TWI673621B - Information registration, authentication method and device - Google Patents

Publication number: TWI673621B
Authority: TW (Taiwan)
Prior art keywords: information, authentication, authenticated, standard, identity
Application number: TW106101953A
Other languages: Chinese (zh)
Other versions: TW201828131A (en)
Inventor: 孫元博
Original Assignee: 香港商阿里巴巴集團服務有限公司
Application filed by 香港商阿里巴巴集團服務有限公司
Priority to TW106101953A
Publication of TW201828131A
Application granted
Publication of TWI673621B

Abstract

This application discloses an information registration and authentication method and device. The registration method includes: sending a standard information registration request to an authentication server; receiving first authentication information returned by the authentication server; generating a standard information acquisition request and sending the standard information acquisition request and the first authentication information to a security information application; obtaining the signed standard information and the identity identifier of the standard information that the security information application returns after the first authentication information passes its authentication, where the signed standard information is signed by the security information application using second authentication information; and sending the signed standard information, the identity identifier of the standard information and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication based on the signed standard information.

Description

Information registration and authentication method and device

The present application relates to the field of computer technology, and in particular to an information registration and authentication method and device.

With the development of information technology, users can conveniently obtain various business services through the applications (hereinafter, business applications) of service providers (such as software developers and websites) installed on terminals (such as mobile phones and tablet computers). Among the business services offered in business applications, certain categories have a higher security level, for example payment services and transfer services. Business services with a higher security level usually require the user to provide corresponding security information (such as a password or biometric information), and the service can be completed only after the security information provided by the user has been authenticated.

For business services that require the user to provide security information, the user's security information is usually obtained as standard information before the user uses the service for the first time (the standard information serves as the authentication standard in the subsequent authentication process), so that it can be compared with the security information the user enters later. To obtain the user's security information, the business application has to go through a security information application in the terminal (for example, a biometric information management application that is installed in the terminal by the terminal manufacturer and is responsible for collecting and storing the biometric information entered by the user).

To make calls and information transfer between business applications and the security information application more convenient, in the prior art the terminal system (for example, the Android M system) runs the security information application in an architecture called the Rich Execution Environment (REE). The REE has rich call support, so a security information application running in the REE can be called more conveniently by different business applications and can more conveniently transfer the information each business application needs.

However, the REE is not a secure environment. While information is transferred between the security information application and a business application, the security information can easily be intercepted and tampered with in transit by an illegal operator. This matters especially for standard information: because the service provider has never stored standard information from the user before, it cannot tell whether the standard information is genuine. Once the standard information has been tampered with in transit, the service provider will still accept the tampered standard information and use it as the authentication standard in the subsequent authentication process, which will obviously allow the illegal operator to obtain various business services in the user's name.

The embodiments of the present application provide an information registration and authentication method and device to solve the prior-art problem of low security when registering with security information.

An information registration method provided by an embodiment of the present application includes: sending a standard information registration request to an authentication server; receiving first authentication information returned by the authentication server; generating a standard information acquisition request, sending the standard information acquisition request and the first authentication information to a security information application, and obtaining the signed standard information and the identity identifier of the standard information that the security information application returns after the first authentication information passes its authentication, where the signed standard information is signed by the security information application using second authentication information; and sending the signed standard information, the identity identifier of the standard information and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication based on the signed standard information.

Another information registration method provided by an embodiment of the present application includes: receiving first authentication information and a standard information acquisition request sent by a business application; and authenticating the first authentication information and, after the authentication passes, returning to the business application the standard information signed using second authentication information together with the identity identifier of the standard information, so that the business application sends the signed standard information and the identity identifier of the standard information to an authentication server, and the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication based on the signed standard information.

Another information registration method provided by an embodiment of the present application includes: an authentication server receiving a standard information registration request sent by a business application; generating first authentication information according to the standard information registration request and returning it to the business application; receiving the signed standard information, the identity identifier of the standard information and the first authentication information sent by the business application, where the signed standard information was signed by a security information application using second authentication information and sent to the business application; authenticating the first authentication information, and authenticating the second authentication information based on the signed standard information; and, after both the first authentication information and the second authentication information pass authentication, registering the standard information and the identity identifier of the standard information.

An information authentication method provided by an embodiment of the present application includes: sending a verification request for information to be authenticated to an authentication server; receiving first authentication information returned by the authentication server; generating a request to acquire the information to be authenticated, sending that request and the first authentication information to a security information application, and obtaining the information to be authenticated and the to-be-authenticated identity identifier of that information, which the security information application returns after the first authentication information passes its authentication; and sending the information to be authenticated, the to-be-authenticated identity identifier and the first authentication information to the authentication server, so that the authentication server authenticates the first authentication information, the to-be-authenticated identity identifier and the information to be authenticated, and generates an authentication result that is returned to the business application.

Another information authentication method provided by an embodiment of the present application includes: receiving a request, sent by a business application and carrying first authentication information, to acquire information to be authenticated; and authenticating the first authentication information and, after the authentication passes, sending the information to be authenticated and the identity identifier of the information to be authenticated to an authentication server through the business application, so that the authentication server authenticates the first authentication information, the to-be-authenticated identity identifier and the information to be authenticated, and generates an authentication result that is returned to the business application.

Another information authentication method provided by an embodiment of the present application includes: an authentication server receiving a verification request for information to be authenticated sent by a business application; generating first authentication information according to the verification request and returning it to the business application; receiving the information to be authenticated, the to-be-authenticated identity identifier of that information and the first authentication information sent by the business application; and authenticating the first authentication information, the to-be-authenticated identity identifier and the information to be authenticated respectively, and generating an authentication result that is returned to the business application.

An information registration device provided by an embodiment of the present application includes: a registration request module, configured to send a standard information registration request to an authentication server; a receiving module, configured to receive first authentication information returned by the authentication server; an acquisition module, configured to generate a standard information acquisition request, send the standard information acquisition request and the first authentication information to a security information application, and obtain the signed standard information and the identity identifier of the standard information that the security information application returns after the first authentication information passes its authentication, where the signed standard information is signed by the security information application using second authentication information; and a sending module, configured to send the signed standard information, the identity identifier of the standard information and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication based on the signed standard information.

Another information registration device provided by an embodiment of the present application includes: a receiving module, configured to receive first authentication information and a standard information acquisition request sent by a business application; and a signature module, configured to authenticate the first authentication information and, after the authentication passes, return to the business application the standard information signed using second authentication information together with the identity identifier of the standard information, so that the business application sends the signed standard information and the identity identifier of the standard information to an authentication server, and the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication based on the signed standard information.

Another information registration device provided by an embodiment of the present application includes: a registration request receiving module, configured to receive a standard information registration request sent by a business application; a feedback module, configured to generate first authentication information according to the standard information registration request and return it to the business application; a registration information receiving module, configured to receive the signed standard information, the identity identifier of the standard information and the first authentication information sent by the business application, where the signed standard information was signed by a security information application using second authentication information and sent to the business application; an authentication module, configured to authenticate the first authentication information and to authenticate the second authentication information based on the signed standard information; and a registration module, configured to register the standard information and the identity identifier of the standard information after both the first authentication information and the second authentication information pass authentication.

An information authentication device provided by an embodiment of the present application includes: a registration request module, configured to send a verification request for information to be authenticated to an authentication server; a receiving module, configured to receive first authentication information returned by the authentication server; an acquisition module, configured to generate a request to acquire the information to be authenticated, send that request and the first authentication information to a security information application, and obtain the information to be authenticated and the to-be-authenticated identity identifier of that information, which the security information application returns after the first authentication information passes its authentication; and a sending module, configured to send the information to be authenticated, the to-be-authenticated identity identifier and the first authentication information to the authentication server, so that the authentication server authenticates the first authentication information, the to-be-authenticated identity identifier and the information to be authenticated, and generates an authentication result that is returned to the business application.

Another information authentication device provided by an embodiment of the present application includes: a receiving module, configured to receive a request, sent by a business application and carrying first authentication information, to acquire information to be authenticated; and a signature module, configured to authenticate the first authentication information and, after the authentication passes, send the information to be authenticated and the identity identifier of the information to be authenticated to an authentication server through the business application, so that the authentication server authenticates the first authentication information, the to-be-authenticated identity identifier and the information to be authenticated, and generates an authentication result that is returned to the business application.

Another information authentication device provided by an embodiment of the present application includes: an authentication request receiving module, configured to receive a verification request for information to be authenticated sent by a business application; a feedback module, configured to generate first authentication information according to the verification request and return it to the business application; an authentication information receiving module, configured to receive the information to be authenticated, the to-be-authenticated identity identifier of that information and the first authentication information sent by the business application; and an authentication module, configured to authenticate the first authentication information, the to-be-authenticated identity identifier and the information to be authenticated respectively, and generate an authentication result that is returned to the business application.

The embodiments of the present application provide an information registration and authentication method and device. When a user needs to register standard information in order to use a business service, the business application sends a standard information registration request to the authentication server and receives the first authentication information returned by the authentication server. The business application then generates a standard information acquisition request and sends it, together with the first authentication information, to the security information application. After the first authentication information passes the security information application's authentication, the security information application signs the standard information with its own second authentication information, determines the identity identifier of the standard information, and returns the signed standard information and its identity identifier to the business application. The business application then sends what the security information application returned, together with the first authentication information, to the authentication server, so that the authentication server registers the standard information and its identity identifier after performing authentication.

As can be seen from the above, the first authentication information acts as an identifier of the authentication server and lets the security information application determine the identity of the party registering the standard information. Returning the first authentication information to the authentication server lets the authentication server determine whether the information was tampered with in transit, and returning the signed standard information to the authentication server lets it determine whether the standard information was provided by the security information application in the terminal. In this way the authentication server can accurately identify standard information that has been tampered with in transit, which effectively improves security when standard information is registered.

901‧‧‧Registration request module

902‧‧‧Receiving module

903‧‧‧Acquisition module

904‧‧‧Sending module

1001‧‧‧Receiving module

1002‧‧‧Signature module

1101‧‧‧Registration request receiving module

1102‧‧‧Feedback module

1103‧‧‧Registration information receiving module

1104‧‧‧Authentication module

1105‧‧‧Registration module

1201‧‧‧Authentication request module

1202‧‧‧Receiving module

1203‧‧‧Acquisition module

1204‧‧‧Sending module

1301‧‧‧Receiving module

1302‧‧‧Signature module

1401‧‧‧Authentication request receiving module

1402‧‧‧Feedback module

1403‧‧‧Authentication information receiving module

1404‧‧‧Authentication module

The drawings described here provide a further understanding of the present application and form part of it. The illustrative embodiments of the present application and their description are used to explain the application and do not unduly limit it. In the drawings: FIG. 1 to FIG. 3 show the information registration process provided by embodiments of the present application; FIG. 4 shows the information registration process in an actual application scenario provided by an embodiment of the present application; FIG. 5 to FIG. 7 show the information authentication process provided by embodiments of the present application; FIG. 8 shows the information authentication process in an actual application scenario provided by an embodiment of the present application; FIG. 9 to FIG. 11 are schematic structural diagrams of the information registration device provided by embodiments of the present application; and FIG. 12 to FIG. 14 are schematic structural diagrams of the information authentication device provided by embodiments of the present application.

To make the purpose, technical solution and advantages of the present application clearer, the technical solution is described clearly and completely below with reference to specific embodiments of the present application and the corresponding drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application, without creative effort, fall within the scope of protection of the present application.

As noted above, when a service provider receives standard information for the first time, it has not previously stored any security information related to that standard information, so it cannot accurately determine whether the standard information was tampered with in transit. If, however, a series of authentication information is agreed in advance between the service provider and the terminal, and this authentication information is used to authenticate the standard information, it becomes possible to identify whether the standard information has been tampered with in transit. On this basis, the present application provides the following information registration and authentication methods.

在本申請實施例中,提供了一種資訊註冊方法,如圖1所示,該方法包括如下步驟: In the embodiment of the present application, an information registration method is provided. As shown in FIG. 1, the method includes the following steps:

S101:向認證伺服器發送標準資訊註冊請求。 S101: Send a standard information registration request to the authentication server.

在實際應用場景下,當用戶使用業務應用中提供的安全級別較高的業務服務(如:指紋支付業務)時,通常需要用戶提供相應的安全資訊(如:指紋資訊),尤其對於用戶第一次使用該業務服務的情況下,通常需要用戶輸入安全資訊作為標準資訊,用以對用戶後續使用該業務服務時輸入的安全資訊進行對比校驗。 In actual application scenarios, when users use business services with higher security levels (such as fingerprint payment services) provided in business applications, users are usually required to provide corresponding security information (such as fingerprint information), especially for users first. In the case of using the business service for the second time, the user is usually required to enter security information as standard information to compare and verify the security information entered by the user when the user subsequently uses the business service.

也就是說,在用戶第一使用該業務服務時,需要透過業務應用向相應的認證服務中註冊用戶提供的標準資訊。故在本申請實施例的上述步驟中,由運行在終端內的業務應用向認證伺服器發出標準資訊註冊請求。 That is, when the user first uses the business service, the standard information provided by the user needs to be registered in the corresponding authentication service through a business application. Therefore, in the above steps of the embodiment of the present application, the business application running in the terminal sends a standard information registration request to the authentication server.

其中,本申請中所述的終端包括但不限於:手機、平板電腦、智慧手錶等移動終端,在一些場景中,也可以是電腦終端。所述的認證伺服器,可以是服務提供者後臺服務系統中用以進行安全認證的伺服器,也可以是專門用於進行安全認證的第三方伺服器。當然,這裡並不構成對本申請的限定。 The terminals described in this application include, but are not limited to, mobile terminals such as mobile phones, tablet computers, and smart watches. In some scenarios, the terminals may also be computer terminals. The authentication server may be a server used for security authentication in the background service system of the service provider, or a third-party server specifically used for security authentication. Of course, this does not constitute a limitation on this application.

S102:接收所述認證伺服器回饋的第一認證資訊。 S102: Receive the first authentication information returned by the authentication server.

所述的第一認證資訊,是由認證伺服器向發出標準資訊註冊請求的業務應用回饋的標識資訊,用以表明認證伺服器的身份。在本申請實施例的一種場景中,第一認證資訊可包括認證服務自身的證書。 The first authentication information is identification information returned by the authentication server to a business application that sends a standard information registration request, and is used to indicate the identity of the authentication server. In a scenario of the embodiment of the present application, the first authentication information may include a certificate of the authentication service itself.

S103:生成標準資訊獲取請求,將所述標準資訊獲取請求和所述第一認證資訊發送至安全資訊應用,獲取所述安全資訊應用在對所述第一認證資訊認證通過後返回的簽名後的標準資訊以及所述標準資訊的身份標識。 S103: Generate a standard information acquisition request, send the standard information acquisition request and the first authentication information to a security information application, and obtain a signature returned by the security information application after passing the first authentication information authentication. Standard information and the identity of said standard information.

The signed standard information is signed by the security information application using second authentication information.

After the business application receives the first authentication information returned by the authentication server, it generates a standard information acquisition request, asking the security information application in the terminal to provide the standard information required for registration.

It should be noted that the security information application in this application is a local application running in the terminal, and it provides business applications with the security information (including the standard information) that business services require. Security information is key information belonging to the user. To prevent an illegitimate operator from requesting the user's security information from the security information application, the security information application authenticates the identity of the party that will use the standard information. For this reason, when the business application sends the standard information acquisition request to the security information application, it also sends the first authentication information, and the security information application authenticates the first authentication information to determine the identity of the authentication server. The security information application provides the standard information only after the first authentication information has passed authentication.

In practice, the standard information provided by the security information application may be tampered with in transit. In this application, therefore, the security information application signs the standard information before returning it, to show that the standard information was sent by the security information application in this terminal. In addition, because the standard information is provided by the user, an identity identifier can be determined for the standard information to show that it was provided by the user. The standard information that the security information application returns to the business application thus carries two marks: one showing that it was sent by the security information application in the terminal, and one showing that it was provided by the user.

Specifically, the security information application in this application signs the standard information with the second authentication information to show that the standard information was sent by this security information application. In this application, the second authentication information may be second key information agreed in advance between the authentication server and the security information application in the terminal (or the terminal itself); no specific limitation is made here. The identity identifier of the standard information is also determined by the security information application. In this application, the identity identifier of the standard information includes identity key information that can identify the standard information, and this identity key information is usually associated with the user's account information. That is, one pair of identity key information corresponds uniquely to one piece of account information, which shows that the standard information belongs to that user. Again, no specific limitation is made here.

S104: Send the signed standard information, the identity identifier of the standard information, and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after it has successfully authenticated the first authentication information and, based on the signed standard information, successfully authenticated the second authentication information.

After the business application receives the response from the security information application, it sends the signed standard information and the identity identifier of the standard information returned by the security information application, together with the first authentication information sent by the authentication server, to the authentication server for authentication and registration.

After the authentication server receives the above information from the business application, it authenticates the received information. If authentication passes, this indicates that the standard information sent by the security information application was not tampered with in transit, and the authentication server can register the standard information and its identity identifier. The registered standard information and identity identifier can then be used to authenticate and identify security information that the user provides later.

Through the above steps, when a user needs to register standard information in order to use a business service, the business application sends a standard information registration request to the authentication server and receives the first authentication information that the authentication server returns. The business application then generates a standard information acquisition request and sends it to the security information application together with the first authentication information. After the security information application has successfully authenticated the first authentication information, it signs the standard information with its own second authentication information, determines the identity identifier of the standard information, and returns the signed standard information and the identity identifier to the business application. The business application then sends what the security information application returned, along with the first authentication information, to the authentication server, which authenticates them and then registers the standard information and its identity identifier.

As this shows, the first authentication information, as an identifier of the authentication server, lets the security information application determine the identity of the party registering the standard information. The first authentication information sent back to the authentication server lets the authentication server determine whether the information was tampered with in transit, and the signed standard information sent back to the authentication server lets it determine whether the standard information was provided by the security information application in the terminal. In this way the authentication server can accurately identify standard information that has been tampered with in transit, which effectively improves security when registering standard information.

As for the first authentication information, it is an identifier of the authentication server that indicates the authentication server's identity; specifically, the authentication server's own certificate may be used as the first authentication information. For security in transit, the authentication server may sign its certificate with its own key information. Accordingly, in an optional implementation of the embodiments of this application, step S102 (receiving the first authentication information returned by the authentication server) is specifically: receiving the certificate that the authentication server sent after signing it with the authentication server's own first encryption key, and using the signed certificate as the first authentication information.

In addition, in some practical scenarios, the first authentication information that the authentication server returns to the business application also contains a challenge code. Each time the business application sends a request to the authentication server, the authentication server generates a unique challenge code and returns it to the business application in the first authentication information. One challenge code can be regarded as corresponding to one service request. Using a challenge code prevents replay attacks.

The above is described from the perspective of the business application in the terminal. For the security information application that provides the standard information, the embodiments of this application also provide an information registration process which, as shown in FIG. 2, includes the following steps:

S201: Receive the first authentication information and the standard information acquisition request sent by the business application.

The first authentication information and the standard information acquisition request in this embodiment are as described above and are not described again here.

S202: Authenticate the first authentication information and, after authentication passes, return the standard information signed with the second authentication information, together with the identity identifier of the standard information, to the business application, so that the business application sends the signed standard information and the identity identifier of the standard information to the authentication server, and the authentication server registers the standard information and the identity identifier of the standard information after it has successfully authenticated the first authentication information and, based on the signed standard information, successfully authenticated the second authentication information.

After the security information application receives the first authentication information and the standard information acquisition request from the business application, it first authenticates the first authentication information in order to determine the identity of the party registering the standard information. Only after it has determined the identity of the authentication server does the security information application sign the standard information provided by the user, determine the identity identifier of the standard information, and return the signed standard information and the identity identifier to the business application. The business application then sends the information returned by the security information application, together with the first authentication information, to the authentication server. The authentication server subsequently performs authentication and, once authentication passes, registers the standard information and its identity identifier. This is the same as the process in the method above and is not repeated here.

Through the above steps, the first authentication information provided by the authentication server indicates the authentication server's identity, and the security information application's authentication of the first authentication information prevents an illegitimate operator from obtaining standard information from the security information application. The security information application signs the standard information provided by the user to show that the standard information was sent by the security information application, and it determines the identity identifier of the standard information to show that the standard information was provided by that user. The standard information that the security information application returns to the business application therefore carries two marks, and if the standard information is tampered with in transit, both marks will change. This effectively reveals whether the standard information was tampered with in transit, and so ensures the security of the eventual registration at the authentication server.

Returning the standard information signed with the second authentication information, together with the identity identifier of the standard information, to the business application is specifically: receiving the standard information input by the user, signing the standard information with the second authentication information, determining the identity identifier of the standard information, and returning the signed standard information and the identity identifier of the standard information to the business application.

As described above, the identity identifier of the standard information in this application may specifically include the identity key information of the standard information, which is usually associated with the user's account information. To protect the identity key information in transit, in an optional implementation of the embodiments of this application, the security information application may also sign the identity key information (that is, the identity identifier of the standard information) with the second authentication information. Of course, this does not constitute a limitation on this application.

Likewise, as described above, the first authentication information indicates the identity of the authentication server, and in one implementation of this application the first authentication information includes the authentication server's own certificate. In that case, authenticating the first authentication information is specifically: decrypting and authenticating the signed certificate using a first decryption key that matches the authentication server's first encryption key.

As for the second authentication information, in one implementation of the embodiments of this application, the second authentication information includes second key information agreed in advance with the authentication server, where the second key information includes a second encryption key and a second decryption key. In this scenario, signing the standard information with the second authentication information is specifically: signing the standard information with the second encryption key agreed in advance with the authentication server.

Of course, where the identity identifier of the standard information includes the identity key information of the standard information, the second authentication information may also be used to sign the identity key information. This is similar to what is described above and is not repeated here.

The above is described from the perspective of the security information application running in the terminal. For the authentication server, the embodiments of this application also provide an information registration process which, as shown in FIG. 3, specifically includes the following steps:

S301: The authentication server receives a standard information registration request sent by a business application.

S302: Generate first authentication information according to the standard information registration request and return it to the business application.

S303: Receive the signed standard information, the identity identifier of the standard information, and the first authentication information sent by the business application, where the signed standard information was signed by the security information application using second authentication information and sent to the business application.

S304: Authenticate the first authentication information, and authenticate the second authentication information based on the signed standard information.

S305: After both the first authentication information and the second authentication information have passed authentication, register the standard information and the identity identifier of the standard information.

Similar to the methods shown in FIG. 1 and FIG. 2 above, after the authentication server receives the standard information registration request sent by the business application, it returns to the business application the first authentication information, which indicates the authentication server's own identity. After the business application sends the standard information acquisition request to the security information application, the security information application can determine the identity of the authentication server from the first authentication information, and only then does it return to the business application the standard information signed with the second authentication information and the identity identifier of the standard information. When the authentication server receives the signed standard information and the first authentication information returned by the business application, it authenticates the first authentication information and, based on the signed standard information, authenticates the second authentication information. If both pass, this indicates that the standard information was not tampered with in transit, and the authentication server registers the standard information and its identity identifier for authentication and identification in subsequent processes.

As described above, the authentication server's own certificate can effectively prove the authentication server's identity. To ensure the validity of the certificate that the security information application receives, the authentication server usually signs its own certificate, so that the security information application can detect it if the certificate is tampered with in transit. For step S302 above, therefore, generating the first authentication information according to the standard information registration request and returning it to the business application is specifically: according to the standard information registration request, retrieving the authentication server's own certificate, signing the certificate with its own first encryption key to form the first authentication information, and returning it to the business application.

Similar to the method described above, in one scenario of the embodiments of this application, the authentication server may also carry a challenge code in the first authentication information, sign it with its own first encryption key, and send it to the business application. This does not constitute a limitation on this application.

After the business application returns the signed standard information and the first authentication information to the authentication server, the authentication server authenticates the first authentication information and, based on the signed standard information, authenticates the second authentication information.

Specifically, authenticating the first authentication information includes: decrypting and authenticating the first authentication information using the first decryption key. The authentication server uses its own first decryption key to decrypt and authenticate the first authentication information. If the decrypted certificate (or challenge code) has changed, the information was very likely tampered with in transit, and the authentication server determines that authentication fails. If the certificate (or challenge code) is unchanged after decryption, authentication passes.

As for the second authentication information, similar to the method described above, the second authentication information includes second key information agreed in advance between the authentication server and the security information application, where the second key information includes a second encryption key and a second decryption key. In addition, the signed standard information is signed by the security information application using the second encryption key. In this scenario, authenticating the second authentication information based on the signed standard information is specifically: according to the pre-agreed second key information, decrypting the signed standard information using the second decryption key agreed in advance with the security information application, in order to authenticate the second authentication information.

If the authentication server decrypts the signed standard information with the agreed second decryption key and obtains the standard information, the standard information can be considered not to have been tampered with in transit, and authentication passes. If decryption yields unusable information, the signed information was not signed with the pre-agreed second encryption key and is very likely tampered information, so authentication fails.

Only after authentication passes does the authentication server register the standard information and the identity identifier of the standard information.

With the information registration methods shown in FIG. 1 to FIG. 3 above, the authentication server can effectively identify whether the standard information was tampered with in transit, which ensures that users are not affected by illegitimate operators when using business services.
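The registration exchange of FIG. 1 to FIG. 3 (steps S101 to S104, S201 to S202 and S301 to S305), as an added sketch that is not part of the patent text. HMAC-SHA256 with pre-shared keys stands in for the patent's encryption/decryption key pairs, and the certificate string, the identity derivation, the sample template and the binding of the challenge code into the signed standard information are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. HMAC-SHA256 with pre-shared keys stands in for the
# patent's "encryption key / decryption key" signing pairs (assumption).
FIRST_KEY = secrets.token_bytes(32)   # authentication server's own key
SECOND_KEY = secrets.token_bytes(32)  # pre-agreed: server <-> security info app


def sign(key, body):
    """Tag a dict; canonical JSON so both sides hash identical bytes."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, body, tag):
    return hmac.compare_digest(sign(key, body), tag)


class AuthServer:
    def __init__(self, first_key, second_key):
        self.first_key, self.second_key = first_key, second_key
        self.pending = set()   # challenge codes issued and not yet used
        self.registry = {}     # identity identifier -> standard information

    def first_auth_info(self):
        """S301/S302: signed certificate plus a one-time challenge code."""
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        body = {"cert": "CN=auth-server.example", "challenge": challenge}
        return {"body": body, "sig": sign(self.first_key, body)}

    def register(self, first_auth, signed_info):
        """S303-S305: authenticate both pieces of information, then register."""
        if not verify(self.first_key, first_auth["body"], first_auth["sig"]):
            return False                    # first authentication info altered
        challenge = first_auth["body"]["challenge"]
        if challenge not in self.pending:
            return False                    # replayed or unknown challenge
        self.pending.remove(challenge)      # each challenge is single use
        body = signed_info["body"]
        if not verify(self.second_key, body, signed_info["sig"]):
            return False                    # standard info altered in transit
        if body.get("challenge") != challenge:
            return False                    # signed for a different request
        self.registry[body["identity"]] = body["standard_info"]
        return True


class SecurityInfoApp:
    def __init__(self, server_key, second_key):
        self.server_key, self.second_key = server_key, second_key

    def standard_info(self, first_auth, template, account):
        """S201/S202: release signed standard info only to a verified server."""
        if not verify(self.server_key, first_auth["body"], first_auth["sig"]):
            return None
        body = {
            "standard_info": template,
            # Placeholder identity identifier tied to the account (assumption).
            "identity": hashlib.sha256(account.encode()).hexdigest()[:16],
            "challenge": first_auth["body"]["challenge"],
        }
        return {"body": body, "sig": sign(self.second_key, body)}


def business_app_register(server, app, template, account, tamper=False):
    """S101-S104: the business application only relays messages."""
    first_auth = server.first_auth_info()
    signed = app.standard_info(first_auth, template, account)
    if signed is None:
        return False
    if tamper:  # simulate modification between terminal and server
        signed["body"]["standard_info"] = "substituted-template"
    return server.register(first_auth, signed)


if __name__ == "__main__":
    server = AuthServer(FIRST_KEY, SECOND_KEY)
    app = SecurityInfoApp(FIRST_KEY, SECOND_KEY)
    print("honest:", business_app_register(server, app, "fp-demo", "alice"))
    print("tampered:", business_app_register(server, app, "fp-demo", "bob", tamper=True))
```

With a shared-key MAC the verifier can also produce valid tags, so a deployment that needs the separation the text describes between signing and verifying keys would use an asymmetric signature scheme instead.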

Of course, the above information registration method is applicable to any scenario in which a terminal obtains a business service through a business application, and the authentication server may be a server with an authentication function in the service provider's back-end service system. In practical application scenarios, service providers that offer business services with high security requirements, such as payment and transfer services, usually use a network identity authentication architecture called the Internet Finance Authentication Alliance (IFAA) to provide the identity authentication support that such services need. That is, IFAA provides the authentication server that implements the registration process described above.

In such a scenario, different device manufacturers also adopt the identity authentication architecture provided by IFAA and provide the interfaces or services necessary for identity authentication in the terminals they produce.

To explain the above registration method clearly, registration within the identity authentication architecture provided by IFAA is described in detail below as an example.

FIG. 4 shows the practical application process of registration between the terminal and the IFAA authentication server in this example. A business application and a security information application run in the terminal. The business application, as the access point to a service provider's business services, can provide various business services to the users of the terminal, and the security information application provides the business application with the security information it needs (in this example, the standard information). The process shown in FIG. 4 specifically includes the following steps:

S401: The business application sends a standard information registration request to the IFAA authentication server.

When a user uses a business service in the business application for the first time on the terminal, the user's biometric information must be registered with the IFAA authentication server as the standard information. At this point, the business application sends a standard information registration request to the IFAA authentication server.

S402: The IFAA authentication server returns a signed data packet containing a challenge code and a certificate to the business application.

The challenge code prevents replay attacks, and the certificate indicates the identity of the IFAA authentication server itself. The signed data packet can be regarded as the first authentication information described in the registration method above.

It should also be noted that in this step the IFAA authentication server signs the data packet with IFAAS key information, which the IFAA authentication server generates itself. The IFAA authentication server's own certificate is signed with BIOM key information, which indicates the category of the service provider that provides the business service.

S403: The business application generates a standard information acquisition request and sends the standard information acquisition request and the signed data packet to the security information application through IFAAService.

IFAAService is a service provided by the IFAA identity authentication architecture installed in the terminal. In one implementation in practical application scenarios, the business application may call IFAAService through IFAASDK (a communication tool based on the IFAA identity authentication architecture); no specific limitation is made here.

S404: The security information application authenticates the signed data packet and, after authentication passes, signs the standard information.

It should be noted that the security information application must first decrypt the signed data packet (specifically, it may be decrypted with IFAA key information; no specific limitation is made here). After decryption, it authenticates the certificate in the data packet (the certificate may be decrypted and authenticated with BIOM key information) to verify whether it is IFAA that will register the standard information.

在認證通過後,安全資訊應用將獲得用戶輸入的生物資訊,作為標準資訊,並使用DA密鑰資訊對標準資訊進行簽名。其中,DA密鑰資訊用於表明該終端的身份(在一種情況下,DA密鑰資訊可表明安全資訊應用的身份,而安全應用資訊是設備製造商設置於該終端內的,所以,DA密鑰資訊也表明終端的身份)。 After the authentication is passed, the security information application will obtain the biological information entered by the user as the standard information, and use the DA key information to sign the standard information. The DA key information is used to indicate the identity of the terminal (in one case, the DA key information can indicate the identity of the security information application, and the security application information is set in the terminal by the device manufacturer. Therefore, the DA secret information The key information also indicates the identity of the terminal).

S405: Determine the identity key information of the standard information according to the signed standard information.

In this example, the identity key information of the standard information is usually associated with the account information the user uses in the business application, and indicates the user to whom the standard information belongs. In practice, to generate the identity key information of the standard information, IFAAService can call KeyMaster (a secure storage module) through KeyStore (a standard calling interface for secure storage in the REE environment), and KeyMaster generates the identity key information.

It should be noted that, to protect the identity key information during transmission, the security information application can sign the identity key information with the DA key information.

S406: The security information application returns the terminal certificate, the signed standard information and the signed identity key information to the business application.

S407: The terminal certificate, the signed standard information and the signed identity key information are sent to the IFAA authentication server through IFAAService.

It should be noted that the terminal certificate, also called the authenticator certificate, is installed by device manufacturers participating in the IFAA identity authentication architecture in the devices they produce; that is, the terminal certificate can indicate whether the terminal uses the IFAA identity authentication architecture.

In one implementation of this example, the aforementioned challenge code and the IFAA authentication server's own certificate are also returned to the IFAA authentication server at the same time, so that the IFAA authentication server can additionally authenticate the challenge code and its own certificate.

S408: The IFAA authentication server authenticates the received information and, after the authentication passes, registers the standard information and its identity key information.

It should be noted that the IFAA authentication server first authenticates the terminal certificate: specifically, it can use the IFAA key information to decrypt the received information and verify the legitimacy of the terminal certificate. Once that passes, it uses the DA key information to decrypt and authenticate the identity key information; once that passes, it uses the DA key information to decrypt and authenticate the signed standard information. If all of these pass, the standard information can be considered not to have been tampered with in transit, and the IFAA authentication server registers the standard information and its identity key information.

S409: The registration result is fed back to the business application.

As the above example shows, in a practical application scenario several kinds of key information can be used to determine accurately whether the standard information has been tampered with during transmission.

The above describes the method for registering standard information. After the standard information has been registered, the user can use the corresponding business service. When using the business service, the user needs to provide security information, and the authentication server can accordingly authenticate the user based on the security information provided while using the service. Therefore, an embodiment of the present application also provides an information authentication method. As shown in FIG. 5, the method includes the following steps:

S501: Send a verification request for the information to be authenticated to the authentication server.

When a user uses a business service in the business application (for example, a fingerprint payment service), the user usually has to provide his or her own security information (for example, fingerprint information) for comparison with the previously registered standard information. The business application then obtains the user's security information as the information to be authenticated, which is subsequently sent to the authentication server for verification.

In this case, the business application sends a verification request for the information to be authenticated to the authentication server.

S502: Receive the first authentication information fed back by the authentication server.

As in the registration method described above, the first authentication information indicates the identity of the authentication server. This is not repeated here.

S503: According to the first authentication information, generate a request to acquire the information to be authenticated and send it to the security information application, and obtain the information to be authenticated provided by the security information application together with the identity identifier to be authenticated of that information.

Similarly, the security information application determines the identity of the authenticator from the first authentication information. Once it has determined that the authenticator's identity is legitimate, the authentication passes, and it returns the information to be authenticated provided by the user, together with its identity identifier to be authenticated, to the business application.

Unlike in the registration method described above, the information to be authenticated does not need to be signed with the second authentication information.

S504: Send the information to be authenticated, the identity identifier to be authenticated and the first authentication information to the authentication server, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is fed back to the business application.

As can be seen from the above, the first authentication information and the identity identifier to be authenticated make it possible to identify whether the information to be authenticated has been tampered with during transmission; only after that authentication passes does the authentication server authenticate the information to be authenticated.

An embodiment of the present application also provides an information authentication method. As shown in FIG. 6, the method includes the following steps:

S601: Receive a request to acquire the information to be authenticated, sent by the business application and carrying the first authentication information.

S602: According to the standard information acquisition request carrying the first authentication information, send the information to be authenticated and the identity identifier of the information to be authenticated to the authentication server through the business application, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is fed back to the business application.

For step S602 above, returning the information to be authenticated and its identity identifier to the business application according to the standard information acquisition request carrying the first authentication information specifically comprises: authenticating the first authentication information carried in the standard information acquisition request; after the authentication passes, receiving the information to be authenticated entered by the user; identifying the standard information to which the information to be authenticated belongs; determining the identity standard matching that standard information as the identity identifier to be authenticated of the information to be authenticated; and returning the information to be authenticated and its identity identifier to be authenticated to the business application.

An embodiment of the present application also provides an information authentication method. As shown in FIG. 7, the method includes the following steps:

S701: The authentication server receives a verification request for the information to be authenticated, sent by the business application.

S702: According to the verification request, generate the first authentication information and feed it back to the business application.

S703: Receive the information to be authenticated, the identity identifier of the information to be authenticated and the first authentication information sent by the business application.

S704: Authenticate the first authentication information, the identity identifier and the information to be authenticated separately, and generate an authentication result that is fed back to the business application.

It should be noted that, in step S704 above, the authentication server authenticates each item of information sent by the business application separately. Specifically, separately authenticating the first authentication information, the identity identifier and the information to be authenticated comprises: for the first authentication information, decrypting the first authentication information with the server's own first decryption key and authenticating the decrypted certificate; for the identity identifier, determining, on the basis of the identity identifiers of the registered standard information, whether the identity identifier matches an identity identifier of the registered identification information; and for the information to be authenticated, comparing it with the registered standard information.

In a practical application scenario, if the authentication of any item of information fails during the process, the authentication server can feed back a failure notification; a success notification is fed back only when all of the information has passed authentication. Specifically, generating the authentication result that is fed back to the business application comprises: for the first authentication information, if the authentication passes, authenticating the information to be authenticated and the identity identifier to be authenticated, and otherwise returning an authentication failure notification; for the identity identifier, if the authentication passes, authenticating the information to be authenticated, and otherwise returning an authentication failure notification; for the information to be authenticated, if the authentication succeeds, returning a success notification, and otherwise returning an authentication failure notification.
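The server-side checks of steps S701 to S704, with the fail-fast ordering described above, as an added example that is not part of the patent text. The class and function names are hypothetical; HMAC-SHA256 under a server-held key stands in for the unspecified signing with the first encryption key, a byte-for-byte comparison stands in for the biometric matcher, and the single-use handling of the challenge code is an assumption.

```python
import hashlib
import hmac
import secrets

# Order in which S704 authenticates the three items; the first failure ends the run.
STAGES = ("first_authentication_information",
          "identity_identifier",
          "information_to_be_authenticated")


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in signature (assumption): HMAC-SHA256, not the patent's key scheme."""
    return hmac.new(key, data, hashlib.sha256).digest()


class AuthServer:
    """Hypothetical authentication server covering S701-S704."""

    def __init__(self, certificate: bytes):
        self.certificate = certificate
        self.first_key = secrets.token_bytes(32)  # the server's own "first" key
        self.registered = {}   # identity identifier -> registered standard information
        self.pending = set()   # challenge codes issued and not yet consumed

    def register(self, identity_id: str, standard_info: bytes) -> None:
        self.registered[identity_id] = standard_info

    def issue_first_auth_info(self) -> dict:
        """S702: package a fresh challenge code with the server certificate and sign it."""
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return {"challenge": challenge,
                "certificate": self.certificate,
                "signature": sign(self.first_key, challenge + self.certificate)}

    def _check_first_auth_info(self, fai: dict) -> bool:
        expected = sign(self.first_key, fai["challenge"] + fai["certificate"])
        if not hmac.compare_digest(expected, fai["signature"]):
            return False                      # package was altered or not issued here
        if fai["challenge"] not in self.pending:
            return False                      # unknown or already used challenge code
        self.pending.discard(fai["challenge"])
        return True

    def authenticate(self, fai: dict, identity_id: str, info: bytes):
        """S704: returns (passed, stage); stage names the check that failed."""
        if not self._check_first_auth_info(fai):
            return (False, STAGES[0])
        standard = self.registered.get(identity_id)
        if standard is None:
            return (False, STAGES[1])
        # Stand-in for biometric matching: exact comparison of constructed templates.
        if not hmac.compare_digest(standard, info):
            return (False, STAGES[2])
        return (True, "success")


def demo() -> dict:
    """Run the flow on constructed sample data and collect each outcome."""
    template = b"constructed-fingerprint-template"
    server = AuthServer(certificate=b"constructed-server-certificate")
    server.register("identity-key-001", template)

    results = {}
    fai = server.issue_first_auth_info()
    results["genuine"] = server.authenticate(fai, "identity-key-001", template)
    # The same package presented again: its challenge code was already consumed.
    results["replayed"] = server.authenticate(fai, "identity-key-001", template)
    # A package whose certificate was swapped after signing.
    forged = dict(server.issue_first_auth_info(), certificate=b"other-certificate")
    results["forged_certificate"] = server.authenticate(
        forged, "identity-key-001", template)
    results["unknown_identity"] = server.authenticate(
        server.issue_first_auth_info(), "identity-key-999", template)
    results["wrong_information"] = server.authenticate(
        server.issue_first_auth_info(), "identity-key-001", b"different-template")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The stage name is returned here only so the ordering is visible; the business application in the text receives just a success or failure notification.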

Corresponding to the registration process above, and in order to explain the above authentication method of this application clearly, authentication within the identity authentication architecture provided by IFAA is now described in detail as an example.

FIG. 8 shows the practical application process of authentication between the terminal and the IFAA authentication server in this example. The process shown specifically includes the following steps:

S801: The business application sends a verification request for the information to be authenticated to the IFAA authentication server.

S802: The IFAA authentication server feeds back the signed data packet, containing the challenge code and the certificate, to the business application.

S803: The business application generates a request to acquire the information to be authenticated and sends this request, together with the signed data packet, to the security information application through IFAAService.

S804: The security information application authenticates the signed data packet and, after the authentication passes, signs the information to be authenticated with the identity key information from the registration process.

S805: The security information application returns the signed information to be authenticated to the business application.

S806: The signed information to be authenticated is sent to the IFAA authentication server through IFAAService.

S807: For the received signed information to be authenticated, the IFAA authentication server uses the registered identity key information to authenticate the signed information to be authenticated and, once that passes, compares the information to be authenticated with the registered standard information.

S808: The authentication result is returned to the business application.

The above is the information transmission method provided by the embodiments of the present application. Based on the same idea, an embodiment of the present application also provides an information registration device. As shown in FIG. 9, the device includes:

a registration request module 901, configured to send a standard information registration request to the authentication server;

a receiving module 902, configured to receive the first authentication information fed back by the authentication server;

an acquisition module 903, configured to generate a standard information acquisition request, send the standard information acquisition request and the first authentication information to the security information application, and obtain the signed standard information and the identity identifier of the standard information that the security information application returns after the first authentication information passes authentication, wherein the signed standard information is signed by the security information application using the second authentication information;

a sending module 904, configured to send the signed standard information, the identity identifier of the standard information and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication according to the signed standard information.

The receiving module 902 is specifically configured to receive a certificate that is sent by the authentication server and signed with the authentication server's own first encryption key, and to use the signed certificate as the first authentication information.

As shown in FIG. 10, an embodiment of the present application also provides an information registration device. The device includes:

a receiving module 1001, configured to receive the first authentication information and the standard information acquisition request sent by the business application;

a signature module 1002, configured to authenticate the first authentication information and, after the authentication passes, return the standard information signed with the second authentication information, together with the identity identifier of the standard information, to the business application, so that the business application sends the signed standard information and the identity identifier of the standard information to the authentication server, and the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication according to the signed standard information.

The signature module 1002 is specifically configured to receive the standard information entered by the user, sign the standard information with the second authentication information, determine the identity identifier of the standard information, and return the signed standard information and the identity identifier of the standard information to the business application.

It should be noted that the identity identifier of the standard information includes the identity key information of the standard information, and this identity key information is associated with the account information of the user.

In a scenario where the first authentication information includes the certificate signed by the authentication server, the signature module 1002 is specifically configured to decrypt and authenticate the signed certificate using the first decryption key that matches the authentication server's first encryption key.

The second authentication information includes second key information agreed in advance with the authentication server, wherein the second key information includes a second encryption key and a second decryption key. The signature module 1002 is specifically configured to sign the standard information using the second encryption key agreed in advance with the authentication server.

As shown in FIG. 11, an embodiment of the present application also provides an information registration device. The device includes:

a registration request receiving module 1101, configured to receive a standard information registration request sent by the business application;

a feedback module 1102, configured to generate the first authentication information according to the standard information registration request and feed it back to the business application;

a registration information receiving module 1103, configured to receive the signed standard information, the identity identifier of the standard information and the first authentication information sent by the business application, wherein the signed standard information is signed by the security information application using the second authentication information and sent to the business application;

an authentication module 1104, configured to authenticate the first authentication information and to authenticate the second authentication information according to the signed standard information;

a registration module 1105, configured to register the standard information and the identity identifier of the standard information after both the first authentication information and the second authentication information have passed authentication.

Specifically, the feedback module 1102 is configured to retrieve the authentication server's own certificate according to the standard information registration request, sign the certificate with the server's own first encryption key to form the first authentication information, and feed it back to the business application.

The authentication module 1104 is specifically configured to decrypt and authenticate the first authentication information using the first decryption key.

The second authentication information includes second key information agreed in advance between the authentication server and the security information application, wherein the second key information includes a second encryption key and a second decryption key, and the signed standard information is signed by the security application using the second encryption key. In this scenario, the authentication module 1104 is specifically configured to decrypt the signed standard information, according to the second key information agreed in advance, using the second decryption key agreed in advance with the security information application, so as to authenticate the second authentication information.

As shown in FIG. 12, an embodiment of the present application also provides an information authentication device. The device includes:

an authentication request module 1201, configured to send a verification request for the information to be authenticated to the authentication server;

a receiving module 1202, configured to receive the first authentication information fed back by the authentication server;

an acquisition module 1203, configured to generate a request to acquire the information to be authenticated, send this request and the first authentication information to the security information application, and obtain the information to be authenticated and the identity identifier to be authenticated of that information, which the security information application returns after the first authentication information passes authentication;

a sending module 1204, configured to send the information to be authenticated, the identity identifier to be authenticated and the first authentication information to the authentication server, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is fed back to the business application.

As shown in FIG. 13, an embodiment of the present application also provides an information authentication device. The device includes:

a receiving module 1301, configured to receive a request to acquire the information to be authenticated, sent by the business application and carrying the first authentication information;

a signature module 1302, configured to authenticate the first authentication information and, after the authentication passes, send the information to be authenticated and the identity identifier of the information to be authenticated to the authentication server through the business application, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is fed back to the business application.

Specifically, the signature module 1302 is configured to authenticate the first authentication information carried in the standard information acquisition request and, after the authentication passes, identify the standard information to which the information to be authenticated belongs, determine the identity standard matching that standard information as the identity identifier to be authenticated of the information to be authenticated, and return the information to be authenticated and its identity identifier to be authenticated to the business application.

As shown in FIG. 14, an embodiment of the present application also provides an information authentication device. The device includes:

an authentication request receiving module 1401, configured to receive a verification request for the information to be authenticated, sent by the business application;

a feedback module 1402, configured to generate the first authentication information according to the verification request and feed it back to the business application;

an authentication information receiving module 1403, configured to receive the information to be authenticated, the identity identifier to be authenticated of that information and the first authentication information sent by the business application;

an authentication module 1404, configured to authenticate the first authentication information, the identity identifier to be authenticated and the information to be authenticated separately, and generate an authentication result that is fed back to the business application.

The authentication module 1404 is specifically configured to: for the first authentication information, decrypt the first authentication information with the server's own first decryption key and authenticate the decrypted certificate; for the identity identifier to be authenticated, determine, on the basis of the identity identifiers of the registered standard information, whether the identity identifier to be authenticated matches an identity identifier of the registered identification information; and for the information to be authenticated, compare it with the registered standard information.

The authentication module 1404 is specifically configured to: for the first authentication information, if the authentication passes, authenticate the information to be authenticated and the identity identifier to be authenticated, and otherwise return an authentication failure notification; for the identity identifier, if the authentication passes, authenticate the information to be authenticated, and otherwise return an authentication failure notification; for the information to be authenticated, if the authentication succeeds, return a success notification, and otherwise return an authentication failure notification.

在一個典型的配置中,計算設備包括一個或多個處理器(CPU)、輸入/輸出介面、網路介面和記憶體。 In a typical configuration, a computing device includes one or more processors (CPUs), input / output interfaces, network interfaces, and memory.

記憶體可能包括電腦可讀媒體中的非永久性記憶體,隨機存取記憶體(RAM)和/或非揮發性記憶體等形式,如唯讀記憶體(ROM)或快閃記憶體(flash RAM)。記憶體是電腦可讀媒體的示例。 Memory may include non-persistent memory, random access memory (RAM), and / or non-volatile memory in computer-readable media, such as read-only memory (ROM) or flash memory (flash) RAM). Memory is an example of a computer-readable medium.

電腦可讀媒體包括永久性和非永久性、可移動和非可移動媒體可以由任何方法或技術來實現資訊儲存。資訊可以是電腦可讀指令、資料結構、程式的模組或其他資料。電腦的儲存媒體的例子包括,但不限於相變記憶體(PRAM)、靜態隨機存取記憶體(SRAM)、動態隨機存取記憶體(DRAM)、其他類型的隨機存取記憶體(RAM)、唯讀記憶體(ROM)、電可擦除可程式設計唯讀記憶體(EEPROM)、快閃記憶體或其他記憶體技術、唯讀光碟唯讀記憶體(CD-ROM)、數位多功能光碟(DVD)或其他光學儲存、磁盒式磁帶,磁帶磁片儲存或其他磁性存放裝置或任何其他非傳輸媒體,可用於儲存可以被計算設備訪問的資訊。按照本文中的界定,電腦可讀媒體不包括電腦可讀暫存媒體(transitory media),如調製的資料信號和載波。 Computer-readable media includes permanent and non-permanent, removable and non-removable media. Information can be stored by any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), and other types of random access memory (RAM) , Read-only memory (ROM), electrically erasable and programmable read-only memory (EEPROM), flash memory or other memory technologies, read-only disc read-only memory (CD-ROM), digital multifunction Optical discs (DVDs) or other optical storage, magnetic tape cartridges, magnetic tape storage or other magnetic storage devices or any other non-transmitting media may be used to store information that can be accessed by computing devices. As defined herein, computer-readable media does not include computer-readable temporary media, such as modulated data signals and carrier waves.

It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, product or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, product or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of additional identical elements in the process, method, product or device that includes the element.

Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk memory, CD-ROM, optical memory, etc.) containing computer-usable program code.

The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, various modifications and changes may be made to the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.

Claims (34)

1. An information registration method, characterized in that the method comprises: sending a standard information registration request to an authentication server; receiving first authentication information returned by the authentication server; generating a standard information acquisition request, sending the standard information acquisition request and the first authentication information to a security information application, and obtaining signed standard information and an identity identifier of the standard information that the security information application returns after the first authentication information passes authentication, wherein the signed standard information is signed by the security information application using second authentication information; and sending the signed standard information, the identity identifier of the standard information and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication according to the signed standard information.
2. The method according to claim 1, wherein receiving the first authentication information returned by the authentication server specifically comprises: receiving a certificate that is sent by the authentication server and signed using the authentication server's own first encryption key, and using the signed certificate as the first authentication information.
3. An information registration method, characterized in that the method comprises: receiving first authentication information and a standard information acquisition request sent by a business application; and authenticating the first authentication information and, after authentication passes, returning to the business application standard information signed using second authentication information and an identity identifier of the standard information, so that the business application sends the signed standard information and the identity identifier of the standard information to an authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication according to the signed standard information.
4. The method according to claim 3, wherein returning to the business application the standard information signed using the second authentication information and the identity identifier of the standard information specifically comprises: receiving standard information input by a user; signing the standard information using the second authentication information, and determining, for the standard information, the identity identifier of the standard information; and returning the signed standard information and the identity identifier of the standard information to the business application.
5. The method according to claim 4, wherein the identity identifier of the standard information comprises identity key information of the standard information, and the identity key information is associated with account information of the user.
6. The method according to claim 3, wherein the first authentication information includes a certificate signed by the authentication server; and authenticating the first authentication information specifically comprises: decrypting and authenticating the signed certificate using a first decryption key that matches the first encryption key of the authentication server.
7. The method according to claim 4, wherein the second authentication information comprises second key information agreed in advance with the authentication server; wherein the second key information includes a second encryption key and a second decryption key; and signing the standard information using the second authentication information specifically comprises: signing the standard information using the second encryption key agreed in advance with the authentication server.
8. An information registration method, characterized in that the method comprises: receiving, by an authentication server, a standard information registration request sent by a business application; generating first authentication information according to the standard information registration request and returning it to the business application; receiving signed standard information, an identity identifier of the standard information and the first authentication information sent by the business application, wherein the signed standard information is signed by a security information application using second authentication information and sent to the business application; authenticating the first authentication information, and authenticating the second authentication information according to the signed standard information; and after both the first authentication information and the second authentication information pass authentication, registering the standard information and the identity identifier of the standard information.
9. The method according to claim 8, wherein generating the first authentication information according to the standard information registration request and returning it to the business application specifically comprises: retrieving the authentication server's own certificate according to the standard information registration request; and signing the certificate using its own first encryption key to serve as the first authentication information, and returning it to the business application.
10. The method according to claim 8, wherein authenticating the first authentication information specifically comprises: decrypting and authenticating the first authentication information using a first decryption key.
11. The method according to claim 8, wherein the second authentication information comprises second key information agreed in advance between the authentication server and the security information application; wherein the second key information comprises a second encryption key and a second decryption key; the signed standard information is signed by the security application using the second encryption key; and authenticating the second authentication information according to the signed standard information specifically comprises: according to the pre-agreed second key information, decrypting the signed standard information using the second decryption key agreed in advance with the security information application, so as to authenticate the second authentication information.
12. An information authentication method, characterized in that the method comprises: sending a verification request for information to be authenticated to an authentication server; receiving first authentication information returned by the authentication server; generating an acquisition request for the information to be authenticated, sending the acquisition request and the first authentication information to a security information application, and obtaining the information to be authenticated and an identity identifier to be authenticated of the information to be authenticated that the security information application returns after the first authentication information passes authentication; and sending the information to be authenticated, the identity identifier to be authenticated and the first authentication information to the authentication server, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is returned to the business application.
13. An information authentication method, characterized in that the method comprises: receiving an acquisition request for information to be authenticated that is sent by a business application and carries first authentication information; and authenticating the first authentication information and, after authentication passes, sending the information to be authenticated and the identity identifier of the information to be authenticated to an authentication server through the business application, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is returned to the business application.
14. The method according to claim 13, wherein returning the information to be authenticated and the identity identifier of the information to be authenticated to the business application according to the standard information acquisition request carrying the first authentication information specifically comprises: authenticating the first authentication information carried in the standard information acquisition request; after authentication passes, receiving information to be authenticated input by a user; identifying the standard information to which the information to be authenticated belongs, and determining the identity standard that matches the standard information as the identity identifier to be authenticated of the information to be authenticated; and returning the information to be authenticated and the identity identifier to be authenticated of the information to be authenticated to the business application.
15. An information authentication method, characterized in that the method comprises: receiving, by an authentication server, a verification request for information to be authenticated sent by a business application; generating first authentication information according to the verification request and returning it to the business application; receiving the information to be authenticated, the identity identifier to be authenticated of the information to be authenticated and the first authentication information sent by the business application; and separately authenticating the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generating an authentication result that is returned to the business application.
16. The method according to claim 15, wherein separately authenticating the first authentication information, the identity identifier and the information to be authenticated specifically comprises: for the first authentication information, decrypting the first authentication information using its own first decryption key, and authenticating the decrypted certificate; for the identity identifier to be authenticated, determining, according to the identity identifiers of registered standard information, whether the identity identifier to be authenticated matches the identity identifier of registered identification information; and for the information to be authenticated, comparing it with the registered standard information for authentication.
17. The method according to claim 16, wherein generating the authentication result that is returned to the business application specifically comprises: for the first authentication information, if authentication passes, authenticating the information to be authenticated and the identity identifier to be authenticated, and otherwise returning an authentication failure notification; for the identity identifier, if authentication passes, authenticating the information to be authenticated, and otherwise returning an authentication failure notification; and for the information to be authenticated, if authentication succeeds, returning a success notification, and otherwise returning an authentication failure notification.
18. An information registration device, characterized in that the device comprises: a registration request module, configured to send a standard information registration request to an authentication server; a receiving module, configured to receive first authentication information returned by the authentication server; an acquisition module, configured to generate a standard information acquisition request, send the standard information acquisition request and the first authentication information to a security information application, and obtain signed standard information and an identity identifier of the standard information that the security information application returns after the first authentication information passes authentication, wherein the signed standard information is signed by the security information application using second authentication information; and a sending module, configured to send the signed standard information, the identity identifier of the standard information and the first authentication information to the authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication according to the signed standard information.
19. The device according to claim 18, wherein the receiving module is specifically configured to receive a certificate that is sent by the authentication server and signed using the authentication server's own first encryption key, and to use the signed certificate as the first authentication information.
20. An information registration device, characterized in that the device comprises: a receiving module, configured to receive first authentication information and a standard information acquisition request sent by a business application; and a signature module, configured to authenticate the first authentication information and, after authentication passes, return to the business application standard information signed using second authentication information and an identity identifier of the standard information, so that the business application sends the signed standard information and the identity identifier of the standard information to an authentication server, so that the authentication server registers the standard information and the identity identifier of the standard information after the first authentication information passes authentication and the second authentication information passes authentication according to the signed standard information.
21. The device according to claim 20, wherein the signature module is specifically configured to receive standard information input by a user, sign the standard information using the second authentication information, determine, for the standard information, the identity identifier of the standard information, and return the signed standard information and the identity identifier of the standard information to the business application.
22. The device according to claim 21, wherein the identity identifier of the standard information comprises identity key information of the standard information, and the identity key information is associated with account information of the user.
23. The device according to claim 20, wherein the first authentication information includes a certificate signed by the authentication server; and the signature module is specifically configured to decrypt and authenticate the signed certificate using a first decryption key that matches the first encryption key of the authentication server.
24. The device according to claim 21, wherein the second authentication information comprises second key information agreed in advance with the authentication server; wherein the second key information includes a second encryption key and a second decryption key; and the signature module is specifically configured to sign the standard information using the second encryption key agreed in advance with the authentication server.
25. An information registration device, characterized in that the device comprises: a registration request receiving module, configured to receive a standard information registration request sent by a business application; a feedback module, configured to generate first authentication information according to the standard information registration request and return it to the business application; a registration information receiving module, configured to receive signed standard information, an identity identifier of the standard information and the first authentication information sent by the business application, wherein the signed standard information is signed by a security information application using second authentication information and sent to the business application; an authentication module, configured to authenticate the first authentication information, and to authenticate the second authentication information according to the signed standard information; and a registration module, configured to register the standard information and the identity identifier of the standard information after both the first authentication information and the second authentication information pass authentication.
26. The device according to claim 25, wherein the feedback module is specifically configured to retrieve the authentication server's own certificate according to the standard information registration request, sign the certificate using its own first encryption key to serve as the first authentication information, and return it to the business application.
27. The device according to claim 25, wherein the authentication module is specifically configured to decrypt and authenticate the first authentication information using a first decryption key.
28. The device according to claim 25, wherein the second authentication information comprises second key information agreed in advance between the authentication server and the security information application; wherein the second key information comprises a second encryption key and a second decryption key; the signed standard information is signed by the security application using the second encryption key; and the authentication module is specifically configured to, according to the pre-agreed second key information, decrypt the signed standard information using the second decryption key agreed in advance with the security information application, so as to authenticate the second authentication information.
29. An information authentication device, characterized in that the device comprises: a registration request module, configured to send a verification request for information to be authenticated to an authentication server; a receiving module, configured to receive first authentication information returned by the authentication server; an acquisition module, configured to generate an acquisition request for the information to be authenticated, send the acquisition request and the first authentication information to a security information application, and obtain the information to be authenticated and an identity identifier to be authenticated of the information to be authenticated that the security information application returns after the first authentication information passes authentication; and a sending module, configured to send the information to be authenticated, the identity identifier to be authenticated and the first authentication information to the authentication server, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is returned to the business application.
30. An information authentication device, characterized in that the device comprises: a receiving module, configured to receive an acquisition request for information to be authenticated that is sent by a business application and carries first authentication information; and a signature module, configured to authenticate the first authentication information and, after authentication passes, send the information to be authenticated and the identity identifier of the information to be authenticated to an authentication server through the business application, so that the authentication server authenticates the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generates an authentication result that is returned to the business application.
31. The device according to claim 30, wherein the signature module is specifically configured to authenticate the first authentication information carried in the standard information acquisition request, and, after authentication passes, identify the standard information to which the information to be authenticated belongs, determine the identity standard that matches the standard information as the identity identifier to be authenticated of the information to be authenticated, and return the information to be authenticated and the identity identifier to be authenticated of the information to be authenticated to the business application.
32. An information authentication device, characterized in that the device comprises: an authentication request receiving module, configured to receive a verification request for information to be authenticated sent by a business application; a feedback module, configured to generate first authentication information according to the verification request and return it to the business application; an authentication information receiving module, configured to receive the information to be authenticated, the identity identifier to be authenticated of the information to be authenticated and the first authentication information sent by the business application; and an authentication module, configured to separately authenticate the first authentication information, the identity identifier to be authenticated and the information to be authenticated, and generate an authentication result that is returned to the business application.
33. The device according to claim 32, wherein the authentication module is specifically configured to: for the first authentication information, decrypt the first authentication information using its own first decryption key, and authenticate the decrypted certificate; for the identity identifier to be authenticated, determine, according to the identity identifiers of registered standard information, whether the identity identifier to be authenticated matches the identity identifier of registered identification information; and for the information to be authenticated, compare it with the registered standard information for authentication.
34. The device according to claim 33, wherein the authentication module is specifically configured to: for the first authentication information, if authentication passes, authenticate the information to be authenticated and the identity identifier to be authenticated, and otherwise return an authentication failure notification; for the identity identifier, if authentication passes, authenticate the information to be authenticated, and otherwise return an authentication failure notification; and for the information to be authenticated, if authentication succeeds, return a success notification, and otherwise return an authentication failure notification.
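
The registration and authentication exchanges recited in the claims, simulated end to end as an added example (not code from the patent or its applicant). Ed25519 signatures stand in for the claims' first and second encryption/decryption key pairs, and the names `AuthServer`, `SecurityApp`, `Relay`, `NewPair` and every certificate, identity and input value are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrFirstAuth  = errors.New("first authentication information rejected")
	ErrSecondAuth = errors.New("second authentication information rejected")
	ErrIdentity   = errors.New("identity to be authenticated is not registered")
	ErrMismatch   = errors.New("information differs from registered standard information")
)

type Signed struct{ Msg, Sig []byte } // a message and a signature over it

// AuthServer signs its certificate with the first key and keeps the registry.
type AuthServer struct {
	firstPriv           ed25519.PrivateKey
	firstPub, secondPub ed25519.PublicKey
	cert                []byte
	registry            map[string][]byte // identity -> standard information
}

// SecurityApp checks the server with the first key and signs with the second.
type SecurityApp struct {
	firstPub   ed25519.PublicKey
	secondPriv ed25519.PrivateKey
	identity   string
}

// NewPair provisions both sides with pre-agreed keys (all values constructed).
func NewPair() (*AuthServer, *SecurityApp) {
	fPub, fPriv, err1 := ed25519.GenerateKey(nil)
	sPub, sPriv, err2 := ed25519.GenerateKey(nil)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	srv := &AuthServer{fPriv, fPub, sPub, []byte("constructed-certificate"), map[string][]byte{}}
	return srv, &SecurityApp{fPub, sPriv, "constructed-identity-1"}
}

// FirstAuthInfo is the server's reply to a registration or verification request.
func (s *AuthServer) FirstAuthInfo() Signed {
	return Signed{s.cert, ed25519.Sign(s.firstPriv, s.cert)}
}

// Register checks both signatures; as in the claims, the second covers the standard information only.
func (s *AuthServer) Register(std Signed, id string, first Signed) error {
	if !ed25519.Verify(s.firstPub, first.Msg, first.Sig) {
		return ErrFirstAuth
	}
	if !ed25519.Verify(s.secondPub, std.Msg, std.Sig) {
		return ErrSecondAuth
	}
	s.registry[id] = std.Msg
	return nil
}

// Authenticate checks first authentication information, identity, then the information, in that order.
func (s *AuthServer) Authenticate(info []byte, id string, first Signed) error {
	if !ed25519.Verify(s.firstPub, first.Msg, first.Sig) {
		return ErrFirstAuth
	}
	if std, ok := s.registry[id]; !ok {
		return ErrIdentity
	} else if subtle.ConstantTimeCompare(info, std) != 1 {
		return ErrMismatch
	}
	return nil
}

// Provide releases signed user input and its identity only for valid first authentication information.
func (a *SecurityApp) Provide(first Signed, input []byte) (Signed, string, error) {
	if !ed25519.Verify(a.firstPub, first.Msg, first.Sig) {
		return Signed{}, "", ErrFirstAuth
	}
	return Signed{input, ed25519.Sign(a.secondPriv, input)}, a.identity, nil
}

// Relay plays the business application, which holds no keys.
func Relay(srv *AuthServer, app *SecurityApp, input []byte, register bool) error {
	first := srv.FirstAuthInfo()
	out, id, err := app.Provide(first, input)
	if err != nil {
		return err
	}
	if register {
		return srv.Register(out, id, first)
	}
	return srv.Authenticate(out.Msg, id, first)
}

func main() {
	srv, app := NewPair()
	fmt.Println(Relay(srv, app, []byte("gesture-A"), true), Relay(srv, app, []byte("gesture-B"), false))
}
```

Because the business application only relays, any change it makes to the signed standard information or to the first authentication information is caught by `Register` or `Provide` respectively.
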
TW106101953A 2017-01-19 2017-01-19 Information registration, authentication method and device TWI673621B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106101953A TWI673621B (en) 2017-01-19 2017-01-19 Information registration, authentication method and device

Publications (2)

Publication Number Publication Date
TW201828131A TW201828131A (en) 2018-08-01
TWI673621B true TWI673621B (en) 2019-10-01

Family

ID=63960546

Country Status (1)

Country Link
TW (1) TWI673621B (en)
