to a server is characterized by comprising the following steps:
receiving signature data and a signature character string sent by a client, wherein the signature data comprises a comparison public key;
restoring the signature data and the signature character string to obtain an authentication public key;
and comparing the comparison public key with the authentication public key for authenticating the identity of the client.
5. The identity authentication method of claim 4, applied to a server, further comprising:
deriving an authentication address corresponding to the authentication public key through a derivation algorithm;
and comparing the authentication address with the comparison address corresponding to the comparison public key, and authenticating the identity of the client.
6. The identity authentication method of claim 4, applied to a server, further comprising, after comparing the comparison public key with the authentication public key:
if the comparison public key is consistent with the authentication public key, storing the signature data and the signature character string sent by the client;
and if the comparison public key is inconsistent with the authentication public key, refusing to store the signature data and the signature character string sent by the client.
7. An identity authentication system comprising a client, wherein:
the client comprises:
the key generation module is used for deriving a key based on the mnemonic, and the key comprises a private key and a comparison public key;
the signature data generation module is used for combining the comparison public key and the original data to obtain signature data;
the signature character string generation module is used for signing the signature data by adopting the private key to obtain a signature character string;
and the data sending module is used for sending the signature data and the signature character string to a server for the server to perform identity authentication.
8. An identity authentication system comprising a server, wherein:
The server includes:
the data receiving module is used for receiving signature data and signature character strings sent by the client, wherein the signature data comprises a comparison public key;
the restoring module is used for restoring the signature data and the signature character string to obtain an authentication public key;
and the comparison authentication module is used for comparing the comparison public key with the authentication public key and authenticating the identity of the client.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the authentication method according to any one of claims 1 to 3 when executing the computer program or the processor implements the authentication method according to any one of claims 4 to 6 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has a computer program which, when executed by a processor, implements the identity authentication method according to any one of claims 1 to 3 or which, when executed by a processor, implements the identity authentication method according to any one of claims 4 to 6.
CN202311341558.1A 2023-10-16 2023-10-16 Identity authentication method, system, equipment and medium Pending CN117675182A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311341558.1A CN117675182A (en) 2023-10-16 2023-10-16 Identity authentication method, system, equipment and medium

Publications (1)

Publication Number Publication Date
CN117675182A true CN117675182A (en) 2024-03-08

Family

ID=90065148

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination