WO2016177052A1 - User authentication method and apparatus - Google Patents


Info

Publication number
WO2016177052A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
personal digital
mobile terminal
user
digital certificate
Application number
PCT/CN2016/075243
Other languages
French (fr)
Chinese (zh)
Inventor
孙向东
龙卉
李涛
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • G06F 21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F 21/44 Program or device authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a user authentication method and apparatus.
  • the embodiment of the invention provides a user authentication method and device to address the low security of existing static-password user authentication.
  • the embodiment of the present invention provides a user authentication method in which the steps on the mobile terminal side include: when attempting to log in to the application server, acquiring login information and acquiring the personal digital certificate stored in the TF card; signing the login information with the private key stored in the TF card to obtain a login information signature; sending the personal digital certificate, the login information and the login information signature to an authentication server, so that the authentication server performs user authentication based on them; and receiving the authentication result fed back by the authentication server, logging in to the application server only if the authentication passes.
  • the steps on the mobile terminal side further include: after the authentication passes, receiving an encryption key that the authentication server has encrypted with the personal digital certificate; decrypting the encryption key with the private key stored in the TF card; encrypting the application password input by the user with the decrypted encryption key; sending the encrypted application password to the authentication server, so that the authentication server verifies it; and receiving the verification result fed back by the authentication server, using the application service provided by the application server only if the verification passes.
  • the embodiment of the present invention further provides a user authentication method in which the steps on the authentication server side include: receiving a personal digital certificate, login information and login information signature from the mobile terminal, where the personal digital certificate is the one the mobile terminal obtained from its TF card and the login information signature is the one the mobile terminal obtained by signing the login information with the private key stored in the TF card; performing user authentication on the mobile terminal based on the personal digital certificate, the login information and the login information signature; and sending the authentication result to the mobile terminal.
  • the steps on the authentication server side further include: generating an encryption key if the authentication result is that the authentication passed; encrypting the encryption key with the personal digital certificate; and sending the encrypted encryption key to the mobile terminal.
  • the steps on the authentication server side further include: after sending the encrypted encryption key to the mobile terminal, receiving an application password that the mobile terminal has encrypted with the encryption key; decrypting the application password and then verifying it; and sending the password verification result to the mobile terminal.
  • the embodiment of the present invention further provides a user authentication method in which the steps on the CA center side include: after connecting the TF card, acquiring the user information of a legitimate user; calling the TF card to generate a key pair for the legitimate user inside the TF card; generating a personal digital certificate from the user information and the public key of the key pair; and storing the personal digital certificate in the TF card, so that a mobile terminal into whose interface the TF card is inserted obtains the personal digital certificate and the key pair from the TF card for user authentication.
  • the embodiment of the present invention further provides a user authentication apparatus, where the apparatus configured in the mobile terminal includes: an obtaining module, configured to acquire login information and the personal digital certificate stored in the TF card when attempting to log in to the application server; a signature module, configured to sign the login information with the private key stored in the TF card to obtain a login information signature; a first sending module, configured to send the personal digital certificate, the login information and the login information signature to the authentication server, so that the authentication server performs user authentication based on them; and a first receiving module, configured to receive the authentication result fed back by the authentication server and, if the authentication passes, allow login to the application server.
  • the apparatus provided in the mobile terminal further includes a first encryption and decryption module; the first receiving module is further configured to receive, after the authentication passes, the encryption key that the authentication server has encrypted with the personal digital certificate; the first encryption and decryption module is configured to decrypt the encryption key with the private key stored in the TF card and to encrypt the application password input by the user with the decrypted encryption key; the first sending module is further configured to send the encrypted application password to the authentication server, so that the authentication server verifies it; and the first receiving module is further configured to receive the verification result fed back by the authentication server and, if the verification passes, allow use of the application service provided by the application server.
  • the embodiment of the present invention further provides a user authentication apparatus, where the apparatus disposed in the authentication server includes: a second receiving module, configured to receive a personal digital certificate, login information and login information signature from the mobile terminal, where the personal digital certificate is obtained by the mobile terminal from its TF card and the login information signature is obtained by the mobile terminal signing the login information with the private key stored in the TF card; an authentication module, configured to perform user authentication on the mobile terminal based on the personal digital certificate, the login information and the login information signature; and a second sending module, configured to send the authentication result to the mobile terminal.
  • the apparatus disposed in the authentication server further includes a first generation module and a second encryption and decryption module; the first generation module is configured to generate an encryption key if the authentication result is that the authentication passed; the second encryption and decryption module is configured to encrypt the encryption key with the personal digital certificate; the second sending module is further configured to send the encrypted encryption key to the mobile terminal; the second receiving module is further configured to receive, after the encrypted encryption key has been sent to the mobile terminal, an application password that the mobile terminal has encrypted with the encryption key; the second encryption and decryption module is further configured to decrypt the application password and then verify it; and the second sending module is further configured to send the password verification result to the mobile terminal.
  • the embodiment of the present invention further provides a user authentication apparatus, where the apparatus disposed in the CA center includes: a connection module, configured to acquire the user information of a legitimate user after connecting the TF card; a calling module, configured to call the TF card to generate a key pair for the legitimate user inside the TF card; a second generating module, configured to generate a personal digital certificate from the user information and the public key of the key pair; and a storage module, configured to store the personal digital certificate in the TF card, so that a mobile terminal into whose interface the TF card is inserted obtains the personal digital certificate and the key pair from the TF card for user authentication.
  • the key pair (public key and private key) and the personal digital certificate of the legitimate user are stored in advance in a separate TF card through the CA center; the TF card is then inserted into the mobile terminal, and the authentication server performs user authentication based on the personal digital certificate in the TF card inserted into the mobile terminal.
  • the invention thereby avoids the low security of static-password user authentication: the private key stored in the TF card cannot be read out, counterfeited or tampered with, so the security of the user authentication is high.
  • FIG. 1 is a flowchart of a user authentication method according to a first embodiment of the present invention
  • FIG. 2 is a flowchart of a user authentication method according to a second embodiment of the present invention.
  • FIG. 3 is a flowchart of a user authentication method according to a third embodiment of the present invention.
  • FIG. 4 is a flowchart of a password verification step on an authentication server side according to a fourth embodiment of the present invention.
  • FIG. 5 is a flowchart of a password verification step on the mobile terminal side according to the fourth embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a user authentication system according to a fifth embodiment of the present invention.
  • Figure 7 is a structural diagram of a user authentication apparatus according to a sixth embodiment of the present invention.
  • Figure 8 is a structural diagram of a user authentication apparatus according to a seventh embodiment of the present invention.
  • Figure 9 is a structural diagram of a user authentication apparatus according to an eighth embodiment of the present invention.
  • FIG. 1 is a flowchart of a user authentication method according to the first embodiment of the present invention. This embodiment is executed on the mobile terminal side.
  • step S110 when attempting to log in to the application server, the login information is acquired, the personal digital certificate stored in the TF card of the mobile terminal is obtained, and the login information is signed with the private key stored in the TF card to obtain the login information signature.
  • a personal digital certificate is a legal user's identity mark and is used to represent a legitimate user.
  • the personal digital certificate includes: the user information of the legitimate user, the public key of the legitimate user, the signature over the user information and the public key, and the validity period of the personal digital certificate.
  • the signature over the user information and the public key is produced by the certificate authority (CA) center, which signs the user information and the public key of the legitimate user with the CA center private key.
  • a TF (Trans-Flash, i.e. Micro SD) card here is a chip with a built-in cryptographic module and a storage module; it supports asymmetric, symmetric and hash algorithms, supports personal digital certificate and key storage, provides signing and encryption interfaces, and is packaged in the TF form factor.
  • the personal digital certificate in the TF card is generated on the CA center side. For details, refer to Embodiment 3.
  • the mobile terminal is a portable intelligent terminal such as a mobile phone, a tablet computer or a notebook that supports a peripheral interface of a TF (Trans-Flash) card.
  • the TF card storing the personal digital certificate can be inserted into the TF card interface of the mobile terminal to enable the connection between the mobile terminal and the TF card to obtain the personal digital certificate from the TF card.
  • the login information includes: an Internet Protocol Address (IP) of the mobile terminal, a Media Access Control (MAC) address, and a time of attempting to log in.
  • the mobile terminal invokes the cryptographic module of the TF card to sign the login information, and generates a login information signature.
  • the TF card further stores a key pair of a legitimate user, where the key pair includes a public key and a private key of the legitimate user.
  • the public key of the legitimate user is the same as the public key in the personal digital certificate.
  • the cryptographic module of the TF card can perform signature processing on the login information by using the private key in the key pair to obtain the login information signature.
  • step S120 the personal digital certificate, the login information, and the login information signature are sent to the authentication server, so that the authentication server performs the user authentication using the personal digital certificate, the login information, and the login information signature.
  • Step S130 Receive an authentication result fed back by the authentication server, and if the authentication passes, be allowed to log in to the application server; otherwise, end the process.
  • the mobile terminal can communicate with the application server, and the application server can communicate with the authentication server; the mobile terminal sends the personal digital certificate, the login information and the login information signature to the authentication server through the application server, and after the authentication server obtains the authentication result it sends the result to the mobile terminal through the application server. The user identity is thus authenticated and the application server learns the result immediately: if the user identity passes authentication, the mobile terminal is allowed to log in to the application server; otherwise, login is refused.
  • FIG. 2 is a flowchart of a user authentication method according to a second embodiment of the present invention. This embodiment is executed on the authentication server side.
  • Step S210 receiving a personal digital certificate, login information, and login information signature from the mobile terminal.
  • the personal digital certificate is obtained by the mobile terminal from its TF card, and the login information signature is obtained by the mobile terminal signing the login information by using the private key of the legal user in the TF card.
  • Step S220 performing user authentication on the mobile terminal based on the personal digital certificate, the login information, and the login information signature.
  • the Lightweight Directory Access Protocol (LDAP) server stores information related to legitimate users, including: user information, personal digital certificates, revocation records of personal digital certificates, and CA center public keys.
  • a personal digital certificate A containing the same user information is obtained from the LDAP server based on the personal digital certificate B received from the mobile terminal, and user authentication is performed using both A and B.
  • the personal digital certificate B from the mobile terminal is first checked for validity. If the validity verification fails, the authentication fails; if it passes, the login information signature is used to verify the integrity of the login information. If the integrity verification fails, the authentication fails; if it passes, the authentication passes.
  • the validity verification includes: judging whether the public key in personal digital certificate A and the public key in personal digital certificate B are the same. If not, the validity verification fails; if so, the CA center public key is obtained from the LDAP server and used to verify the signature over the user information and the public key in personal digital certificate B. If the signature verification fails, the validity verification fails; if it passes, the validity period in B is used to determine whether B is within its validity period. If not, the validity verification fails; if so, the revocation records of personal digital certificates are obtained from the LDAP server to determine whether B has been revoked. If it has, the validity verification fails; if not, personal digital certificate B is legitimate and the validity verification passes.
  • the signature verification is, for example, determining whether the user information and public key recovered from the signature are the same as the user information and the public key of the legitimate user in personal digital certificate B. If both are the same, the signature verification passes; otherwise it fails.
  • the integrity verification includes: using the public key of the legitimate user in personal digital certificate A or B to verify the login information signature. For example, the login information recovered from the signature is compared with the login information received from the mobile terminal; if they are the same, the integrity verification passes, and if they differ, it fails.
  • Step S230 transmitting an authentication result to the mobile terminal.
  • the authentication server transmits the message that the authentication is passed or the message that the authentication fails, to the mobile terminal through the application server.
  • FIG. 3 is a flowchart of a user authentication method according to a third embodiment of the present invention. This embodiment is performed on the CA center side and is performed before user authentication.
  • Step S310 after connecting the TF card, obtain user information of the legal user.
  • the CA center connects to the TF card and obtains the user information of the legitimate user according to the legitimate user's operation.
  • the user registers with the CA center and becomes a legitimate user.
  • the legitimate user inserts a separate TF card into the TF card interface provided by the CA center to connect the TF card to the CA center.
  • the legitimate user enters user information at the CA center to log in to it, and the CA center obtains the user information entered by the legitimate user.
  • Step S320 calling the TF card to generate a key pair in the TF card for the legitimate user.
  • the CA center invokes the encryption module in the TF card to generate a key pair for the legitimate user, and the key pair includes the public key and the private key of the legitimate user.
  • the encryption module in the TF card directly generates a key pair in the TF card, which ensures the security of the key pair.
  • Step S330 generating a personal digital certificate according to the user information and the public key in the key pair.
  • the CA Center uses the CA center private key to sign the user information and the public key, and generates a personal digital certificate based on the user information, the public key, and the signature of the user information and the public key.
  • the personal digital certificate also includes the validity period of the personal digital certificate.
  • Step S340 storing the personal digital certificate into the TF card, and transmitting the personal digital certificate to the LDAP server.
  • after the personal digital certificate is stored in the TF card, the TF card contains both the personal digital certificate and the key pair. Inserting that TF card into the interface provided by the mobile terminal lets the mobile terminal obtain the personal digital certificate, the public key and the private key from the TF card for use in user authentication.
  • the personal digital certificate and the key pair are stored directly in the TF card, which avoids the security problems that transmitting them over a communication channel would cause, and the private key stored in the TF card cannot be read out, spoofed or tampered with.
  • the CA center is highly secure and the personal digital certificate it generates cannot be forged, so the validity verification of the personal digital certificate is reliable.
  • the private key stored in the TF card is not readable, so a login information signature made with it cannot be imitated and the integrity verification of the login information is reliable. The user authentication result of this embodiment is therefore highly secure.
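The three flows above (the card signing the login information in Embodiment 1, the authentication server's validity and integrity checks in Embodiment 2, and the CA center issuing the certificate in Embodiment 3) as one runnable exchange. This is an added example written for this page, not code from the patent or from ZTE. The page names neither a signature algorithm nor an encoding, so Ed25519 signatures, JSON encoding of the certificate and login information, a directory keyed by user information, the in-memory map standing in for the LDAP server, the in-process variable standing in for the card-held private key, and the freshness window on the login time are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PersonalCert models the page's personal digital certificate: user information, the
// user's public key, a validity period and the CA center's signature over user
// information and public key. JSON encoding and Ed25519 are assumptions.
type PersonalCert struct {
	UserInfo  string
	PublicKey ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	CASig     []byte
}

// LoginInfo is the login information the card signs in step S110.
type LoginInfo struct {
	IP, MAC string
	Time    time.Time
}

// tbs is the byte string the CA center signs: user information and public key.
func (c PersonalCert) tbs() []byte {
	b, _ := json.Marshal([]interface{}{c.UserInfo, c.PublicKey})
	return b
}

// Issue models Embodiment 3: generate the user's key pair (on the card in the real
// system, in process here) and sign user information and public key with the CA key.
func Issue(caPriv ed25519.PrivateKey, userInfo string, now time.Time, ttl time.Duration) (PersonalCert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := PersonalCert{UserInfo: userInfo, PublicKey: pub, NotBefore: now, NotAfter: now.Add(ttl)}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c, priv
}

// SignLogin models step S110: the card's cryptographic module signs the login information.
func SignLogin(cardPriv ed25519.PrivateKey, li LoginInfo) []byte {
	b, _ := json.Marshal(li)
	return ed25519.Sign(cardPriv, b)
}

// Directory models the LDAP server: certificates keyed by user information (an
// assumption), revocation records and the CA center public key.
type Directory struct {
	Certs   map[string]PersonalCert
	Revoked map[string]bool
	CAPub   ed25519.PublicKey
}

// Authenticate models step S220 in the order the page gives: public key match against
// the directory copy (certificate A), CA signature, validity period, revocation, then
// the login information signature. The freshness window on the login time is an added check.
func Authenticate(d Directory, certB PersonalCert, li LoginInfo, sig []byte, now time.Time, maxSkew time.Duration) error {
	certA, ok := d.Certs[certB.UserInfo]
	if !ok || !bytes.Equal(certA.PublicKey, certB.PublicKey) {
		return errors.New("public key does not match directory copy")
	}
	if !ed25519.Verify(d.CAPub, certB.tbs(), certB.CASig) {
		return errors.New("CA signature invalid")
	}
	if now.Before(certB.NotBefore) || now.After(certB.NotAfter) {
		return errors.New("certificate outside validity period")
	}
	if d.Revoked[certB.UserInfo] {
		return errors.New("certificate revoked")
	}
	if b, _ := json.Marshal(li); !ed25519.Verify(certB.PublicKey, b, sig) {
		return errors.New("login information signature invalid")
	}
	if dt := now.Sub(li.Time); dt < -maxSkew || dt > maxSkew {
		return errors.New("login time outside freshness window")
	}
	return nil
}

// Scenario runs, with constructed data, a genuine login, a login whose IP was altered
// after signing, the same signature replayed an hour later, and a login after revocation.
func Scenario() (genuine, tampered, replayed, revoked error) {
	now := time.Date(2016, 3, 1, 12, 0, 0, 0, time.UTC)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert, cardPriv := Issue(caPriv, "alice;uid=1001", now, 365*24*time.Hour)
	dir := Directory{Certs: map[string]PersonalCert{cert.UserInfo: cert}, Revoked: map[string]bool{}, CAPub: caPub}
	li := LoginInfo{IP: "192.0.2.10", MAC: "02:00:00:00:00:01", Time: now}
	sig := SignLogin(cardPriv, li)
	genuine = Authenticate(dir, cert, li, sig, now, time.Minute)
	forged := li
	forged.IP = "198.51.100.7" // attacker alters the signed login information in transit
	tampered = Authenticate(dir, cert, forged, sig, now, time.Minute)
	replayed = Authenticate(dir, cert, li, sig, now.Add(time.Hour), time.Minute)
	dir.Revoked[cert.UserInfo] = true
	revoked = Authenticate(dir, cert, li, sig, now, time.Minute)
	return
}

func main() {
	g, t, p, r := Scenario()
	fmt.Println("genuine:", g, "| tampered:", t, "| replayed:", p, "| revoked:", r)
}
```

The freshness check is the caveat a practitioner would add to this design: the signed login information (IP, MAC, login time) is what stops a captured signature from being presented again, and that only holds if the server rejects stale login times and, ideally, remembers signatures it has recently accepted. Run with `go run`: the genuine login returns nil, the altered login fails at the signature check, the hour-old replay fails the freshness check, and the revoked certificate is rejected before its login signature is examined.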
  • an application password can be set for the application service provided by the application server, and the application service can be used only after the correct application password is entered. After the mobile terminal has been allowed to log in to the application server, further user authentication may therefore be performed on the mobile terminal, namely verification of the application password.
  • FIG. 4 is a flow chart showing the steps of password verification on the authentication server side according to the fourth embodiment of the present invention.
  • Step S410 When the authentication result is that the authentication is passed, an encryption key is generated.
  • the encryption key is used to encrypt the application password input by the user on the mobile terminal side.
  • the decryption key corresponding to the encryption key is stored in the authentication server.
  • the application password corresponds to a legitimate user.
  • a legitimate user can use the application service provided by the application server only by using the correct application password.
  • the application server can set an initial application password for the legitimate user so that the legitimate user can use the application service for the first time, and the legitimate user can subsequently change the application password.
  • the application password is sent by the application server to the LDAP server through the authentication server, and the application password and the user information are stored in the LDAP server.
  • Step S420 encrypting the encryption key by using a personal digital certificate.
  • the encryption key is encrypted by using the public key of the legitimate user in the personal digital certificate.
  • Step S430 the encrypted encryption key is sent to the mobile terminal.
  • the authentication server transmits the encrypted encryption key to the mobile terminal through the application server.
  • Step S440 receiving an application password sent by the mobile terminal and encrypted by using an encryption key.
  • the mobile terminal collects the application password input by the user, decrypts the encryption key by using the private key of the legal user in the TF card, and encrypts the application password by using the decrypted encryption key.
  • Step S450 after decrypting the application password, performing password verification on the application password.
  • the application password is decrypted with the decryption key corresponding to the encryption key.
  • after authenticating the user as in the second embodiment, the authentication server already holds the user information from the legitimate user's personal digital certificate.
  • the authentication server uses that user information to obtain the corresponding application password from the LDAP server and determines whether the application password sent by the mobile terminal is the same as the correct application password in the LDAP server. If so, the password verification passes; if not, it fails.
  • Step S460 transmitting a password verification result to the mobile terminal.
  • if the password verification passes, the mobile terminal is allowed to use the application service corresponding to the application password; otherwise, the mobile terminal is refused that application service.
  • FIG. 5 is a flowchart of a password verification step on the mobile terminal side according to the fourth embodiment of the present invention.
  • Step S510 receiving an encryption key encrypted by the authentication server by using a personal digital certificate.
  • the mobile terminal receives an encryption key sent by the authentication server through the application server.
  • Step S520 decrypting the encryption key using a private key stored in the TF card.
  • the private key stored in the TF card corresponds to the public key in the personal digital certificate and can therefore be used to decrypt the encryption key.
  • Step S530 encrypting the application password input by the user by using the decrypted encryption key.
  • the user is prompted to enter the application password; the application password is collected as it is entered and encrypted with the decrypted encryption key.
  • Step S540 Send the encrypted application password to the authentication server, so that the authentication server performs password verification on the application password.
  • the encrypted application password is sent to the authentication server through the application server.
  • Step S550 receiving the verification result fed back by the authentication server, if the verification is passed, the application service provided by the application server is allowed to be used, otherwise, the process ends.
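The password step of Embodiment 4 (steps S410 to S460 on the authentication server and S510 to S550 on the mobile terminal) as a runnable exchange. This is an added example for this page, not the patent's or ZTE's code. The page does not say how the encryption key is wrapped or how the application password is encrypted, so RSA-OAEP for the wrap, AES-GCM for the password and a 256-bit key are assumptions, and the stored password and the card's key pair are constructed in process. The page reuses the card's signing key pair to decrypt the key; this example gives the card a dedicated RSA key for that purpose, which is the key-separation practice a reviewer would ask for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// WrapSessionKey is the authentication server side of steps S410 and S420: generate a
// fresh 256-bit encryption key and encrypt it with the public key taken from the
// personal digital certificate (RSA-OAEP is an assumption).
func WrapSessionKey(userPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, nil)
	return key, wrapped, err
}

// UnwrapSessionKey is step S520 on the card: the private key that never leaves the
// card recovers the encryption key.
func UnwrapSessionKey(cardPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, cardPriv, wrapped, nil)
}

// EncryptPassword is step S530 on the terminal: AES-GCM over the application password,
// nonce prepended. GCM also authenticates the ciphertext.
func EncryptPassword(key, password []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, password, nil), nil
}

// VerifyPassword is step S450 on the server: decrypt, then compare with the password
// held for this user in constant time. The page keeps the plaintext password in LDAP;
// a hardened deployment would compare against a salted password hash instead.
func VerifyPassword(key, ciphertext, stored []byte) (bool, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return false, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return false, errors.New("ciphertext too short")
	}
	pw, err := gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
	if err != nil {
		return false, err // tampered ciphertext or wrong key: reject before comparing
	}
	return subtle.ConstantTimeCompare(pw, stored) == 1, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PasswordScenario runs the exchange with constructed data and returns the outcome for
// the correct password, a wrong password and a ciphertext modified in transit.
func PasswordScenario() (correct, wrong bool, tamperErr error, err error) {
	cardPriv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed card key pair
	if err != nil {
		return
	}
	stored := []byte("s3cret-app-pw") // constructed: what the LDAP server holds
	serverKey, wrapped, err := WrapSessionKey(&cardPriv.PublicKey)
	if err != nil {
		return
	}
	cardKey, err := UnwrapSessionKey(cardPriv, wrapped)
	if err != nil {
		return
	}
	ct, err := EncryptPassword(cardKey, []byte("s3cret-app-pw"))
	if err != nil {
		return
	}
	if correct, err = VerifyPassword(serverKey, ct, stored); err != nil {
		return
	}
	ct2, err := EncryptPassword(cardKey, []byte("wrong-pw"))
	if err != nil {
		return
	}
	if wrong, err = VerifyPassword(serverKey, ct2, stored); err != nil {
		return
	}
	ct[len(ct)-1] ^= 0x01 // attacker flips one ciphertext bit in transit
	_, tamperErr = VerifyPassword(serverKey, ct, stored)
	return
}

func main() {
	c, w, t, err := PasswordScenario()
	fmt.Println("correct:", c, "wrong:", w, "tampered:", t, "err:", err)
}
```

An authenticated mode is used because the server decrypts attacker-reachable ciphertext: with GCM a modified message fails at gcm.Open rather than decrypting to garbage that is then compared. Two further caveats the page does not address: the LDAP server should hold a salted password hash rather than the password itself, and the wrapped key should be bound to the authenticated session so that a key wrapped for one login cannot be presented in another.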
  • FIG. 6 is a schematic structural diagram of a user authentication system according to a fifth embodiment of the present invention.
  • the system includes a mobile terminal, an LDAP server, an authentication server, a CA center, and an application server.
  • the authentication server can perform validity verification of the personal digital certificate, integrity verification of the login information, verification of the correctness of the application password, and the like.
  • the LDAP server is configured to store user information of a legitimate user, a personal digital certificate, an application password, a CA center public key, and the like.
  • the CA Center is set up to generate key pairs, issue and maintain personal digital certificates for legitimate users.
  • the application server is configured to provide application services and can process business data of legitimate users.
  • the system needs to perform the following steps before user authentication:
  • Step 1 The user registers the user information in the CA center and submits a personal digital certificate application.
  • the user information includes information such as a user name and a user ID. Further, the user registers user information and submits a personal digital certificate application on the CA center terminal.
  • Step 2 The CA center audits the user information. If the audit is approved, the user's personal digital certificate application is approved, otherwise the user's personal digital certificate application is rejected.
  • Step 3 After the CA center approves the personal digital certificate application, the user inserts the TF card into the interface of the CA center and logs in to the CA center with the user information; after logging in, the personal digital certificate and the key pair are obtained from the CA center, for example by clicking a Get button.
  • the CA center generates a personal digital certificate for the user and invokes the TF card to generate a key pair for the user. Since the key pair is generated in the TF card and is already stored there, the CA center then stores the user's personal digital certificate in the TF card.
  • the CA Center also needs to publish the user's personal digital certificate to the LDAP server.
  • The user authentication process is then as follows. Step 1 Insert the TF card storing the personal digital certificate and the key pair into the mobile terminal; when the mobile terminal attempts to log in to the application server, a user authentication request carrying the personal digital certificate, the login information, and the login information signature is sent to the application server.
  • Step 2 After receiving the user authentication request, the application server forwards the request to the authentication server.
  • Step 3 The authentication server receives the user authentication request, obtains the user's personal digital certificate from the LDAP server, and performs validity verification on the personal digital certificate in the user authentication request; if the validity verification passes, the integrity of the login information is verified using the login information signature. If the integrity verification also passes, the authentication passes; otherwise, the authentication fails and the authentication process ends.
  • the application service provided by the application server has an application password. Before the user uses the service provided by the application server, password verification is also performed, as follows:
  • Step 1 After the user authentication is passed, the authentication server generates an encryption key and encrypts it using a personal digital certificate. The authentication server sends the encrypted encryption key to the mobile terminal through the application server.
  • Step 2 The mobile terminal receives the encrypted encryption key, prompts the user to input the application password, decrypts the encryption key with the private key in the TF card, encrypts the application password input by the user with the decrypted encryption key, and sends the encrypted application password to the application server, which forwards it to the authentication server for password verification.
  • Step 3 The authentication server receives the encrypted application password and decrypts it with the decryption key generated in advance. It obtains the application password corresponding to the user from the LDAP server, verifies the decrypted application password against that correct application password, and returns the verification result to the mobile terminal through the application server. If the verification passes, the user may use the business service provided by the application server; otherwise, the process ends.
  • FIG. 7 is a structural diagram of a user authentication apparatus according to a sixth embodiment of the present invention.
  • the device is in the mobile terminal and can act as a client in the mobile terminal.
  • the device disposed in the mobile terminal includes:
  • the obtaining module 710 is configured to obtain login information and obtain a personal digital certificate stored in the TF card when attempting to log in to the application server.
  • the signing module 720 is configured to perform signature processing on the login information by using the private key stored in the TF card to obtain a login information signature.
  • the first sending module 730 is configured to send the personal digital certificate, the login information, and the login information signature to the authentication server, so that the authentication server performs the user authentication using the personal digital certificate, the login information, and the login information signature.
  • the first receiving module 740 is configured to receive the authentication result fed back by the authentication server, and if the authentication passes, is allowed to log in to the application server; otherwise, the process ends.
  • the apparatus provided in the mobile terminal further includes a first encryption and decryption module (not shown).
  • the first receiving module 740 is further configured to receive an encryption key encrypted by the authentication server by using a personal digital certificate after the authentication is passed.
  • the first encryption and decryption module is configured to decrypt the encryption key using the private key stored in the TF card; and encrypt the application password input by the user by using the decrypted encryption key.
  • the first sending module 730 is further configured to send the encrypted application password to the authentication server, so that the authentication server performs password verification on the application password.
  • the first receiving module 740 is further configured to receive the verification result fed back by the authentication server, and if the verification is passed, the application service provided by the application server is allowed to be used.
  • FIG. 8 is a structural diagram of a user authentication apparatus according to a seventh embodiment of the present invention.
  • the device is in the authentication server.
  • the device disposed in the authentication server includes:
  • the second receiving module 810 is configured to receive a personal digital certificate, login information, and login information signature from the mobile terminal, where the personal digital certificate is obtained by the mobile terminal from the TF card, and the login information signature is obtained by the mobile terminal signing the login information with the private key stored in the TF card.
  • the authentication module 820 is configured to perform user authentication of the mobile terminal based on the personal digital certificate, login information, and login information signature.
  • the second sending module 830 is configured to send the authentication result to the mobile terminal.
  • the apparatus provided in the authentication server further includes a first generation module (not shown) and a second encryption and decryption module (not shown).
  • the first generation module is configured to generate an encryption key if the authentication result is the authentication pass.
  • the second encryption and decryption module is configured to encrypt the encryption key by using a personal digital certificate.
  • the second sending module 830 is further configured to send the encrypted encryption key to the mobile terminal.
  • the second receiving module 810 is further configured to: after transmitting the encrypted encryption key to the mobile terminal, receive an application password that is sent by the mobile terminal and encrypted by using an encryption key.
  • the second encryption and decryption module is further configured to perform password verification on the application password after decrypting the application password.
  • the second sending module 830 is further configured to send the password verification result to the mobile terminal.
  • FIG. 9 is a structural diagram of a user authentication apparatus according to an eighth embodiment of the present invention.
  • the device is on the CA center side.
  • the device disposed in the CA center includes:
  • the connection module 910 is configured to obtain user information of a legitimate user after connecting the TF card.
  • the calling module 920 is configured to invoke the TF card to generate a key pair in the TF card for the legal user; the key pair includes a public key and a private key.
  • the second generation module 930 is configured to generate a personal digital certificate according to the user information and the public key in the key pair.
  • a storage module 940 configured to store the personal digital certificate into the TF card, so that the mobile terminal acquires the personal digital certificate and the key pair (public key and private key) from the TF card inserted into its interface for user authentication.
  • the key pair (public key and private key) and the personal digital certificate of a legitimate user are stored in advance in a separate TF card by the CA center, and the TF card is then inserted into the mobile terminal to perform user authentication.
  • user authentication is performed on the authentication server side based on the personal digital certificate in the TF card that has been inserted into the mobile terminal.
  • the invention avoids the low security of static-password user authentication: the private key stored in the TF card cannot be extracted, counterfeited or tampered with.

Abstract

Disclosed are a user authentication method and apparatus. The method comprises, at a mobile terminal side: when attempting to log onto an application server, sending, to an authentication server, logon information, a logon information signature and a personal digital certificate stored in a TF card; and receiving an authentication result fed back by the authentication server. The method comprises, at an authentication server side: on the basis of a personal digital certificate, logon information and a logon information signature from a mobile terminal, executing user authentication; and sending an authentication result to the mobile terminal. The method at a CA centre side comprises: after connecting to a TF card, acquiring user information about a legitimate user; calling the TF card to generate a key pair in the TF card for the legitimate user; according to the user information and a public key in the key pair, generating a personal digital certificate; and storing the personal digital certificate in the TF card. The present invention may avoid the problem of low security of static password user authentication, and a private key stored in a TF card cannot be acquired, counterfeited and tampered with, and is highly secure.

Description

User authentication method and apparatus
Technical field
The present invention relates to the field of communications technologies, and in particular to a user authentication method and apparatus.
Background
With the rapid development of the communications and IT industries, network security is becoming ever more important. End users accessing a network, such as a local area network, must pass user authentication. However, existing user authentication for end users is based on static passwords, and its security is low.
For example, thanks to its convenience and efficiency, mobile office work is gradually becoming widespread in more and more enterprises. To protect the information security of enterprise networks, secure access by end users has begun to receive attention from enterprises. Although existing user authentication methods are simple, they are difficult to defend against attacks such as password guessing, replay and theft, leading to security problems such as leakage of internal enterprise information.
Summary of the invention
Embodiments of the present invention provide a user authentication method and apparatus for solving the problem that existing static password user authentication offers low security.
In view of the above technical problem, embodiments of the present invention solve it by the following technical solutions.
An embodiment of the present invention provides a user authentication method whose steps on the mobile terminal side include: when attempting to log in to an application server, acquiring login information and acquiring a personal digital certificate stored in a TF card; signing the login information with the private key stored in the TF card to obtain a login information signature; sending the personal digital certificate, the login information and the login information signature to an authentication server, so that the authentication server performs user authentication based on the personal digital certificate, the login information and the login information signature; and receiving the authentication result fed back by the authentication server, whereby if the authentication passes, the mobile terminal is allowed to log in to the application server.
The steps on the mobile terminal side further include: after the authentication passes, receiving an encryption key that the authentication server has encrypted using the personal digital certificate; decrypting the encryption key using the private key stored in the TF card; encrypting the application password input by the user with the decrypted encryption key; sending the encrypted application password to the authentication server, so that the authentication server performs password verification on the application password; and receiving the verification result fed back by the authentication server, whereby if the verification passes, the mobile terminal is allowed to use the application service provided by the application server.
An embodiment of the present invention further provides a user authentication method whose steps on the authentication server side include: receiving a personal digital certificate, login information and a login information signature from a mobile terminal, where the personal digital certificate is obtained by the mobile terminal from its TF card and the login information signature is obtained by the mobile terminal signing the login information with the private key stored in the TF card; performing user authentication of the mobile terminal based on the personal digital certificate, the login information and the login information signature; and sending the authentication result to the mobile terminal.
The steps on the authentication server side further include: if the authentication result is that authentication passed, generating an encryption key; encrypting the encryption key using the personal digital certificate; and sending the encrypted encryption key to the mobile terminal.
The steps on the authentication server side further include: after sending the encrypted encryption key to the mobile terminal, receiving an application password sent by the mobile terminal and encrypted with the encryption key; after decrypting the application password, performing password verification on it; and sending the password verification result to the mobile terminal.
An embodiment of the present invention further provides a user authentication method whose steps on the CA center side include: after connecting to a TF card, acquiring the user information of a legitimate user; invoking the TF card to generate a key pair in the TF card for the legitimate user; generating a personal digital certificate from the user information and the public key of the key pair; and storing the personal digital certificate in the TF card, so that the mobile terminal obtains the personal digital certificate and the key pair from the TF card inserted into its interface in order to perform user authentication.
An embodiment of the present invention further provides a user authentication apparatus disposed in a mobile terminal, which includes: an obtaining module, configured to acquire login information and acquire a personal digital certificate stored in a TF card when attempting to log in to an application server; a signing module, configured to sign the login information with the private key stored in the TF card to obtain a login information signature; a first sending module, configured to send the personal digital certificate, the login information and the login information signature to an authentication server, so that the authentication server performs user authentication based on the personal digital certificate, the login information and the login information signature; and a first receiving module, configured to receive the authentication result fed back by the authentication server, whereby if the authentication passes, the mobile terminal is allowed to log in to the application server.
The apparatus disposed in the mobile terminal further includes a first encryption and decryption module. The first receiving module is further configured to receive, after the authentication passes, an encryption key that the authentication server has encrypted using the personal digital certificate. The first encryption and decryption module is configured to decrypt the encryption key using the private key stored in the TF card and to encrypt the application password input by the user with the decrypted encryption key. The first sending module is further configured to send the encrypted application password to the authentication server, so that the authentication server performs password verification on the application password. The first receiving module is further configured to receive the verification result fed back by the authentication server, whereby if the verification passes, the mobile terminal is allowed to use the application service provided by the application server.
An embodiment of the present invention further provides a user authentication apparatus disposed in an authentication server, which includes: a second receiving module, configured to receive a personal digital certificate, login information and a login information signature from a mobile terminal, where the personal digital certificate is obtained by the mobile terminal from its TF card and the login information signature is obtained by the mobile terminal signing the login information with the private key stored in the TF card; an authentication module, configured to perform user authentication of the mobile terminal based on the personal digital certificate, the login information and the login information signature; and a second sending module, configured to send the authentication result to the mobile terminal.
The apparatus disposed in the authentication server further includes a first generation module and a second encryption and decryption module. The first generation module is configured to generate an encryption key if the authentication result is that authentication passed. The second encryption and decryption module is configured to encrypt the encryption key using the personal digital certificate. The second sending module is further configured to send the encrypted encryption key to the mobile terminal.
The second receiving module is further configured to receive, after the encrypted encryption key has been sent to the mobile terminal, an application password sent by the mobile terminal and encrypted with the encryption key. The second encryption and decryption module is further configured to perform password verification on the application password after decrypting it. The second sending module is further configured to send the password verification result to the mobile terminal.
An embodiment of the present invention further provides a user authentication apparatus disposed in a CA center, which includes: a connection module, configured to acquire the user information of a legitimate user after connecting to a TF card; a calling module, configured to invoke the TF card to generate a key pair in the TF card for the legitimate user; a second generation module, configured to generate a personal digital certificate from the user information and the public key of the key pair; and a storage module, configured to store the personal digital certificate in the TF card, so that the mobile terminal obtains the personal digital certificate and the key pair from the TF card inserted into its interface in order to perform user authentication.
The beneficial effects of the embodiments of the present invention are as follows:
In the embodiments of the present invention, the key pair (public key and private key) and the personal digital certificate of a legitimate user are stored in advance in a separate TF card by the CA center; the TF card is then inserted into the mobile terminal, and during user authentication the authentication server performs user authentication based on the personal digital certificate in the TF card inserted into the mobile terminal. The invention thus avoids the low security of static password user authentication: the private key stored in the TF card cannot be extracted, counterfeited or tampered with, so user authentication is highly secure.
Brief description of the drawings
FIG. 1 is a flowchart of a user authentication method according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a user authentication method according to a second embodiment of the present invention;
FIG. 3 is a flowchart of a user authentication method according to a third embodiment of the present invention;
FIG. 4 is a flowchart of the password verification step on the authentication server side according to a fourth embodiment of the present invention;
FIG. 5 is a flowchart of the password verification step on the mobile terminal side according to the fourth embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a user authentication system according to a fifth embodiment of the present invention;
FIG. 7 is a structural diagram of a user authentication apparatus according to a sixth embodiment of the present invention;
FIG. 8 is a structural diagram of a user authentication apparatus according to a seventh embodiment of the present invention;
FIG. 9 is a structural diagram of a user authentication apparatus according to an eighth embodiment of the present invention.
Detailed description
The invention is further described in detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here merely explain the invention and do not limit it.
Embodiment 1
This embodiment provides a user authentication method; FIG. 1 is a flowchart of the user authentication method according to the first embodiment of the present invention. This embodiment is executed on the mobile terminal side.
Step S110: when attempting to log in to the application server, acquire the login information and the personal digital certificate stored in the TF card of the mobile terminal, and sign the login information with the private key stored in the TF card to obtain a login information signature.
A personal digital certificate is the identity credential of a legitimate user and is used to represent that user.
The personal digital certificate includes: the user information of the legitimate user, the legitimate user's public key, a signature over the user information and the public key, the validity period of the certificate, and so on. The signature over the user information and the public key is produced by the Certificate Authority (CA) center signing the legitimate user's user information and public key with the CA center's private key.
The TF card is a Micro SD card: a chip with a built-in cryptographic module and a storage module. The TF card supports asymmetric, symmetric and hash algorithms, supports the storage of personal digital certificates and keys, and provides signing and encryption interfaces; the cryptographic chip is packaged in the TF form factor. The personal digital certificate in the TF card is generated on the CA center side; see Embodiment 3 for details.
The mobile terminal is a portable smart terminal, such as a mobile phone, tablet or notebook, that supports a TF (TransFlash) card peripheral interface. The TF card storing the personal digital certificate is inserted into the TF card interface of the mobile terminal, connecting the mobile terminal and the TF card so that the personal digital certificate can be read from the TF card.
To improve the accuracy of user authentication, the user's login information is also acquired when attempting to log in to the application server, and a login information signature is generated. The login information includes: the Internet Protocol (IP) address of the mobile terminal, its Media Access Control (MAC) address, and the time of this login attempt.
After acquiring the login information, the mobile terminal invokes the cryptographic module of the TF card to sign the login information, producing the login information signature. Further, the TF card also stores the legitimate user's key pair, consisting of the user's public key and private key. This public key is the same as the public key in the personal digital certificate. The cryptographic module of the TF card signs the login information with the private key of the key pair to obtain the login information signature.
Step S120: send the personal digital certificate, the login information and the login information signature to the authentication server, so that the authentication server performs user authentication using the personal digital certificate, the login information and the login information signature.
Step S130: receive the authentication result fed back by the authentication server; if the authentication passes, the mobile terminal is allowed to log in to the application server; otherwise, the process ends.
Specifically, in this embodiment the mobile terminal can communicate with the application server, and the application server can communicate with the authentication server. The mobile terminal sends the personal digital certificate, the login information and the login information signature to the authentication server through the application server; after the authentication server obtains the authentication result, it sends the result to the mobile terminal through the application server. In this way the application server learns immediately whether or not the user's identity has been authenticated: if it has, the mobile terminal is allowed to log in to the application server; otherwise, the login is refused.
Embodiment 2
This embodiment provides a user authentication method; FIG. 2 is a flowchart of the user authentication method according to the second embodiment of the present invention. This embodiment is executed on the authentication server side.
Step S210: receive the personal digital certificate, the login information and the login information signature from the mobile terminal.
The personal digital certificate is the one the mobile terminal obtained from its TF card, and the login information signature is obtained by the mobile terminal signing the login information with the legitimate user's private key stored in the TF card.
Step S220: perform user authentication of the mobile terminal based on the personal digital certificate, the login information and the login information signature.
Specifically, a Lightweight Directory Access Protocol (LDAP) server stores the information relating to legitimate users, including user information, personal digital certificates, revocation records of personal digital certificates, the CA center public key, and so on.
Using the user information contained in the personal digital certificate as the search condition, the personal digital certificate A containing that user information is retrieved from the LDAP server; user authentication is then performed on the basis of the personal digital certificate B received from the mobile terminal and the personal digital certificate A retrieved from the LDAP server.
The validity of personal digital certificate B from the mobile terminal is verified against personal digital certificate A retrieved from the LDAP server. If validity verification fails, authentication fails; if it passes, the integrity of the login information is verified using the login information signature. If integrity verification fails, authentication fails; if it passes, authentication passes.
Validity verification comprises: determining whether the public key in personal digital certificate A and the public key in personal digital certificate B are the same; if not, validity verification fails; if so, the CA center public key is retrieved from the LDAP server and used to de-sign the signature over the user information and public key in personal digital certificate B, and the signature is verified; if signature verification fails, validity verification fails; if it passes, the validity period in personal digital certificate B is used to determine whether certificate B is within its validity period; if not, validity verification fails; if so, the revocation records of personal digital certificates are retrieved from the LDAP server to determine whether personal digital certificate B has been revoked; if so, validity verification fails; if not, personal digital certificate B is legitimate and validity verification passes.
Signature verification is, for example: determining whether the de-signed user information and public key are respectively identical to the user information in personal digital certificate B and the legitimate user's public key; if both are identical, signature verification passes; otherwise, it fails.
Integrity verification comprises: de-signing the login information signature using personal digital certificate A or B, that is, using the legitimate user's public key in personal digital certificate A or B to de-sign the login information signature, and verifying the login information signature. For example: the de-signed login information is obtained, and it is determined whether the de-signed login information and the login information received from the mobile terminal are the same; if they are, integrity verification passes; if they differ, integrity verification fails.
Step S230: send the authentication result to the mobile terminal.
That is, the authentication server sends an authentication-passed message or an authentication-failed message to the mobile terminal via the application server.
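The verification order of this embodiment, as an added example written for this page (it is not the patent's or the applicant's implementation): a stand-in CA center issues a certificate, a stand-in TF card signs the login information, and the authentication server runs the validity checks (public-key match against certificate A, CA signature, validity period, revocation record) before the integrity check. RSA PKCS#1 v1.5 signature verification replaces the text's "de-sign and compare"; the certificate layout, all names and the sample user info are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert stands in for the personal digital certificate; layout and field names are assumptions.
type Cert struct {
	UserInfo  string
	PubKey    *rsa.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	CASig     []byte
}

// tbs is what the CA signs: the user info followed by the public key modulus.
func tbs(userInfo string, pub *rsa.PublicKey) []byte {
	return append([]byte(userInfo+"|"), pub.N.Bytes()...)
}

// IssueCert plays the CA center (step S330): sign user info and public key with
// the CA private key and attach a validity period of the given number of days.
func IssueCert(caKey *rsa.PrivateKey, userInfo string, pub *rsa.PublicKey, now time.Time, days int) (*Cert, error) {
	h := sha256.Sum256(tbs(userInfo, pub))
	sig, err := rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &Cert{userInfo, pub, now, now.AddDate(0, 0, days), sig}, nil
}

// SignLogin plays the TF card's cryptographic module (step S110): sign the login
// information with the private key that never leaves the card.
func SignLogin(userKey *rsa.PrivateKey, loginInfo []byte) ([]byte, error) {
	h := sha256.Sum256(loginInfo)
	return rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, h[:])
}

// Directory stands in for the LDAP server: certificates by user info, revocations, CA public key.
type Directory struct {
	Certs   map[string]*Cert
	Revoked map[string]bool
	CAPub   *rsa.PublicKey
}

// VerifyValidity follows the text's order: key match with certificate A, CA
// signature, validity period, revocation record.
func VerifyValidity(dir *Directory, certB *Cert, now time.Time) error {
	certA, ok := dir.Certs[certB.UserInfo]
	if !ok || certA.PubKey.N.Cmp(certB.PubKey.N) != 0 || certA.PubKey.E != certB.PubKey.E {
		return errors.New("public key in certificate B differs from certificate A")
	}
	h := sha256.Sum256(tbs(certB.UserInfo, certB.PubKey))
	if rsa.VerifyPKCS1v15(dir.CAPub, crypto.SHA256, h[:], certB.CASig) != nil {
		return errors.New("CA signature over user info and public key does not verify")
	}
	if now.Before(certB.NotBefore) || now.After(certB.NotAfter) {
		return errors.New("certificate B is outside its validity period")
	}
	if dir.Revoked[certB.UserInfo] {
		return errors.New("certificate B has been revoked")
	}
	return nil
}

// VerifyIntegrity: the login information signature must verify under the user's
// public key for exactly the login information the server received.
func VerifyIntegrity(cert *Cert, loginInfo, loginSig []byte) error {
	h := sha256.Sum256(loginInfo)
	if rsa.VerifyPKCS1v15(cert.PubKey, crypto.SHA256, h[:], loginSig) != nil {
		return errors.New("login information signature does not verify")
	}
	return nil
}

// Authenticate is the authentication server's step S220: validity first, then integrity.
func Authenticate(dir *Directory, certB *Cert, loginInfo, loginSig []byte, now time.Time) error {
	if err := VerifyValidity(dir, certB, now); err != nil {
		return err
	}
	return VerifyIntegrity(certB, loginInfo, loginSig)
}

func main() {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed CA key pair
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed "TF card" key pair
	now := time.Now()
	cert, _ := IssueCert(caKey, "alice;id=1001", &userKey.PublicKey, now, 365)
	dir := &Directory{map[string]*Cert{cert.UserInfo: cert}, map[string]bool{}, &caKey.PublicKey}
	login := []byte("user=alice;app=mail;nonce=7f3a")
	sig, _ := SignLogin(userKey, login)
	fmt.Println("genuine login:", Authenticate(dir, cert, login, sig, now))
}
```

Because each check returns on the first failure, the server never reaches the signature check for an expired or revoked certificate, which is the order the embodiment prescribes.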
Embodiment 3
This embodiment provides a user authentication method; FIG. 3 is a flowchart of the user authentication method according to the third embodiment of the present invention. This embodiment is executed on the CA center side, before user authentication takes place.
Step S310: after connecting the TF card, obtain the legitimate user's user information.
The CA center connects to a TF card that is independent of the mobile terminal and obtains the legitimate user's user information according to the legitimate user's operations.
Specifically, the user first registers at the CA center and, once registration is approved, becomes a legitimate user. The legitimate user inserts a separate TF card into the TF card interface provided by the CA center, connecting the TF card to the CA center. The legitimate user enters user information at the CA center to log in to it, and the CA center obtains the user information entered by the legitimate user.
Step S320: invoke the TF card to generate a key pair for the legitimate user inside the TF card.
The CA center invokes the cryptographic module in the TF card to generate a key pair for the legitimate user, the key pair comprising the legitimate user's public key and private key. Because the TF card's cryptographic module generates the key pair directly inside the TF card, the security of the key pair is ensured.
Step S330: generate a personal digital certificate from the user information and the public key of the key pair.
The CA center signs the user information and the public key with the CA center private key, and generates the personal digital certificate from the user information, the public key, and the signature over the user information and public key. The personal digital certificate naturally also contains its validity period.
Step S340: store the personal digital certificate in the TF card, and send the personal digital certificate to the LDAP server.
Once the personal digital certificate has been stored in the TF card, the TF card holds both the personal digital certificate and the key pair. The TF card holding the personal digital certificate and key pair is inserted into the interface provided by the mobile terminal, so that the mobile terminal can obtain the personal digital certificate, the public key and the private key from the TF card inserted in its interface, for use during user authentication.
In this embodiment, the personal digital certificate and the key pair can be stored directly in the TF card as soon as the personal digital certificate has been generated, avoiding the security problems that transmitting a personal digital certificate and key pair would create, and ensuring that the private key stored in the TF card cannot be obtained, forged or tampered with. The CA center is a trusted center with a high level of security, and the personal digital certificates it generates cannot be forged, so validity verification of the personal digital certificate is highly secure. The private key stored in the TF card cannot be read out, so a login information signature made with that private key cannot be imitated, and integrity verification of the login information is therefore highly secure. Consequently, the user authentication result of this embodiment is highly secure.
Embodiment 4
An application password can be set for an application service provided by the application server; the application service can only be used after the correct application password has been entered. Then, after the mobile terminal has been allowed to log in to the application server, further user authentication can be performed on the mobile terminal, namely password verification of the application password.
FIG. 4 is a flowchart of the password verification steps on the authentication server side according to the fourth embodiment of the present invention.
Step S410: when the authentication result is that authentication has passed, generate an encryption key.
The encryption key is used on the mobile terminal side to encrypt the application password entered by the user. The decryption key corresponding to this encryption key is stored on the authentication server.
The application password corresponds to the legitimate user; the legitimate user can use the application service provided by the application server only with the correct application password. Further, the application server can set an initial application password for the legitimate user, for use the first time the legitimate user uses the application service; the legitimate user can subsequently set the application password themselves. The application server sends the application password to the LDAP server via the authentication server, and the LDAP server stores the application password in association with the user information.
Step S420: encrypt the encryption key using the personal digital certificate.
To keep the encryption key secure in transit, on the authentication server side the encryption key is encrypted with the legitimate user's public key from the personal digital certificate.
Step S430: send the encrypted encryption key to the mobile terminal.
The authentication server sends the encrypted encryption key to the mobile terminal via the application server.
Step S440: receive the application password sent by the mobile terminal and encrypted with the encryption key.
On the mobile terminal side, the mobile terminal collects the application password entered by the user, decrypts the encryption key with the legitimate user's private key stored in the TF card, and encrypts the application password with the decrypted encryption key.
Step S450: after decrypting the application password, perform password verification of the application password.
The application password is decrypted using the decryption key corresponding to the encryption key.
Once the legitimate user has passed the user authentication of Embodiment 2, the authentication server already holds the user information from that legitimate user's personal digital certificate. During password verification, the authentication server uses that user information to retrieve the corresponding application password from the LDAP server and determines whether the application password sent by the mobile terminal is identical to the correct application password held in the LDAP server; if so, password verification passes; if not, it fails.
Step S460: send the password verification result to the mobile terminal.
If password verification passes, the mobile terminal is allowed to use the application service corresponding to that application password; otherwise, the mobile terminal is refused use of that application service.
FIG. 5 is a flowchart of the password verification steps on the mobile terminal side according to the fourth embodiment of the present invention.
Step S510: receive the encryption key that the authentication server has encrypted using the personal digital certificate.
Further, the mobile terminal receives the encryption key sent by the authentication server via the application server.
Step S520: decrypt the encryption key using the private key stored in the TF card.
The private key stored in the TF card corresponds to the public key in the personal digital certificate and can therefore be used to decrypt the encryption key.
Step S530: encrypt the application password entered by the user using the decrypted encryption key.
The user is prompted in the user interface to enter the application password; the application password is collected as the user enters it and encrypted with the decrypted encryption key.
Step S540: send the encrypted application password to the authentication server, so that the authentication server performs password verification of the application password.
The encrypted application password is sent to the authentication server via the application server.
Step S550: receive the verification result returned by the authentication server; if verification passes, the terminal is allowed to use the application service provided by the application server; otherwise, the process ends.
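The exchange of FIG. 4 and FIG. 5 on both sides, as an added example written for this page (not the patent's code): the authentication server generates the encryption key and wraps it with the public key from the certificate, the terminal unwraps it with the TF card's private key and encrypts the entered application password, and the server decrypts the password and verifies it against the directory entry. RSA-OAEP for the key wrapping and AES-GCM for the password are assumed choices the patent does not specify; the type names, label and sample data are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

var oaepLabel = []byte("app-password-key") // binds the wrapped key to its purpose (assumed value)

// AuthServer holds the per-authentication key of steps S410-S450 and a stand-in
// for the LDAP application-password store. With AES-GCM the "decryption key
// corresponding to the encryption key" is the same key, kept only server-side.
type AuthServer struct {
	sessionKey []byte
	Passwords  map[string]string
}

// IssueEncryptedKey is S410-S430: generate a fresh AES-256 key and encrypt it
// (RSA-OAEP) with the public key from the user's personal digital certificate.
func (s *AuthServer) IssueEncryptedKey(userPub *rsa.PublicKey) ([]byte, error) {
	s.sessionKey = make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, s.sessionKey); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, s.sessionKey, oaepLabel)
}

// TerminalEncryptPassword is S520-S530 on the mobile terminal: unwrap the key
// with the private key held in the TF card, then encrypt the entered password.
func TerminalEncryptPassword(tfCardPriv *rsa.PrivateKey, wrappedKey []byte, password string) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tfCardPriv, wrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return sealGCM(key, []byte(password))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || AES-GCM ciphertext (with tag) of plaintext under key.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any modification of the ciphertext fails the tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// VerifyPassword is S440-S450: decrypt the received application password and
// compare it in constant time with the directory's copy for the user info from
// the already-verified certificate (a deployment would compare a password hash).
func (s *AuthServer) VerifyPassword(userInfo string, sealedPassword []byte) (bool, error) {
	if s.sessionKey == nil {
		return false, errors.New("no encryption key was issued for this authentication")
	}
	pw, err := openGCM(s.sessionKey, sealedPassword)
	if err != nil {
		return false, err
	}
	expected, ok := s.Passwords[userInfo]
	if !ok {
		return false, nil
	}
	return subtle.ConstantTimeCompare(pw, []byte(expected)) == 1, nil
}

func main() {
	tfCard, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: key pair the CA generated in the TF card
	srv := &AuthServer{Passwords: map[string]string{"alice;id=1001": "correct horse"}}
	wrapped, _ := srv.IssueEncryptedKey(&tfCard.PublicKey)
	sealed, _ := TerminalEncryptPassword(tfCard, wrapped, "correct horse")
	fmt.Println(srv.VerifyPassword("alice;id=1001", sealed))
}
```

Only the holder of the TF card's private key can unwrap the key, so a password ciphertext produced with any other key, or altered in transit, is rejected before the comparison.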
Embodiment 5
To make the present invention clearer, this embodiment provides a specific user authentication system to describe the interaction between the parties of the present invention. FIG. 6 is a schematic structural diagram of a user authentication system according to the fifth embodiment of the present invention.
The system comprises a mobile terminal, an LDAP server, an authentication server, a CA center and an application server.
The authentication server is configured to perform user authentication. The authentication server can perform validity verification of personal digital certificates, integrity verification of login information, correctness verification of application passwords, and so on.
The LDAP server is configured to store legitimate users' user information, personal digital certificates, application passwords, the CA center public key, and so on.
The CA center is configured to generate key pairs for legitimate users and to issue and maintain personal digital certificates.
The application server is configured to provide application services and can process legitimate users' business data.
Based on the above system, the following steps are performed before user authentication:
Step 1: the user registers user information at the CA center and submits an application for a personal digital certificate. The user information includes the user name, user ID and the like. Further, the user registers the user information and submits the personal digital certificate application on a CA center terminal.
Step 2: the CA center reviews the user information; if the review is passed, the user's personal digital certificate application is approved, otherwise it is rejected.
Step 3: after the CA center approves the personal digital certificate application, the user inserts the TF card into the CA center's interface and logs in to the CA center with the user information; after logging in, the user obtains the personal digital certificate and key pair from the CA center, for example by clicking an "obtain" button. The CA center generates the personal digital certificate for the user and invokes the TF card to generate the key pair for the user. Because the key pair is generated in, and therefore already stored in, the TF card, the CA center only needs to store the user's personal digital certificate in the TF card. The CA center also needs to publish the user's personal digital certificate to the LDAP server.
When the user wishes to log in to the application server, user authentication must be passed, as follows:
Step 1: the TF card holding the personal digital certificate and key pair is inserted into the mobile terminal; when the mobile terminal attempts to log in to the application server, it sends a user authentication request carrying the personal digital certificate, the login information and the login information signature to the application server.
Step 2: after receiving the user authentication request, the application server forwards it to the authentication server.
Step 3: the authentication server receives the user authentication request, retrieves the user's personal digital certificate from the LDAP server and performs validity verification of the personal digital certificate in the user authentication request; if validity verification passes, it performs integrity verification of the login information using the login information signature; if integrity verification also passes, authentication passes; otherwise, authentication fails and the authentication process ends.
If the service provided by the application server has an application password set, application password verification must also be passed before the user uses that service, as follows:
Step 1: after user authentication has passed, the authentication server generates an encryption key and encrypts it with the personal digital certificate. The authentication server sends the encrypted encryption key to the mobile terminal via the application server.
Step 2: the mobile terminal receives the encryption key and prompts the user to enter the application password; it then decrypts the encryption key with the private key in the TF card, encrypts the application password entered by the user with the decrypted encryption key, and sends it to the application server, which forwards it to the authentication server for password verification.
Step 3: the authentication server receives the application password and decrypts it with the previously generated decryption key. It retrieves the application password corresponding to the user from the LDAP server, verifies the decrypted application password against that correct application password, and returns the verification result to the mobile terminal via the application server; if verification passes, the user may use the business service provided by the application server, otherwise the process ends.
Embodiment 6
This embodiment provides a user authentication apparatus. FIG. 7 is a structural diagram of a user authentication apparatus according to the sixth embodiment of the present invention. The apparatus is located in the mobile terminal and can act as a client within the mobile terminal.
The apparatus located in the mobile terminal comprises:
The obtaining module 710 is configured to obtain login information and to obtain the personal digital certificate stored in the TF card when attempting to log in to the application server.
The signing module 720 is configured to sign the login information with the private key stored in the TF card to obtain a login information signature.
The first sending module 730 is configured to send the personal digital certificate, the login information and the login information signature to the authentication server, so that the authentication server performs user authentication using the personal digital certificate, the login information and the login information signature.
The first receiving module 740 is configured to receive the authentication result returned by the authentication server; if authentication passes, the terminal is allowed to log in to the application server; otherwise, the process ends.
The apparatus located in the mobile terminal further comprises a first encryption/decryption module (not shown).
The first receiving module 740 is further configured to receive, after authentication has passed, the encryption key that the authentication server has encrypted using the personal digital certificate.
The first encryption/decryption module is configured to decrypt the encryption key using the private key stored in the TF card, and to encrypt the application password entered by the user using the decrypted encryption key.
The first sending module 730 is further configured to send the encrypted application password to the authentication server, so that the authentication server performs password verification of the application password.
The first receiving module 740 is further configured to receive the verification result returned by the authentication server; if verification passes, the terminal is allowed to use the application service provided by the application server.
The functions of the apparatus of this embodiment have already been described in the method embodiments shown in FIGS. 1, 4 and 5; for anything not covered in full in the description of this embodiment, refer to the corresponding description in the foregoing embodiments, which is not repeated here.
Embodiment 7
This embodiment provides a user authentication apparatus. FIG. 8 is a structural diagram of a user authentication apparatus according to the seventh embodiment of the present invention. The apparatus is located in the authentication server.
The apparatus located in the authentication server comprises:
The second receiving module 810 is configured to receive the personal digital certificate, the login information and the login information signature from the mobile terminal, where the personal digital certificate is the one the mobile terminal obtained from its TF card, and the login information signature is obtained by the mobile terminal signing the login information with the private key stored in the TF card.
The authentication module 820 is configured to perform user authentication of the mobile terminal based on the personal digital certificate, the login information and the login information signature.
The second sending module 830 is configured to send the authentication result to the mobile terminal.
The apparatus located in the authentication server further comprises a first generation module (not shown) and a second encryption/decryption module (not shown).
The first generation module is configured to generate an encryption key when the authentication result is that authentication has passed.
The second encryption/decryption module is configured to encrypt the encryption key using the personal digital certificate.
The second sending module 830 is further configured to send the encrypted encryption key to the mobile terminal.
The second receiving module 810 is further configured to receive, after the encrypted encryption key has been sent to the mobile terminal, the application password sent by the mobile terminal and encrypted with the encryption key.
The second encryption/decryption module is further configured to perform password verification of the application password after decrypting it.
The second sending module 830 is further configured to send the password verification result to the mobile terminal.
The functions of the apparatus of this embodiment have already been described in the method embodiments shown in FIGS. 2, 4 and 5; for anything not covered in full in the description of this embodiment, refer to the corresponding description in the foregoing embodiments, which is not repeated here.
Embodiment 8
This embodiment provides a user authentication apparatus. FIG. 9 is a structural diagram of a user authentication apparatus according to the eighth embodiment of the present invention. The apparatus is located on the CA center side.
The apparatus located in the CA center comprises:
The connection module 910 is configured to obtain the legitimate user's user information after the TF card has been connected.
The invoking module 920 is configured to invoke the TF card to generate a key pair for the legitimate user inside the TF card; the key pair comprises a public key and a private key.
The second generation module 930 is configured to generate a personal digital certificate from the user information and the public key of the key pair.
The storage module 940 is configured to store the personal digital certificate in the TF card, so that the mobile terminal obtains the personal digital certificate and the key pair (public key and private key) from the TF card inserted in its interface in order to perform user authentication.
The functions of the apparatus of this embodiment have already been described in the method embodiments shown in FIGS. 1 to 5; for anything not covered in full in the description of this embodiment, refer to the corresponding description in the foregoing embodiments, which is not repeated here.
Although preferred embodiments of the present invention have been disclosed for purposes of illustration, those skilled in the art will recognize that various improvements, additions and substitutions are also possible; the scope of the present invention should therefore not be limited to the embodiments described above.
Industrial applicability
In the technical solution provided by the embodiments of the present invention, the CA center stores the legitimate user's key pair (public key and private key) and personal digital certificate in a separate TF card, the TF card is then inserted into the mobile terminal, and during user authentication the authentication server side performs user authentication based on the personal digital certificate in the TF card inserted in the mobile terminal. The present invention thereby avoids the low security of static-password user authentication: the private key stored in the TF card cannot be obtained, forged or tampered with.

Claims (12)

  1. A user authentication method, the steps of which on the mobile terminal side comprise:
    when attempting to log in to an application server, obtaining login information and obtaining a personal digital certificate stored in a TF card;
    signing the login information with a private key stored in the TF card to obtain a login information signature;
    sending the personal digital certificate, the login information and the login information signature to an authentication server, so that the authentication server performs user authentication based on the personal digital certificate, the login information and the login information signature;
    receiving the authentication result fed back by the authentication server and, if the authentication passes, being allowed to log in to the application server.
  2. The method of claim 1, wherein the steps on the mobile terminal side further comprise:
    after the authentication passes, receiving an encryption key that the authentication server has encrypted with the personal digital certificate;
    decrypting the encryption key with the private key stored in the TF card;
    encrypting an application password entered by the user with the decrypted encryption key;
    sending the encrypted application password to the authentication server, so that the authentication server performs password verification on the application password;
    receiving the verification result fed back by the authentication server and, if the verification passes, being allowed to use the application service provided by the application server.
  3. A user authentication method, the steps of which on the authentication server side comprise:
    receiving a personal digital certificate, login information and a login information signature from a mobile terminal, wherein the personal digital certificate is obtained by the mobile terminal from its TF card, and the login information signature is obtained by the mobile terminal signing the login information with a private key stored in the TF card;
    performing user authentication of the mobile terminal based on the personal digital certificate, the login information and the login information signature;
    sending the authentication result to the mobile terminal.
  4. The method of claim 3, wherein the steps on the authentication server side further comprise:
    generating an encryption key if the authentication result is that the authentication passed;
    encrypting the encryption key with the personal digital certificate;
    sending the encrypted encryption key to the mobile terminal.
  5. The method of claim 4, wherein the steps on the authentication server side further comprise:
    after sending the encrypted encryption key to the mobile terminal, receiving an application password sent by the mobile terminal and encrypted with the encryption key;
    after decrypting the application password, performing password verification on the application password;
    sending the password verification result to the mobile terminal.
  6. A user authentication method, the steps of which on the certificate authority (CA) center side comprise:
    after connecting a TF card, obtaining user information of a legitimate user;
    invoking the TF card to generate a key pair for the legitimate user in the TF card;
    generating a personal digital certificate from the user information and the public key of the key pair;
    storing the personal digital certificate in the TF card, so that a mobile terminal obtains the personal digital certificate and the key pair from the TF card inserted into its interface in order to perform user authentication.
  7. A user authentication apparatus, the apparatus being provided in a mobile terminal and comprising:
    an obtaining module, configured to obtain login information and obtain a personal digital certificate stored in a TF card when attempting to log in to an application server;
    a signing module, configured to sign the login information with a private key stored in the TF card to obtain a login information signature;
    a first sending module, configured to send the personal digital certificate, the login information and the login information signature to an authentication server, so that the authentication server performs user authentication based on the personal digital certificate, the login information and the login information signature;
    a first receiving module, configured to receive the authentication result fed back by the authentication server, whereupon, if the authentication passes, login to the application server is allowed.
  8. The apparatus of claim 7, wherein the apparatus provided in the mobile terminal further comprises a first encryption and decryption module;
    the first receiving module is further configured to receive, after the authentication passes, an encryption key that the authentication server has encrypted with the personal digital certificate;
    the first encryption and decryption module is configured to decrypt the encryption key with the private key stored in the TF card, and to encrypt an application password entered by the user with the decrypted encryption key;
    the first sending module is further configured to send the encrypted application password to the authentication server, so that the authentication server performs password verification on the application password;
    the first receiving module is further configured to receive the verification result fed back by the authentication server, whereupon, if the verification passes, use of the application service provided by the application server is allowed.
  9. A user authentication apparatus, the apparatus being provided in an authentication server and comprising:
    a second receiving module, configured to receive a personal digital certificate, login information and a login information signature from a mobile terminal, wherein the personal digital certificate is obtained by the mobile terminal from its TF card, and the login information signature is obtained by the mobile terminal signing the login information with a private key stored in the TF card;
    an authentication module, configured to perform user authentication of the mobile terminal based on the personal digital certificate, the login information and the login information signature;
    a second sending module, configured to send the authentication result to the mobile terminal.
  10. The apparatus of claim 9, wherein the apparatus provided in the authentication server further comprises a first generating module and a second encryption and decryption module;
    the first generating module is configured to generate an encryption key if the authentication result is that the authentication passed;
    the second encryption and decryption module is configured to encrypt the encryption key with the personal digital certificate;
    the second sending module is further configured to send the encrypted encryption key to the mobile terminal.
  11. The apparatus of claim 10, wherein
    the second receiving module is further configured to receive, after the encrypted encryption key has been sent to the mobile terminal, an application password sent by the mobile terminal and encrypted with the encryption key;
    the second encryption and decryption module is further configured to perform password verification on the application password after decrypting it;
    the second sending module is further configured to send the password verification result to the mobile terminal.
  12. A user authentication apparatus, the apparatus being provided in a CA center and comprising:
    a connection module, configured to obtain user information of a legitimate user after a TF card is connected;
    an invoking module, configured to invoke the TF card to generate a key pair for the legitimate user in the TF card;
    a second generating module, configured to generate a personal digital certificate from the user information and the public key of the key pair;
    a storage module, configured to store the personal digital certificate in the TF card, so that a mobile terminal obtains the personal digital certificate and the key pair from the TF card inserted into its interface in order to perform user authentication.
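Claims 2, 4 and 5 describe the second phase, which runs only after the certificate authentication has passed: the server generates an encryption key, wraps it with the public key from the personal digital certificate, and the terminal has the card unwrap it, encrypts the application password under it, and sends that to the server for verification. The following is an added example of that exchange, not code from the patent. The patent fixes no algorithms, so RSA-OAEP for wrapping the key, AES-256-GCM for the password, a SHA-256 digest as the server's stored password record and the function names are all assumptions; a freshly generated RSA pair stands in for the pair the CA provisioned on the card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// IssueSessionKey is the server side after authentication passed: a fresh key is generated and
// wrapped with the public key from the user's personal digital certificate.
func IssueSessionKey(certPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32) // AES-256 key
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, certPub, key, nil)
	return key, wrapped, err
}

// EncryptPassword is the mobile side: the card unwraps the key with its private key (the only
// use of that key here) and the terminal encrypts the entered application password with it.
func EncryptPassword(cardPriv *rsa.PrivateKey, wrapped []byte, password string) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(password), nil), nil // nonce || ciphertext || tag
}

// VerifyPassword is the server side: decrypt the application password with the session key and
// compare it with the stored record. A modified ciphertext fails the AEAD tag check before any
// comparison happens, and the comparison itself is constant-time.
func VerifyPassword(key, ciphertext []byte, storedHash [32]byte) (bool, error) {
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return false, errors.New("ciphertext too short")
	}
	pw, err := aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
	if err != nil {
		return false, errors.New("password ciphertext rejected")
	}
	got := sha256.Sum256(pw)
	return subtle.ConstantTimeCompare(got[:], storedHash[:]) == 1, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RunPasswordPhase exercises the whole exchange. The generated RSA pair stands in for the
// card's provisioned pair, and the SHA-256 digest stands in for the server's password store
// (a real store would use a slow, salted password hash).
func RunPasswordPhase(registered, attempt string) (bool, error) {
	cardPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	key, wrapped, err := IssueSessionKey(&cardPriv.PublicKey)
	if err != nil {
		return false, err
	}
	ct, err := EncryptPassword(cardPriv, wrapped, attempt)
	if err != nil {
		return false, err
	}
	return VerifyPassword(key, ct, sha256.Sum256([]byte(registered)))
}

func main() {
	fmt.Println(RunPasswordPhase("correct horse", "correct horse")) // constructed sample password
	fmt.Println(RunPasswordPhase("correct horse", "wrong attempt"))
}
```

Because the session key is wrapped to the certificate's public key, only the holder of the matching card can recover it, which is what ties the password step to the identity authenticated in the first phase; the server should also discard the key once the verification result has been sent, so that a captured ciphertext cannot be presented again under the same key.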
PCT/CN2016/075243 2015-08-21 2016-03-01 User authentication method and apparatus WO2016177052A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510519150.8A CN106470201A (en) 2015-08-21 2015-08-21 A kind of user authen method and device
CN201510519150.8 2015-08-21

Publications (1)

Publication Number Publication Date
WO2016177052A1 true WO2016177052A1 (en) 2016-11-10

Family

ID=57217364

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/075243 WO2016177052A1 (en) 2015-08-21 2016-03-01 User authentication method and apparatus

Country Status (2)

Country Link
CN (1) CN106470201A (en)
WO (1) WO2016177052A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412812A (en) * 2018-08-29 2019-03-01 中国建设银行股份有限公司 Data safe processing system, method, apparatus and storage medium
CN111625804A (en) * 2020-05-22 2020-09-04 浙江大华技术股份有限公司 Login method and device
CN111954211A (en) * 2020-09-07 2020-11-17 北京计算机技术及应用研究所 Novel authentication key negotiation system of mobile terminal
CN112202556A (en) * 2020-10-30 2021-01-08 联通物联网有限责任公司 Security authentication method, device and system
CN112836206A (en) * 2019-11-22 2021-05-25 腾讯科技(深圳)有限公司 Login method, device, storage medium and computer equipment
CN113132976A (en) * 2021-05-11 2021-07-16 国网信息通信产业集团有限公司 Differential protection method and system for distributed wireless communication power distribution network
CN113472720A (en) * 2020-03-31 2021-10-01 山东云海安全认证服务有限公司 Digital certificate key processing method and device, terminal equipment and storage medium
CN113541935A (en) * 2021-06-08 2021-10-22 西安电子科技大学 Encryption cloud storage method, system, equipment and terminal supporting key escrow
CN113886860A (en) * 2021-12-06 2022-01-04 山东确信信息产业股份有限公司 Electronic data security system and method based on mobile terminal
CN115913579A (en) * 2023-02-21 2023-04-04 飞天诚信科技股份有限公司 Registration application method and device of smart card certificate

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106792677A (en) * 2017-03-28 2017-05-31 浙江神州量子网络科技有限公司 A kind of authentication method and Verification System of mobile terminal binding pertinent service
CN107094156B (en) * 2017-06-21 2020-02-28 北京明朝万达科技股份有限公司 Secure communication method and system based on P2P mode
CN107332667A (en) * 2017-07-04 2017-11-07 四川云物益邦科技有限公司 A kind of inquiry system of use digital certificate
CN108390758B (en) * 2018-04-04 2022-02-22 广州赛姆科技资讯股份有限公司 User password processing method and device and internal control security monitoring system
CN110932858B (en) * 2018-09-19 2023-05-02 阿里巴巴集团控股有限公司 Authentication method and system
CN109756485B (en) * 2018-12-14 2022-11-18 平安科技(深圳)有限公司 Electronic contract signing method, electronic contract signing device, computer equipment and storage medium
CN109657454B (en) * 2018-12-20 2021-08-17 成都三零瑞通移动通信有限公司 Trusted verification method for android application based on TF (TransFlash) cryptographic module
CN110505199A (en) * 2019-07-05 2019-11-26 南京航空航天大学 Email safe login method based on the asymmetric identity of lightweight
CN110324361A (en) * 2019-08-05 2019-10-11 中国工商银行股份有限公司 The method, apparatus of authentification of message calculates equipment and medium
CN114390524A (en) * 2021-12-22 2022-04-22 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030115468A1 (en) * 2001-12-19 2003-06-19 Aull Kenneth W. Assignment of user certificates/private keys in token enabled public key infrastructure system
CN101465019A (en) * 2009-01-14 2009-06-24 北京华大智宝电子系统有限公司 Method and system for implementing network authentication
CN101931532A (en) * 2009-09-08 2010-12-29 北京握奇数据系统有限公司 Telecommunication smart card-based digital certificate management method and telecommunication smart card
CN102523095A (en) * 2012-01-12 2012-06-27 公安部第三研究所 User digital certificate remote update method with intelligent card protection function
US8392703B2 (en) * 2009-06-16 2013-03-05 Ares International Corporation Electronic signature verification method implemented by secret key infrastructure
CN103164738A (en) * 2013-02-06 2013-06-19 厦门盛华电子科技有限公司 Mobile phone user identification card based on mobile payment multichannel digital certificate

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1323508C (en) * 2003-12-17 2007-06-27 上海市高级人民法院 A Single Sign On method based on digital certificate
US7810143B2 (en) * 2005-04-22 2010-10-05 Microsoft Corporation Credential interface
CN102006306B (en) * 2010-12-08 2013-07-31 高新兴科技集团股份有限公司 Security authentication method for WEB service
CN104253801B (en) * 2013-06-28 2017-09-22 中国电信股份有限公司 Realize the methods, devices and systems of login authentication
CN103716794A (en) * 2013-12-25 2014-04-09 北京握奇数据系统有限公司 Two-way safety verification method and system based on portable device
CN104113556A (en) * 2014-07-31 2014-10-22 国家超级计算深圳中心(深圳云计算中心) Network logon authentication method and system, mobile terminal and application server
CN105101205B (en) * 2015-06-19 2018-12-18 广州密码科技有限公司 A kind of a key login authentication method, apparatus and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030115468A1 (en) * 2001-12-19 2003-06-19 Aull Kenneth W. Assignment of user certificates/private keys in token enabled public key infrastructure system
CN101465019A (en) * 2009-01-14 2009-06-24 北京华大智宝电子系统有限公司 Method and system for implementing network authentication
US8392703B2 (en) * 2009-06-16 2013-03-05 Ares International Corporation Electronic signature verification method implemented by secret key infrastructure
CN101931532A (en) * 2009-09-08 2010-12-29 北京握奇数据系统有限公司 Telecommunication smart card-based digital certificate management method and telecommunication smart card
CN102523095A (en) * 2012-01-12 2012-06-27 公安部第三研究所 User digital certificate remote update method with intelligent card protection function
CN103164738A (en) * 2013-02-06 2013-06-19 厦门盛华电子科技有限公司 Mobile phone user identification card based on mobile payment multichannel digital certificate

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412812A (en) * 2018-08-29 2019-03-01 中国建设银行股份有限公司 Data safe processing system, method, apparatus and storage medium
CN109412812B (en) * 2018-08-29 2021-12-03 中国建设银行股份有限公司 Data security processing system, method, device and storage medium
CN112836206A (en) * 2019-11-22 2021-05-25 腾讯科技(深圳)有限公司 Login method, device, storage medium and computer equipment
CN113472720A (en) * 2020-03-31 2021-10-01 山东云海安全认证服务有限公司 Digital certificate key processing method and device, terminal equipment and storage medium
CN113472720B (en) * 2020-03-31 2024-02-06 山东云海安全认证服务有限公司 Digital certificate key processing method, device, terminal equipment and storage medium
CN111625804A (en) * 2020-05-22 2020-09-04 浙江大华技术股份有限公司 Login method and device
CN111625804B (en) * 2020-05-22 2023-08-11 浙江大华技术股份有限公司 Login method and device
CN111954211A (en) * 2020-09-07 2020-11-17 北京计算机技术及应用研究所 Novel authentication key negotiation system of mobile terminal
CN111954211B (en) * 2020-09-07 2023-05-02 北京计算机技术及应用研究所 Novel authentication key negotiation system of mobile terminal
CN112202556B (en) * 2020-10-30 2023-07-04 联通物联网有限责任公司 Security authentication method, device and system
CN112202556A (en) * 2020-10-30 2021-01-08 联通物联网有限责任公司 Security authentication method, device and system
CN113132976A (en) * 2021-05-11 2021-07-16 国网信息通信产业集团有限公司 Differential protection method and system for distributed wireless communication power distribution network
CN113132976B (en) * 2021-05-11 2022-08-12 国网信息通信产业集团有限公司 Differential protection method and system for distributed wireless communication power distribution network
CN113541935A (en) * 2021-06-08 2021-10-22 西安电子科技大学 Encryption cloud storage method, system, equipment and terminal supporting key escrow
CN113541935B (en) * 2021-06-08 2022-06-03 西安电子科技大学 Encryption cloud storage method, system, equipment and terminal supporting key escrow
CN113886860A (en) * 2021-12-06 2022-01-04 山东确信信息产业股份有限公司 Electronic data security system and method based on mobile terminal
CN115913579B (en) * 2023-02-21 2023-06-13 飞天诚信科技股份有限公司 Registration application method and device for smart card certificate
CN115913579A (en) * 2023-02-21 2023-04-04 飞天诚信科技股份有限公司 Registration application method and device of smart card certificate

Also Published As

Publication number Publication date
CN106470201A (en) 2017-03-01

Similar Documents

Publication Publication Date Title
WO2016177052A1 (en) User authentication method and apparatus
CN109088889B (en) SSL encryption and decryption method, system and computer readable storage medium
US9231925B1 (en) Network authentication method for secure electronic transactions
US8532620B2 (en) Trusted mobile device based security
KR101265873B1 (en) Distributed single sign-on service
JP5619019B2 (en) Method, system, and computer program for authentication (secondary communication channel token-based client-server authentication with a primary authenticated communication channel)
JP4746333B2 (en) Efficient and secure authentication of computing systems
US8214890B2 (en) Login authentication using a trusted device
US8719952B1 (en) Systems and methods using passwords for secure storage of private keys on mobile devices
US8112787B2 (en) System and method for securing a credential via user and server verification
EP2289220B1 (en) Network helper for authentication between a token and verifiers
EP2316097B1 (en) Protocol for device to station association
US9197420B2 (en) Using information in a digital certificate to authenticate a network of a wireless access point
WO2019020051A1 (en) Method and apparatus for security authentication
US20130145447A1 (en) Cloud-based data backup and sync with secure local storage of access keys
CN109728909A (en) Identity identifying method and system based on USBKey
US20030070068A1 (en) Method and system for providing client privacy when requesting content from a public server
US8397281B2 (en) Service assisted secret provisioning
TWI632798B (en) Server, mobile terminal, and network real-name authentication system and method
JP2001186122A (en) Authentication system and authentication method
CN114513339A (en) Security authentication method, system and device
Rana et al. Computational efficient authenticated digital content distribution frameworks for DRM systems: Review and outlook
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
JP2024501326A (en) Access control methods, devices, network equipment, terminals and blockchain nodes
Culnane et al. Formalising Application-Driven Authentication & Access-Control based on Users’ Companion Devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16789046

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16789046

Country of ref document: EP

Kind code of ref document: A1