CN117909952A - Terminal identity credibility assessment method and device - Google Patents


Info

Publication number
CN117909952A
Authority
CN
China
Prior art keywords
hash value
value
terminal
information
hash
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311686107.1A
Other languages
Chinese (zh)
Inventor
孙亚东
谭咏茂
蔚晨
吴海洋
张荣臻
向小佳
丁永建
李璠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Everbright Technology Co ltd
Original Assignee
Everbright Technology Co ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a terminal identity credibility assessment method and device. The method comprises the following steps: receiving hash values of a plurality of different dimensions sent by a terminal; comparing the hash values of the plurality of different dimensions with the corresponding hash values stored in a Merkle tree evaluation model of a server, and evaluating the credibility level of the terminal, wherein the credibility level comprises: high credibility, medium credibility, low credibility. According to the embodiment of the invention, the credibility of the terminal is evaluated across multiple dimensions, so the evaluation result is more objective; at the same time the user credibility level is refined, so that the authority range of the terminal is more definite and unauthorized access to the system and unauthorized use of resources can be avoided. This solves the problems of unauthorized system access and unauthorized resource use caused by the single evaluation dimension and fuzzy authority-limiting range of the terminal identity evaluation method in the related art, and achieves the effect of accurately evaluating the credibility of the terminal.

Description

Terminal identity credibility assessment method and device
Technical Field
The invention relates to the technical field of information security, in particular to a terminal identity credibility assessment method and device.
Background
In conventional end-user identity assessment, the end-user identity has only two states: trusted and untrusted. In the trusted state the end user may access any system resource, and in the untrusted state the end user may not access any system resource. However, as information systems become more complex and provide more and more functions, there are often cases where an end user may access system resource A only under certain conditions, system resource B under other conditions, and system resource C under yet other conditions.
Traditional terminal identity evaluation methods usually rely on a username and password, SMS authentication, or two-factor authentication combining the two. Such password-based authentication takes only whether the system can be accessed as its criterion: the evaluation dimension is single, so the credibility of the terminal user cannot be evaluated sufficiently and objectively; and because the terminal's identity is either trusted or untrusted, the scope of its authority is fuzzy, unauthorized access to the system and unauthorized use of resources easily occur, and this in turn creates a risk of data leakage.
Disclosure of Invention
The embodiment of the invention provides a terminal identity credibility assessment method and device, which at least solve the problems of unauthorized access to a system and unauthorized use of resources caused by single assessment dimension and fuzzy permission limiting range of a terminal using the identity assessment method in the related technology.
According to one embodiment of the present invention, there is provided a terminal identity credibility evaluation method, including: receiving hash values of a plurality of different dimensions sent by a terminal; comparing the hash values of the plurality of different dimensions with the corresponding hash values stored in a Merkle tree evaluation model of a server, and evaluating the credibility level of the terminal, wherein the credibility level comprises: high credibility, medium credibility, low credibility.
In one exemplary embodiment, the hash values of the plurality of different dimensions include: the hash value of the identity credibility value, the hash value of the biometric dimension value, the hash value of the password dimension value, and the hash value of the hardware key dimension value.
In an exemplary embodiment, before receiving the hash values of the plurality of different dimensions sent by the terminal, the method further includes: acquiring the following identity characteristic information of the terminal: user fingerprint information, voiceprint information, iris information, username and password information, verification code information and hardware key verification information; initializing each item of identity characteristic information with the SM3 algorithm to obtain a fingerprint information hash value, a voiceprint information hash value, an iris information hash value, a username and password information hash value, a verification code information hash value and a hardware key verification information hash value; and constructing the first-level node, the second-level nodes and the third-level nodes of the server-side Merkle tree evaluation model from the fingerprint information hash value, the voiceprint information hash value, the iris information hash value, the username and password information hash value, the verification code information hash value and the hardware key verification information hash value.
In an exemplary embodiment, constructing the third-level nodes of the server-side Merkle tree evaluation model includes: storing the fingerprint information hash value, the voiceprint information hash value, the iris information hash value, the username and password information hash value, the verification code information hash value and the hardware key verification information hash value respectively into a plurality of third-level nodes of the server-side Merkle tree evaluation model.
In an exemplary embodiment, constructing the second-level nodes of the server-side Merkle tree evaluation model includes: concatenating the fingerprint information hash value, the voiceprint information hash value and the iris information hash value as character strings to obtain the biometric dimension value, and converting the biometric dimension value into the hash value of the biometric dimension value with the SM3 algorithm; concatenating the username and password information hash value and the SMS verification code information hash value as character strings to obtain the password dimension value, and converting the password dimension value into the hash value of the password dimension value with the SM3 algorithm; taking the hardware key verification information hash value as the hardware key dimension value, and converting the hardware key dimension value into the hash value of the hardware key dimension value with the SM3 algorithm; and storing the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value respectively into a plurality of second-level nodes of the server-side Merkle tree evaluation model.
In an exemplary embodiment, constructing the first-level node of the server-side Merkle tree evaluation model includes: concatenating the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value as character strings to obtain the identity credibility value of the terminal; converting the identity credibility value into the hash value of the identity credibility value with the SM3 algorithm; and storing the hash value of the identity credibility value into the first-level node of the server-side Merkle tree evaluation model.
In an exemplary embodiment, comparing the hash values of the plurality of different dimensions with the corresponding hash values stored in the server-side Merkle tree evaluation model and evaluating the credibility level of the terminal includes: comparing the hash value of the identity credibility value, the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value with the corresponding hash values stored in the server-side Merkle tree evaluation model; if the hash values of the identity credibility value are equal, evaluating the terminal as high credibility; if two of the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value are equal, evaluating the terminal as medium credibility; and if one of them is equal, evaluating the terminal as low credibility.
According to another embodiment of the present invention, there is provided a terminal identity credibility evaluation device including: a receiving module for receiving hash values of a plurality of different dimensions sent by a terminal; and an evaluation module for comparing the hash values of the plurality of different dimensions with the corresponding hash values stored in a Merkle tree evaluation model of a server and evaluating the credibility level of the terminal, wherein the credibility level comprises: high credibility, medium credibility, low credibility.
According to a further embodiment of the invention, there is also provided a storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
According to the embodiment of the invention, the credibility of the terminal is evaluated across multiple dimensions, so the evaluation result is more objective; at the same time the user credibility level is refined, so that the authority range of the terminal is more definite and unauthorized access to the system and unauthorized use of resources can be avoided. This solves the problems of unauthorized system access and unauthorized resource use caused by the single evaluation dimension and fuzzy authority-limiting range of the terminal identity evaluation method in the related art, and achieves the effect of accurately evaluating the credibility of the terminal.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of a computer terminal running a terminal identity trust evaluation method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a terminal identity trust evaluation method according to an embodiment of the invention;
FIG. 3 is a block diagram of a terminal identity reliability assessment apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a Merkle tree terminal identity credibility assessment model according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a server Merkle tree evaluation model with stored hash values according to an embodiment of the present invention;
FIG. 6 is a flow chart of building the server Merkle tree evaluation model according to an alternative embodiment of the present invention;
FIG. 7 is a schematic diagram of a biometric dimension value initialization process, according to an embodiment of the invention;
FIG. 8 is a schematic diagram of a password dimension value initialization process according to an embodiment of the invention;
FIG. 9 is a schematic diagram of a hardware key dimension value initialization process according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of an identity confidence value initialization process in accordance with an embodiment of the present invention;
FIG. 11 is a schematic diagram of a high confidence assessment process in accordance with an embodiment of the present invention;
FIG. 12 is a schematic diagram of a hash value comparison process for biometric dimension values, in accordance with an embodiment of the present invention;
FIG. 13 is a schematic diagram of a hash value comparison process for password dimension values in accordance with an embodiment of the invention;
FIG. 14 is a schematic diagram of a hardware key dimension value hash value comparison process according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of a medium reliability sum comparison process according to an embodiment of the invention;
Fig. 16 is a schematic diagram of a low confidence sum comparison process in accordance with an embodiment of the invention.
Detailed Description
The application will be described in detail hereinafter with reference to the drawings in conjunction with embodiments. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
The following is a description of the relevant terms in the embodiments of the invention:
Zero trust: a security model which assumes that the traditional network boundary is disappearing, that workflows are moving to the cloud and that mobile terminal access is becoming the norm for applications; its core idea is "Never Trust, Always Verify". The zero trust core architecture comprises two mutually isolated planes, a control plane and a data plane. The control plane comprises a policy engine unit and a policy management unit; the data plane comprises the access request, the policy enforcement point and the accessed resource, and data flows within the data plane. The control plane and the data plane interact through the policy management unit.
The policy engine unit is responsible for deciding whether each principal is authorized to access a resource. The policy management unit is responsible for generating credentials, such as an identity token, for the client to access the server. The policy enforcement point manages the client's access to the service, including starting, supervising and stopping it.
Merkle tree: a binary tree structure composed of binary tree nodes and hash values, named after Ralph Merkle; it is widely used in file systems and P2P systems.
A hash algorithm is a one-way cryptographic mechanism; in a blockchain it ensures that transaction information is not tampered with. The SHA-256 algorithm is typically used in blockchains to generate digest information, i.e. a 256-bit (32-byte) output that is indistinguishable from random data.
SM3 is a cryptographic hash algorithm, a basic tool of modern cryptography that compresses a message of arbitrary length into a digest of fixed length. Hash values are also called hash codes, message digests or digital fingerprints, and cryptographic hash algorithms are often informally referred to simply as hash algorithms. The importance of a hash algorithm is that it gives each message a unique digital fingerprint (identifier): if even one letter of the message is changed, the corresponding hash value becomes a distinctly different fingerprint. It is most commonly used in digital signatures and data integrity protection, and is the core technology of digital signatures: when a public key algorithm such as SM2 is used to sign, it usually does not sign the message directly but signs the hash value of the message, which reduces the amount of computation, improves efficiency, breaks certain algebraic structures of the signature algorithm and thereby ensures security.
The method according to the first embodiment of the present application may be implemented in a mobile terminal, a computer terminal or a similar computing device. Taking the example of running on a computer terminal, fig. 1 is a block diagram of the hardware structure of the computer terminal running the terminal identity reliability evaluation method according to the embodiment of the present application. As shown in fig. 1, the computer terminal may include one or more (only one is shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a microprocessor or a processing means such as a programmable logic device) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the computer terminal described above. For example, the computer terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a terminal identity reliability evaluation method in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104 to perform various functional applications and data processing, that is, implement the above-mentioned method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the computer terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of a computer terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as a NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
In this embodiment, a terminal identity reliability assessment method running on the computer terminal is provided, and the invention is based on a zero trust policy, and constructs a terminal user identity assessment model for judging the user identity for the server, so as to help the server to quantitatively judge the terminal user identity.
Fig. 2 is a flowchart of a terminal identity reliability assessment method according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
Step S202, receiving hash values of a plurality of different dimensions sent by a terminal;
Step S204, comparing the hash values of the plurality of different dimensions with the corresponding hash values stored in the server-side Merkle tree evaluation model, and evaluating the credibility level of the terminal, where the credibility level includes: high credibility, medium credibility, low credibility.
In one exemplary embodiment, the hash values of the plurality of different dimensions include: the hash value of the identity credibility value, the hash value of the biometric dimension value, the hash value of the password dimension value, and the hash value of the hardware key dimension value.
Prior to step S202 of the present embodiment, the method further includes: acquiring the following identity characteristic information of the terminal: user fingerprint information, voiceprint information, iris information, username and password information, verification code information and hardware key verification information; initializing each item of identity characteristic information with the SM3 algorithm to obtain a fingerprint information hash value, a voiceprint information hash value, an iris information hash value, a username and password information hash value, a verification code information hash value and a hardware key verification information hash value; and constructing the first-level node, the second-level nodes and the third-level nodes of the server-side Merkle tree evaluation model from the fingerprint information hash value, the voiceprint information hash value, the iris information hash value, the username and password information hash value, the verification code information hash value and the hardware key verification information hash value.
In an exemplary embodiment, constructing the third-level nodes of the server-side Merkle tree evaluation model includes: storing the fingerprint information hash value, the voiceprint information hash value, the iris information hash value, the username and password information hash value, the verification code information hash value and the hardware key verification information hash value respectively into a plurality of third-level nodes of the server-side Merkle tree evaluation model.
In an exemplary embodiment, constructing the second-level nodes of the server-side Merkle tree evaluation model includes: concatenating the fingerprint information hash value, the voiceprint information hash value and the iris information hash value as character strings to obtain the biometric dimension value, and converting the biometric dimension value into the hash value of the biometric dimension value with the SM3 algorithm; concatenating the username and password information hash value and the SMS verification code information hash value as character strings to obtain the password dimension value, and converting the password dimension value into the hash value of the password dimension value with the SM3 algorithm; taking the hardware key verification information hash value as the hardware key dimension value, and converting the hardware key dimension value into the hash value of the hardware key dimension value with the SM3 algorithm; and storing the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value respectively into a plurality of second-level nodes of the server-side Merkle tree evaluation model.
In an exemplary embodiment, constructing the first-level node of the server-side Merkle tree evaluation model includes: concatenating the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value as character strings to obtain the identity credibility value of the terminal; converting the identity credibility value into the hash value of the identity credibility value with the SM3 algorithm; and storing the hash value of the identity credibility value into the first-level node of the server-side Merkle tree evaluation model.
In an exemplary embodiment, comparing the hash values of the plurality of different dimensions with the corresponding hash values stored in the server-side Merkle tree evaluation model and evaluating the credibility level of the terminal includes: comparing the hash value of the identity credibility value, the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value with the corresponding hash values stored in the server-side Merkle tree evaluation model; if the hash values of the identity credibility value are equal, evaluating the terminal as high credibility; if two of the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value are equal, evaluating the terminal as medium credibility; and if one of them is equal, evaluating the terminal as low credibility.
Through the steps, the credibility of the terminal is evaluated through multiple dimensions, the evaluation result is more objective, and meanwhile, the user credibility level is refined, so that the authority range of the terminal is more definite, and the unauthorized access system and unauthorized use of resources can be avoided.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The embodiment also provides a terminal identity reliability evaluation device, which is used for implementing the above embodiment and the preferred implementation manner, and the description is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of a terminal identity reliability assessment apparatus according to an embodiment of the present invention, as shown in fig. 3, the apparatus includes: a receiving module 10 and an evaluating module 20.
A receiving module 10, configured to receive hash values of multiple different dimensions sent by a terminal;
The evaluation module 20 is configured to compare the hash values of the plurality of different dimensions with the corresponding hash values stored in the server-side Merkle tree evaluation model and to evaluate the credibility level of the terminal, where the credibility level includes: high credibility, medium credibility, low credibility.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; or the above modules may be located in different processors in any combination.
In order to facilitate understanding of the technical solutions provided by the present invention, the following details will be described in connection with embodiments of specific scenarios.
The embodiment of the invention provides a terminal (user) identity credibility assessment method based on a zero trust strategy, which can assess the terminal identity credibility from three assessment dimensions of biological feature dimension, password dimension and hardware key dimension; meanwhile, the terminal identity credibility grade is divided into three grades of high credibility, medium credibility and low credibility, so that fine granularity assessment of the terminal identity credibility is realized; by adopting MERKLETREE (merck tree), based on the characteristic that the hash value of the MERKLETREE upper node is tightly linked with the hash value of the lower node, a MERKLETREE-based terminal identity reliability assessment model is constructed, the terminal identity reliability is assessed by utilizing a judgment path from a root node to a leaf node, the terminal identity reliability assessment efficiency is greatly improved, and the quantitative assessment of the terminal user identity is realized. The method solves the problems that the identity of the terminal user is evaluated in a single dimension, the identity of the terminal user cannot be evaluated quantitatively, and the identity of the terminal user is evaluated slowly.
Specifically, the biometric dimensions include: fingerprint information, voiceprint information, and iris information; the password dimensions include: logging in the user name and password of the terminal and the short message verification code information; the hardware key dimension includes hardware key verification information, such as: key information in the USBKey.
Specifically, the terminal identity credibility level is divided into three levels of high credibility, medium credibility and low credibility, including: when the credibility of the terminal identity passes through any one of the three evaluation dimensions, the credibility level of the terminal identity is low credibility; when the credibility of the terminal identity passes through any two of the three evaluation dimensions, the credibility level of the terminal identity is medium credibility; when the credibility of the terminal identity passes through three evaluation dimensions, the credibility level of the terminal identity is high credibility.
In the embodiment of the present invention, before terminal identity evaluation, a MERKLETREE evaluation model is further required to be constructed, fig. 4 is a schematic diagram of a MERKLETREE terminal identity reliability evaluation model according to an embodiment of the present invention, and as shown in fig. 4, the evaluation model includes a primary node, a secondary node and a tertiary node, where the primary to tertiary nodes are mapped against the tertiary reliability levels, so as to correlate the terminal identity reliability with the system security level.
Based on the MERKLETREE evaluation model, the hash values of the collected identity feature information of the terminal are stored in the MERKLETREE evaluation model of the server (i.e. the server-side MERKLETREE evaluation model is built) for use in the identity evaluation process initiated when the terminal accesses the system or uses a resource. Fig. 5 is a schematic diagram of the server-side MERKLETREE evaluation model with stored hash values according to an embodiment of the present invention; as shown in fig. 5, hash values of the different dimensions are stored in the primary to tertiary nodes of the MERKLETREE evaluation model.
Specifically, constructing the server-side MERKLETREE evaluation model includes:
Step S601, constructing the tertiary nodes of the server-side MERKLETREE evaluation model;
1. Initializing the biological feature dimension value, and generating a fingerprint information hash value, a voiceprint information hash value and an iris information hash value;
As shown in fig. 7, the user inputs fingerprint, voiceprint and iris information at the terminal; an initialization program generates the hash values of the biometric dimension values and sends them to the server, and the server stores the hash values of the biometric dimension values sent by the terminal.
Specifically, the user's fingerprint information fingerprintValue, voiceprint information voiceprintValue and iris information irisValue are collected; the terminal acquires this information through the corresponding information input devices.
The SM3 algorithm is used to generate the fingerprint information hash value, the voiceprint information hash value and the iris information hash value respectively:
Fingerprint information hash value: fingerprintHashValue = SM3 (fingerprintValue).
Voiceprint information hash value: voiceprintHashValue = SM3 (voiceprintValue).
Iris information hash value: irisHashValue = SM3 (irisValue).
The fingerprint information hash value, the voiceprint information hash value and the iris information hash value are stored in tertiary nodes of the MERKLETREE evaluation model of fig. 5, as shown in fig. 6.
2. Initializing the password dimension value, and generating a user name password information hash value and a short message verification code information hash value;
As shown in fig. 8, the server generates the user name password information, generates the user name password information hash value and sends it to the terminal, and the terminal stores the user name password information hash value sent by the server; the terminal requests a short message verification code from the server using the mobile phone number, and generates the short message verification code information hash value after receiving the code; the terminal initialization program then generates the hash values of the password dimension values and sends them to the server, and the server stores the hash values of the password dimension values sent by the terminal.
Specifically, the user name password information usernameandpasswordValue and the short message verification code information messageValue corresponding to the terminal are collected.
The SM3 algorithm is used to generate the user name password information hash value and the short message verification code information hash value respectively.
User name password information hash value: usernameandpasswordHashValue = SM3 (usernameandpasswordValue).
Short message verification code information hash value: messageHashValue = SM3 (messageValue).
The user name password information hash value and the short message verification code information hash value are stored in tertiary nodes of the MERKLETREE evaluation model of fig. 4, as shown in fig. 5.
3. Initializing the hardware key dimension value, and generating a USBKey verification information hash value;
As shown in fig. 9, the terminal inserts a hardware key; the hardware key client communicates with the server to initiate an authentication request; the server verifies whether the hardware key is trusted and sends the verification result to the terminal; the terminal saves the verification result sent by the server together with the hash value of the USBKey verification information (i.e. the hash value of the hardware key verification information).
Specifically, the USBKey verification information USBKeyProofValue corresponding to the terminal is collected.
The SM3 algorithm is used to generate the hash value of the USBKey verification information.
USBKey verification information hash value: USBKeyProofHashValue = SM3 (USBKeyProofValue).
The USBKey verification information hash value is stored in a tertiary node of the MERKLETREE evaluation model of fig. 4, as shown in fig. 5.
By combining biological characteristics, the password, the hardware key and related technologies, the problem of single-dimension evaluation of the end user identity is solved. The identity credibility of the terminal user is evaluated from three aspects, the biological feature dimension, the password dimension and the hardware key dimension, so the evaluation result is more objective.
In step S602, the secondary nodes of the server-side MERKLETREE evaluation model are built.
1. Generating the biological feature dimension hash value;
The fingerprint information hash value, the voiceprint information hash value and the iris information hash value stored in the tertiary nodes are concatenated in order as character strings to form the biological feature dimension value biometricsValue, and the SM3 algorithm is used to generate the hash value of the biological feature dimension value.
Biological feature dimension value: biometricsValue =combination (fingerprint information hash value, voiceprint information hash value, iris information hash value).
Hash value of biometric dimension value: biometricsHashValue = SM3 (biometricsValue).
The hash value of the biometric dimension value is stored into a secondary node in the MERKLETREE evaluation model of fig. 4, as shown in fig. 5.
2. Generating the password dimension hash value;
The user name password information hash value and the short message verification code information hash value stored in the tertiary nodes of the MERKLETREE terminal user identity credibility assessment model are concatenated in order as character strings to form the password dimension value commandValue, and the SM3 algorithm is used to generate the hash value of the password dimension value.
Password dimension value: commandValue = combination (username and password hash value, short message authentication code hash value);
Hash value of password dimension value: commandHashValue = SM3 (commandValue).
The hash value of the password dimension value is stored into a secondary node in the MERKLETREE evaluation model of fig. 4, as shown in fig. 5.
3. Generating the hardware key dimension hash value;
The USBKey verification information hash value of the tertiary node is taken as the hardware key dimension value keyValue, and the SM3 algorithm is used to generate the hash value of the hardware key dimension value.
Hash value of hardware key dimension value: keyHashValue = SM3 (keyValue).
The hash value of the hardware key dimension value is stored into a secondary node in the MERKLETREE evaluation model of fig. 4, as shown in fig. 5.
In step S603, the primary node of the server-side MERKLETREE evaluation model is built.
The biological feature dimension hash value, the password dimension hash value and the hardware key dimension hash value in the secondary nodes are concatenated in order as character strings to form the identity credibility value userTrustValue of the terminal, and the SM3 algorithm is used to generate the hash value of the identity credibility value of the terminal.
Identity confidence value: userTrustValue = combination (biometric dimension hash value, password dimension hash value, hardware key dimension hash value);
Hash value of identity trustworthiness value: userTrustHashValue = SM3 (userTrustValue);
The hash value of the identity trustworthiness value is stored in the primary node of the MERKLETREE evaluation model of fig. 4, as shown in fig. 5.
In this embodiment, through the above three steps of the initialization of the biometric dimension value, the initialization of the password dimension value, and the initialization of the hardware key dimension value, the server and the terminal both store the biometric dimension value hash value, the password dimension value hash value, and the hardware key dimension value hash value of the terminal, as shown in fig. 10.
The server and the terminal each use the combination (concatenation) algorithm and the SM3 digest algorithm to generate the hash value of the identity credibility of the terminal user.
In the steps of the invention, MERKLETREE is adopted; based on the property that the hash value of an upper-level MERKLETREE node is tightly linked to the hash values of its lower-level nodes, a MERKLETREE-based end user identity credibility assessment model is constructed, which solves the problem that the end user identity could not be quantitatively assessed. In addition, by using the judging path from the root node to the leaf nodes, the efficiency of end user identity reliability evaluation is greatly improved, solving the problem of slow end user identity evaluation.
After the server-side MERKLETREE evaluation model is built, when the terminal user needs to access the system or use a resource, identity reliability evaluation is performed in advance according to the system requirements. Specifically, the identity reliability evaluation comprises three levels of evaluation, high, medium and low, so as to achieve fine-grained evaluation of the terminal user identity:
The high-reliability assessment process comprises the following steps:
As shown in fig. 11, during system access or resource use by the terminal user, the terminal or the server initiates terminal identity reliability assessment: the terminal sends its terminal identity reliability hash value to the server, and the server compares whether the terminal identity reliability hash value it has stored is equal to the hash value of the terminal identity reliability value sent by the terminal. If so, the terminal user is rated as high credibility. If not, no evaluation value is given, and the medium-reliability evaluation is carried out next.
The medium-credibility evaluation process comprises the following steps:
As shown in figs. 12-15, when medium-reliability assessment is performed, the terminal sends the terminal user's biological feature dimension value hash value, password dimension value hash value and hardware key dimension value hash value to the server. The server then checks in turn whether the user biological feature dimension value hash value, the password dimension value hash value and the hardware key dimension value hash value it has stored are equal to the corresponding hash values sent by the terminal.
If the server-side user biometric dimension value hash value is equal to the end-user biometric dimension value hash value, biometricsHashValueCompare =1.
If the server-side password dimension value hash value is equal to the terminal password dimension value hash value, commandHashValueCompare = 1.
If the server-side hardware key dimension value hash value is equal to the terminal hardware key dimension value hash value, keyHashValueCompare = 1.
The results biometricsHashValueCompare, commandHashValueCompare and keyHashValueCompare are added; if the sum equals 2, the identity credibility of the end user is evaluated as medium credibility. If not, no evaluation value is given, and the evaluation proceeds downward.
From the MERKLETREE properties, when all leaf nodes are equal the MERKLETREE root nodes are equal. As can be seen from fig. 5, the hash value of the terminal identity reliability value is stored in the primary node (root node) of the MERKLETREE evaluation model, and the hash value of the biometric dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value are stored in the secondary nodes (leaf nodes); therefore, if the sum of biometricsHashValueCompare, commandHashValueCompare and keyHashValueCompare is 3, the terminal user identity reliability is evaluated as high reliability.
The low confidence assessment process includes:
As shown in fig. 16, if biometricsHashValueCompare = 1 or commandHashValueCompare = 1 or keyHashValueCompare = 1, the end user is rated as low reliability. If none of them is 1, no evaluation value is given.
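The construction steps S601 to S603 and the high, medium and low judgement of figs. 11 to 16, written out as an added Python example (not code from the patent). It keeps the page's identifier names, uses hashlib's SM3 where OpenSSL exposes it and otherwise substitutes SHA-256 as a labelled stand-in, and the enrolment values are constructed sample data; the constant-time comparison is a hardening added here, not part of the patent.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sm3_hex(value: str) -> str:
    """Hex digest of a UTF-8 string with SM3 (the patent's algorithm) when
    OpenSSL exposes it through hashlib. Assumption: on builds without SM3
    we substitute SHA-256 so the tree logic below still runs."""
    try:
        digest = hashlib.new("sm3")
    except ValueError:
        digest = hashlib.sha256()
    digest.update(value.encode("utf-8"))
    return digest.hexdigest()


def combination(*hash_values: str) -> str:
    """The page's 'combination': concatenate hash strings in order."""
    return "".join(hash_values)


@dataclass(frozen=True)
class TrustModel:
    """Hashes held at each level of the MERKLETREE evaluation model."""
    # tertiary nodes (step S601)
    fingerprintHashValue: str
    voiceprintHashValue: str
    irisHashValue: str
    usernameandpasswordHashValue: str
    messageHashValue: str
    USBKeyProofHashValue: str
    # secondary nodes (step S602)
    biometricsHashValue: str
    commandHashValue: str
    keyHashValue: str
    # primary (root) node (step S603)
    userTrustHashValue: str


def build_model(fingerprintValue: str, voiceprintValue: str, irisValue: str,
                usernameandpasswordValue: str, messageValue: str,
                USBKeyProofValue: str) -> TrustModel:
    """Steps S601-S603: hash the raw values, then hash the concatenations
    level by level up to the root. Server and terminal run the same code."""
    # S601: tertiary nodes
    fp, vp, ir = sm3_hex(fingerprintValue), sm3_hex(voiceprintValue), sm3_hex(irisValue)
    up, msg, usb = sm3_hex(usernameandpasswordValue), sm3_hex(messageValue), sm3_hex(USBKeyProofValue)
    # S602: secondary nodes
    biometricsHashValue = sm3_hex(combination(fp, vp, ir))
    commandHashValue = sm3_hex(combination(up, msg))
    keyHashValue = sm3_hex(usb)  # keyValue is the USBKey hash itself
    # S603: primary node
    userTrustHashValue = sm3_hex(combination(biometricsHashValue, commandHashValue, keyHashValue))
    return TrustModel(fp, vp, ir, up, msg, usb,
                      biometricsHashValue, commandHashValue, keyHashValue, userTrustHashValue)


def evaluate(server: TrustModel, terminal: TrustModel) -> str:
    """Figs. 11-16: compare the root first (high), then the three secondary
    nodes (medium: two match, low: one matches), else give no level.
    Returns 'high', 'medium', 'low' or 'none'."""
    same = hmac.compare_digest  # constant-time compare; a hardening not in the patent
    if same(server.userTrustHashValue, terminal.userTrustHashValue):
        return "high"
    biometricsHashValueCompare = int(same(server.biometricsHashValue, terminal.biometricsHashValue))
    commandHashValueCompare = int(same(server.commandHashValue, terminal.commandHashValue))
    keyHashValueCompare = int(same(server.keyHashValue, terminal.keyHashValue))
    total = biometricsHashValueCompare + commandHashValueCompare + keyHashValueCompare
    # total == 3 cannot occur here: equal secondary nodes give an equal root,
    # which the first check already accepted (the Merkle property in the text)
    if total == 2:
        return "medium"
    if total == 1:
        return "low"
    return "none"


# Constructed enrolment values (sample data, not from the page)
ENROLLED = dict(fingerprintValue="fp:sample-minutiae-01", voiceprintValue="vp:sample-mfcc-01",
                irisValue="iris:sample-code-01", usernameandpasswordValue="alice:correct horse",
                messageValue="sms:482913", USBKeyProofValue="usbkey:serial-0001:proof")
SERVER_MODEL = build_model(**ENROLLED)

if __name__ == "__main__":
    # Terminal with a wrong SMS code: biometrics and key still match, so medium
    terminal = build_model(**{**ENROLLED, "messageValue": "sms:000000"})
    print(evaluate(SERVER_MODEL, terminal))
```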
Through the embodiment of the invention, the method and device for evaluating the identity credibility of the terminal user provide a technical framework in which MERKLETREE is used to construct the identity credibility evaluation model of the terminal user: the model is divided into three levels, the primary node of the model corresponds to a high-credibility user, the secondary nodes to a medium-credibility user and the tertiary nodes to a low-credibility user, and fingerprints, voiceprints, irises, user names, passwords, short message verification codes and the USBKey are associated with the tertiary nodes of the model. This realizes a technical framework for evaluating the identity credibility of the terminal user and solves the problem of modelling terminal user identity evaluation. It is also proposed to construct the end user identity reliability assessment model with MERKLETREE: based on the MERKLETREE properties, when all leaf nodes are equal the MERKLETREE nodes above them are equal, and when the upper-level node values are equal the lower-level nodes are equal, so whether the terminal user has a higher-credibility identity can be judged quickly, improving the speed of identity judgement when the credibility of massive numbers of terminal user identities must be judged.
An embodiment of the invention also provides a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
Optionally, in the present embodiment, the storage medium may include, but is not limited to: a USB disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of computing devices; they may alternatively be implemented as program code executable by computing devices, so that they may be stored in a memory device for execution by computing devices, and in some cases the steps shown or described may be performed in a different order than that shown or described; or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps among them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. The terminal identity credibility assessment method is characterized by comprising the following steps:
Receiving hash values of various different dimensions sent by a terminal;
Comparing the hash values of the multiple different dimensions with corresponding hash values stored in a merck tree evaluation model of a server, and evaluating the credibility level of the terminal, wherein the credibility level comprises: high reliability, medium reliability, low reliability.
2. The method of claim 1, wherein the hash values for the plurality of different dimensions comprise: hash value of identity credibility value, hash value of biological feature dimension value, hash value of password dimension value, hash value of hardware key dimension value.
3. The method of claim 1, wherein prior to receiving the hash values for the plurality of different dimensions transmitted by the terminal, the method further comprises:
Acquiring the following identity characteristic information of the terminal: user fingerprint information, voiceprint information, iris information, user name password information, verification code information and hardware key verification information;
Initializing each identity characteristic information based on an SM3 algorithm to obtain a fingerprint information hash value, a voiceprint information hash value, an iris information hash value, a user name password information hash value, a verification code information hash value and a hardware key verification information hash value;
and constructing a primary node, a secondary node and a tertiary node of the server-side merck tree assessment model based on the fingerprint information hash value, the voiceprint information hash value, the iris information hash value, the user name password information hash value, the verification code information hash value and the hardware key verification information hash value.
4. The method of claim 3, wherein constructing the three-level node of the server-side merck tree evaluation model comprises:
and storing the fingerprint information hash value, the voiceprint information hash value, the iris information hash value, the user name password information hash value, the verification code information hash value and the hardware key verification information hash value into a plurality of three-level nodes of the server-side merck tree assessment model respectively to construct three-level nodes of the merck tree assessment model.
5. The method of claim 3, wherein constructing the secondary node of the server-side merck tree assessment model comprises:
Connecting the fingerprint information hash value, the voiceprint information hash value and the iris information hash value in a character string form to obtain a biological characteristic dimension value; according to the SM3 algorithm, the biological characteristic dimension value is converted into a hash value of the biological characteristic dimension value;
connecting the user name password information hash value and the short message verification code information hash value in a character string form to obtain a password dimension value; according to the SM3 algorithm, the password dimension value is converted into a hash value of the password dimension value;
Taking the hash value of the hardware key verification information as a hardware key dimension value; according to the SM3 algorithm, converting the hardware key dimension value into a hash value of the hardware key dimension value;
And respectively storing the hash value of the biological feature dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value into a plurality of secondary nodes of the merck tree assessment model of the server so as to construct the secondary nodes of the merck tree assessment model.
6. The method of claim 5, wherein constructing the primary node of the server-side merck tree assessment model comprises:
Connecting the hash value of the biological characteristic dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value in a character string form to obtain an identity credibility value of the terminal;
Converting the hardware key dimension value into a hash value of the identity credibility value according to an SM3 algorithm;
And storing the hash value of the identity credibility value into a primary node of the server-side merck tree assessment model to construct the primary node of the server-side merck tree assessment model.
7. The method of claim 2, wherein comparing the hash values of the plurality of different dimensions with corresponding hash values stored in a server-side merck tree evaluation model, evaluates the trust level of the terminal, comprising:
comparing the hash value of the identity credibility value, the hash value of the biological feature dimension value, the hash value of the password dimension value, the hash value of the hardware key dimension value with the corresponding hash value stored in the server-side merck tree evaluation model;
under the condition that hash values of the identity credibility values are equal, evaluating the terminal to be high credibility;
In the hash value of the biological feature dimension value, the hash value of the password dimension value and the hash value of the hardware key dimension value, if two hash values are equal, the terminal is evaluated to be medium-reliability; and if the hash values are equal, evaluating the terminal as medium-low reliability.
8. A terminal identity reliability assessment device, characterized by comprising:
the receiving module is used for receiving hash values of various different dimensions sent by the terminal;
The evaluation module is used for comparing the hash values of the plurality of different dimensions with corresponding hash values stored in a merck tree evaluation model of the server, and evaluating the credibility level of the terminal, wherein the credibility level comprises: high reliability, medium reliability, low reliability.
9. A computer readable storage medium, characterized in that the storage medium has stored therein a computer program, wherein the computer program is arranged to perform the method of any of the claims 1 to 7 when run.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of the claims 1 to 7.
CN202311686107.1A 2023-12-08 2023-12-08 Terminal identity credibility assessment method and device Pending CN117909952A (en)


Publications (1)

Publication Number Publication Date
CN117909952A true CN117909952A (en) 2024-04-19

Family

ID=90692835



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination