WO2017186100A1 - 身份认证方法、系统及设备 - Google Patents

身份认证方法、系统及设备 Download PDF

Info

Publication number
WO2017186100A1
WO2017186100A1 PCT/CN2017/081894 CN2017081894W WO2017186100A1 WO 2017186100 A1 WO2017186100 A1 WO 2017186100A1 CN 2017081894 W CN2017081894 W CN 2017081894W WO 2017186100 A1 WO2017186100 A1 WO 2017186100A1
Authority
WO
WIPO (PCT)
Prior art keywords
party application
hardware
request
smart hardware
information
Prior art date
Application number
PCT/CN2017/081894
Other languages
English (en)
French (fr)
Inventor
刘文清
申子熹
王强
Original Assignee
腾讯科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司 filed Critical 腾讯科技(深圳)有限公司
Priority to US15/771,511 priority Critical patent/US10637668B2/en
Publication of WO2017186100A1 publication Critical patent/WO2017186100A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the embodiments of the present invention relate to the field of Internet technologies, and in particular, to an identity authentication method, system, and device.
  • Identity authentication also known as “authentication” or “identification” refers to the process of confirming the identity of an operator in a computer and computer network system, that is, determining whether the user has access to and use of a certain resource to make the computer And the network system's access policy can be executed reliably and effectively, preventing the attacker from impersonating the legitimate user's access to the resource, ensuring the security of the system and data, and the process of authorizing the legitimate interests of the visitor. For example, for a login operation, the user can enter a user account and password in the corresponding input box to complete the login process; for example, for the payment operation, the user can enter a payment password in the corresponding input box to complete the payment process.
  • the existing identity authentication method requires the user to manually input related information (such as a user account and password) for identity authentication, the operation is more complicated and inefficient when the user performs network operations requiring identity authentication.
  • the embodiment of the present invention provides an authentication method. , systems and equipment.
  • the technical solution is as follows:
  • an identity authentication method comprising:
  • the third-party application client After obtaining the operation instruction for requesting the execution of the target operation, the third-party application client sends an operation request to the third-party application server, where the operation request is used to request the third-party application server Performing the target operation;
  • the third-party application server requests the information to be signed from the authentication server, and the third-party application client forwards the to-be-signed information to the smart hardware.
  • the smart hardware uses the application private key corresponding to the third-party application to sign the to-be-signed information, obtains a first signature result, and sequentially uses the third-party application client and the third-party application server to a signature result is transparently transmitted to the authentication server;
  • the authentication server uses the application public key corresponding to the third-party application to verify whether the first signature result is correct, and if the first signature result is correct, sends an authentication success indication to the third-party application server;
  • the third-party application server performs the target operation after receiving the verification success indication.
  • an identity authentication method is provided, which is applied to a third-party application client, and the method includes:
  • the third-party application server Transmitting, by the third-party application server, the first signature result to the authentication server, so that the authentication server uses the application public key corresponding to the third-party application to verify whether the first signature result is correct, and If the first signature result is correct, the verification success indication is sent to the third-party application server to trigger the third-party application server to perform the target operation.
  • the third aspect provides an identity authentication method, which is applied to a third-party application server, where the method includes:
  • the target operation is performed after receiving the verification success indication.
  • an identity authentication method is provided, which is applied to intelligent hardware, where the method includes:
  • the third-party application client sends to the third-party application server after obtaining an operation instruction for requesting execution of the target operation, where the operation request is used to request the third-party application server to perform the target operation;
  • a fifth aspect provides an identity authentication method, which is applied to an authentication server, where the method includes:
  • the third-party application server After receiving the authentication request sent by the third-party application server, sending the to-be-signed information to the third-party application server, where the authentication request is received by the third-party application server, and the operation request sent by the third-party application client is received. And then sent to the authentication server, where the operation request is sent by the third-party application client to the third-party application server after acquiring an operation indication for requesting execution of the target operation, where the operation request is used to request the location
  • the third-party application server performs the target operation;
  • the first signature result is used by the smart hardware to receive the to-be-signed information sent by the third-party application server, and the application private key pair corresponding to the third-party application is used. Reporting the signature information for signature;
  • a sixth aspect provides an identity authentication system, where the system includes: a third-party application client, a third-party application server, an intelligent hardware, and an authentication server;
  • the third-party application client is configured to send an operation request to the third-party application server after acquiring an operation instruction for requesting execution of the target operation, where the operation request is used to request the third-party application server to execute the operation Target operation
  • the third-party application server is configured to request the information to be signed from the authentication server, and forward the information to be signed to the smart hardware by using the third-party application client;
  • the smart hardware is configured to sign the to-be-signed information by using an application private key corresponding to the third-party application, to obtain a first signature result, and sequentially pass the third-party application client and the third-party application server Transmitting the first signature result to the authentication server;
  • the authentication server is configured to verify whether the first signature result is correct by using an application public key corresponding to the third-party application, and if the first signature result is correct, send an verification success indication to the third-party application server;
  • the third-party application server is further configured to perform the target operation after receiving the verification success indication.
  • a third-party application client includes:
  • a first request sending module configured to send an operation request to the third-party application server after the operation instruction for requesting the execution of the target operation is acquired, where the operation request is used to request the third-party application server to perform the target operation;
  • a first information receiving module configured to receive information to be signed sent by the third-party application server, where the information to be signed is requested by the third-party application server from the authentication server after receiving the operation request;
  • a first information sending module configured to forward the to-be-signed information to the smart hardware
  • a first result receiving module configured to receive a first signature result sent by the smart hardware, where the first signature result is used by the smart hardware to use the application private key corresponding to the third-party application
  • the name information is obtained after signing
  • a first transparent transmission module configured to transparently transmit the first signature result to the authentication server by using the third-party application server, so that the authentication server uses the application public key corresponding to the third-party application to verify the first Whether the signature result is correct, and if the first signature result is correct, sending an authentication success indication to the third-party application server to trigger the third-party application server to perform the target operation.
  • a third-party application server includes:
  • a second request receiving module configured to receive an operation request sent by a third-party application client, where the operation request is applied by the third-party application client to the third-party application after obtaining an operation instruction for requesting execution of a target operation Sending by the server, the operation request is used to request the third-party application server to perform the target operation;
  • An information obtaining module configured to request, from an authentication server, information to be signed
  • An information forwarding module configured to forward the to-be-signed information to the smart hardware by using the third-party application client;
  • a second result receiving module configured to receive a first signature result sent by the third-party application client, where the first signature result is signed by the smart hardware by using an application private key corresponding to the third-party application The information is obtained after being signed, and sent by the smart hardware to the third-party application client;
  • a third transparent transmission module configured to transparently transmit the first signature result to the authentication server
  • an indication receiving module configured to receive an authentication success indication sent by the authentication server, where the verification success indication is sent by the authentication server by using an application public key corresponding to the third-party application to verify that the first signature result is correct ;
  • a first operation execution module configured to perform the target operation after receiving the verification success indication.
  • an intelligent hardware comprising:
  • the fourth information receiving module is configured to receive the information to be signed sent by the third-party application client, where the information to be signed is obtained by the third-party application server after receiving the operation request sent by the third-party application client, and is obtained from the authentication server.
  • the operation request is sent by the third-party application client to the third-party application server after acquiring an operation indication for requesting execution of a target operation, the operation request for requesting the third-party application server to perform the Target operation
  • a first information signing module configured to use the application private key corresponding to the third-party application to sign the to-be-signed The name information is signed to obtain the first signature result
  • a fifth transparent transmission module configured to transparently transmit the first signature result to the authentication server by using the third-party application client and the third-party application server, so that the authentication server adopts the third-party Applying the corresponding application public key to verify whether the first signature result is correct, and if the first signature result is correct, sending an authentication success indication to the third-party application server to trigger the third-party application server to execute the The target operation.
  • an authentication server includes:
  • a third information sending module configured to send, to the third-party application server, information to be signed after receiving the authentication request sent by the third-party application server, where the authentication request is received by the third-party application server
  • the operation request is sent by the third-party application client to the third-party application server after obtaining an operation instruction for requesting execution of the target operation.
  • the operation request is used to request the third-party application server to perform the target operation;
  • a third result receiving module configured to receive, by the smart hardware, a first signature result transparently transmitted by the third-party application client and the third-party application server, where the first signature result is received by the smart hardware After the information to be signed sent by the third-party application server is used, the information to be signed is obtained by using the application private key corresponding to the third-party application;
  • a first result verification module configured to verify whether the first signature result is correct by using an application public key corresponding to the third-party application
  • a sending module configured to send an authentication success indication to the third-party application server to trigger the third-party application server to perform the target operation, if the first signature result is correct.
  • a third-party application client includes:
  • One or more processors are One or more processors.
  • the memory stores one or more programs, the one or more programs being configured to be executed by the one or more processors, the one or more programs including instructions for:
  • the third-party application server Transmitting, by the third-party application server, the first signature result to the authentication server, so that the authentication server uses the application public key corresponding to the third-party application to verify whether the first signature result is correct, and If the first signature result is correct, the verification success indication is sent to the third-party application server to trigger the third-party application server to perform the target operation.
  • a third-party application server includes:
  • One or more processors are One or more processors.
  • the memory stores one or more programs, the one or more programs being configured to be executed by the one or more processors, the one or more programs including instructions for:
  • the target operation is performed after receiving the verification success indication.
  • an intelligent hardware comprising:
  • One or more processors are One or more processors.
  • the memory stores one or more programs, the one or more programs being configured to be executed by the one or more processors, the one or more programs including instructions for:
  • Receiving to-be-signed information sent by a third-party application client, where the information to be signed is used by a third-party application And obtaining, by the server, an authentication server, after receiving the operation request sent by the third-party application client, the operation request is sent by the third-party application client after acquiring an operation instruction for requesting execution of the target operation
  • the third party application server sends, the operation request is used to request the third-party application server to perform the target operation;
  • an authentication server comprising:
  • One or more processors are One or more processors.
  • the memory stores one or more programs, the one or more programs being configured to be executed by the one or more processors, the one or more programs including instructions for:
  • the third-party application server After receiving the authentication request sent by the third-party application server, sending the to-be-signed information to the third-party application server, where the authentication request is received by the third-party application server, and the operation request sent by the third-party application client is received. And then sent to the authentication server, where the operation request is sent by the third-party application client to the third-party application server after acquiring an operation indication for requesting execution of the target operation, where the operation request is used to request the location
  • the third-party application server performs the target operation;
  • the smart hardware Receiving, by the smart hardware, the first signature result transparently transmitted by the third-party application client and the third-party application server, where the first signature result is received by the smart hardware after receiving the third-party application server After the signature information is described, the information to be signed is obtained by using an application private key corresponding to the third-party application;
  • the first signature result is obtained by signing the signature information by the intelligent hardware, and the authentication server is verifying If the first signature result is correct, the third-party application server is instructed to perform the target operation; the existing identity authentication mode is required to manually input the related information for the identity authentication, thereby causing the user to operate when performing network operations requiring identity authentication. More complicated and inefficient problems; because the identity authentication is implemented by intelligent hardware, the user does not need to manually input relevant information for identity authentication, so that the user is more convenient and efficient when performing network operations requiring identity authentication.
  • FIG. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention.
  • FIG. 2 is a flowchart of an identity authentication method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of an identity authentication method according to another embodiment of the present invention.
  • FIG. 4 is a flowchart of an identity authentication method according to another embodiment of the present invention.
  • FIG. 5 is a flowchart of an identity authentication method according to another embodiment of the present invention.
  • FIG. 6 is a flowchart of a registration binding method according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of a registration binding method according to another embodiment of the present invention.
  • FIG. 8 is a flowchart of a logout method according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of a method for unbinding according to an embodiment of the present invention.
  • FIG. 10 is a flowchart of a method for unbinding according to another embodiment of the present invention.
  • FIG. 11 is a flowchart of a method for reporting loss according to an embodiment of the present invention.
  • FIG. 12 is a flowchart of a method for reporting loss according to another embodiment of the present invention.
  • FIG. 13 is a block diagram of an identity authentication system according to an embodiment of the present invention.
  • FIG. 14 is a block diagram of a third-party application client according to an embodiment of the present invention.
  • FIG. 15 is a block diagram of a third-party application server according to an embodiment of the present invention.
  • 16 is a block diagram of intelligent hardware provided by an embodiment of the present invention.
  • FIG. 17 is a block diagram of an authentication server according to an embodiment of the present invention.
  • FIG. 18 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
  • FIG. 19 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention.
  • the implementation environment includes: an intelligent hardware 120 , a third-party application client 140 , a third-party application server 160 , and an authentication server 180 .
  • the intelligent hardware 120 is a hardware device having a digital signature and a key management function for providing identity authentication.
  • the intelligent hardware 120 generally adopts a Bluetooth or NFC (Near Field Communication) interface.
  • the smart hardware 120 can be a wearable device such as a smart bracelet, a smart watch, or the like.
  • the third-party application client 140 may also be referred to as a third-party application middleware, and refers to a driver or a control carried by a third-party APP (Application).
  • the third-party application client 140 is the main portal for user login and authentication.
  • the third party application client 140 may be provided by a system platform or by a third party application.
  • the third-party application client 140 can be used to provide the following services: 1. registration application and login of a user account in a third-party application; 2. recording a default authentication mode of the user; 3. remotely viewing the payment record; 4. managing the authorized intelligence. Hardware 120.
  • the third party application client 140 can be installed to run in a terminal such as a mobile phone or a tablet.
  • the third-party application server 160 is a background management system that is owned or newly created by the third-party application client 140 and is responsible for data forwarding or routing between the third-party application client 140 and the authentication server 180.
  • the third party application server 160 may be provided by a system platform or by a third party application.
  • the third-party application server 160 can be used to provide the following services: 1. Forwarding messages between the third-party application client 140 and the authentication server 180; 2. Managing user accounts in third-party applications, including maintaining account status (such as deactivating, logging out) 3.), processing the data returned by the authentication server 180; 4, valid authentication data storage.
  • the authentication server 180 is configured to provide a set of configuration options to the authenticated party (ie, the smart hardware 120, the third-party application client 140, and the third-party application server 160), and the authenticated party can manage and apply the account through the setting of the relevant protocol. Relevant parameters.
  • Authentication server 180 can be a cloud platform server. In order to maintain consistency in the user experience, the authentication server 180 should support the necessary functions, including: registration binding, login, payment, unbinding, and loss reporting.
  • the authentication server 180 can implement the following functions: 1.
  • the smart hardware 120 registers the binding; 2.
  • the authentication and authorization are authenticated; 3.
  • the key information is securely stored; 4.
  • the intelligent hard The identification of the piece 120 is issued; 5, multi-application management; 6, state management and remote configuration of the intelligent hardware 120.
  • the smart hardware 120 can communicate with a third party application client 140 via a short range wireless communication technology such as Bluetooth, NFC, and the third party application client 140 communicates with the third party application server 160 over a wireless or wired network, a third party application Server 160 communicates with authentication server 180 over a wireless or wired network.
  • a short range wireless communication technology such as Bluetooth, NFC
  • the third party application client 140 communicates with the third party application server 160 over a wireless or wired network
  • a third party application Server 160 communicates with authentication server 180 over a wireless or wired network.
  • a hardware certificate is a unique digital certificate used to identify the identity of a smart hardware.
  • the hardware certificate can conform to the DER (Distinguished Encoding Rules) encoding format of the X.509 standard.
  • Each intelligent hardware writes the corresponding hardware certificate when it is pre-personalized.
  • a hardware certificate is a certificate issued by a CA (Certification Authority) of a certificate server using a system root certificate and stored in intelligent hardware to ensure the authenticity of the smart hardware.
  • the intelligent hardware generates the hardware public key, the hardware private key, and the identifier of the intelligent hardware at the time of production.
  • the hardware hardware hardware certificate can also be pre-planted into the intelligent hardware during the production of intelligent hardware, including the hardware public key and the identification of the intelligent hardware.
  • the identification of the intelligent hardware can also be referred to as a hardware serial number, which can be represented by an H-ID.
  • the identification of the intelligent hardware is used to uniquely identify the intelligent hardware that is pre-planted into the intelligent hardware when the smart hardware is shipped.
  • the identification of the intelligent hardware is 16 bits in the following format:
  • the first to second digits are the product model, indicating the product type of the intelligent hardware, ranging from "01" to "99";
  • the third to fourth digits are the manufacturer number, indicating the number of the manufacturer of the intelligent hardware, ranging from “01" to "99";
  • the fifth to sixth digits are the year of production, taking the last two digits of the natural year, such as: in 2016, the value is "16";
  • the 7th to 8th digits are production months, ranging from “01” to “12”;
  • the 9th to 16th digits are natural serial numbers ranging from “00000001” to “99999999”, which meets the monthly production capacity of 100 million units.
  • the application key index is generated by intelligent hardware and is used to index the application key generated internally by the intelligent hardware.
  • the application key index can be represented by Keyhandle, which can vary in length from 0x00 to 0xff.
  • the application key index is generated when registering the user account registered in the third-party application, and is in the process of login, payment, etc. Intelligent hardware for verification.
  • the identifier of the third-party application is used to uniquely identify the third-party application, and refers to the identifier of different types of applications provided by the application, which can be represented by AppID.
  • FIG. 2 shows a flowchart of an identity authentication method provided by an embodiment of the present invention, which may be used in the implementation environment shown in FIG. 1.
  • the method can include the following steps.
  • Step 201 After obtaining the operation indication for requesting the execution of the target operation, the third-party application client sends an operation request to the third-party application server, where the operation request is used to request the third-party application server to perform the target operation.
  • the third-party application server receives an operation request sent by the third-party application client.
  • Step 202 The third-party application server requests the information to be signed from the authentication server.
  • Step 203 The third-party application server forwards the to-be-signed information to the smart hardware through the third-party application client.
  • the intelligent hardware receives the to-be-signed information forwarded by the third-party application server through the third-party application client.
  • Step 204 The intelligent hardware uses the application private key corresponding to the third-party application to sign the signature information, and obtains the first signature result.
  • Step 205 The intelligent hardware sequentially transmits the first signature result to the authentication server through the third-party application client and the third-party application server.
  • the authentication server receives the first signature result transparently transmitted by the intelligent hardware through the third-party application client and the third-party application server.
  • Step 206 The authentication server uses the application public key corresponding to the third-party application to verify whether the first signature result is correct.
  • Step 207 If the first signature result is correct, the authentication server sends an authentication success indication to the third-party application server.
  • the third-party application server receives the verification success indication sent by the authentication server.
  • Step 208 After receiving the verification success indication, the third-party application server performs the target operation.
  • the method provided in this embodiment obtains a first signature result by using the intelligent hardware to sign the signature information, and the authentication server instructs the third-party application server to perform the target operation when verifying that the first signature result is correct;
  • Some authentication methods require the user to manually enter for identification.
  • the related information of the certificate thus causing the user to operate more complicated and inefficient when performing network operations requiring identity authentication; since the identity authentication is implemented by the intelligent hardware, the user does not need to manually input relevant information for identity authentication, so that the user needs to perform Identity-certified network operations are more convenient and efficient.
  • the registration binding process needs to be completed to establish a binding relationship between the intelligent hardware and the user account of the third-party application.
  • the specific process of registering the binding process can be referred to the description and description in the embodiment shown in FIG. 6 and FIG. 7 below.
  • the intelligent hardware In the registration binding process, the intelligent hardware generates an application public key and an application private key corresponding to the third-party application, sends the application public key to the authentication server, and saves the application private key locally.
  • the intelligent hardware further generates an application key index, where the application key index is used to index the application public key and the application private key corresponding to the third-party application.
  • the intelligent hardware stores the binding relationship between the application private key corresponding to the third-party application and the application key index.
  • the authentication server stores a first binding relationship, where the first binding relationship includes at least an identifier of the smart hardware, a binding relationship between the user account and the application public key corresponding to the third-party application.
  • the first binding relationship further includes an application key index.
  • the identifier of the third-party application is also included in the first binding relationship.
  • the third binding relationship is stored in the third-party application server, and the second binding relationship includes at least the binding relationship between the identifier of the smart hardware and the user account.
  • the second binding relationship further includes an application key index.
  • FIG. 3 is a flowchart of an identity authentication method according to another embodiment of the present invention, which may be used in the implementation environment shown in FIG. 1.
  • the method can include the following steps.
  • Step 301 After obtaining the operation instruction for requesting the execution of the target operation, the third-party application client sends an operation request to the third-party application server.
  • the operation request is used to request a third-party application server to perform a target operation.
  • Target operations are network operations that require user authentication.
  • the target operation is a login operation or a payment operation.
  • the login operation refers to the user account registered by the login user in the third-party application;
  • the payment operation refers to the network payment to the target object through the third-party application.
  • the third-party application can be triggered by an operation.
  • the account display verification mode selection interface wherein the verification mode selection interface can display the smart hardware verification option and the password verification option, and the user can select the corresponding verification mode according to his own needs.
  • the third-party application client detects the selection instruction of the smart hardware verification option, an operation instruction for requesting the execution of the target operation may be acquired, and then, the operation request may be sent to the third-party application server. That is, the above-described operation indication for requesting execution of the target operation is triggered by the user.
  • the user clicks the first operation control in the login interface provided by the third-party application client, and triggers the third-party application client to obtain an operation instruction for requesting to perform the login operation; for example, the user provides the third-party application client.
  • Clicking the second operation control in the payment interface triggers the third-party application client to obtain an operation instruction for requesting to perform the payment operation.
  • the operation request sent by the third-party client to the third-party application server may also carry the identifier of the smart hardware, and correspondingly, the processing procedure may be as follows: the third-party application client is After obtaining the operation indication for requesting to perform the login operation, the identifier may be sent to the smart hardware, where the identifier is used to request the identifier of the smart hardware, and the smart hardware receives the identifier acquisition request sent by the third-party application client.
  • the identifier of the intelligent hardware may be sent to the third-party application client; the third-party application client may receive the identifier of the intelligent hardware sent by the intelligent hardware, and send a login request to the third-party application server, where the login request includes the login request information and the intelligent hardware.
  • logo The login request information is used to request the third-party application server to log in to the target user account in the third-party application, where the target user account is a user account bound to the identifier of the smart hardware in the third-party application.
  • the third-party application client may send a payment request to the third-party application server after obtaining the operation instruction for requesting to perform the payment operation, where the payment request includes payment request information,
  • the payment request information is used to request the third party application server to complete the payment process of the target order, which is an order that has been generated and sent to the third party application server before the request to perform the payment operation.
  • the third-party application server After receiving the operation request sent by the third-party application client, the third-party application server requests to obtain the information to be signed from the authentication server, which includes the following steps 302 to 306.
  • Step 302 The third-party application server acquires the identifier of the smart hardware.
  • the identifier of the intelligent hardware may be provided by the third-party application client to the third-party application server.
  • the third-party application client may obtain the identifier of the smart hardware from the smart hardware after obtaining the operation instruction for requesting to perform the login operation, and then send the identifier to the third-party application server.
  • Smart hardware standard After the third-party application server receives the login request sent by the third-party client, the third-party application server can parse the login request, thereby obtaining the identifier of the intelligent hardware.
  • the target operation is a payment operation
  • the user account in the third-party application client is already in the login state, and the third-party application server can obtain the binding with the currently logged-in user account according to the second binding relationship stored in advance.
  • the second binding relationship is stored in the registration binding process by the third-party application server.
  • the registration binding process is described and illustrated below.
  • the identifier of the intelligent hardware may also be provided by the third-party application client to the third-party application server, for example, carrying the identifier of the smart hardware in the payment request.
  • Step 303 The third-party application server sends an authentication request to the authentication server.
  • the authentication request includes at least an authentication request information and an identifier of the intelligent hardware, and the authentication request information is used to request the authentication server to generate the to-be-signed information.
  • the identifier of the third-party application is also included in the authentication request. Since an intelligent hardware can be bound to a plurality of different third-party applications, that is, to user accounts in a plurality of different third-party applications, the third-party application server identifies the third-party application in order to distinguish the third-party applications. Add to the authentication request.
  • the order information is further included in the authentication request.
  • the order information may include an order number and transaction key information such as transaction amount, merchant name, transaction time, item name, item quantity, and the like.
  • the authentication server receives the authentication request sent by the third-party application server.
  • the third binding relationship between the identifier of the smart hardware and the user account of the third-party application may be pre-stored in the third-party application server.
  • the third-party application server obtains the hardware identifier of the smart hardware, it can determine whether the second binding relationship includes the binding relationship between the smart hardware identifier and the user account of the third-party application, if the smart hardware identifier is stored and The binding relationship of the user account of the third-party application, the third-party application server may send an authentication request to the authentication server.
  • Step 304 The authentication server acquires an available state of the smart hardware according to the identifier of the smart hardware.
  • Available states can include a bound state, an unbound state, and a lost state.
  • the binding state refers to the user account in the third-party application that is currently associated with the identity of the smart hardware.
  • the unbound state refers to the user account in the third-party application that is not currently associated with the identity of the smart hardware.
  • the report status is the user account in all third-party applications that are not currently associated with the identity of the smart hardware. If the available state of the intelligent hardware is the bound state, it can indicate wisdom. The hardware is available; if the available state of the intelligent hardware is unbound or lost, the smart hardware is indicated as unavailable.
  • Step 305 If the available state of the smart hardware indicates that the smart hardware is available, the authentication server generates the to-be-signed information.
  • the information to be signed includes a challenge parameter, where the challenge random number may be any preset number, or may be any number randomly generated by the authentication server according to a preset rule.
  • the information to be signed further includes an application parameter, and the application parameter corresponds to the third-party application.
  • the information to be signed may include a challenge random number and an application parameter.
  • the information to be signed may include challenge random numbers, application parameters, order information, time stamps, and the like.
  • Step 306 The authentication server sends the to-be-signed information to the third-party application server.
  • the third-party application server receives the information to be signed sent by the authentication server.
  • the authentication server does not perform any operation or sends feedback information indicating that the smart hardware is unavailable to the third party application server.
  • the authentication server does not perform any operation.
  • the authentication server does not receive the to-be-signed information within the preset duration after the authentication request is sent, The client can be fed back to the third party application failure indication.
  • the authentication server sends a feedback information indicating that the smart hardware is unavailable to the third-party application server, and the third-party application server may apply to the third-party application after receiving the feedback information.
  • the client feedback failure indication is the available state of the intelligent hardware indicates that the smart hardware is not available.
  • the third-party application client may send a prompt signal indicating that the target operation fails according to the preset prompt manner, wherein the prompt signal may be sent in the form of text, or the prompt signal may be sent in the form of voice, or may be passed.
  • the vibration form emits a prompt signal (wherein, the vibration prompt signal may be issued according to the preset vibration intensity and the number of vibrations, or the vibration prompt signal may be issued according to the preset vibration intensity, the number of vibrations, and the change trend of the vibration intensity).
  • Step 307 The third-party application server forwards the to-be-signed information to the smart hardware through the third-party application client.
  • the third-party application client transparently transmits the information to be signed.
  • the intelligent hardware receives the to-be-signed information forwarded by the third-party application server through the third-party application client.
  • step 308 the intelligent hardware generates confirmation prompt information.
  • the confirmation prompt message is used to ask whether to confirm the execution of the target operation.
  • the confirmation prompt information can be used to ask the user whether to confirm the login to the third-party application; for example, if the target operation is a payment operation, the confirmation prompt information can be used to ask the user whether to confirm the payment target.
  • the manner of prompting the confirmation prompt information is not limited, such as displaying a prompt, a sound and light prompt, a vibration prompt, or a voice prompt.
  • Step 309 The intelligent hardware acquires an acknowledgement indication corresponding to the confirmation prompt information.
  • the smart hardware can be triggered to obtain a corresponding confirmation indication.
  • the user can trigger the smart hardware to obtain a corresponding confirmation indication by pressing the confirmation button, brushing the fingerprint, brushing the iris, and the like.
  • the confirmation indication may also be triggered by the user through the biometric information triggering the intelligent hardware.
  • the biological information collection function can be started, and the biological information of the user is collected, and after the biological information is collected, the biological information can be verified, and when the collected biological information is successfully verified,
  • the triggering intelligent hardware acquires the confirmation indication corresponding to the confirmation prompt information.
  • the reference hardware information may be pre-stored in the intelligent hardware, and after the intelligent hardware collects the physiological information, the collected biological information may be compared with the pre-stored reference biological information. When the collected biological information matches the reference biological information, the intelligent hardware may be triggered to obtain a confirmation indication corresponding to the confirmation prompt information.
  • biological information includes but is not limited to: fingerprint, iris, retina, gene, sound, face, palm geometry, vein, gait and handwriting. Since the biometric information of the user is unique, the above-mentioned manner can realize the identity verification of the operator, and avoid the situation that the smart hardware is erroneously confirmed after being maliciously obtained by others, thereby further improving the security.
  • the smart hardware After acquiring the confirmation indication corresponding to the confirmation prompt information, the smart hardware performs the following step 310, otherwise the following step 310 is not performed if the confirmation indication is not obtained.
  • Step 310 The intelligent hardware uses the application private key corresponding to the third-party application to sign the signature information, and obtains the first signature result.
  • the application private key corresponding to the third-party application is generated by the intelligent hardware in the registration binding process.
  • the application binding key index may also be recorded in the foregoing second binding relationship.
  • the third-party application server requests to obtain the information to be signed from the authentication server
  • the following steps may be performed: the third-party application server is configured according to the following: The identifier of the intelligent hardware or the user account is used to query the second binding relationship to obtain the corresponding application key index, and the third-party application client sends the application key index to the intelligent hardware.
  • the intelligent hardware receives the application key sent by the third-party application server through the third-party application client.
  • the application private key corresponding to the third-party application can be obtained according to the application key index.
  • the second binding relationship includes the identifier of the smart hardware, the binding relationship between the user account and the application key index, and the second binding relationship is stored by the third-party application server in the registration binding process.
  • the application key index is generated by the intelligent hardware in the registration binding process, and is used to index the application public key and the application private key corresponding to the third-party application.
  • the intelligent hardware detects the existence of the corresponding application private key by applying the key index, so that the third-party application server can be verified and the security is improved.
  • Step 311 The intelligent hardware sequentially transmits the first signature result to the authentication server through the third-party application client and the third-party application server.
  • the authentication server receives the first signature result transparently transmitted by the intelligent hardware through the third-party application client and the third-party application server.
  • Step 312 The authentication server uses the application public key corresponding to the third-party application to verify whether the first signature result is correct.
  • the application public key corresponding to the third-party application is generated by the intelligent hardware in the registration binding process.
  • the authentication server stores the first binding relationship in the registration binding process.
  • the first binding relationship includes at least the binding relationship between the identifier of the intelligent hardware, the user account, and the application public key corresponding to the third-party application.
  • the authentication server may obtain the application public key corresponding to the third-party application that is bound to the identifier of the smart hardware by querying the first binding relationship that is stored in advance, and then the third-party application may be corresponding to the third-party application.
  • the application public key verifies the first signature result.
  • Step 313 If the first signature result is correct, the authentication server sends an authentication success indication to the third-party application server. That is, if the authentication server determines that the first signature result is actually obtained by the smart hardware using the application private key to sign the to-be-signed information sent by the authentication server, the authentication success indication may be sent to the third-party application server.
  • the third-party application server receives the verification success indication sent by the authentication server.
  • Step 314 After receiving the verification success indication, the third-party application server performs the target operation.
  • the third-party application server sets the user account bound to the identifier of the smart hardware from the non-login state to the login state, so that the third-party client can log in through the smart hardware without the user inputting the user account. And password.
  • the third-party application server completes the payment process of the target order corresponding to the order information, so that the third-party client can pay through the smart hardware without the user inputting the payment password.
  • the intelligent hardware can also perform the reference number of the application private key corresponding to the third-party application.
  • the foregoing step 310 can be implemented by the following steps: the intelligent hardware acquires the value of the counter, and the counter is used to count the reference number of the application private key corresponding to the third-party application; the intelligent hardware uses the application private key corresponding to the third-party application to treat The signature information and the value of the counter are signed to obtain the first signature result.
  • the above step 311 can be implemented by the following steps: the intelligent hardware sequentially passes the third-party application client and the third-party application server, and the first signature result and the counter are The value is transparently transmitted to the authentication server.
  • the authentication server receives the first signature result and the counter value transparently transmitted by the intelligent hardware through the third-party application client and the third-party application server.
  • the value of the counter can be incremented by one each time the intelligent hardware signs the signature information with the application key.
  • the method provided in this embodiment obtains a first signature result by using the intelligent hardware to sign the signature information, and the authentication server instructs the third-party application server to perform the target operation when verifying that the first signature result is correct;
  • Some authentication methods require the user to manually input relevant information for identity authentication. Therefore, the user has a complicated and inefficient operation when performing network operations requiring identity authentication. Since the identity authentication is implemented by the intelligent hardware, the user does not need to manually input the information. Information about identity authentication makes it easier and more efficient for users to perform network operations that require identity authentication.
  • FIG. 4 is a flowchart of an identity authentication method according to another embodiment of the present invention.
  • the target operation is a login operation, and the login process is introduced and described.
  • the method can include the following steps.
  • step 401 the user selects an intelligent hardware mode to log in in the third-party application client.
  • the third party application client obtains an operation instruction for requesting execution of the login operation.
  • Step 402 After obtaining the foregoing operation indication, the third-party application client sends an identifier acquisition request to the smart hardware.
  • the intelligent hardware receives the identity acquisition request sent by the third-party application client.
  • Step 403 The intelligent hardware sends the identifier of the intelligent hardware to the third-party application client.
  • the third party application client receives the identity of the intelligent hardware sent by the intelligent hardware.
  • Step 404 The third-party application client sends a login request to the third-party application server, where the login request includes the login request information and the identifier of the intelligent hardware.
  • the third-party application server receives the login request sent by the third-party application client.
  • Step 405 The third-party application server detects whether there is a user account bound to the identifier of the smart hardware, and if yes, sends an authentication request to the authentication server, where the authentication request includes the authentication request information, Identification of intelligent hardware and identification of third-party applications.
  • the authentication server receives the authentication request sent by the third-party application server.
  • Step 406 The authentication server acquires an available state of the smart hardware according to the identifier of the smart hardware.
  • Step 407 If the available state of the intelligent hardware indicates that the smart hardware is available, the authentication server sends the to-be-signed information to the third-party application server, where the information to be signed includes the challenge random number and the application parameter.
  • the third-party application server receives the information to be signed sent by the authentication server.
  • Step 408 The third-party application server queries the second binding relationship to obtain the corresponding application key index by using the identifier of the smart hardware.
  • Step 409 The third-party application server sends the to-be-signed information and the application key index to the third-party application client.
  • the third-party application client receives the to-be-signed information and the application key index sent by the third-party application server.
  • Step 410 The third-party application client sends the to-be-signed information and the application key index to the intelligent hardware.
  • the intelligent hardware receives the to-be-signed information and the application key index sent by the third-party application client.
  • step 411 the intelligent hardware generates confirmation prompt information.
  • step 412 the intelligent hardware acquires an acknowledgement indication corresponding to the confirmation prompt information.
  • Step 413 The intelligent hardware searches for the third binding relationship to obtain the corresponding application private key by applying the key index, and uses the application private key to sign the signature information and the counter value to obtain the first signature result.
  • Step 414 The intelligent hardware sequentially transmits the first signature result and the counter value to the authentication server through the third-party application client and the third-party application server.
  • the authentication server receives the first signature result and the counter value transparently transmitted by the intelligent hardware through the third-party application client and the third-party application server.
  • Step 415 The authentication server obtains the corresponding application key index by using the identifier of the smart hardware and the identifier of the third-party application, and obtains the corresponding application public key by applying the key index, and adopts the application public key pair. The first signature result is checked.
  • Step 416 If the verification is successful, the authentication server sends an authentication success indication and an identifier of the intelligent hardware to the third-party application server.
  • the third-party application server receives the verification success indication sent by the authentication server and the identifier of the intelligent hardware.
  • Step 417 The third-party application server queries the second binding relationship to obtain the corresponding user account by using the identifier of the smart hardware, and sets the user account from the non-login state to the login state, and sends the login success information to the third-party application client.
  • the login success information can carry a user account.
  • the third-party application client receives the login success information sent by the third-party application server.
  • Step 418 The third-party application client sets the user account from the non-login state to the login state.
  • step 419 the third-party application client displays the login success page to the user.
  • the user can complete the account login through the intelligent hardware, and the login process is convenient and efficient without inputting the user account and password; and the security is ensured because the smart hardware is higher than the third-party application client. Process security.
  • FIG. 5 is a flowchart of an identity authentication method according to another embodiment of the present invention.
  • the target operation is a payment operation
  • the payment process is introduced and explained.
  • the method can include the following steps.
  • step 501 the user selects an intelligent hardware payment in the third-party application client.
  • the third party application client obtains an operation instruction for requesting execution of the payment operation.
  • Step 502 After obtaining the foregoing operation indication, the third-party application client sends a payment request to the third-party application server, where the payment request includes payment request information.
  • the third party application server receives the payment request sent by the third party application client.
  • Step 503 The third-party application server sends an authentication request to the authentication server, where the authentication request includes the authentication request information, the identifier of the smart hardware, the identifier of the third-party application, and the order information.
  • the authentication server receives the authentication request sent by the third-party application server.
  • Step 504 The authentication server acquires an available state of the smart hardware according to the identifier of the smart hardware.
  • Step 505 If the available state of the intelligent hardware indicates that the smart hardware is available, the authentication server sends the to-be-signed information to the third-party application server, where the information to be signed includes a challenge random number, an application parameter, an order information, and a timestamp.
  • the third-party application server receives the information to be signed sent by the authentication server.
  • Step 506 The third-party application server queries the second binding relationship to obtain the corresponding application key index by using the identifier of the smart hardware or the user account.
  • Step 507 The third-party application server sends the to-be-signed information and the application key index to the third-party application client.
  • the third-party application client receives the to-be-signed information and the application key index sent by the third-party application server.
  • Step 508 The third-party application client sends the to-be-signed information and the application key index to the intelligent hardware.
  • the intelligent hardware receives the to-be-signed information and the application key index sent by the third-party application client.
  • step 509 the intelligent hardware generates confirmation prompt information.
  • the confirmation prompt information may include transaction key information extracted from the order information, such as transaction amount, merchant name, transaction time, and the like.
  • step 510 the intelligent hardware acquires an acknowledgement indication corresponding to the confirmation prompt information.
  • a second verification measure may be added, such as prompting the user to input a password, and the password may be in the form of a number, a fingerprint, an iris, or the like.
  • Step 511 The intelligent hardware applies the key index, queries the third binding relationship to obtain the corresponding application private key, and uses the application private key to sign the signature information and the counter value to obtain the first signature result.
  • the information to be signed in this step may only include the challenge random number and the application parameter, that is, the intelligent hardware uses the application private key to sign the value of the challenge random number, the application parameter, and the counter.
  • Step 512 The intelligent hardware sequentially transmits the first signature result and the counter value to the authentication server through the third-party application client and the third-party application server.
  • the authentication server receives the first signature result and the counter value transparently transmitted by the intelligent hardware through the third-party application client and the third-party application server.
  • Step 513 The authentication server obtains the corresponding application key index by using the identifier of the smart hardware and the identifier of the third-party application, and obtains the corresponding application public key by applying the key index, and adopts the application public key pair. The first signature result is checked.
  • Step 514 If the verification is successful, the authentication server sends an authentication success indication and order information to the third-party application server.
  • the third-party application server receives the verification success indication and the order information sent by the authentication server.
  • Step 515 The third-party application server completes the payment process of the target order corresponding to the order information, and sends the payment success information to the third-party application client.
  • the third-party application client receives the payment success information sent by the third-party application server.
  • step 516 the third-party application client changes from the unpaid state to the support successful state.
  • step 517 the third party application client displays the payment success page to the user.
  • the user can complete the order payment through the intelligent hardware, without inputting the payment password, the login process is convenient and efficient; and because the intelligent hardware is more secure than the third-party application client, the payment process is also guaranteed. safety.
  • FIG. 6 is a flowchart of a registration binding method provided by an embodiment of the present invention, which may be used in the implementation environment shown in FIG. 1 .
  • the method can include the following steps.
  • Step 601 After obtaining the operation instruction for requesting the binding of the intelligent hardware, the third-party application client acquires the identifier of the smart hardware.
  • the user Before the third-party application server is triggered to perform the target operation through the intelligent hardware, the user may perform an operation to trigger the binding relationship between the user account of the third-party application and the identifier of the intelligent hardware.
  • the user can log in to the user account of the third-party application by using a login method in the related art, such as manually inputting the user account and the key, and then triggering the third-party application client to obtain the request binding by using the operation.
  • Operational instructions for intelligent hardware After obtaining the operation indication for requesting the binding of the intelligent hardware, the third-party application client may send an identifier obtaining request to the smart hardware, and the identifier obtaining request is used to request the identifier of the smart hardware; the smart hardware receives the third-party application client. After the identifier sent by the terminal obtains the request, the identifier of the smart hardware is sent to the third-party application client; the third-party application client receives the identifier of the smart hardware sent by the smart hardware.
  • an intelligent hardware can be bound to one user account in the third-party application, that is, for each third-party application, the smart hardware identifier and the user account of the third-party application One-to-one correspondence; for a variety of different third-party applications, supporting one intelligent hardware can be bound to a variety of different third-party applications, that is, bound to user accounts in a variety of different third-party applications.
  • Step 602 The third-party application client sends a binding request to the third-party application server.
  • the binding request includes the binding request information and the identifier of the intelligent hardware, and the binding request information is used to request the binding relationship between the identifier of the intelligent hardware and the user account of the third-party application client.
  • the third-party application server receives the binding request sent by the third-party application client.
  • step 603 the third-party application server forwards the binding request to the authentication server.
  • the binding request includes at least the binding request information and the identifier of the intelligent hardware.
  • the authentication server receives the binding request forwarded by the third-party application server.
  • the third-party application server may also add the identifier of the third-party application to the binding request when the binding request is sent to the authentication server, that is, the binding request sent by the third-party application server to the authentication server may also be carried.
  • the binding request sent by the third-party application server to the authentication server may also be carried.
  • Step 604 After receiving the binding request, the authentication server transparently transmits the registration request to the intelligent hardware through the third-party application server and the third-party application client.
  • the registration request is used to instruct the intelligent hardware to generate an application key corresponding to the third-party application.
  • the registration request includes registration request information and application parameters.
  • the registration request information is used to instruct the intelligent hardware to generate an application key corresponding to the third-party application.
  • Application parameters correspond to third-party applications.
  • the registration request further includes a challenge random number, and the challenge random number is randomly generated by the authentication server according to a preset rule.
  • the intelligent hardware sequentially receives the registration request transparently transmitted by the authentication server through the third-party application server and the third-party application client.
  • the binding request sent by the third-party application server to the authentication server further carries the identifier of the third-party application.
  • the authentication server may further determine whether the identifier of the smart hardware is currently recorded in the authentication server.
  • the binding relationship of the user account of the third-party application corresponding to the identifier of the third-party application. If the binding relationship between the identifier of the smart hardware and the user account of the third-party application is not currently recorded in the authentication server, the third-party application server is sequentially used. And the third-party application client transparently transmits the registration request to the intelligent hardware.
  • the processing may not be performed, or the third-party application server may send the registration failure indication to the third-party client.
  • the third-party client may receive the registration failure indication sent by the authentication server.
  • Step 605 After receiving the registration request, the smart hardware generates an application public key and an application private key corresponding to the third-party application.
  • Step 606 The intelligent hardware uses the hardware private key corresponding to the smart hardware to sign the application public key corresponding to the third-party application, and obtains the second signature result.
  • Step 607 The intelligent hardware sequentially transmits the to-be-verified information to the authentication server through the third-party application client and the third-party application server.
  • the information to be verified includes the application public key corresponding to the third-party application, the second signature result, and the hardware certificate of the intelligent hardware.
  • the hardware certificate of the intelligent hardware includes the hardware public key corresponding to the intelligent hardware and the identifier of the intelligent hardware.
  • the authentication server receives the information to be verified transparently transmitted by the smart hardware through the third-party application client and the third-party application server.
  • the application of the key index is also performed in the foregoing second binding relationship.
  • the smart hardware may further perform the following steps: the intelligent hardware generates an application key index, and the application key The index is used to index the application public key and the application private key corresponding to the third-party application; the intelligent hardware sequentially sends the application key index to the authentication server through the third-party application client and the third-party application server.
  • the application key index may be signed by the hardware private key corresponding to the smart hardware and sent to the authentication server.
  • the registration request sent by the authentication server to the smart hardware may further include an application parameter.
  • the process of the smart hardware generating the application key index may be as follows: the intelligent hardware generates the application parameter and the abstract of the application private key corresponding to the third-party application. Value; the intelligent hardware generates a random number; the intelligent hardware generates an application key index based on the digest value and the random number.
  • Step 608 The authentication server extracts the hardware public key corresponding to the smart hardware from the hardware certificate of the smart hardware when the root certificate public key is used to verify that the hardware certificate of the smart hardware is legal.
  • Step 609 The authentication server uses the hardware public key corresponding to the smart hardware to verify whether the second signature result is correct.
  • Step 610 If the second signature result is correct, the authentication server stores the first binding relationship.
  • the first binding relationship includes an identifier of the smart hardware, a binding relationship between the user account and the application public key corresponding to the third-party application.
  • the identifier of the third-party application is also included in the first binding relationship.
  • Step 611 The authentication server sends the identifier of the smart hardware to the third-party application server.
  • the third-party application server receives the identity of the smart hardware sent by the authentication server.
  • Step 612 The third-party application server stores the second binding relationship.
  • the second binding relationship includes a binding relationship between the identifier of the intelligent hardware and the user account.
  • the first binding relationship stored by the authentication server includes an identifier of the smart hardware, a user account, an application key index, and an application public key corresponding to the third-party application. Binding relationship. After verifying that the second signature result is correct, the authentication server also sends an application key index to the third-party application server.
  • the second binding relationship stored by the third-party application server includes an identifier of the smart hardware, a binding relationship between the user account and the application key index.
  • the hardware certificate is a certificate issued by the authentication server by using the system root certificate and stored in the smart hardware, and the system root certificate is used as a root of trust to authenticate the intelligent hardware to ensure the authenticity of the intelligent hardware, and Secure transmission of the application public key is beneficial to achieve a more secure and stable system.
  • FIG. 7 is a flowchart of a registration binding method according to another embodiment of the present invention.
  • the method can include the following steps.
  • step 701 the user logs in using the user account and password on the third-party application client.
  • Step 702 The third-party application client sends the user login information to the third-party application server, where the user login information includes the user account and the password.
  • the third-party application server receives the user login information sent by the third-party application client.
  • Step 703 After the third-party application server verifies that the user login information is passed, the third-party application client returns the login success information, and the third-party application client displays that the user has entered the login state.
  • Step 704 After the third-party application client successfully logs in, the user selects the bound smart hardware in the third-party application client.
  • the third party application client obtains an operation indication for requesting binding of the smart hardware.
  • Step 705 The third-party application client searches for nearby smart hardware, displays a device list, and the user selects the corresponding smart hardware from the device list.
  • the device list contains the smart hardware that the third-party application client searches nearby.
  • Step 706 The third-party application client sends an identifier acquisition request to the selected intelligent hardware.
  • the identity acquisition request is used to request the identity of the smart hardware.
  • the intelligent hardware receives the identity acquisition request sent by the third-party application client.
  • Step 707 The intelligent hardware sends the identifier of the intelligent hardware to the third-party application client.
  • the third party application client receives the identity of the intelligent hardware sent by the intelligent hardware.
  • Step 708 The third-party application client obtains the binding state of the smart hardware. If the binding state indicates that the smart hardware is unbound, the binding request is sent to the third-party application server.
  • the binding request includes binding request information and an identifier of the intelligent hardware, and the binding request information is used to request a binding relationship between the intelligent hardware and the user account of the third-party application client.
  • the binding state of the intelligent hardware can be sent by the intelligent hardware to the third-party application client.
  • the third-party application server receives the binding request sent by the third-party application client.
  • the registration binding process is exited.
  • step 709 the third-party application server forwards the binding request to the authentication server.
  • the binding request includes binding request information, an identifier of the intelligent hardware, and an identifier of the third-party application.
  • the authentication server receives the binding request forwarded by the third-party application server.
  • Step 710 After receiving the binding request, the authentication server uses a third-party application server to The third-party application client sends a registration request.
  • the registration request includes registration request information, challenge random number, and application parameters.
  • the third-party application client receives the registration request sent by the authentication server through the third-party application server.
  • step 711 the third party application client forwards the registration request to the smart hardware.
  • the intelligent hardware receives the registration request forwarded by the third party application client.
  • step 712 the intelligent hardware generates confirmation prompt information.
  • the confirmation prompt information is used to ask whether to confirm the binding of the smart hardware.
  • step 713 the intelligent hardware acquires an acknowledgement indication corresponding to the confirmation prompt information.
  • the confirmation indication is triggered.
  • the user triggers the confirmation indication by pressing the confirmation button, brushing the fingerprint, brushing the iris, and the like.
  • Step 714 The intelligent hardware generates an application public key and an application private key corresponding to the third-party application, and generates a corresponding application key index, and uses the hardware private key to sign the application key index and the application public key to obtain a second signature result.
  • Step 715 The intelligent hardware sequentially transmits the to-be-verified information to the authentication server through the third-party application client and the third-party application server.
  • the information to be verified includes the application public key corresponding to the third-party application, the second signature result, and the hardware certificate of the intelligent hardware.
  • the hardware certificate of the intelligent hardware includes the hardware public key corresponding to the intelligent hardware and the identifier of the intelligent hardware.
  • the authentication server receives the information to be verified transparently transmitted by the smart hardware through the third-party application client and the third-party application server.
  • Step 716 The authentication server extracts the hardware public key corresponding to the smart hardware from the hardware certificate of the smart hardware when the root certificate public key is used to verify that the hardware certificate of the smart hardware is legal.
  • Step 717 The authentication server uses the hardware public key corresponding to the smart hardware to check the second signature result.
  • Step 718 If the verification is successful, the authentication server stores the first binding relationship.
  • the first binding relationship includes the identifier of the smart hardware, the identifier of the third-party application, the binding relationship between the user account, the application key index, and the application public key corresponding to the third-party application.
  • Step 719 The authentication server sends the identifier of the smart hardware and the application key index to the third-party application server.
  • the third-party application server receives the identifier of the smart hardware and the application key index sent by the authentication server.
  • Step 720 The third-party application server stores the second binding relationship.
  • the second binding relationship includes the identity of the smart hardware, the binding relationship between the user account and the application key index.
  • the third-party application server stores the second binding relationship, and is used for identity authentication when the subsequent user uses the intelligent hardware for login and payment.
  • Step 721 The third-party application server sends the binding success information to the third-party application client.
  • the third-party application client receives the binding success information sent by the third-party application server.
  • step 722 the third-party application client changes from an unbound state to a bound state.
  • step 723 the third-party application client displays the binding success page to the user.
  • FIG. 8 is a flowchart of a logout method provided by an embodiment of the present invention, which may be applied to the implementation environment shown in FIG. 1 .
  • the method can include the following steps.
  • Step 801 After obtaining the operation instruction for requesting to perform the logout operation, the third-party application client sends a logout request to the third-party application server.
  • the logout request includes at least the logout request information and the identifier of the smart hardware.
  • the logout request information is used to request to perform a logout operation, and the logout operation is an unbind operation or a report loss operation.
  • the unbind operation refers to releasing the binding relationship between the intelligent hardware and the user account.
  • a loss reporting operation refers to loss of intelligent hardware.
  • the third party application server receives the logout request sent by the third party application client.
  • Step 802 The third-party application server transparently transmits the log-out request to the authentication server.
  • the authentication server receives the logout request transparently transmitted by the third party application server.
  • Step 803 After receiving the logout request, the authentication server performs a logout operation.
  • the method provided in this embodiment implements the unbinding of the intelligent hardware and the user account, and the loss of the intelligent hardware.
  • FIG. 9 is a flowchart of a method for unbinding according to an embodiment of the present invention.
  • the method may include the following steps.
  • step 901 the user initiates an unbinding request through the third-party application client.
  • the unbinding request is initiated by a real user (such as a mailbox, a mobile phone short message verification code, etc.).
  • Step 902 The third-party application client sends an unbinding request to the authentication server through the third-party application server.
  • the unbinding request includes at least the unbinding request information and the identifier of the intelligent hardware. Unbinding request information is used for Request to perform the unbinding operation. Optionally, the unbinding request further includes an identifier of the user account and the third-party application.
  • the authentication server receives the unbinding request sent by the third-party application client through the third-party application server.
  • Step 903 The authentication server marks the available state of the smart hardware as an unbound state according to the identifier of the smart hardware, and deletes the application key index and the application public key corresponding to the identifier of the smart hardware and the identifier of the third-party application.
  • Step 904 The authentication server sends the processing result of the unbinding request to the third-party application server.
  • the third-party application server receives the processing result sent by the authentication server.
  • Step 905 The third-party application server releases the binding relationship between the identifier of the smart hardware and the application key index.
  • Step 906 The third-party application server sends the processing result and the application key index to the third-party application client.
  • the third-party application client receives the processing result and the application key index sent by the third-party application server.
  • step 907 the third-party application client sends the processing result and the application key index to the smart hardware.
  • the intelligent hardware receives the processing result and the application key index sent by the third-party application client.
  • Step 908 The intelligent hardware deletes the application private key corresponding to the application key index.
  • step 909 the intelligent hardware sends the logout success information to the third-party application client.
  • the third-party application client receives the logout success information sent by the smart hardware.
  • step 910 the third-party application client notifies the user that the binding has been unbound.
  • the unbinding process is initiated from the third-party application client.
  • the unbinding process can also be initiated from the management client.
  • FIG. 10 shows a flowchart of a method for unbinding according to another embodiment of the present invention, which may include the following steps.
  • Step 1001 The user queries the application list bound to the smart hardware by the management client, and initiates a unbinding request to the target application.
  • Step 1002 The management client sends an identifier acquisition request to the smart hardware.
  • the intelligent hardware receives an identity acquisition request sent by the management client.
  • step 1003 the intelligent hardware sends the identifier of the intelligent hardware to the management client.
  • the management client receives the identity of the intelligent hardware sent by the intelligent hardware.
  • Step 1004 The management client sends an unbinding request to the authentication server, where the unbinding request includes the unbinding request information, the identifier of the third-party application, and the identifier of the intelligent hardware.
  • the authentication server receives the unbinding request sent by the management client.
  • step 1005 the authentication server marks the corresponding state of the intelligent hardware as an unbound state according to the identifier of the smart hardware and the identifier of the third-party application.
  • Step 1006 The authentication server sends the processing result of the unbinding request to the third-party application server, where the processing result includes the identifier of the intelligent hardware.
  • the third-party application server receives the processing result sent by the authentication server.
  • step 1007 the authentication server notifies the management client to process the result.
  • the management client receives the processing result sent by the authentication server.
  • step 1008 the management client displays the user unbinding successfully.
  • FIG. 11 is a flowchart of a method for reporting loss according to an embodiment of the present invention.
  • the method may include the following steps.
  • step 1101 the user initiates a loss report request through the third-party application client.
  • the at least two authentication methods are used to confirm that the report is initiated by a real user (such as a mailbox, a mobile phone short message verification code, etc.).
  • Step 1102 The third-party application client sends a report loss request to the authentication server through the third-party application server.
  • the loss report includes at least the report of the loss request and the identifier of the intelligent hardware.
  • the report of the loss request is used to request the execution of the loss reporting operation.
  • the report of the user account and the third-party application is also included in the report of the loss.
  • the authentication server receives the loss report sent by the third-party application client through the third-party application server.
  • Step 1103 The authentication server marks the available state of the smart hardware as a report loss status according to the identifier of the smart hardware, and deletes all application key indexes and application public keys corresponding to the identifiers of the smart hardware.
  • Step 1104 The authentication server sends the processing result of the loss report to the third-party application server.
  • the third-party application server receives the processing result sent by the authentication server.
  • Step 1105 The third-party application server releases the binding relationship between the identifier of the smart hardware and the application key index.
  • Step 1106 The third-party application server sends the processing result to the third-party application client.
  • the third-party application client receives the processing result sent by the third-party application server.
  • step 1107 the third-party application client notifies the user that the intelligent hardware has been lost.
  • the loss reporting process is initiated from the third-party application client. In other possible embodiments, the loss reporting process can also be initiated from the management client. As shown in FIG. 12, it shows a flowchart of a method for reporting loss according to another embodiment of the present invention, and the method may include the following steps.
  • step 1201 the user initiates a loss report request through the management client.
  • Step 1202 The management client forwards the loss report to the authentication server, where the request carries the user account information.
  • the authentication server receives the loss report sent by the management client.
  • Step 1203 The authentication server refers to the user account, and marks the available state of the smart hardware corresponding to the user account as a report loss status.
  • step 1204 the authentication server notifies the management client to process the result.
  • the management client receives the processing result sent by the authentication server.
  • step 1205 the management client displays the report failure to the user.
  • the technical solution provided by the foregoing embodiment provides a secure, convenient, password-free login or payment method for a user to access a third-party application, that is, using intelligent hardware.
  • the user first uses a traditional account password to log in to a third-party application client that supports the use of intelligent hardware.
  • the smart hardware is bound according to the prompt steps. After the binding is completed, the user can log in to the third party using the smart hardware. Apply or pay on a third-party app.
  • Intelligent hardware can be used on multiple third-party applications, no need to enter a password, only the user to do the corresponding interaction (such as: press the confirm button, brush fingerprint, brush iris, etc.) to confirm that the user can complete the operation It simplifies the operation and enhances the user experience, while ensuring the security of login or payment. If the user does not want to use the smart hardware on an application, simply verify the identity on the specific application to quickly unbind the smart application and the application, and unregister the smart hardware information about the application. If the user loses the smart hardware, simply verify the identity on the specific application to quickly log out the smart hardware and unregister all the information bound to the smart hardware.
  • the foregoing steps about the third-party application client may be separately implemented as the identity authentication method of the third-party application client side
  • the steps of the third-party application server may be separately implemented as a third party.
  • the application server side identity authentication method, the above steps about the intelligent hardware can be separately implemented as an intelligent hardware side identity authentication method, the above related authentication
  • the steps of the server can be separately implemented as an authentication method on the authentication server side.
  • FIG. 13 shows a block diagram of an identity authentication system provided by an embodiment of the present invention.
  • the system includes a third party application client 1320, a third party application server 1340, smart hardware 1360, and an authentication server 1380.
  • the third-party application client 1320 is configured to send an operation request to the third-party application server 1340 after acquiring an operation instruction for requesting execution of a target operation, where the operation request is used to request the third-party application server 1340 performs the target operation.
  • the third-party application server 1340 is configured to request the information to be signed from the authentication server 1380, and forward the information to be signed to the smart hardware 1360 through the third-party application client 1320.
  • the smart hardware 1360 is configured to sign the to-be-signed information by using an application private key corresponding to the third-party application, to obtain a first signature result, and sequentially pass the third-party application client 1320 and the third-party application.
  • the server 1340 transparently transmits the first signature result to the authentication server 1380.
  • the authentication server 1380 is configured to verify whether the first signature result is correct by using an application public key corresponding to the third-party application, and if the first signature result is correct, send the verification success to the third-party application server 1340. Instructions.
  • the third-party application server 1340 is further configured to perform the target operation after receiving the verification success indication.
  • the system provided in this embodiment obtains the first signature result by using the intelligent hardware to sign the signature information, and the authentication server instructs the third-party application server to perform the target operation when verifying that the first signature result is correct;
  • Some authentication methods require the user to manually input relevant information for identity authentication. Therefore, the user has a complicated and inefficient operation when performing network operations requiring identity authentication. Since the identity authentication is implemented by the intelligent hardware, the user does not need to manually input the information. Information about identity authentication makes it easier and more efficient for users to perform network operations that require identity authentication.
  • the smart hardware 1360 is specifically configured to:
  • the counter is used to collect an application private key corresponding to the third-party application Number of citations
  • the first signature result and the value of the counter are transparently transmitted to the authentication server 1380 through the third-party application client 1320 and the third-party application server 1340 in sequence.
  • the third-party application server 1340 is configured to obtain an identifier of the smart hardware 1360, and send an authentication request to the authentication server 1380, where the authentication request includes at least an authentication request information and an identifier of the smart hardware.
  • the authentication request information is used to request the authentication server 1380 to generate the to-be-signed information.
  • the authentication server 1380 is specifically configured to acquire an available state of the smart hardware 1360 according to the identifier of the smart hardware 1360. If the available state of the smart hardware 1360 indicates that the smart hardware 1360 is available, generate the to-be-supplied The signature information is sent to the third-party application server 1340 for the to-be-signed information.
  • the smart hardware 1360 is further configured to generate confirmation prompt information, where the confirmation prompt information is used to query whether to confirm execution of the target operation;
  • the smart hardware 1360 is further configured to: after obtaining the confirmation indication corresponding to the confirmation prompt information, performing the signature of the to-be-signed information by using an application private key corresponding to the third-party application, to obtain a first The steps to sign the results.
  • the target operation is a login operation or a payment operation.
  • the third-party application client 1320 is further configured to acquire an identifier of the smart hardware 1360 and send a binding to the third-party application server 1340 after obtaining an operation instruction for requesting binding of the smart hardware 1360.
  • the request includes the binding request information and the identifier of the smart hardware 1360, where the binding request information is used to request to establish the smart hardware 1360 and the user account of the third-party application client 1320. Binding relationship between;
  • the third-party application server 1340 is further configured to forward the binding request to the authentication server 1380, where the binding request includes at least the binding request information and an identifier of the smart hardware 1360;
  • the authentication server 1380 is further configured to transparently transmit a registration request to the smart hardware 1360 through the third-party application server 1340 and the third-party application client 1320 after receiving the binding request;
  • the smart hardware 1360 is further configured to: after receiving the registration request, generate an application public key and an application private key corresponding to the third-party application, and use the hardware private key corresponding to the smart hardware 1360 to the third party. And applying the corresponding application public key as a signature to obtain a second signature result, and the third-party application client 1320 and the third-party application server 1340 are used to transparently transmit the to-be-verified information to the authentication server 1380.
  • the application public key corresponding to the third-party application, the second signature result, and the hardware certificate of the smart hardware 1360, the hardware certificate of the smart hardware 1360 includes a hardware public key corresponding to the smart hardware 1360, and the The identity of the smart hardware 1360;
  • the authentication server 1380 is further configured to: extract the hardware public key corresponding to the smart hardware 1360 from the hardware certificate of the smart hardware 1360, if the root certificate public key is used to verify that the hardware certificate of the smart hardware 1360 is legal. And verifying, by the hardware public key corresponding to the smart hardware 1360, whether the second signature result is correct. If the second signature result is correct, storing a first binding relationship, where the first binding relationship includes the smart The identifier of the hardware 1360, the binding relationship between the user account and the application public key corresponding to the third-party application, and the identifier of the smart hardware 1360 is sent to the third-party application server 1340;
  • the third-party application server 1340 is further configured to store a second binding relationship, where the second binding relationship includes a binding relationship between the identifier of the smart hardware 1360 and the user account.
  • the smart hardware 1360 is further configured to generate an application key index, where the application key index is used to index an application public key and an application private key corresponding to the third-party application;
  • the smart hardware 1360 is further configured to send the application key index to the authentication server 1380 through the third-party application client 1320 and the third-party application server 1340;
  • the first binding relationship includes a binding relationship between the identifier of the smart hardware 1360, the user account, the application key index, and an application public key corresponding to the third-party application;
  • the second binding relationship includes an identifier of the smart hardware 1360, a binding relationship between the user account and the application key index.
  • the smart hardware 1360 is specifically configured to:
  • the third-party application server 1340 is further configured to query the second binding relationship to obtain the corresponding application key index according to the identifier of the smart hardware 1360 or the user account, by using the third-party application client.
  • the terminal 1320 forwards the application key index to the smart hardware 1360;
  • the smart hardware 1360 is further configured to acquire an application private key corresponding to the third-party application according to the application key index.
  • the third-party application client 1320 is further configured to send a logout operation request to the third-party application server 1340 after obtaining an operation instruction for requesting execution of the log-out operation, where the log-out operation request includes at least the log-out request information And the identifier of the smart hardware 1360, the logout request information is used to request to perform the logout operation, the logout operation is an unbind operation or a report loss operation, and the unbind operation refers to releasing the smart hardware 1360 and the The binding relationship between the user accounts, the loss reporting operation refers to reporting the smart hardware 1360;
  • the third-party application server 1340 is further configured to transparently transmit the logout operation request to the authentication server 1380;
  • the authentication server 1380 is further configured to perform the logout operation after receiving the logout operation request.
  • FIG. 14 is a block diagram of a third-party application client provided by an embodiment of the present invention.
  • the third-party application client includes: a first request sending module 1410, a first information receiving module 1420, a first information sending module 1430, a first result receiving module 1440, and a first transparent transmitting module 1450.
  • the first request sending module 1410 is configured to send an operation request to the third-party application server, after the operation instruction for requesting the execution of the target operation is acquired, where the operation request is used to request the third-party application server to perform the target operation. .
  • the first information receiving module 1420 is configured to receive the to-be-signed information sent by the third-party application server, where the to-be-signed information is requested by the third-party application server from the authentication server after receiving the operation request.
  • the first information sending module 1430 is configured to forward the to-be-signed information to the smart hardware.
  • the first result receiving module 1440 is configured to receive a first signature result sent by the smart hardware, where The first signature result is obtained by the smart hardware signing the to-be-signed information by using an application private key corresponding to the third-party application.
  • the first transparent transmission module 1450 is configured to transparently transmit the first signature result to the authentication server by using the third-party application server, so that the authentication server verifies the identifier by using an application public key corresponding to the third-party application. Whether the first signature result is correct, and if the first signature result is correct, sending an authentication success indication to the third-party application server to trigger the third-party application server to perform the target operation.
  • the target operation is a login operation or a payment operation.
  • the third-party application client further includes:
  • An identifier obtaining module configured to acquire an identifier of the smart hardware after obtaining an operation instruction for requesting binding of the smart hardware
  • a second request sending module configured to send a binding request to the third-party application server, where the binding request includes binding request information and an identifier of the intelligent hardware, where the binding request information is used to request to establish a Defining a binding relationship between the intelligent hardware and a user account that is logged in to the third-party application client;
  • a first request receiving module configured to receive a registration request sent by the third-party application server, where the registration request is generated by the authentication server after receiving the binding request forwarded by the third-party application server, and sent to the The third party application server;
  • a third request sending module configured to transparently transmit the registration request to the smart hardware, so that the smart hardware generates an application public key and an application private key corresponding to the third-party application after receiving the registration request And signing, by using a hardware private key corresponding to the smart hardware, an application public key corresponding to the third-party application, to obtain a second signature result;
  • a second information receiving module configured to receive information to be verified sent by the smart hardware, where the information to be verified includes an application public key corresponding to the third-party application, the second signature result, and a hardware certificate of the smart hardware
  • the hardware certificate of the smart hardware includes a hardware public key corresponding to the smart hardware and an identifier of the smart hardware;
  • a second transparent transmission module configured to transparently transmit the to-be-verified information to the authentication server by using the third-party application server, so that the authentication server validates the hardware certificate of the smart hardware by using a root certificate public key.
  • extracting the smart hardware corresponding from the hardware certificate of the smart hardware And storing, in the case of using the hardware public key corresponding to the smart hardware, that the second signature result is correct, the first binding relationship includes the identifier of the smart hardware.
  • the third-party application server is configured to store the second Binding relationship, where the second binding relationship includes a binding relationship between the identifier of the smart hardware and the user account.
  • the third-party application client further includes:
  • a fourth request sending module configured to transparently transmit a specified operation request to the authentication server by using the third-party application server after acquiring an operation instruction for requesting execution of the specified operation, where the specified operation request includes at least an operation request Information and an identifier of the smart hardware, the operation request information is used to request to perform the specified operation, the specified operation is an unbinding operation or a loss reporting operation, and the unbinding operation refers to releasing the smart hardware and the The binding relationship between the user accounts, the loss reporting operation refers to the loss of the intelligent hardware, and the authentication server is configured to perform the specified operation after receiving the specified operation request.
  • FIG. 15 shows a block diagram of a third-party application server provided by an embodiment of the present invention.
  • the third-party application server includes: a second request receiving module 1510, an information obtaining module 1520, an information forwarding module 1530, a second result receiving module 1540, a third transparent transmitting module 1550, an indication receiving module 1560, and a first operation executing module 1570.
  • the second request receiving module 1510 is configured to receive an operation request sent by the third-party application client, where the operation request is sent by the third-party application client to the third party after obtaining an operation instruction for requesting execution of the target operation.
  • the application server sends the operation request for requesting the third-party application server to perform the target operation.
  • the information obtaining module 1520 is configured to request to obtain information to be signed from the authentication server.
  • the information forwarding module 1530 is configured to forward the to-be-signed information to the smart hardware by using the third-party application client.
  • the second result receiving module 1540 is configured to receive a first signature result sent by the third-party application client, where the first signature result is used by the smart hardware to use the application private key corresponding to the third-party application
  • the signature information is obtained after being signed and sent by the smart hardware to the third-party application client.
  • the third transparent transmission module 1550 is configured to transparently transmit the first signature result to the authentication server.
  • the indication receiving module 1560 is configured to receive an authentication success indication sent by the authentication server, where the verification success indicates that the first signature result is correct when the authentication server uses the application public key corresponding to the third-party application to verify that the first signature result is correct. send.
  • the first operation execution module 1570 is configured to execute the target operation after receiving the verification success indication.
  • the information acquiring module includes:
  • An identifier obtaining submodule configured to obtain an identifier of the smart hardware
  • a request sending sub-module configured to send an authentication request to the authentication server, where the authentication request includes at least an authentication request information and an identifier of the smart hardware, where the authentication request information is used to request the authentication server Generating the to-be-signed information;
  • An information receiving submodule configured to receive the to-be-signed information sent by the authentication server, where the information to be signed is obtained by the authentication server according to the identifier of the smart hardware, and the available state of the smart hardware is obtained.
  • the available state of the intelligent hardware indicates that the smart hardware is available for generation.
  • the target operation is a login operation or a payment operation.
  • the third-party application server further includes:
  • a third request receiving module configured to receive a binding request sent by the third-party application client, where the binding request is obtained by the third-party application client to obtain an operation instruction for requesting binding of the smart hardware And sending, the binding request includes binding request information and an identifier of the smart hardware, where the binding request information is used to request to establish a relationship between the smart hardware and a user account that logs in to the third-party application client. Binding relationship
  • a fifth request sending module configured to forward the binding request to the authentication server, where the binding request includes at least the binding request information and an identifier of the smart hardware;
  • a fourth request receiving module configured to receive a registration request sent by the authentication server, where the registration request is generated and sent by the authentication server after receiving the binding request;
  • a third transparent transmission module configured to transparently transmit the registration request to the smart hardware by using the third-party application client, so that the smart hardware generates the third party after receiving the registration request Applying a corresponding application public key and an application private key, and using the hardware private key corresponding to the smart hardware to sign the application public key corresponding to the third-party application, to obtain a second signature result;
  • a third information receiving module configured to receive the to-be-verified information sent by the third-party application client, where the to-be-verified information is sent by the smart hardware to the third-party application client, where the to-be-verified information includes the a hardware certificate corresponding to the third party application, the second signature result, and the hardware certificate of the smart hardware, where the hardware certificate of the smart hardware includes a hardware public key corresponding to the smart hardware and an identifier of the smart hardware;
  • a second information sending module configured to transparently transmit the to-be-verified information to the authentication server, so that the authentication server uses the root certificate public key to verify that the hardware certificate of the smart hardware is legal, Extracting, by the hardware certificate of the smart hardware, the hardware public key corresponding to the smart hardware, and storing the first binding relationship, if the second signature result is correct by using the hardware public key corresponding to the smart hardware,
  • the first binding relationship includes an identifier of the smart hardware, a binding relationship between the user account and an application public key corresponding to the third-party application, and sends the identifier of the smart hardware to the third-party application server.
  • An identifier receiving module configured to receive an identifier of the smart hardware sent by the authentication server
  • the relationship storage module is configured to store a second binding relationship, where the second binding relationship includes a binding relationship between the identifier of the smart hardware and the user account.
  • the third-party application server further includes:
  • a fifth request receiving module configured to receive a specified operation request sent by the third-party application client, where the specified operation request is sent by the third-party application client after acquiring an operation instruction for requesting to perform a specified operation,
  • the specified operation request includes at least an operation request information and an identifier of the smart hardware, where the operation request information is used to request to perform the specified operation, where the specified operation is an unbundling operation or a loss reporting operation, and the unbinding operation Means that the binding relationship between the smart hardware and the user account is released, and the loss reporting operation refers to reporting the smart hardware;
  • a fourth transparent transmission module configured to transparently transmit the specified operation request to the authentication server, so that the authentication server performs the specified operation after receiving the specified operation request.
  • FIG. 16 shows a block diagram of intelligent hardware provided by an embodiment of the present invention.
  • the intelligent hardware includes a fourth information receiving module 1610, a first information signing module 1620, and a fifth transparent transmitting module 1630.
  • the fourth information receiving module 1610 is configured to receive information to be signed sent by the third-party application client, where the to-be-signed information is obtained by the third-party application server after receiving the operation request sent by the third-party application client.
  • the operation request is sent by the third-party application client to the third-party application server after acquiring an operation indication for requesting execution of a target operation, the operation request for requesting the third-party application server to execute the The target operation.
  • the first information signing module 1620 is configured to sign the to-be-signed information by using an application private key corresponding to the third-party application, to obtain a first signature result.
  • the fifth transparent transmission module 1630 is configured to transparently transmit the first signature result to the authentication server by using the third-party application client and the third-party application server, so that the authentication server adopts the first Verifying, by the application public key corresponding to the three-party application, whether the first signature result is correct, and sending a verification success indication to the third-party application server to trigger the third-party application server to execute if the first signature result is correct.
  • the target operation is configured to transparently transmit the first signature result to the authentication server by using the third-party application client and the third-party application server, so that the authentication server adopts the first Verifying, by the application public key corresponding to the three-party application, whether the first signature result is correct, and sending a verification success indication to the third-party application server to trigger the third-party application server to execute if the first signature result is correct.
  • the first information signing module includes:
  • a numerical value obtaining sub-module configured to obtain a value of a counter, where the counter is used to count the number of times of the signature operation, that is, the counter is used to count the reference times of the application private key corresponding to the third-party application;
  • a value signature sub-module configured to use the application private key corresponding to the third-party application to sign the to-be-signed information and the value of the counter to obtain the first signature result
  • the fifth transparent transmission module is further configured to transparently transmit the first signature result and the value of the counter to the authentication server by using the third-party application client and the third-party application server.
  • the smart hardware further includes:
  • a prompt generating module configured to generate confirmation prompt information, where the confirmation prompt information is used to query whether to confirm execution of the target operation
  • the first information signing module is further configured to: after obtaining the confirmation indication corresponding to the confirmation prompt information, performing the signature of the to-be-signed information by using an application private key corresponding to the third-party application, The first step of the signature result.
  • the target operation is a login operation or a payment operation.
  • the intelligent hardware is further included include:
  • a sixth request receiving module configured to receive a registration request sent by the third-party application client, where the registration request is generated by the authentication server after receiving the binding request forwarded by the third-party application server, and
  • the third-party application server transparently transmits to the third-party application client, and the binding request is sent by the third-party application client to the third party after obtaining an operation instruction for requesting binding of the smart hardware.
  • An application server where the binding request includes binding request information and an identifier of the smart hardware, where the binding request information is used to request to establish a relationship between the smart hardware and a user account that logs in to the third-party application client. Binding relationship
  • a key generation module configured to generate an application public key and an application private key corresponding to the third-party application after receiving the registration request
  • a second information signing module configured to use a hardware private key corresponding to the smart hardware to sign an application public key corresponding to the third-party application, to obtain a second signature result
  • a sixth transparent transmission module configured to transparently transmit the to-be-verified information to the authentication server by using the third-party application client and the third-party application server, where the information to be verified includes the application public corresponding to the third-party application a hardware certificate of the smart hardware, the hardware certificate corresponding to the smart hardware, and an identifier of the smart hardware, so that the authentication server is in use If the root certificate public key is used to verify that the hardware certificate of the smart hardware is legal, the hardware public key corresponding to the smart hardware is extracted from the hardware certificate of the smart hardware, and the hardware public key corresponding to the smart hardware is used for verification.
  • the first binding relationship is stored, where the first binding relationship includes an identifier of the smart hardware, the user account, and an application public key corresponding to the third-party application. a binding relationship, and sending the identifier of the smart hardware to the third-party application server, where the third-party application server is configured to store the second binding System, the binding relationship comprises a second binding relationship between the smart hardware identifier and the user account.
  • the smart hardware further includes:
  • An index generating module configured to generate an application key index, where the application key index is used to index an application public key and an application private key corresponding to the third-party application;
  • An index sending module configured to send the application key index to the authentication server by using the third-party application client and the third-party application server in sequence;
  • the first binding relationship includes a binding relationship between the identifier of the smart hardware, the user account, the application key index, and an application public key corresponding to the third-party application; Tied The relationship includes an identifier of the smart hardware, a binding relationship between the user account and the application key index.
  • the index generating module includes:
  • a summary generating submodule configured to generate a digest value of the application parameter and an application private key corresponding to the third party application
  • a random number generation submodule for generating a random number
  • an index generation submodule configured to generate the application key index according to the digest value and the random number.
  • FIG. 17 shows a block diagram of an authentication server provided by an embodiment of the present invention.
  • the authentication server includes a third information sending module 1710, a third result receiving module 1720, a first result verifying module 1730, and an indication sending module 1740.
  • the third information sending module 1710 is configured to: after receiving the authentication request sent by the third-party application server, send the to-be-signed information to the third-party application server, where the authentication request is received by the third-party application server. After the operation request sent by the third-party application client is sent to the authentication server, the operation request is sent by the third-party application client to the third-party application server after acquiring an operation instruction for requesting execution of the target operation. The operation request is for requesting the third-party application server to perform the target operation.
  • the third result receiving module 1720 is configured to receive, by the smart hardware, the first signature result transparently transmitted by the third-party application client and the third-party application server, where the first signature result is received by the smart hardware. After the information to be signed sent by the third-party application server, the information to be signed is obtained by using the application private key corresponding to the third-party application.
  • the first result verification module 1730 is configured to verify whether the first signature result is correct by using an application public key corresponding to the third-party application.
  • the indication sending module 1740 is configured to send an verification success indication to the third-party application server if the first signature result is correct, to trigger the third-party application server to perform the target operation.
  • the third information sending module includes:
  • An identifier reading submodule configured to receive the authentication request sent by the third party application server After the request, the authentication request information included in the authentication request and the identifier of the smart hardware are read, where the authentication request information is used to request the authentication server to generate the to-be-signed information;
  • a state obtaining submodule configured to acquire an available state of the smart hardware according to the identifier of the smart hardware
  • An information generating submodule configured to generate the to-be-signed information if an available state of the smart hardware indicates that the smart hardware is available;
  • a message sending submodule configured to send the to-be-signed information to the third-party application server.
  • the target operation is a login operation or a payment operation.
  • the authentication server further includes:
  • a seventh request receiving module configured to receive a binding request forwarded by the third-party application server, where the binding request includes at least binding request information and an identifier of the smart hardware, where the binding request information is used for requesting Establishing a binding relationship between the smart hardware and a user account that is logged in to the third-party application client, where the binding request is obtained by the third-party application client for requesting binding to the smart hardware.
  • the indication is generated and sent to the third-party application server;
  • a seventh transparent transmission module configured to transparently transmit a registration request to the smart hardware through the third-party application server and the third-party application client, after the receiving the binding request, to enable the smart hardware
  • generating an application public key and an application private key corresponding to the third-party application and signing, by using a hardware private key corresponding to the smart hardware, an application public key corresponding to the third-party application, Second signature result;
  • a fourth information receiving module configured to receive the to-be-verified information transparently transmitted by the smart hardware through the third-party application client and the third-party application server, where the to-be-verified information includes an application corresponding to the third-party application a public key, a second signature result, and a hardware certificate of the smart hardware, where the hardware certificate of the smart hardware includes a hardware public key corresponding to the smart hardware and an identifier of the smart hardware;
  • a public key extraction module configured to extract a hardware public key corresponding to the smart hardware from a hardware certificate of the smart hardware, if the root certificate public key is used to verify that the hardware certificate of the smart hardware is legal;
  • a second result verification module configured to verify whether the second signature result is correct by using a hardware public key corresponding to the smart hardware
  • the first binding relationship includes an identifier of the smart hardware, a binding relationship between the user account and an application public key corresponding to the third-party application;
  • An identifier sending module configured to send the identifier of the smart hardware to the third-party application server, so that the third-party application server stores a second binding relationship, where the second binding relationship includes an identifier of the smart hardware The binding relationship with the user account.
  • the authentication server further includes:
  • An index receiving module configured to receive an application key index sent by the smart hardware through the third-party application client and the third-party application server, where the application key index is used to index the third-party application Apply the public key and the application private key;
  • the first binding relationship includes a binding relationship between the identifier of the smart hardware, the user account, the application key index, and an application public key corresponding to the third-party application;
  • the binding relationship includes an identifier of the smart hardware, a binding relationship between the user account and the application key index.
  • the authentication server further includes:
  • An eighth request receiving module configured to receive a specified operation request transparently transmitted by the third-party application server, where the specified operation request is sent by the third-party application client after obtaining an operation instruction for requesting to perform a specified operation
  • the third-party application server the specified operation request includes at least an operation request information and an identifier of the smart hardware, where the operation request information is used to request to perform the specified operation, where the specified operation is an unbind operation or a report loss Operation, the unbinding operation refers to releasing the binding relationship between the smart hardware and the user account, where the loss reporting operation refers to reporting the intelligent hardware;
  • a second operation execution module configured to perform the specified operation after receiving the specified operation request.
  • FIG. 18 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
  • the electronic device may be the smart hardware in the above embodiment or install a terminal running a third-party application client. Specifically:
  • the electronic device 1800 can include an RF (Radio Frequency) circuit 1810, a memory 1820 including one or more computer readable storage media, an input unit 1830, a display unit 1840, a sensor 1850, an audio circuit 1860, and a WiFi (wireless fidelity,
  • the Wireless Fidelity module 1870 includes a processor 1880 having one or more processing cores, and a power supply 1890 and the like. It will be understood by those skilled in the art that the electronic device structure illustrated in FIG. 18 does not constitute a limitation to the electronic device, and may include more or less components than those illustrated, or a combination of certain components, or different component arrangements. among them:
  • the RF circuit 1810 can be used for receiving and transmitting signals during and after receiving or transmitting information, in particular, after receiving downlink information of the base station, and processing it by one or more processors 1880; in addition, transmitting data related to the uplink to the base station.
  • the RF circuit 1810 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier). , duplexer, etc.
  • SIM Subscriber Identity Module
  • RF circuitry 1810 can also communicate with the network and other devices via wireless communication.
  • the wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access). , Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
  • GSM Global System of Mobile communication
  • GPRS General Packet Radio Service
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • LTE Long Term Evolution
  • e-mail Short Messaging Service
  • the memory 1820 can be used to store software programs and modules, and the processor 1880 executes various functional applications and data processing by running software programs and modules stored in the memory 1820.
  • the memory 1820 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may be stored according to Data created by the use of the electronic device 1800 (such as audio data, phone book, etc.) and the like.
  • memory 1820 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 1820 can also include a memory controller to provide The processor 1880 and the input unit 1830 access the memory 1820.
  • Input unit 1830 can be used to receive input numeric or character information, as well as to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
  • the input unit 1830 may include an image input device 1831 and other input devices 1832.
  • the image input device 1831 may be a camera or an optical scanning device.
  • the input unit 1830 may also include other input devices 1832.
  • other input devices 1832 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • Display unit 1840 can be used to display information entered by the user or information provided to the user and various graphical user interfaces of electronic device 1800, which can be comprised of graphics, text, icons, video, and any combination thereof.
  • the display unit 1840 can include a display panel 1841.
  • the display panel 1841 can be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
  • Electronic device 1800 may also include at least one type of sensor 1850, such as a light sensor, motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 1841 according to the brightness of the ambient light, and the proximity sensor may close the display panel 1841 when the electronic device 1800 moves to the ear. And / or backlight.
  • the gravity acceleration sensor can detect the magnitude of acceleration in all directions (usually three axes). When it is stationary, it can detect the magnitude and direction of gravity. It can be used to identify the gesture of the mobile phone (such as horizontal and vertical screen switching, related Game, magnetometer attitude calibration), vibration recognition related functions (such as pedometer, tapping), etc.
  • the electronic device 1800 can also be configured with gyroscopes, barometers, hygrometers, thermometers, infrared sensors and other sensors, here No longer.
  • An audio circuit 1860, a speaker 1861, and a microphone 1862 can provide an audio interface between the user and the electronic device 1800.
  • the audio circuit 1860 can transmit the converted electrical data of the received audio data to the speaker 1861, and convert it into a sound signal output by the speaker 1861; on the other hand, the microphone 1862 converts the collected sound signal into an electrical signal, by the audio circuit 1860. After receiving, it is converted to audio data, and then processed by the audio data output processor 1880, transmitted to the electronic device such as another electronic device via the RF circuit 1810, or outputted to the memory 1820 for further processing.
  • the audio circuit 1860 may also include an earbud jack to provide communication of the peripheral earphones with the electronic device 1800.
  • WiFi is a short-range wireless transmission technology
  • the electronic device 1800 can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 1870, which provides wireless information for users. Broadband internet access.
  • FIG. 18 shows the WiFi module 1870, it can be understood that it does not belong to the essential configuration of the electronic device 1800, and may be omitted as needed within the scope of not changing the essence of the invention.
  • the processor 1880 is a control center for the electronic device 1800 that connects various portions of the entire handset with various interfaces and lines, by running or executing software programs and/or modules stored in the memory 1820, and recalling data stored in the memory 1820.
  • the various functions and processing data of the electronic device 1800 are executed to perform overall monitoring of the mobile phone.
  • the processor 1880 may include one or more processing cores; preferably, the processor 1880 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application, and the like.
  • the modem processor primarily handles wireless communications. It will be appreciated that the above described modem processor may also not be integrated into the processor 1880.
  • the electronic device 1800 also includes a power source 1890 (such as a battery) for powering various components.
  • the power source can be logically coupled to the processor 1880 through a power management system to manage functions such as charging, discharging, and power management through the power management system.
  • the power supply 1890 may also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
  • the electronic device 1800 may further include a Bluetooth module or the like, and details are not described herein again.
  • electronic device 1800 further includes a memory, and one or more programs, wherein one or more programs are stored in the memory and configured to be executed by one or more processors.
  • the one or more programs described above include instructions for implementing the method on the smart hardware side or the third party application client side.
  • non-transitory computer readable storage medium comprising instructions, such as a memory comprising instructions executable by a processor of an electronic device to perform the identity authentication method described above.
  • the non-transitory computer readable storage medium may be a ROM (Read-Only Memory), a RAM (Random-Access Memory), or a CD-ROM (Compact Disc Read-Only Memory, CD-ROM, tape, floppy disk and optical data storage devices.
  • FIG. 19 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • the server may be a third party application server or an authentication server in the above embodiment. Specifically:
  • the server 1900 includes a central processing unit (CPU) 1901, including a random access memory. (RAM) 1902 and system memory 1904 of read only memory (ROM) 1903, and system bus 1905 connecting system memory 1904 and central processing unit 1901.
  • the server 1900 also includes a basic input/output system (I/O system) 1906 that facilitates the transfer of information between various devices within the computer, and mass storage for storing the operating system 1913, applications 1914, and other program modules 1915.
  • I/O system basic input/output system
  • the basic input/output system 1906 includes a display 1908 for displaying information and an input device 1909 such as a mouse, keyboard, etc. for user input of information.
  • the display 1908 and the input device 1909 are both connected to the central processing unit 1901 by an input-output controller 1910 connected to the system bus 1905.
  • the basic input/output system 1906 can also include an input output controller 1910 for receiving and processing input from a plurality of other devices, such as a keyboard, mouse, or electronic stylus.
  • input-output controller 1910 also provides output to a display screen, printer, or other type of output device.
  • the mass storage device 1907 is connected to the central processing unit 1901 by a mass storage controller (not shown) connected to the system bus 1905.
  • the mass storage device 1907 and its associated computer readable medium provide non-volatile storage for the server 1900. That is, the mass storage device 1907 can include a computer readable medium (not shown) such as a hard disk or a CD-ROM drive.
  • the computer readable medium can include computer storage media and communication media.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid state storage technologies, CD-ROM, DVD or other optical storage, tape cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices.
  • RAM random access memory
  • ROM read only memory
  • EPROM Erasable programmable read-only memory
  • EEPROM electrically erasable programmable read-only memory
  • the server 1900 may also be operated by a remote computer connected to the network through a network such as the Internet. That is, the server 1900 can be connected to the network 1912 through a network interface unit 1911 connected to the system bus 1905, or can also be connected to other types of networks or remote computer systems (not shown) using the network interface unit 1911. .
  • the memory also includes one or more programs, the one or more programs being stored in a memory and configured to be executed by one or more processors.
  • One of the above or More than one program includes instructions for implementing the method on the third-party application server side or the authentication server side described above.
  • non-transitory computer readable storage medium comprising instructions, such as a memory comprising instructions executable by a processor of a server to perform the identity authentication method described above.
  • the non-transitory computer readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, or the like.
  • a plurality as referred to herein means two or more.
  • "and/or” describing the association relationship of the associated objects, indicating that there may be three relationships, for example, A and/or B, which may indicate that there are three cases where A exists separately, A and B exist at the same time, and B exists separately.
  • the character "/" generally indicates that the contextual object is an "or" relationship.
  • a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

本发明公开了一种身份认证方法、系统及设备。所述方法包括:第三方应用客户端在获取到用于请求执行目标操作的操作指示后,向第三方应用服务器发送操作请求;第三方应用服务器从认证服务器请求获取待签名信息,通过第三方应用客户端向智能硬件转发待签名信息;智能硬件采用第三方应用对应的应用私钥对待签名信息作签名,得到第一签名结果并发送给认证服务器;认证服务器在采用第三方应用对应的应用公钥验证第一签名结果正确之后,向第三方应用服务器发送验证成功指示;第三方应用服务器执行目标操作。本发明通过智能硬件实现身份认证,无需用户手动输入供身份认证的相关信息,使得用户在进行需要身份认证的网络操作时,更加便捷高效。

Description

身份认证方法、系统及设备
本申请要求于2016年4月27日提交中国专利局、申请号为2016102725917、发明名称为“身份认证方法、系统及设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本发明实施例涉及互联网技术领域,特别涉及一种身份认证方法、系统及设备。
背景技术
随着互联网技术的发展,用户的日常活动与网络息息相关。
用户在进行一些网络操作时,需要对用户进行身份认证。身份认证也称为“身份验证”或“身份鉴别”,是指在计算机及计算机网络系统中确认操作者身份的过程,即确定该用户是否具有对某种资源的访问和使用权限,以使计算机和网络系统的访问策略能够可靠、有效地执行,防止攻击者假冒合法用户获得资源的访问权限,保证系统和数据的安全,以及授权访问者的合法利益的过程。例如,对于登录操作,用户可以在相应的输入框中输入用户帐号和密码以完成登录流程;再例如,对于支付操作,用户可以在相应的输入框中输入支付密码以完成支付流程。
由于现有的身份认证方式需要用户手动输入供身份认证的相关信息(如用户帐号和密码),因此导致用户在进行需要身份认证的网络操作时,操作较为复杂低效。
发明内容
为了解决相关技术中身份认证方式需要用户手动输入供身份认证的相关信息,因此导致用户在进行需要身份认证的网络操作时,操作较为复杂低效的问题,本发明实施例提供了一种认证方法、系统及设备。所述技术方案如下:
第一方面,提供了一种身份认证方法,所述方法包括:
第三方应用客户端在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器 执行所述目标操作;
所述第三方应用服务器从认证服务器请求获取待签名信息,通过所述第三方应用客户端向智能硬件转发所述待签名信息;
所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器;
所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示;
所述第三方应用服务器在接收到所述验证成功指示之后,执行所述目标操作。
第二方面,提供了一种身份认证方法,应用于第三方应用客户端中,所述方法包括:
在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取;
向智能硬件转发所述待签名信息;
接收所述智能硬件发送的第一签名结果,所述第一签名结果由所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名后得到;
通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
第三方面,提供了一种身份认证方法,应用于第三方应用服务器中,所述方法包括:
接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
从认证服务器请求获取待签名信息;
通过所述第三方应用客户端向智能硬件转发所述待签名信息;
接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端;
将所述第一签名结果透传给所述认证服务器;
接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送;
在接收到所述验证成功指示之后,执行所述目标操作。
第四方面,提供了一种身份认证方法,应用于智能硬件中,所述方法包括:
接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果;
依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
第五方面,提供了一种身份认证方法,应用于认证服务器中,所述方法包括:
在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器 透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用所述第三方应用对应的应用私钥对所述待签名信息作签名得到;
采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确;
若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
第六方面,提供了一种身份认证系统,所述系统包括:第三方应用客户端、第三方应用服务器、智能硬件和认证服务器;
所述第三方应用客户端,用于在获取到用于请求执行目标操作的操作指示之后,向所述第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
所述第三方应用服务器,用于从所述认证服务器请求获取待签名信息,通过所述第三方应用客户端向所述智能硬件转发所述待签名信息;
所述智能硬件,用于采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器;
所述认证服务器,用于采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示;
所述第三方应用服务器,还用于在接收到所述验证成功指示之后,执行所述目标操作。
第七方面,提供了一种第三方应用客户端,所述第三方应用客户端包括:
第一请求发送模块,用于在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
第一信息接收模块,用于接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取;
第一信息发送模块,用于向智能硬件转发所述待签名信息;
第一结果接收模块,用于接收所述智能硬件发送的第一签名结果,所述第一签名结果由所述智能硬件采用所述第三方应用对应的应用私钥对所述待签 名信息作签名后得到;
第一透传模块,用于通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
第八方面,提供了一种第三方应用服务器,所述第三方应用服务器包括:
第二请求接收模块,用于接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
信息获取模块,用于从认证服务器请求获取待签名信息;
信息转发模块,用于通过所述第三方应用客户端向智能硬件转发所述待签名信息;
第二结果接收模块,用于接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端;
第三透传模块,用于将所述第一签名结果透传给所述认证服务器;
指示接收模块,用于接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送;
第一操作执行模块,用于在接收到所述验证成功指示之后,执行所述目标操作。
第九方面,提供了一种智能硬件,所述智能硬件包括:
第四信息接收模块,用于接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
第一信息签名模块,用于采用所述第三方应用对应的应用私钥对所述待签 名信息作签名,得到第一签名结果;
第五透传模块,用于依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
第十方面,提供了一种认证服务器,所述认证服务器包括:
第三信息发送模块,用于在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
第三结果接收模块,用于接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用所述第三方应用对应的应用私钥对所述待签名信息作签名得到;
第一结果验证模块,用于采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确;
指示发送模块,用于在所述第一签名结果正确的情况下向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
第十一方面,提供了一种第三方应用客户端,所述第三方应用客户端包括:
一个或多个处理器;和
存储器;
所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取;
向智能硬件转发所述待签名信息;
接收所述智能硬件发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到;
通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
第十二方面,提供了一种第三方应用服务器,所述第三方应用服务器包括:
一个或多个处理器;和
存储器;
所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
从认证服务器请求获取待签名信息;
通过所述第三方应用客户端向智能硬件转发所述待签名信息;
接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端;
将所述第一签名结果透传给所述认证服务器;
接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送;
在接收到所述验证成功指示之后,执行所述目标操作。
第十三方面,提供了一种智能硬件,所述智能硬件包括:
一个或多个处理器;和
存储器;
所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用 服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果;
依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
第十四方面,提供了一种认证服务器,所述认证服务器包括:
一个或多个处理器;和
存储器;
所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用第三方应用对应的应用私钥对所述待签名信息作签名得到;
采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确;
若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
本发明实施例提供的技术方案带来的有益效果包括:
通过智能硬件对待签名信息作签名得到第一签名结果,认证服务器在验证 第一签名结果正确的情况下指示第三方应用服务器执行目标操作;解决了现有的身份认证方式需要用户手动输入供身份认证的相关信息,因此导致用户在进行需要身份认证的网络操作时,操作较为复杂低效的问题;由于通过智能硬件实现身份认证,无需用户手动输入供身份认证的相关信息,使得用户在进行需要身份认证的网络操作时,更加便捷高效。
附图说明
为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1是本发明一个实施例提供的实施环境的示意图;
图2是本发明一个实施例提供的身份认证方法的流程图;
图3是本发明另一实施例提供的身份认证方法的流程图;
图4是本发明另一实施例提供的身份认证方法的流程图;
图5是本发明另一实施例提供的身份认证方法的流程图;
图6是本发明一个实施例提供的注册绑定方法的流程图;
图7是本发明另一实施例提供的注册绑定方法的流程图;
图8是本发明一个实施例提供的注销方法的流程图;
图9是本发明一个实施例提供的解绑方法的流程图;
图10是本发明另一实施例提供的解绑方法的流程图;
图11是本发明一个实施例提供的挂失方法的流程图;
图12是本发明另一实施例提供的挂失方法的流程图;
图13是本发明一个实施例提供的身份认证系统的框图;
图14是本发明一个实施例提供的第三方应用客户端的框图;
图15是本发明一个实施例提供的第三方应用服务器的框图;
图16是本发明一个实施例提供的智能硬件的框图;
图17是本发明一个实施例提供的认证服务器的框图;
图18是本发明一个实施例提供的电子设备的结构示意图;
图19是本发明一个实施例提供的服务器的结构示意图。
具体实施方式
为使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明实施方式作进一步地详细描述。
请参考图1,其示出了本发明一个实施例提供的实施环境的示意图,该实施环境包括:智能硬件120、第三方应用客户端140、第三方应用服务器160和认证服务器180。
智能硬件120是具有数字签名、密钥管理功能,用于提供身份认证的硬件设备。智能硬件120一般采用蓝牙或者NFC(Near Field Communication,近场通信)接口。例如,智能硬件120可以是诸如智能手环、智能手表之类的可穿戴设备。
第三方应用客户端140也可称为第三方应用中间件,是指第三方APP(Application,应用)搭载的驱动或者控件。第三方应用客户端140是用户登录、认证的主入口。第三方应用客户端140可由系统平台提供,也可由第三方应用商提供。第三方应用客户端140可用于提供以下服务:1、第三方应用中的用户帐号的注册申请和登录;2、记录用户默认的认证方式;3、远程查看支付记录;4、管理已授权的智能硬件120。第三方应用客户端140可安装运行于诸如手机、平板电脑之类的终端中。
第三方应用服务器160是第三方应用客户端140既有或新建的后台管理系统,用于负责第三方应用客户端140与认证服务器180之间的数据转发或路由。第三方应用服务器160可由系统平台提供,也可由第三方应用商提供。第三方应用服务器160可用于提供以下服务:1、在第三方应用客户端140和认证服务器180之间转发消息;2、管理第三方应用中的用户帐号,包括维护帐号状态(如停用、注销等);3、处理认证服务器180返回的数据;4、有效认证数据存储。
认证服务器180用于向被认证方(即智能硬件120、第三方应用客户端140和第三方应用服务器160的统称)提供一套配置选项,被认证方可通过相关协议的设置,管理与应用帐户有关的参数。认证服务器180可以是云平台服务器。为了保持用户体验的一致性,认证服务器180应支持必要功能,包括:注册绑定、登录、支付、解绑和挂失。认证服务器180可实现以下功能:1、智能硬件120注册绑定;2、认证授权被认证方;3、关键信息安全存储;4、智能硬 件120的标识发行;5、多应用管理;6、智能硬件120的状态管理与远程配置。
此外,智能硬件120可通过诸如蓝牙、NFC之类的近距离无线通信技术与第三方应用客户端140通信,第三方应用客户端140通过无线或有线网络与第三方应用服务器160通信,第三方应用服务器160通过无线或有线网络与认证服务器180通信。
为了便于理解,对本文中涉及的一些名词作介绍和说明。
1、硬件证书
硬件证书是指用于标识智能硬件的身份的唯一数字证书。硬件证书可符合X.509标准的DER(Distinguished Encoding Rules,可辨别编码规则)编码格式。每一个智能硬件在预个人化时均会写入相应的硬件证书。硬件证书是由认证服务器的CA(Certification Authority,证书管理机构)采用系统根证书签发、存放于智能硬件中的证书,用于确保智能硬件的真实性。
智能硬件在生产时生成硬件公钥、硬件私钥、智能硬件的标识。智能硬件的硬件证书也可以在智能硬件生产时预植到智能硬件中,内容包括硬件公钥和智能硬件的标识。
2、智能硬件的标识
智能硬件的标识也可称为硬件序列号,可以用H-ID表示。智能硬件的标识用于唯一标识智能硬件,在智能硬件出厂时预植到智能硬件中。
示例性地,智能硬件的标识共16位,格式如下:
第1至2位为产品型号,表示智能硬件的产品类型,范围从“01”至“99”;
第3至4位为厂商编号,表示智能硬件的生产厂商的编号,范围从“01”至“99”;
第5至6位为生产年份,取自然年的后两位,如:2016年,则取值为“16”;
第7至8位为生产月份,范围从“01”至“12”;
第9至16位为自然序列号,范围从“00000001”至“99999999”,满足每月1亿台生产量。
3、应用密钥索引
应用密钥索引由智能硬件生成,用于索引智能硬件内部生成的应用密钥。应用密钥索引可以用Keyhandle表示,其长度可变从0x00至0xff。应用密钥索引在注册绑定第三方应用中登录的用户账号时生成,在登录、支付等流程中由 智能硬件进行验证。
4、第三方应用的标识
第三方应用的标识用于唯一标识第三方应用,是指应用商提供的不同种类的应用的标识符,可以用AppID表示。
请参考图2,其示出了本发明一个实施例提供的身份认证方法的流程图,该方法可用于图1所示的实施环境中。该方法可以包括如下几个步骤。
步骤201,第三方应用客户端在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,操作请求用于请求第三方应用服务器执行目标操作。
相应地,第三方应用服务器接收第三方应用客户端发送的操作请求。
步骤202,第三方应用服务器从认证服务器请求获取待签名信息。
步骤203,第三方应用服务器通过第三方应用客户端向智能硬件转发待签名信息。
相应地,智能硬件接收第三方应用服务器通过第三方应用客户端转发的待签名信息。
步骤204,智能硬件采用第三方应用对应的应用私钥对待签名信息作签名,得到第一签名结果。
步骤205,智能硬件依次通过第三方应用客户端和第三方应用服务器将第一签名结果透传给认证服务器。
相应地,认证服务器接收智能硬件依次通过第三方应用客户端和第三方应用服务器透传的第一签名结果。
步骤206,认证服务器采用第三方应用对应的应用公钥验证第一签名结果是否正确。
步骤207,若第一签名结果正确,则认证服务器向第三方应用服务器发送验证成功指示。
相应地,第三方应用服务器接收认证服务器发送的验证成功指示。
步骤208,第三方应用服务器在接收到验证成功指示之后,执行目标操作。
综上所述,本实施例提供的方法,通过智能硬件对待签名信息作签名得到第一签名结果,认证服务器在验证第一签名结果正确的情况下指示第三方应用服务器执行目标操作;解决了现有的身份认证方式需要用户手动输入供身份认 证的相关信息,因此导致用户在进行需要身份认证的网络操作时,操作较为复杂低效的问题;由于通过智能硬件实现身份认证,无需用户手动输入供身份认证的相关信息,使得用户在进行需要身份认证的网络操作时,更加便捷高效。
通过智能硬件实现身份认证之前,需要完成注册绑定流程,以建立智能硬件与第三方应用的用户帐号之间的绑定关系。注册绑定流程的具体过程可参见下述图6和图7所示实施例中的介绍和说明。
在注册绑定流程中,智能硬件生成第三方应用对应的应用公钥和应用私钥,将应用公钥发送给认证服务器,并将应用私钥在本地保存。可选地,智能硬件还生成应用密钥索引,应用密钥索引用于索引第三方应用对应的应用公钥和应用私钥。智能硬件中存储有第三方应用对应的应用私钥和应用密钥索引之间的绑定关系。
在完成注册绑定流程之后,认证服务器中存储有第一绑定关系,该第一绑定关系至少包括智能硬件的标识、用户帐号和第三方应用对应的应用公钥之间的绑定关系。可选地,第一绑定关系中还包括应用密钥索引。可选地,第一绑定关系中还包括第三方应用的标识。
在完成注册绑定流程之后,第三方应用服务器中存储有第二绑定关系,该第二绑定关系至少包括智能硬件的标识和用户帐号之间的绑定关系。可选地,第二绑定关系中还包括应用密钥索引。
在完成注册绑定流程之后,便可通过智能硬件实现身份认证,实现快捷登录和快捷支付。
请参考图3,其示出了本发明另一实施例提供的身份认证方法的流程图,该方法可用于图1所示的实施环境中。该方法可以包括如下几个步骤。
步骤301,第三方应用客户端在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求。
操作请求用于请求第三方应用服务器执行目标操作。目标操作是指需要对用户进行身份认证的网络操作。例如,目标操作为登录操作或者支付操作。其中,登录操作是指登录用户在第三方应用中注册的用户帐号;支付操作是指通过第三方应用向目标对象进行网络支付。
用户想要进行登录操作或支付操作时,可以通过操作,触发第三方应用客 户端显示验证方式选择界面,其中,验证方式选择界面中可以显示有智能硬件验证选项和密码验证选项,用户可以根据自己的需求,选择相应的验证方式。当第三方应用客户端检测到智能硬件验证选项的选取指令时,即可获取到用于请求执行目标操作的操作指示,进而,可以向第三方应用服务器发送操作请求。也就是说,上述用于请求执行目标操作的操作指示是由用户触发的。又例如,用户在第三方应用客户端提供的登录界面中点击第一操作控件,触发第三方应用客户端获取用于请求执行登录操作的操作指示;再例如,用户在第三方应用客户端提供的支付界面中点击第二操作控件,触发第三方应用客户端获取用于请求执行支付操作的操作指示。
可选地,针对目标操作为登录操作的情况,第三方客户端向第三方应用服务器发送的操作请求中还可以携带有智能硬件的标识,相应的,处理过程可以如下:第三方应用客户端在获取到用于请求执行登录操作的操作指示之后,可以向智能硬件发送标识获取请求,标识获取请求用于请求获取智能硬件的标识;智能硬件在接收到第三方应用客户端发送的标识获取请求之后,可以将智能硬件的标识发送给第三方应用客户端;第三方应用客户端可以接收智能硬件发送的智能硬件的标识,向第三方应用服务器发送登录请求,登录请求中包括登录请求信息和智能硬件的标识。其中,登录请求信息用于请求第三方应用服务器登录在第三方应用中的目标用户帐号,该目标用户帐号是第三方应用中与智能硬件的标识绑定的用户帐号。
可选地,针对目标操作为支付操作的情况,第三方应用客户端在获取到用于请求执行支付操作的操作指示之后,可以向第三方应用服务器发送支付请求,支付请求中包括支付请求信息,支付请求信息用于请求第三方应用服务器完成目标订单的支付流程,该目标订单是在请求执行支付操作之前已生成并发送给第三方应用服务器的订单。
第三方应用服务器接收到第三方应用客户端发送的操作请求之后,从认证服务器请求获取待签名信息,具体包括如下步骤302至步骤306。
步骤302,第三方应用服务器获取智能硬件的标识。
针对目标操作为登录操作的情况,智能硬件的标识可以是由第三方应用客户端提供给第三方应用服务器的。具体的,可以按照301中讲述的方法,第三方应用客户端在获取到用于请求执行登录操作的操作指示之后,可以向智能硬件获取智能硬件的标识,进而,向第三方应用服务器发送携带有智能硬件的标 识的登录请求,第三方应用服务器接收到第三方客户端发送的登录请求后,可以对其进行解析,从而,获取智能硬件的标识。
针对目标操作为支付操作的情况,由于第三方应用客户端中的用户帐号已经处于登录状态,第三方应用服务器可根据预先存储的第二绑定关系,查询获取与当前登录的用户帐号处于绑定关系的智能硬件的标识。上述第二绑定关系由第三方应用服务器在注册绑定流程中存储,注册绑定流程参见下文介绍和说明。当然,在其它可能的实施方式中,智能硬件的标识也可由第三方应用客户端提供给第三方应用服务器,例如在支付请求中携带智能硬件的标识。
步骤303,第三方应用服务器向认证服务器发送鉴权请求。
鉴权请求中至少包括鉴权请求信息和智能硬件的标识,鉴权请求信息用于请求认证服务器生成待签名信息。
可选地,鉴权请求中还包括第三方应用的标识。由于一个智能硬件可与多种不同的第三方应用绑定,也即与多种不同的第三方应用中的用户帐号绑定,因此为了区分第三方应用,第三方应用服务器将第三方应用的标识添加至鉴权请求中。
可选地,在目标操作为支付操作的情况下,鉴权请求中还包括订单信息。订单信息可包括订单号和交易关键信息,如交易金额、商户名称、交易时间、物品名称、物品数量等。
相应地,认证服务器接收第三方应用服务器发送的鉴权请求。
可选的,第三方应用服务器中可以预先存储有智能硬件的标识与第三方应用的用户账号的绑定关系的第二绑定关系。此种情况下,第三方应用服务器获取到智能硬件的硬件标识后,可以判断第二绑定关系中是否包含智能硬件标识与第三方应用的用户账号的绑定关系,如果存储有智能硬件标识与第三方应用的用户账号的绑定关系,则第三方应用服务器可以向认证服务器发送鉴权请求。
步骤304,认证服务器根据智能硬件的标识,获取智能硬件的可用状态。
可用状态可包括绑定状态、未绑定状态、挂失状态。绑定状态是指当前记录有与智能硬件的标识处于绑定关系的该第三方应用中的用户帐号。未绑定状态是指当前未记录有与智能硬件的标识处于绑定关系的该第三方应用中的用户帐号。挂失状态是指当前未记录有与智能硬件的标识处于绑定关系的所有第三方应用中的用户帐号。如果智能硬件的可用状态为绑定状态,则可以指示智 能硬件可用;如果智能硬件的可用状态为未绑定状态或者挂失状态,则指示智能硬件不可用。
步骤305,若智能硬件的可用状态指示智能硬件可用,则认证服务器生成待签名信息。
可选地,待签名信息包括挑战随机数(challenge parameter),其中,挑战随机数可以是预设的任意数,也可以是由认证服务器根据预设规则随机生成的任意数。可选地,待签名信息还包括应用参数(application parameter),应用参数与第三方应用相对应。
在目标操作为登录操作的情况下,待签名信息可包括挑战随机数和应用参数。在目标操作为支付操作的情况下,待签名信息可包括挑战随机数、应用参数、订单信息、时间戳等。
步骤306,认证服务器向第三方应用服务器发送待签名信息。
相应地,第三方应用服务器接收认证服务器发送的待签名信息。
此外,若智能硬件的可用状态指示智能硬件不可用,则认证服务器不执行任何操作,或者向第三方应用服务器发送用于指示智能硬件不可用的反馈信息。相应的,针对若智能硬件的可用状态指示智能硬件不可用,则认证服务器不执行任何操作的情况,如果第三方应用服务器在鉴权请求发送后的预设时长内未接收到待签名信息,则可以向第三方应用客户端反馈失败指示。针对智能硬件的可用状态指示智能硬件不可用,则认证服务器向第三方应用服务器发送用于指示智能硬件不可用的反馈信息的情况,第三方应用服务器接收到上述反馈信息之后,可以向第三方应用客户端反馈失败指示。第三方应用客户端接收到失败指示后,可以根据预设的提示方式,发出目标操作执行失败的提示信号,其中,可以以文本形式发出提示信号,也可以通过语音形式发出提示信号,也可以通过振动形式发出提示信号(其中,可以根据预设的振动强度和振动次数,发出振动提示信号,或者根据预设的振动强度、振动次数和振动强度变化趋势,发出振动提示信号)。
步骤307,第三方应用服务器通过第三方应用客户端向智能硬件转发待签名信息。
此步骤中,第三方应用客户端透传待签名信息。
相应地,智能硬件接收第三方应用服务器通过第三方应用客户端转发的待签名信息。
步骤308,智能硬件生成确认提示信息。
确认提示信息用于询问是否确认执行目标操作。例如,在目标操作为登录操作的情况下,确认提示信息可用于询问用户是否确认登录第三方应用;再例如,在目标操作为支付操作的情况下,确认提示信息可用于询问用户是否确认支付目标订单。在本实施例中,对确认提示信息的提示方式不作限定,例如显示提示、声光提示、震动提示或者语音提示等。
步骤309,智能硬件获取对应于确认提示信息的确认指示。
用户获取到确认提示信息之后,若用户确认执行目标操作,则可以通过操作触发智能硬件获取对应的确认指示。例如,用户可以通过按确认键、刷指纹、刷虹膜等方式来触发智能硬件获取对应的确认指示。
可选地,确认指示也可以由用户通过生物信息触发智能硬件获取。具体的,智能硬件获取到确认提示信息后,可以开启生物信息采集功能,对用户的生物信息进行采集,采集到生物信息后,可以对其进行验证,当采集的生物信息验证成功时,即可触发智能硬件获取对应于确认提示信息的确认指示,例如,智能硬件中可以预先存储有基准生物信息,智能硬件采集到生理信息后,可以将采集的生物信息与预先存储的基准生物信息进行比较,当采集的生物信息与基准生物信息相匹配时,即可触发智能硬件获取对应于确认提示信息的确认指示。其中,生物信息包括但不限于:指纹、虹膜、视网膜、基因、声音、人脸、手掌几何、静脉、步态和笔迹中的任意一种。由于用户的生物信息具有唯一性,通过上述方式,可实现对操作者的身份验证,避免因智能硬件被他人恶意获取后发生误确认的情况,进一步提高安全性。
智能硬件在获取到对应于确认提示信息的确认指示之后,执行下述步骤310,否则若未获取到确认指示则不执行下述步骤310。
步骤310,智能硬件采用第三方应用对应的应用私钥对待签名信息作签名,得到第一签名结果。
第三方应用对应的应用私钥由智能硬件在注册绑定流程中生成。
可选地,上述第二绑定关系中还可以记录有应用密钥索引,此种情况下,第三方应用服务器从认证服务器请求获取待签名信息之后,还可以执行如下步骤:第三方应用服务器根据智能硬件的标识或者用户帐号,查询第二绑定关系获取对应的应用密钥索引,通过第三方应用客户端向智能硬件发送应用密钥索引。智能硬件接收到第三方应用服务器通过第三方应用客户端发送的应用密钥 索引后,可以根据应用密钥索引,获取第三方应用对应的应用私钥。其中,第二绑定关系包括智能硬件的标识、用户帐号和应用密钥索引之间的绑定关系,第二绑定关系由第三方应用服务器在注册绑定流程中存储。应用密钥索引由智能硬件在注册绑定流程中生成,用于索引第三方应用对应的应用公钥和应用私钥。智能硬件通过应用密钥索引检测是否存在相应的应用私钥,可实现对第三方应用服务器进行验证,提高安全性。
步骤311,智能硬件依次通过第三方应用客户端和第三方应用服务器将第一签名结果透传给认证服务器。
相应地,认证服务器接收智能硬件依次通过第三方应用客户端和第三方应用服务器透传的第一签名结果。
步骤312,认证服务器采用第三方应用对应的应用公钥验证第一签名结果是否正确。
第三方应用对应的应用公钥由智能硬件在注册绑定流程中生成。认证服务器在注册绑定流程中存储第一绑定关系,该第一绑定关系至少包括智能硬件的标识、用户帐号和第三方应用对应的应用公钥之间的绑定关系。认证服务器接收到第一签名结果后,可以通过查询预先存储的第一绑定关系,来获取与智能硬件的标识绑定的第三方应用对应的应用公钥,进而,可以采用该第三方应用对应的应用公钥对第一签名结果验证。
步骤313,若第一签名结果正确,则认证服务器向第三方应用服务器发送验证成功指示。即若认证服务器确定出第一签名结果确实是由智能硬件采用应用私钥对认证服务器发送的待签名信息进行签名得到的,则可以向第三方应用服务器发送验证成功指示。
相应地,第三方应用服务器接收认证服务器发送的验证成功指示。
步骤314,第三方应用服务器在接收到验证成功指示之后,执行目标操作。
在目标操作为登录操作的情况下,第三方应用服务器将与智能硬件的标识绑定的用户帐号从非登录态置为登录态,实现第三方客户端可以通过智能硬件登录,无需用户输入用户帐号和密码。
在目标操作为支付操作的情况下,第三方应用服务器完成上述订单信息所对应的目标订单的支付流程,实现第三方客户端可以通过智能硬件支付,无需用户输入支付密码。
可选地,智能硬件还可以对第三方应用对应的应用私钥的引用次数进行统 计,相应的,上述步骤310可由如下步骤替代实现:智能硬件获取计数器的数值,计数器用于统计第三方应用对应的应用私钥的引用次数;智能硬件采用第三方应用对应的应用私钥,对待签名信息和计数器的数值作签名,得到第一签名结果。相应的,针对智能硬件对待签名信息和计数器的数值作签名的情况,上述步骤311可由如下步骤替代实现:智能硬件依次通过第三方应用客户端和第三方应用服务器,将第一签名结果和计数器的数值透传给认证服务器。相应地,认证服务器接收智能硬件依次通过第三方应用客户端和第三方应用服务器透传的第一签名结果和计数器的数值。另外,每当智能硬件采用应用密钥对待签名信息进行签名后,可以将计数器的数值加一。
综上所述,本实施例提供的方法,通过智能硬件对待签名信息作签名得到第一签名结果,认证服务器在验证第一签名结果正确的情况下指示第三方应用服务器执行目标操作;解决了现有的身份认证方式需要用户手动输入供身份认证的相关信息,因此导致用户在进行需要身份认证的网络操作时,操作较为复杂低效的问题;由于通过智能硬件实现身份认证,无需用户手动输入供身份认证的相关信息,使得用户在进行需要身份认证的网络操作时,更加便捷高效。
请参考图4,其示出了本发明另一实施例提供的身份认证方法的流程图。在本实施例中,目标操作为登录操作,对登录流程进行介绍和说明。该方法可以包括如下几个步骤。
步骤401,用户在第三方应用客户端中选择智能硬件方式登录。
相应地,第三方应用客户端获取用于请求执行登录操作的操作指示。
步骤402,第三方应用客户端在获取上述操作指示之后,向智能硬件发送标识获取请求。
相应地,智能硬件接收第三方应用客户端发送的标识获取请求。
步骤403,智能硬件将智能硬件的标识发送给第三方应用客户端。
相应地,第三方应用客户端接收智能硬件发送的智能硬件的标识。
步骤404,第三方应用客户端向第三方应用服务器发送登录请求,登录请求中包括登录请求信息和智能硬件的标识。
相应地,第三方应用服务器接收第三方应用客户端发送的登录请求。
步骤405,第三方应用服务器检测是否存在与智能硬件的标识绑定的用户帐号,若存在,则向认证服务器发送鉴权请求,鉴权请求中包括鉴权请求信息、 智能硬件的标识和第三方应用的标识。
相应地,认证服务器接收第三方应用服务器发送的鉴权请求。
步骤406,认证服务器根据智能硬件的标识,获取智能硬件的可用状态。
步骤407,若智能硬件的可用状态指示智能硬件可用,则认证服务器向第三方应用服务器发送待签名信息,待签名信息包括挑战随机数和应用参数。
相应地,第三方应用服务器接收认证服务器发送的待签名信息。
步骤408,第三方应用服务器通过智能硬件的标识,查询第二绑定关系获取对应的应用密钥索引。
步骤409,第三方应用服务器向第三方应用客户端发送待签名信息和应用密钥索引。
相应地,第三方应用客户端接收第三方应用服务器发送的待签名信息和应用密钥索引。
步骤410,第三方应用客户端向智能硬件发送待签名信息和应用密钥索引。
相应地,智能硬件接收第三方应用客户端发送的待签名信息和应用密钥索引。
步骤411,智能硬件生成确认提示信息。
步骤412,智能硬件获取对应于确认提示信息的确认指示。
步骤413,智能硬件通过应用密钥索引,查询第三绑定关系获取对应的应用私钥,采用应用私钥对待签名信息和计数器的数值作签名,得到第一签名结果。
步骤414,智能硬件依次通过第三方应用客户端和第三方应用服务器,将第一签名结果和计数器的数值透传给认证服务器。
相应地,认证服务器接收智能硬件依次通过第三方应用客户端和第三方应用服务器透传的第一签名结果和计数器的数值。
步骤415,认证服务器通过智能硬件的标识和第三方应用的标识,查询第一绑定关系获取对应的应用密钥索引,并通过应用密钥索引进一步获取对应的应用公钥,采用应用公钥对第一签名结果验签。
步骤416,若验签成功,则认证服务器向第三方应用服务器发送验证成功指示和智能硬件的标识。
相应地,第三方应用服务器接收认证服务器发送的验证成功指示和智能硬件的标识。
步骤417,第三方应用服务器通过智能硬件的标识,查询第二绑定关系获取对应的用户帐号,将该用户帐号从非登录态置为登录态,向第三方应用客户端发送登录成功信息。
登录成功信息中可携带用户帐号。
相应地,第三方应用客户端接收第三方应用服务器发送的登录成功信息。
步骤418,第三方应用客户端将该用户帐号从非登录态置为登录态。
步骤419,第三方应用客户端向用户显示登录成功页面。
通过本实施例提供的方法,用户可通过智能硬件完成帐号登录,无需输入用户帐号和密码,登录过程便捷高效;且由于智能硬件相较于第三方应用客户端的安全性更高,也保证了登录过程的安全性。
请参考图5,其示出了本发明另一实施例提供的身份认证方法的流程图。在本实施例中,目标操作为支付操作,对支付流程进行介绍和说明。该方法可以包括如下几个步骤。
步骤501,用户在第三方应用客户端中选择智能硬件方式支付。
相应地,第三方应用客户端获取用于请求执行支付操作的操作指示。
步骤502,第三方应用客户端在获取上述操作指示之后,向第三方应用服务器发送支付请求,支付请求中包括支付请求信息。
相应地,第三方应用服务器接收第三方应用客户端发送的支付请求。
步骤503,第三方应用服务器向认证服务器发送鉴权请求,鉴权请求中包括鉴权请求信息、智能硬件的标识、第三方应用的标识和订单信息。
相应地,认证服务器接收第三方应用服务器发送的鉴权请求。
步骤504,认证服务器根据智能硬件的标识,获取智能硬件的可用状态。
步骤505,若智能硬件的可用状态指示智能硬件可用,则认证服务器向第三方应用服务器发送待签名信息,待签名信息包括挑战随机数、应用参数、订单信息和时间戳。
相应地,第三方应用服务器接收认证服务器发送的待签名信息。
步骤506,第三方应用服务器通过智能硬件的标识或者用户帐号,查询第二绑定关系获取对应的应用密钥索引。
步骤507,第三方应用服务器向第三方应用客户端发送待签名信息和应用密钥索引。
相应地,第三方应用客户端接收第三方应用服务器发送的待签名信息和应用密钥索引。
步骤508,第三方应用客户端向智能硬件发送待签名信息和应用密钥索引。
相应地,智能硬件接收第三方应用客户端发送的待签名信息和应用密钥索引。
步骤509,智能硬件生成确认提示信息。
其中,确认提示信息中可包括从订单信息中提取的交易关键信息,如交易金额、商户名称、交易时间等。
步骤510,智能硬件获取对应于确认提示信息的确认指示。
可选地,如果交易金额大于预设值,可增加第二验证措施,如提示用户输入密码,该密码的形式可以是数字、指纹、虹膜等。
步骤511,智能硬件通过应用密钥索引,查询第三绑定关系获取对应的应用私钥,采用应用私钥对待签名信息和计数器的数值作签名,得到第一签名结果。
本步骤中的待签名信息可以仅包括挑战随机数和应用参数,也即智能硬件采用应用私钥对挑战随机数、应用参数和计数器的数值作签名。
步骤512,智能硬件依次通过第三方应用客户端和第三方应用服务器,将第一签名结果和计数器的数值透传给认证服务器。
相应地,认证服务器接收智能硬件依次通过第三方应用客户端和第三方应用服务器透传的第一签名结果和计数器的数值。
步骤513,认证服务器通过智能硬件的标识和第三方应用的标识,查询第一绑定关系获取对应的应用密钥索引,并通过应用密钥索引进一步获取对应的应用公钥,采用应用公钥对第一签名结果验签。
步骤514,若验签成功,则认证服务器向第三方应用服务器发送验证成功指示和订单信息。
相应地,第三方应用服务器接收认证服务器发送的验证成功指示和订单信息。
步骤515,第三方应用服务器完成上述订单信息所对应的目标订单的支付流程,向第三方应用客户端发送支付成功信息。
相应地,第三方应用客户端接收第三方应用服务器发送的支付成功信息。
步骤516,第三方应用客户端从未支付状态变为支持成功状态。
步骤517,第三方应用客户端向用户显示支付成功页面。
通过本实施例提供的方法,用户可通过智能硬件完成订单支付,无需输入支付密码,登录过程便捷高效;且由于智能硬件相较于第三方应用客户端的安全性更高,也保证了支付过程的安全性。
下面,通过图6所示实施例,对注册绑定流程进行介绍和说明。
请参考图6,其示出了本发明一个实施例提供的注册绑定方法的流程图,该方法可用于图1所示的实施环境中。该方法可以包括如下几个步骤。
步骤601,第三方应用客户端在获取到用于请求绑定智能硬件的操作指示之后,获取智能硬件的标识。
用户在通过智能硬件方式触发第三方应用服务器执行目标操作前,可以经过操作,触发建立第三方应用的用户账号与智能硬件的标识的绑定关系。具体的,用户可以通过相关技术中的登录方法(比如手动输入用户账号和密钥的方法),登录第三方应用的用户账号,进而,可以通过操作触发第三方应用客户端获取用于请求绑定智能硬件的操作指示。第三方应用客户端在获取到用于请求绑定智能硬件的操作指示之后,可以向智能硬件发送标识获取请求,标识获取请求用于请求获取智能硬件的标识;智能硬件在接收到第三方应用客户端发送的标识获取请求之后,将智能硬件的标识发送给第三方应用客户端;第三方应用客户端接收智能硬件发送的智能硬件的标识。
在实际应用中,对于一种第三方应用,支持一个智能硬件可与该种第三方应用中的一个用户帐号绑定,即对于每种第三方应用,智能硬件标识与该第三方应用的用户账号一一对应;而对于多种不同的第三方应用,支持一个智能硬件可与多种不同的第三方应用绑定,也即与多种不同的第三方应用中的用户帐号绑定。
步骤602,第三方应用客户端向第三方应用服务器发送绑定请求。
绑定请求中包括绑定请求信息和智能硬件的标识,绑定请求信息用于请求建立智能硬件的标识与登录第三方应用客户端的用户帐号之间的绑定关系。
相应地,第三方应用服务器接收第三方应用客户端发送的绑定请求。
步骤603,第三方应用服务器向认证服务器转发绑定请求。
绑定请求中至少包括绑定请求信息和智能硬件的标识。
相应地,认证服务器接收第三方应用服务器转发的绑定请求。
可选地,第三方应用服务器在向认证服务器发送绑定请求时,还可以将第三方应用的标识添加到绑定请求中,即第三方应用服务器向认证服务器发送的绑定请求中还可以携带有第三方应用的标识。
步骤604,认证服务器在接收到绑定请求之后,依次通过第三方应用服务器和第三方应用客户端向智能硬件透传注册请求。
其中,注册请求用于指示智能硬件生成第三方应用对应的应用密钥。可选地,注册请求中包括注册请求信息和应用参数。注册请求信息用于指示智能硬件生成第三方应用对应的应用密钥。应用参数与第三方应用相对应。可选地,注册请求中还包括挑战随机数,挑战随机数由认证服务器根据预设规则随机生成。
相应地,智能硬件依次通过第三方应用服务器和第三方应用客户端接收认证服务器透传的注册请求。
针对第三方应用服务器向认证服务器发送的绑定请求中还携带有第三方应用的标识的情况,认证服务器在接收到绑定请求之后,还可以判断认证服务器中当前是否记录有智能硬件的标识与第三方应用的标识对应的第三方应用的用户账号的绑定关系,如果认证服务器中当前未记录有智能硬件的标识与该第三方应用的用户账号的绑定关系,则依次通过第三方应用服务器和第三方应用客户端向智能硬件透传注册请求。如果认证服务器中当前记录有智能硬件的标识与该第三方应用的用户账号的绑定关系,则可以不进行任何处理,或者,也可以通过第三方应用服务器向第三方客户端发送注册失败指示。针对认证服务器通过第三方服务器向第三方客户端发送注册失败指示的情况,第三方客户端可以接收认证服务器发送的注册失败指示。
步骤605,智能硬件在接收到注册请求之后,生成第三方应用对应的应用公钥和应用私钥。
步骤606,智能硬件采用智能硬件对应的硬件私钥对第三方应用对应的应用公钥作签名,得到第二签名结果。
步骤607,智能硬件依次通过第三方应用客户端和第三方应用服务器向认证服务器透传待验证信息。
待验证信息包括第三方应用对应的应用公钥、第二签名结果和智能硬件的硬件证书,智能硬件的硬件证书包括智能硬件对应的硬件公钥和智能硬件的标识。
相应地,认证服务器依次通过第三方应用客户端和第三方应用服务器接收智能硬件透传的待验证信息。
可选地,针对上述第二绑定关系中还存在应用密钥索引的情况,相应的,智能硬件在接收到注册请求之后,还可以执行如下步骤:智能硬件生成应用密钥索引,应用密钥索引用于索引第三方应用对应的应用公钥和应用私钥;智能硬件依次通过第三方应用客户端和第三方应用服务器将应用密钥索引发送给认证服务器。可选地,应用密钥索引可采用智能硬件对应的硬件私钥作签名后发送给认证服务器。认证服务器向智能硬件发送的注册请求中还可以包括应用参数,此种情况下,智能硬件生成应用密钥索引的处理过程可以如下:智能硬件生成应用参数和第三方应用对应的应用私钥的摘要值;智能硬件生成随机数;智能硬件根据摘要值和随机数生成应用密钥索引。
步骤608,认证服务器在采用根证书公钥验证智能硬件的硬件证书合法的情况下,从智能硬件的硬件证书中提取智能硬件对应的硬件公钥。
步骤609,认证服务器采用智能硬件对应的硬件公钥验证第二签名结果是否正确。
步骤610,若第二签名结果正确,则认证服务器存储第一绑定关系。
第一绑定关系包括智能硬件的标识、用户帐号和第三方应用对应的应用公钥之间的绑定关系。可选地,第一绑定关系中还包括第三方应用的标识。
步骤611,认证服务器向第三方应用服务器发送智能硬件的标识。
相应地,第三方应用服务器接收认证服务器发送的智能硬件的标识。
步骤612,第三方应用服务器存储第二绑定关系。
第二绑定关系包括智能硬件的标识和用户帐号之间的绑定关系。
此外,在认证服务器还获取到应用密钥索引的情况下,认证服务器存储的第一绑定关系包括智能硬件的标识、用户帐号、应用密钥索引和第三方应用对应的应用公钥之间的绑定关系。认证服务器在验证第二签名结果正确之后,还向第三方应用服务器发送应用密钥索引。相应地,第三方应用服务器存储的第二绑定关系包括智能硬件的标识、用户帐号和应用密钥索引之间的绑定关系。
本实施例提供的方法,由于硬件证书是由认证服务器采用系统根证书签发且存放于智能硬件中的证书,以系统根证书作为信任根,用来认证智能硬件以确保智能硬件的真实性,并且保障应用公钥的安全传输,有利于实现更加安全和稳定的系统。
请参考图7,其示出了本发明另一实施例提供的注册绑定方法的流程图。该方法可以包括如下几个步骤。
步骤701,用户在第三方应用客户端上使用用户帐号和密码登录。
步骤702,第三方应用客户端将用户登录信息发送给第三方应用服务器,用户登录信息包括用户帐号和密码。
相应地,第三方应用服务器接收第三方应用客户端发送的用户登录信息。
步骤703,第三方应用服务器验证用户登录信息通过后,向第三方应用客户端返回登录成功信息,第三方应用客户端显示用户已进入登录状态。
步骤704,第三方应用客户端登录成功后,用户在第三方应用客户端中选择绑定智能硬件。
相应地,第三方应用客户端获取用于请求绑定智能硬件的操作指示。
步骤705,第三方应用客户端搜索附近的智能硬件,显示设备列表,用户从设备列表中选择自身对应的智能硬件。
其中,设备列表中包含第三方应用客户端在附近搜索到的智能硬件。
步骤706,第三方应用客户端向被选择的智能硬件发送标识获取请求。
标识获取请求用于请求获取智能硬件的标识。
相应地,智能硬件接收第三方应用客户端发送的标识获取请求。
步骤707,智能硬件将智能硬件的标识发送给第三方应用客户端。
相应地,第三方应用客户端接收智能硬件发送的智能硬件的标识。
步骤708,第三方应用客户端获取智能硬件的绑定状态,若绑定状态指示智能硬件为未绑定,则向第三方应用服务器发送绑定请求。
绑定请求中包括绑定请求信息和智能硬件的标识,绑定请求信息用于请求建立智能硬件与登录第三方应用客户端的用户帐号之间的绑定关系。智能硬件的绑定状态可由智能硬件发送给第三方应用客户端。
相应地,第三方应用服务器接收第三方应用客户端发送的绑定请求。
另外,若绑定状态指示智能硬件为已绑定,则退出注册绑定流程。
步骤709,第三方应用服务器向认证服务器转发绑定请求。
绑定请求中包括绑定请求信息、智能硬件的标识和第三方应用的标识。
相应地,认证服务器接收第三方应用服务器转发的绑定请求。
步骤710,认证服务器在接收到绑定请求之后,通过第三方应用服务器向 第三方应用客户端发送注册请求。
注册请求中包括注册请求信息、挑战随机数和应用参数。
相应地,第三方应用客户端通过第三方应用服务器接收认证服务器发送的注册请求。
步骤711,第三方应用客户端将注册请求转发给智能硬件。
相应地,智能硬件接收第三方应用客户端转发的注册请求。
步骤712,智能硬件生成确认提示信息。
在本实施例中,确认提示信息用于询问是否确认绑定智能硬件。
步骤713,智能硬件获取对应于确认提示信息的确认指示。
用户获取到确认提示信息之后,若确认绑定智能硬件,则触发确认指示。例如,用户通过按确认键、刷指纹、刷虹膜等方式触发确认指示。
步骤714,智能硬件生成第三方应用对应的应用公钥和应用私钥,并生成相应的应用密钥索引,采用硬件私钥对应用密钥索引和应用公钥作签名,得到第二签名结果。
步骤715,智能硬件依次通过第三方应用客户端和第三方应用服务器向认证服务器透传待验证信息。
待验证信息包括第三方应用对应的应用公钥、第二签名结果和智能硬件的硬件证书,智能硬件的硬件证书包括智能硬件对应的硬件公钥和智能硬件的标识。
相应地,认证服务器依次通过第三方应用客户端和第三方应用服务器接收智能硬件透传的待验证信息。
步骤716,认证服务器在采用根证书公钥验证智能硬件的硬件证书合法的情况下,从智能硬件的硬件证书中提取智能硬件对应的硬件公钥。
步骤717,认证服务器采用智能硬件对应的硬件公钥对第二签名结果验签。
步骤718,若验签成功,则认证服务器存储第一绑定关系。
第一绑定关系包括智能硬件的标识、第三方应用的标识、用户帐号、应用密钥索引和第三方应用对应的应用公钥之间的绑定关系。
步骤719,认证服务器向第三方应用服务器发送智能硬件的标识和应用密钥索引。
相应地,第三方应用服务器接收认证服务器发送的智能硬件的标识和应用密钥索引。
步骤720,第三方应用服务器存储第二绑定关系。
第二绑定关系包括智能硬件的标识、用户帐号和应用密钥索引之间的绑定关系。第三方应用服务器存储第二绑定关系,用于后续用户采用智能硬件进行登录和支付时,进行身份认证。
步骤721,第三方应用服务器向第三方应用客户端发送绑定成功信息。
相应地,第三方应用客户端接收第三方应用服务器发送的绑定成功信息。
步骤722,第三方应用客户端从未绑定状态变为已绑定状态。
步骤723,第三方应用客户端向用户显示绑定成功页面。
请参考图8,其示出了本发明一个实施例提供的注销方法的流程图,该方法可应用于图1所示的实施环境中。该方法可包括如下几个步骤。
步骤801,第三方应用客户端在获取到用于请求执行注销操作的操作指示之后,向第三方应用服务器发送注销请求。
注销请求中至少包括注销请求信息和智能硬件的标识。注销请求信息用于请求执行注销操作,注销操作为解绑操作或者挂失操作。解绑操作是指解除智能硬件与用户帐号之间的绑定关系。挂失操作是指挂失智能硬件。
相应地,第三方应用服务器接收第三方应用客户端发送的注销请求。
步骤802,第三方应用服务器向认证服务器透传注销请求。
相应地,认证服务器接收第三方应用服务器透传的注销请求。
步骤803,认证服务器在接收到注销请求之后,执行注销操作。
本实施例提供的方法,实现了智能硬件与用户帐号的解绑,以及智能硬件的挂失。
请参考图9,其示出了本发明一个实施例提供的解绑方法的流程图,该方法可以包括如下几个步骤。
步骤901,用户通过第三方应用客户端发起解绑请求。
通过至少2种认证方式确认该解绑请求由真实的用户发起(如邮箱、手机短信验证码等)。
步骤902,第三方应用客户端通过第三方应用服务器向认证服务器发送解绑请求。
解绑请求中至少包括解绑请求信息和智能硬件的标识。解绑请求信息用于 请求执行解绑操作。可选地,解绑请求中还包括用户帐号和第三方应用的标识。
相应地,认证服务器接收第三方应用客户端通过第三方应用服务器发送的解绑请求。
步骤903,认证服务器根据智能硬件的标识,将该智能硬件的可用状态标记为未绑定状态,并删除与智能硬件的标识和第三方应用的标识相对应的应用密钥索引和应用公钥。
步骤904,认证服务器将解绑请求的处理结果发送给第三方应用服务器。
相应地,第三方应用服务器接收认证服务器发送的处理结果。
步骤905,第三方应用服务器解除智能硬件的标识和应用密钥索引之间的绑定关系。
步骤906,第三方应用服务器将处理结果和应用密钥索引发送给第三方应用客户端。
相应地,第三方应用客户端接收第三方应用服务器发送的处理结果和应用密钥索引。
步骤907,第三方应用客户端将处理结果和应用密钥索引发送给智能硬件。
相应地,智能硬件接收第三方应用客户端发送的处理结果和应用密钥索引。
步骤908,智能硬件删除与应用密钥索引对应的应用私钥。
步骤909,智能硬件向第三方应用客户端发送注销成功信息。
相应地,第三方应用客户端接收智能硬件发送的注销成功信息。
步骤910,第三方应用客户端通知用户已解除绑定。
在上述图9所示实施例中,从第三方应用客户端发起解绑流程。在其它可能的实施例中,也可从管理客户端发起解绑流程。如图10所示,其示出了本发明另一实施例提供的解绑方法的流程图,该方法可以包括如下几个步骤。
步骤1001,用户通过管理客户端查询与智能硬件绑定的应用列表,对目标应用发起解绑请求。
步骤1002,管理客户端向智能硬件发送标识获取请求。
相应地,智能硬件接收管理客户端发送的标识获取请求。
步骤1003,智能硬件向管理客户端发送智能硬件的标识。
相应地,管理客户端接收智能硬件发送的智能硬件的标识。
步骤1004,管理客户端向认证服务器发送解绑请求,解绑请求中包括解绑请求信息、第三方应用的标识和智能硬件的标识。
相应地,认证服务器接收管理客户端发送的解绑请求。
步骤1005,认证服务器根据智能硬件的标识和第三方应用的标识,标记智能硬件相应的状态为未绑定状态。
步骤1006,认证服务器将解绑请求的处理结果发送给第三方应用服务器,该处理结果中包括智能硬件的标识。
相应地,第三方应用服务器接收认证服务器发送的处理结果。
步骤1007,认证服务器通知管理客户端处理结果。
相应地,管理客户端接收认证服务器发送的处理结果。
步骤1008,管理客户端对用户显示解除绑定成功。
请参考图11,其示出了本发明一个实施例提供的挂失方法的流程图,该方法可以包括如下几个步骤。
步骤1101,用户通过第三方应用客户端发起挂失请求。
通过至少2种认证方式确认该挂失请求由真实的用户发起(如邮箱、手机短信验证码等)。
步骤1102,第三方应用客户端通过第三方应用服务器向认证服务器发送挂失请求。
挂失请求中至少包括挂失请求信息和智能硬件的标识。挂失请求信息用于请求执行挂失操作。可选地,挂失请求中还包括用户帐号和第三方应用的标识。
相应地,认证服务器接收第三方应用客户端通过第三方应用服务器发送的挂失请求。
步骤1103,认证服务器根据智能硬件的标识,将该智能硬件的可用状态标记为挂失状态,并删除与智能硬件的标识相对应的所有应用密钥索引和应用公钥。
步骤1104,认证服务器将挂失请求的处理结果发送给第三方应用服务器。
相应地,第三方应用服务器接收认证服务器发送的处理结果。
步骤1105,第三方应用服务器解除智能硬件的标识和应用密钥索引之间的绑定关系。
步骤1106,第三方应用服务器将处理结果发送给第三方应用客户端。
相应地,第三方应用客户端接收第三方应用服务器发送的处理结果。
步骤1107,第三方应用客户端通知用户已挂失智能硬件。
在上述图11所示实施例中,从第三方应用客户端发起挂失流程。在其它可能的实施例中,也可从管理客户端发起挂失流程。如图12所示,其示出了本发明另一实施例提供的挂失方法的流程图,该方法可以包括如下几个步骤。
步骤1201,用户通过管理客户端发起挂失请求。
步骤1202,管理客户端向认证服务器转发挂失请求,请求中携带用户帐号信息。
相应地,认证服务器接收管理客户端发送的挂失请求。
步骤1203,认证服务器参照用户帐号,将与用户帐号对应的智能硬件的可用状态标记为挂失状态。
步骤1204,认证服务器通知管理客户端处理结果。
相应地,管理客户端接收认证服务器发送的处理结果。
步骤1205,管理客户端对用户显示挂失成功。
上述实施例提供的技术方案,为用户访问第三方应用提供一种安全的、便捷的、无需密码的登录或支付方式,即使用智能硬件。用户首先使用传统的账户密码方式登录支持使用智能硬件的第三方应用客户端,在第三方应用客户端上按照提示的步骤绑定智能硬件,绑定完成后用户即可使用智能硬件登录该第三方应用或在第三方应用上支付。智能硬件可在多个第三方应用上使用,不需要输入密码,只需用户做相应的交互动作(如:按确认键、刷指纹、刷虹膜等等)确认是用户本人在操作就可完成操作,既简化了操作提升了用户体验,又保证了登录或支付的安全性。若用户不想在某应用上使用智能硬件,只需在特定应用上验证身份即可快速解绑智能应用和该应用,并注销该智能硬件关于该应用的信息。若用户遗失智能硬件,只需在特定应用上验证身份即可快速挂失该智能硬件,并注销该智能硬件绑定的所有信息。
需要说明的是,在上述各个方法实施例中,上述有关第三方应用客户端的步骤可单独实现成为第三方应用客户端侧的身份认证方法,上述有关第三方应用服务器的步骤可单独实现成为第三方应用服务器侧的身份认证方法,上述有关智能硬件的步骤可单独实现成为智能硬件侧的身份认证方法,上述有关认证 服务器的步骤可单独实现成为认证服务器侧的身份认证方法。
下述为本发明系统实施例,对于本发明系统实施例中未披露的细节,请参照本发明方法实施例。
请参考图13,其示出了本发明一个实施例提供的身份认证系统的框图。该系统包括:第三方应用客户端1320、第三方应用服务器1340、智能硬件1360和认证服务器1380。
所述第三方应用客户端1320,用于在获取到用于请求执行目标操作的操作指示之后,向所述第三方应用服务器1340发送操作请求,所述操作请求用于请求所述第三方应用服务器1340执行所述目标操作。
所述第三方应用服务器1340,用于从所述认证服务器1380请求获取待签名信息,通过所述第三方应用客户端1320向所述智能硬件1360转发所述待签名信息。
所述智能硬件1360,用于采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,依次通过所述第三方应用客户端1320和所述第三方应用服务器1340将所述第一签名结果透传给所述认证服务器1380。
所述认证服务器1380,用于采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,若所述第一签名结果正确,则向所述第三方应用服务器1340发送验证成功指示。
所述第三方应用服务器1340,还用于在接收到所述验证成功指示之后,执行所述目标操作。
综上所述,本实施例提供的系统,通过智能硬件对待签名信息作签名得到第一签名结果,认证服务器在验证第一签名结果正确的情况下指示第三方应用服务器执行目标操作;解决了现有的身份认证方式需要用户手动输入供身份认证的相关信息,因此导致用户在进行需要身份认证的网络操作时,操作较为复杂低效的问题;由于通过智能硬件实现身份认证,无需用户手动输入供身份认证的相关信息,使得用户在进行需要身份认证的网络操作时,更加便捷高效。
在基于图13所示实施例提供的一个可选实施例中,所述智能硬件1360,具体用于:
获取计数器的数值,所述计数器用于统计所述第三方应用对应的应用私钥 的引用次数;
采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
依次通过所述第三方应用客户端1320和所述第三方应用服务器1340,将所述第一签名结果和所述计数器的数值透传给所述认证服务器1380。
在基于图13所示实施例提供的另一可选实施例中,
所述第三方应用服务器1340,具体用于获取所述智能硬件1360的标识,向所述认证服务器1380发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器1380生成所述待签名信息;
所述认证服务器1380,具体用于根据所述智能硬件1360的标识,获取所述智能硬件1360的可用状态,若所述智能硬件1360的可用状态指示所述智能硬件1360可用,则生成所述待签名信息,向所述第三方应用服务器1340发送所述待签名信息。
在基于图13所示实施例提供的另一可选实施例中,
所述智能硬件1360,还用于生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
所述智能硬件1360,还用于在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
在基于图13所示实施例提供的另一可选实施例中,所述目标操作为登录操作或者支付操作。
在基于图13所示实施例提供的另一可选实施例中,
所述第三方应用客户端1320,还用于在获取到用于请求绑定所述智能硬件1360的操作指示之后,获取所述智能硬件1360的标识,向所述第三方应用服务器1340发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件1360的标识,所述绑定请求信息用于请求建立所述智能硬件1360与登录所述第三方应用客户端1320的用户帐号之间的绑定关系;
所述第三方应用服务器1340,还用于向所述认证服务器1380转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件1360的标识;
所述认证服务器1380,还用于在接收到所述绑定请求之后,依次通过所述第三方应用服务器1340和所述第三方应用客户端1320向所述智能硬件1360透传注册请求;
所述智能硬件1360,还用于在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件1360对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果,依次通过所述第三方应用客户端1320和所述第三方应用服务器1340向所述认证服务器1380透传待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件1360的硬件证书,所述智能硬件1360的硬件证书包括所述智能硬件1360对应的硬件公钥和所述智能硬件1360的标识;
所述认证服务器1380,还用于在采用根证书公钥验证所述智能硬件1360的硬件证书合法的情况下,从所述智能硬件1360的硬件证书中提取所述智能硬件1360对应的硬件公钥,采用所述智能硬件1360对应的硬件公钥验证所述第二签名结果是否正确,若所述第二签名结果正确,则存储第一绑定关系,所述第一绑定关系包括所述智能硬件1360的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,向所述第三方应用服务器1340发送所述智能硬件1360的标识;
所述第三方应用服务器1340,还用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件1360的标识和所述用户帐号之间的绑定关系。
在基于图13所示实施例提供的另一可选实施例中,
所述智能硬件1360,还用于生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
所述智能硬件1360,还用于依次通过所述第三方应用客户端1320和所述第三方应用服务器1340将所述应用密钥索引发送给所述认证服务器1380;
其中,所述第一绑定关系包括所述智能硬件1360的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件1360的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
在基于图13所示实施例提供的另一可选实施例中,所述智能硬件1360,具体用于:
生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
生成随机数;
根据所述摘要值和所述随机数生成所述应用密钥索引。
在基于图13所示实施例提供的另一可选实施例中,
所述第三方应用服务器1340,还用于根据所述智能硬件1360的标识或者所述用户帐号,查询所述第二绑定关系获取对应的所述应用密钥索引,通过所述第三方应用客户端1320向所述智能硬件1360转发所述应用密钥索引;
所述智能硬件1360,还用于根据所述应用密钥索引,获取所述第三方应用对应的应用私钥。
在基于图13所示实施例提供的另一可选实施例中,
所述第三方应用客户端1320,还用于在获取到用于请求执行注销操作的操作指示之后,向所述第三方应用服务器1340发送注销操作请求,所述注销操作请求中至少包括注销请求信息和所述智能硬件1360的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件1360与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件1360;
所述第三方应用服务器1340,还用于向所述认证服务器1380透传所述注销操作请求;
所述认证服务器1380,还用于在接收到所述注销操作请求之后,执行所述注销操作。
请参考图14,其示出了本发明一个实施例提供的第三方应用客户端的框图。该第三方应用客户端包括:第一请求发送模块1410、第一信息接收模块1420、第一信息发送模块1430、第一结果接收模块1440和第一透传模块1450。
第一请求发送模块1410,用于在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作。
第一信息接收模块1420,用于接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取。
第一信息发送模块1430,用于向智能硬件转发所述待签名信息。
第一结果接收模块1440,用于接收所述智能硬件发送的第一签名结果,所 述第一签名结果由所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名后得到。
第一透传模块1450,用于通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
在基于图14所示实施例提供的一个可选实施例中,所述目标操作为登录操作或者支付操作。
在基于图14所示实施例提供的另一可选实施例中,所述第三方应用客户端,还包括:
标识获取模块,用于在获取到用于请求绑定所述智能硬件的操作指示之后,获取所述智能硬件的标识;
第二请求发送模块,用于向所述第三方应用服务器发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
第一请求接收模块,用于接收所述第三方应用服务器发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的所述绑定请求之后生成并发送给所述第三方应用服务器;
第三请求发送模块,用于向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
第二信息接收模块,用于接收所述智能硬件发送的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
第二透传模块,用于通过所述第三方应用服务器向所述认证服务器透传所述待验证信息,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应 的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
在基于图14所示实施例提供的另一可选实施例中,所述第三方应用客户端,还包括:
第四请求发送模块,用于在获取到用于请求执行指定操作的操作指示之后,通过所述第三方应用服务器向所述认证服务器透传指定操作请求,所述指定操作请求中至少包括操作请求信息和所述智能硬件的标识,所述操作请求信息用于请求执行所述指定操作,所述指定操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件,所述认证服务器用于在接收到所述指定操作请求之后,执行所述指定操作。
请参考图15,其示出了本发明一个实施例提供的第三方应用服务器的框图。该第三方应用服务器包括:第二请求接收模块1510、信息获取模块1520、信息转发模块1530、第二结果接收模块1540、第三透传模块1550、指示接收模块1560和第一操作执行模块1570。
第二请求接收模块1510,用于接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作。
信息获取模块1520,用于从认证服务器请求获取待签名信息。
信息转发模块1530,用于通过所述第三方应用客户端向智能硬件转发所述待签名信息。
第二结果接收模块1540,用于接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端。
第三透传模块1550,用于将所述第一签名结果透传给所述认证服务器。
指示接收模块1560,用于接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送。
第一操作执行模块1570,用于在接收到所述验证成功指示之后,执行所述目标操作。
在基于图15所示实施例提供的一个可选实施例中,所述信息获取模块,包括:
标识获取子模块,用于获取所述智能硬件的标识;
请求发送子模块,用于向所述认证服务器发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成所述待签名信息;
信息接收子模块,用于接收所述认证服务器发送的所述待签名信息,所述待签名信息由所述认证服务器在根据所述智能硬件的标识,获取所述智能硬件的可用状态,且所述智能硬件的可用状态指示所述智能硬件可用的情况下生成。
在基于图15所示实施例提供的另一可选实施例中,所述目标操作为登录操作或者支付操作。
在基于图15所示实施例提供的另一可选实施例中,所述第三方应用服务器,还包括:
第三请求接收模块,用于接收所述第三方应用客户端发送的绑定请求,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
第五请求发送模块,用于向所述认证服务器转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件的标识;
第四请求接收模块,用于接收所述认证服务器发送的注册请求,所述注册请求由所述认证服务器接收到所述绑定请求之后生成并发送;
第三透传模块,用于通过所述第三方应用客户端向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方 应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
第三信息接收模块,用于接收所述第三方应用客户端发送的待验证信息,所述待验证信息由所述智能硬件发送给所述第三方应用客户端,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
第二信息发送模块,用于将所述待验证信息透传给所述认证服务器,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识;
标识接收模块,用于接收所述认证服务器发送的所述智能硬件的标识;
关系储存模块,用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
在基于图15所示实施例提供的另一可选实施例中,所述第三方应用服务器还包括:
第五请求接收模块,用于接收所述第三方应用客户端发送的指定操作请求,所述指定操作请求由所述第三方应用客户端在获取到用于请求执行指定操作的操作指示之后发送,所述指定操作请求中至少包括操作请求信息和所述智能硬件的标识,所述操作请求信息用于请求执行所述指定操作,所述指定操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
第四透传模块,用于向所述认证服务器透传所述指定操作请求,以使得所述认证服务器在接收到所述指定操作请求之后,执行所述指定操作。
请参考图16,其示出了本发明一个实施例提供的智能硬件的框图。该智能硬件包括:第四信息接收模块1610、第一信息签名模块1620和第五透传模块1630。
第四信息接收模块1610,用于接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作。
第一信息签名模块1620,用于采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果。
第五透传模块1630,用于依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
在基于图16所示实施例提供的一个可选实施例中,所述第一信息签名模块,包括:
数值获取子模块,用于获取计数器的数值,所述计数器用于统计签名操作的次数,即计数器用于统计第三方应用对应的应用私钥的引用次数;
数值签名子模块,用于采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
所述第五透传模块,还用于依次通过所述第三方应用客户端和所述第三方应用服务器,将所述第一签名结果和所述计数器的数值透传给所述认证服务器。
在基于图16所示实施例提供的另一可选实施例中,所述智能硬件,还包括:
提示生成模块,用于生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
所述第一信息签名模块,还用于在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
在基于图16所示实施例提供的另一可选实施例中,所述目标操作为登录操作或者支付操作。
在基于图16所示实施例提供的另一可选实施例中,所述智能硬件,还包 括:
第六请求接收模块,用于接收所述第三方应用客户端发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的绑定请求之后生成并通过所述第三方应用服务器透传给所述第三方应用客户端,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送给所述第三方应用服务器,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
密钥生成模块,用于在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥;
第二信息签名模块,用于采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
第六透传模块,用于依次通过所述第三方应用客户端和所述第三方应用服务器向所述认证服务器透传待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
在基于图16所示实施例提供的另一可选实施例中,所述智能硬件,还包括:
索引生成模块,用于生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
索引发送模块,用于依次通过所述第三方应用客户端和所述第三方应用服务器将所述应用密钥索引发送给所述认证服务器;
其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑 定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
在基于图16所示实施例提供的另一可选实施例中,所述索引生成模块,包括:
摘要生成子模块,用于生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
随机数生成子模块,用于生成随机数;
索引生成子模块,用于根据所述摘要值和所述随机数生成所述应用密钥索引。
请参考图17,其示出了本发明一个实施例提供的认证服务器的框图。该认证服务器包括:第三信息发送模块1710、第三结果接收模块1720、第一结果验证模块1730和指示发送模块1740。
第三信息发送模块1710,用于在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作。
第三结果接收模块1720,用于接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用所述第三方应用对应的应用私钥对所述待签名信息作签名得到。
第一结果验证模块1730,用于采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确。
指示发送模块1740,用于在所述第一签名结果正确的情况下向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
在基于图17所示实施例提供的一个可选实施例中,所述第三信息发送模块,包括:
标识读取子模块,用于在接收到所述第三方应用服务器发送的所述鉴权请 求之后,读取所述鉴权请求中包括的鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成所述待签名信息;
状态获取子模块,用于根据所述智能硬件的标识,获取所述智能硬件的可用状态;
信息生成子模块,用于在所述智能硬件的可用状态指示所述智能硬件可用的情况下,则生成所述待签名信息;
信息发送子模块,用于向所述第三方应用服务器发送所述待签名信息。
在基于图17所示实施例提供的另一可选实施例中,所述目标操作为登录操作或者支付操作。
在基于图17所示实施例提供的另一可选实施例中,所述认证服务器,还包括:
第七请求接收模块,用于接收所述第三方应用服务器转发的绑定请求,所述绑定请求中至少包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后生成并发送给所述第三方应用服务器;
第七透传模块,用于在接收到所述绑定请求之后,依次通过所述第三方应用服务器和所述第三方应用客户端向所述智能硬件透传注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
第四信息接收模块,用于接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
公钥提取模块,用于在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥;
第二结果验证模块,用于采用所述智能硬件对应的硬件公钥验证所述第二签名结果是否正确;
关系存储模块,用于在所述第二签名结果正确的情况下,存储第一绑定关 系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系;
标识发送模块,用于向所述第三方应用服务器发送所述智能硬件的标识,以使得所述第三方应用服务器存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
在基于图17所示实施例提供的另一可选实施例中,所述认证服务器,还包括:
索引接收模块,用于接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器发送的应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
在基于图17所示实施例提供的另一可选实施例中,所述认证服务器,还包括:
第八请求接收模块,用于接收所述第三方应用服务器透传的指定操作请求,所述指定操作请求由所述第三方应用客户端在获取到用于请求执行指定操作的操作指示之后发送给所述第三方应用服务器,所述指定操作请求中至少包括操作请求信息和所述智能硬件的标识,所述操作请求信息用于请求执行所述指定操作,所述指定操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
第二操作执行模块,用于在接收到所述指定操作请求之后,执行所述指定操作。
需要说明的是:上述实施例提供的设备在实现其功能时,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将设备的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。另外,上述实施例提供的系统与方法实施例属于同一构思,其具体实现过程详见方法实施例,这里不再赘述。
请参考图18,其示出了本发明一个实施例提供的电子设备的结构示意图。该电子设备可以是上述实施例中的智能硬件或者安装运行有第三方应用客户端的终端。具体来讲:
电子设备1800可以包括RF(Radio Frequency,射频)电路1810、包括有一个或一个以上计算机可读存储介质的存储器1820、输入单元1830、显示单元1840、传感器1850、音频电路1860、WiFi(wireless fidelity,无线保真)模块1870、包括有一个或者一个以上处理核心的处理器1880、以及电源1890等部件。本领域技术人员可以理解,图18中示出的电子设备结构并不构成对电子设备的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。其中:
RF电路1810可用于收发信息或通话过程中,信号的接收和发送,特别地,将基站的下行信息接收后,交由一个或者一个以上处理器1880处理;另外,将涉及上行的数据发送给基站。通常,RF电路1810包括但不限于天线、至少一个放大器、调谐器、一个或多个振荡器、用户身份模块(SIM)卡、收发信机、耦合器、LNA(Low Noise Amplifier,低噪声放大器)、双工器等。此外,RF电路1810还可以通过无线通信与网络和其他设备通信。所述无线通信可以使用任一通信标准或协议,包括但不限于GSM(Global System of Mobile communication,全球移动通讯系统)、GPRS(General Packet Radio Service,通用分组无线服务)、CDMA(Code Division Multiple Access,码分多址)、WCDMA(Wideband Code Division Multiple Access,宽带码分多址)、LTE(Long Term Evolution,长期演进)、电子邮件、SMS(Short Messaging Service,短消息服务)等。
存储器1820可用于存储软件程序以及模块,处理器1880通过运行存储在存储器1820的软件程序以及模块,从而执行各种功能应用以及数据处理。存储器1820可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等;存储数据区可存储根据电子设备1800的使用所创建的数据(比如音频数据、电话本等)等。此外,存储器1820可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他易失性固态存储器件。相应地,存储器1820还可以包括存储器控制器,以提供处 理器1880和输入单元1830对存储器1820的访问。
输入单元1830可用于接收输入的数字或字符信息,以及产生与用户设置以及功能控制有关的键盘、鼠标、操作杆、光学或者轨迹球信号输入。具体地,输入单元1830可包括图像输入设备1831以及其他输入设备1832。图像输入设备1831可以是摄像头,也可以是光电扫描设备。除了图像输入设备1831,输入单元1830还可以包括其他输入设备1832。具体地,其他输入设备1832可以包括但不限于物理键盘、功能键(比如音量控制按键、开关按键等)、轨迹球、鼠标、操作杆等中的一种或多种。
显示单元1840可用于显示由用户输入的信息或提供给用户的信息以及电子设备1800的各种图形用户接口,这些图形用户接口可以由图形、文本、图标、视频和其任意组合来构成。显示单元1840可包括显示面板1841,可选的,可以采用LCD(Liquid Crystal Display,液晶显示器)、OLED(Organic Light-Emitting Diode,有机发光二极管)等形式来配置显示面板1841。
电子设备1800还可包括至少一种传感器1850,比如光传感器、运动传感器以及其他传感器。具体地,光传感器可包括环境光传感器及接近传感器,其中,环境光传感器可根据环境光线的明暗来调节显示面板1841的亮度,接近传感器可在电子设备1800移动到耳边时,关闭显示面板1841和/或背光。作为运动传感器的一种,重力加速度传感器可检测各个方向上(一般为三轴)加速度的大小,静止时可检测出重力的大小及方向,可用于识别手机姿态的应用(比如横竖屏切换、相关游戏、磁力计姿态校准)、振动识别相关功能(比如计步器、敲击)等;至于电子设备1800还可配置的陀螺仪、气压计、湿度计、温度计、红外线传感器等其他传感器,在此不再赘述。
音频电路1860、扬声器1861,传声器1862可提供用户与电子设备1800之间的音频接口。音频电路1860可将接收到的音频数据转换后的电信号,传输到扬声器1861,由扬声器1861转换为声音信号输出;另一方面,传声器1862将收集的声音信号转换为电信号,由音频电路1860接收后转换为音频数据,再将音频数据输出处理器1880处理后,经RF电路1810以发送给比如另一电子设备,或者将音频数据输出至存储器1820以便进一步处理。音频电路1860还可能包括耳塞插孔,以提供外设耳机与电子设备1800的通信。
WiFi属于短距离无线传输技术,电子设备1800通过WiFi模块1870可以帮助用户收发电子邮件、浏览网页和访问流式媒体等,它为用户提供了无线的 宽带互联网访问。虽然图18示出了WiFi模块1870,但是可以理解的是,其并不属于电子设备1800的必须构成,完全可以根据需要在不改变发明的本质的范围内而省略。
处理器1880是电子设备1800的控制中心,利用各种接口和线路连接整个手机的各个部分,通过运行或执行存储在存储器1820内的软件程序和/或模块,以及调用存储在存储器1820内的数据,执行电子设备1800的各种功能和处理数据,从而对手机进行整体监控。可选的,处理器1880可包括一个或多个处理核心;优选的,处理器1880可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器1880中。
电子设备1800还包括给各个部件供电的电源1890(比如电池),优选的,电源可以通过电源管理系统与处理器1880逻辑相连,从而通过电源管理系统实现管理充电、放电、以及功耗管理等功能。电源1890还可以包括一个或一个以上的直流或交流电源、再充电系统、电源故障检测电路、电源转换器或者逆变器、电源状态指示器等任意组件。
尽管未示出,电子设备1800还可以包括蓝牙模块等,在此不再赘述。
具体在本实施例中,电子设备1800还包括有存储器,以及一个或者一个以上的程序,其中一个或者一个以上程序存储于存储器中,且经配置以由一个或者一个以上处理器执行。上述一个或者一个以上程序包含用于实现上述智能硬件侧或者第三方应用客户端侧的方法的指令。
在示例性实施例中,还提供了一种包括指令的非临时性计算机可读存储介质,例如包括指令的存储器,上述指令可由电子设备的处理器执行以完成上述身份认证方法。例如,所述非临时性计算机可读存储介质可以是ROM(Read-Only Memory,只读存储器)、RAM(Random-Access Memory,随机存取存储器)、CD-ROM(Compact Disc Read-Only Memory,光盘只读存储器)、磁带、软盘和光数据存储设备等。
图19示出了本发明一个实施例提供的服务器的结构示意图。该服务器可以是上述实施例中的第三方应用服务器或者认证服务器。具体来讲:
所述服务器1900包括中央处理单元(CPU)1901、包括随机存取存储器 (RAM)1902和只读存储器(ROM)1903的系统存储器1904,以及连接系统存储器1904和中央处理单元1901的系统总线1905。所述服务器1900还包括帮助计算机内的各个器件之间传输信息的基本输入/输出系统(I/O系统)1906,和用于存储操作系统1913、应用程序1914和其他程序模块1915的大容量存储设备1907。
所述基本输入/输出系统1906包括有用于显示信息的显示器1908和用于用户输入信息的诸如鼠标、键盘之类的输入设备1909。其中所述显示器1908和输入设备1909都通过连接到系统总线1905的输入输出控制器1910连接到中央处理单元1901。所述基本输入/输出系统1906还可以包括输入输出控制器1910以用于接收和处理来自键盘、鼠标、或电子触控笔等多个其他设备的输入。类似地,输入输出控制器1910还提供输出到显示屏、打印机或其他类型的输出设备。
所述大容量存储设备1907通过连接到系统总线1905的大容量存储控制器(未示出)连接到中央处理单元1901。所述大容量存储设备1907及其相关联的计算机可读介质为服务器1900提供非易失性存储。也就是说,所述大容量存储设备1907可以包括诸如硬盘或者CD-ROM驱动器之类的计算机可读介质(未示出)。
不失一般性,所述计算机可读介质可以包括计算机存储介质和通信介质。计算机存储介质包括以用于存储诸如计算机可读指令、数据结构、程序模块或其他数据等信息的任何方法或技术实现的易失性和非易失性、可移动和不可移动介质。计算机存储介质包括RAM、ROM、EPROM、EEPROM、闪存或其他固态存储其技术,CD-ROM、DVD或其他光学存储、磁带盒、磁带、磁盘存储或其他磁性存储设备。当然,本领域技术人员可知所述计算机存储介质不局限于上述几种。上述的系统存储器1904和大容量存储设备1907可以统称为存储器。
根据本发明的各种实施例,所述服务器1900还可以通过诸如因特网等网络连接到网络上的远程计算机运行。也即服务器1900可以通过连接在所述系统总线1905上的网络接口单元1911连接到网络1912,或者说,也可以使用网络接口单元1911来连接到其他类型的网络或远程计算机系统(未示出)。
所述存储器还包括一个或者一个以上的程序,所述一个或者一个以上程序存储于存储器中,且经配置以由一个或者一个以上处理器执行。上述一个或者 一个以上程序包含用于实现上述第三方应用服务器侧或者认证服务器侧的方法的指令。
在示例性实施例中,还提供了一种包括指令的非临时性计算机可读存储介质,例如包括指令的存储器,上述指令可由服务器的处理器执行以完成上述身份认证方法。例如,所述非临时性计算机可读存储介质可以是ROM、RAM、CD-ROM、磁带、软盘和光数据存储设备等。
应当理解的是,在本文中提及的“多个”是指两个或两个以上。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。
上述本发明实施例序号仅仅为了描述,不代表实施例的优劣。
本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。
以上所述仅为本发明的较佳实施例,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。

Claims (74)

  1. 一种身份认证方法,其特征在于,所述方法包括:
    第三方应用客户端在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    所述第三方应用服务器从认证服务器请求获取待签名信息,通过所述第三方应用客户端向智能硬件转发所述待签名信息,其中,所述待签名信息包括挑战随机数;
    所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器;
    所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示;
    所述第三方应用服务器在接收到所述验证成功指示之后,执行所述目标操作。
  2. 根据权利要求1所述的方法,其特征在于,所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,包括:
    所述智能硬件获取计数器的数值,所述计数器用于统计第三方应用对应的应用私钥的引用次数;
    所述智能硬件采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
    所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器,将所述第一签名结果和所述计数器的数值透传给所述认证服务器。
  3. 根据权利要求1所述的方法,其特征在于,所述第三方应用服务器从认证服务器请求获取待签名信息,包括:
    所述第三方应用服务器获取所述智能硬件的标识,向所述认证服务器发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    所述认证服务器根据所述智能硬件的标识,获取所述智能硬件的可用状态,若所述智能硬件的可用状态指示所述智能硬件可用,则生成所述待签名信息,向所述第三方应用服务器发送所述待签名信息。
  4. 根据权利要求1所述的方法,其特征在于,所述智能硬件采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果之前,还包括:
    所述智能硬件生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
    所述智能硬件在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
  5. 根据权利要求1所述的方法,其特征在于,所述目标操作为登录操作或者支付操作。
  6. 根据权利要求1至5任一项所述的方法,其特征在于,所述第三方应用客户端向第三方应用服务器发送操作请求之前,还包括:
    所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后,获取所述智能硬件的标识,向所述第三方应用服务器发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    所述第三方应用服务器向所述认证服务器转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件的标识;
    所述认证服务器在接收到所述绑定请求之后,依次通过所述第三方应用服务器和所述第三方应用客户端向所述智能硬件透传注册请求;
    所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应 用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器向所述认证服务器透传待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,采用所述智能硬件对应的硬件公钥验证所述第二签名结果是否正确,若所述第二签名结果正确,则存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,向所述第三方应用服务器发送所述智能硬件的标识;
    所述第三方应用服务器存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  7. 根据权利要求6所述的方法,其特征在于,所述智能硬件在接收到所述注册请求之后,还包括:
    所述智能硬件生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器将所述应用密钥索引发送给所述认证服务器;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  8. 根据权利要求7所述的方法,其特征在于,所述注册请求中包括应用参数,所述智能硬件生成应用密钥索引,包括:
    所述智能硬件生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
    所述智能硬件生成随机数;
    所述智能硬件根据所述摘要值和所述随机数生成所述应用密钥索引。
  9. 根据权利要求7所述的方法,其特征在于,所述第三方应用服务器从认证服务器请求获取待签名信息之后,还包括:
    所述第三方应用服务器根据所述智能硬件的标识或者所述用户帐号,查询所述第二绑定关系获取对应的所述应用密钥索引,通过所述第三方应用客户端向所述智能硬件转发所述应用密钥索引;
    所述智能硬件根据所述应用密钥索引,获取所述第三方应用对应的应用私钥。
  10. 根据权利要求6所述的方法,其特征在于,所述认证服务器存储第一绑定关系之后,还包括:
    所述第三方应用客户端在获取到用于请求执行注销操作的操作指示之后,向所述第三方应用服务器发送注销请求,所述注销请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    所述第三方应用服务器向所述认证服务器透传所述注销请求;
    所述认证服务器在接收到所述注销请求之后,执行所述注销操作。
  11. 一种身份认证方法,其特征在于,应用于第三方应用客户端中,所述方法包括:
    在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取,其中,所述待签名信息包括挑战随机数;
    向智能硬件转发所述待签名信息;
    接收所述智能硬件发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到;
    通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以 使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
  12. 根据权利要求11所述的方法,其特征在于,所述向第三方应用服务器发送操作请求之前,还包括:
    在获取到用于请求绑定所述智能硬件的操作指示之后,获取所述智能硬件的标识;
    向所述第三方应用服务器发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    接收所述第三方应用服务器发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的所述绑定请求之后生成并发送给所述第三方应用服务器;
    向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    接收所述智能硬件发送的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    通过所述第三方应用服务器向所述认证服务器透传所述待验证信息,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  13. 根据权利要求12所述的方法,其特征在于,所述通过所述第三方应用 服务器向所述认证服务器透传所述待验证信息之后,还包括:
    在获取到用于请求执行注销操作的操作指示之后,通过所述第三方应用服务器向所述认证服务器透传注销操作请求,所述注销操作请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件,所述认证服务器用于在接收到所述注销操作请求之后,执行所述注销操作。
  14. 一种身份认证方法,其特征在于,应用于第三方应用服务器中,所述方法包括:
    接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    从认证服务器请求获取待签名信息,其中,所述待签名信息包括挑战随机数;
    通过所述第三方应用客户端向智能硬件转发所述待签名信息;
    接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端;
    将所述第一签名结果透传给所述认证服务器;
    接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送;
    在接收到所述验证成功指示之后,执行所述目标操作。
  15. 根据权利要求14所述的方法,其特征在于,所述从认证服务器请求获取待签名信息,包括:
    获取所述智能硬件的标识;
    向所述认证服务器发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    接收所述认证服务器发送的所述待签名信息,所述待签名信息由所述认证服务器在根据所述智能硬件的标识,获取所述智能硬件的可用状态,且所述智能硬件的可用状态指示所述智能硬件可用的情况下生成。
  16. 根据权利要求14或15所述的方法,其特征在于,所述接收第三方应用客户端发送的操作请求之前,还包括:
    接收所述第三方应用客户端发送的绑定请求,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    向所述认证服务器转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件的标识;
    接收所述认证服务器发送的注册请求,所述注册请求由所述认证服务器接收到所述绑定请求之后生成并发送;
    通过所述第三方应用客户端向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    接收所述第三方应用客户端发送的待验证信息,所述待验证信息由所述智能硬件发送给所述第三方应用客户端,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    将所述待验证信息透传给所述认证服务器,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识;
    接收所述认证服务器发送的所述智能硬件的标识;
    存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用 户帐号之间的绑定关系。
  17. 根据权利要求16所述的方法,其特征在于,所述存储第二绑定关系之后,还包括:
    接收所述第三方应用客户端发送的注销操作请求,所述注销操作请求由所述第三方应用客户端在获取到用于请求执行注销操作的操作指示之后发送,所述注销操作请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    向所述认证服务器透传所述注销操作请求,以使得所述认证服务器在接收到所述注销操作请求之后,执行所述注销操作。
  18. 一种身份认证方法,其特征在于,应用于智能硬件中,所述方法包括:
    接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作,其中,所述待签名信息包括挑战随机数;
    采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果;
    依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
  19. 根据权利要求18所述的方法,其特征在于,所述采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,包括:
    获取计数器的数值,所述计数器用于统计第三方应用对应的应用私钥的引用次数;
    采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
    所述依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,包括:
    依次通过所述第三方应用客户端和所述第三方应用服务器,将所述第一签名结果和所述计数器的数值透传给所述认证服务器。
  20. 根据权利要求19所述的方法,其特征在于,所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果之前,还包括:
    生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
    在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
  21. 根据权利要求18至20任一项所述的方法,其特征在于,所述接收第三方应用客户端发送的待签名信息之前,还包括:
    接收所述第三方应用客户端发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的绑定请求之后生成并通过所述第三方应用服务器透传给所述第三方应用客户端,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送给所述第三方应用服务器,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥;
    采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    依次通过所述第三方应用客户端和所述第三方应用服务器向所述认证服务器透传待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识,以使得所述认证服务器在 采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  22. 根据权利要求21所述的方法,其特征在于,所述接收所述第三方应用客户端发送的注册请求之后,还包括:
    生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    依次通过所述第三方应用客户端和所述第三方应用服务器将所述应用密钥索引发送给所述认证服务器;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  23. 根据权利要求22所述的方法,其特征在于,所述注册请求中包括应用参数,所述生成应用密钥索引,包括:
    生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
    生成随机数;
    根据所述摘要值和所述随机数生成所述应用密钥索引。
  24. 一种身份认证方法,其特征在于,应用于认证服务器中,所述方法包括:
    在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方 应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作,其中,所述待签名信息包括挑战随机数;
    接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用第三方应用对应的应用私钥对所述待签名信息作签名得到;
    采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确;
    若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
  25. 根据权利要求24所述的方法,其特征在于,所述在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务器发送待签名信息,包括:
    在接收到所述第三方应用服务器发送的所述鉴权请求之后,读取所述鉴权请求中包括的鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    根据所述智能硬件的标识,获取所述智能硬件的可用状态;
    若所述智能硬件的可用状态指示所述智能硬件可用,则生成所述待签名信息;
    向所述第三方应用服务器发送所述待签名信息。
  26. 根据权利要求24或25所述的方法,其特征在于,所述向所述第三方应用服务器发送待签名信息之前,还包括:
    接收所述第三方应用服务器转发的绑定请求,所述绑定请求中至少包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后生成并发送给所述第三方应用服务器;
    在接收到所述绑定请求之后,依次通过所述第三方应用服务器和所述第三方应用客户端向所述智能硬件透传注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二 签名结果;
    接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥;
    采用所述智能硬件对应的硬件公钥验证所述第二签名结果是否正确;
    若所述第二签名结果正确,则存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系;
    向所述第三方应用服务器发送所述智能硬件的标识,以使得所述第三方应用服务器存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  27. 根据权利要求26所述的方法,其特征在于,所述依次通过所述第三方应用服务器和所述第三方应用客户端向所述智能硬件透传注册请求之后,还包括:
    接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器发送的应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  28. 根据权利要求26所述的方法,其特征在于,所述存储第一绑定关系之后,还包括:
    接收所述第三方应用服务器透传的注销操作请求,所述注销操作请求由所述第三方应用客户端在获取到用于请求执行注销操作的操作指示之后发送给所述第三方应用服务器,所述注销操作请求中至少包括注销请求信息和所述智能 硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    在接收到所述注销操作请求之后,执行所述注销操作。
  29. 一种身份认证系统,其特征在于,所述系统包括:第三方应用客户端、第三方应用服务器、智能硬件和认证服务器;
    所述第三方应用客户端,用于在获取到用于请求执行目标操作的操作指示之后,向所述第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    所述第三方应用服务器,用于从所述认证服务器请求获取待签名信息,通过所述第三方应用客户端向所述智能硬件转发所述待签名信息,其中,所述待签名信息包括挑战随机数;
    所述智能硬件,用于采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器;
    所述认证服务器,用于采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示;
    所述第三方应用服务器,还用于在接收到所述验证成功指示之后,执行所述目标操作。
  30. 根据权利要求29所述的系统,其特征在于,所述智能硬件,具体用于:
    获取计数器的数值,所述计数器用于统计所述第三方应用对应的应用私钥的引用次数;
    采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
    依次通过所述第三方应用客户端和所述第三方应用服务器,将所述第一签名结果和所述计数器的数值透传给所述认证服务器。
  31. 根据权利要求29所述的系统,其特征在于,
    所述第三方应用服务器,具体用于获取所述智能硬件的标识,向所述认证服务器发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    所述认证服务器,具体用于根据所述智能硬件的标识,获取所述智能硬件的可用状态,若所述智能硬件的可用状态指示所述智能硬件可用,则生成所述待签名信息,向所述第三方应用服务器发送所述待签名信息。
  32. 根据权利要求29所述的系统,其特征在于,
    所述智能硬件,还用于生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
    所述智能硬件,还用于在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
  33. 根据权利要求29所述的系统,其特征在于,所述目标操作为登录操作或者支付操作。
  34. 根据权利要求29至33任一项所述的系统,其特征在于,
    所述第三方应用客户端,还用于在获取到用于请求绑定所述智能硬件的操作指示之后,获取所述智能硬件的标识,向所述第三方应用服务器发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    所述第三方应用服务器,还用于向所述认证服务器转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件的标识;
    所述认证服务器,还用于在接收到所述绑定请求之后,依次通过所述第三方应用服务器和所述第三方应用客户端向所述智能硬件透传注册请求;
    所述智能硬件,还用于在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果,依次通过所述第三方应用客户端和所述第三方应用服务器向所述认证服务器透传待验证信息,所述待验证 信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    所述认证服务器,还用于在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,采用所述智能硬件对应的硬件公钥验证所述第二签名结果是否正确,若所述第二签名结果正确,则存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,向所述第三方应用服务器发送所述智能硬件的标识;
    所述第三方应用服务器,还用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  35. 根据权利要求34所述的系统,其特征在于,
    所述智能硬件,还用于生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    所述智能硬件,还用于依次通过所述第三方应用客户端和所述第三方应用服务器将所述应用密钥索引发送给所述认证服务器;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  36. 根据权利要求35所述的系统,其特征在于,所述智能硬件,具体用于:
    生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
    生成随机数;
    根据所述摘要值和所述随机数生成所述应用密钥索引。
  37. 根据权利要求35所述的系统,其特征在于,
    所述第三方应用服务器,还用于根据所述智能硬件的标识或者所述用户帐号,查询所述第二绑定关系获取对应的所述应用密钥索引,通过所述第三方应用客户端向所述智能硬件转发所述应用密钥索引;
    所述智能硬件,还用于根据所述应用密钥索引,获取所述第三方应用对应的应用私钥。
  38. 根据权利要求34所述的系统,其特征在于,
    所述第三方应用客户端,还用于在获取到用于请求执行注销操作的操作指示之后,向所述第三方应用服务器发送注销请求,所述注销请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    所述第三方应用服务器,还用于向所述认证服务器透传所述注销请求;
    所述认证服务器,还用于在接收到所述注销请求之后,执行所述注销操作。
  39. 一种第三方应用客户端,其特征在于,所述第三方应用客户端包括:
    第一请求发送模块,用于在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    第一信息接收模块,用于接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取,其中,所述待签名信息包括挑战随机数;
    第一信息发送模块,用于向智能硬件转发所述待签名信息;
    第一结果接收模块,用于接收所述智能硬件发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到;
    第一透传模块,用于通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
  40. 根据权利要求39所述的第三方应用客户端,其特征在于,所述第三方应用客户端,还包括:
    标识获取模块,用于在获取到用于请求绑定所述智能硬件的操作指示之后,获取所述智能硬件的标识;
    第二请求发送模块,用于向所述第三方应用服务器发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    第一请求接收模块,用于接收所述第三方应用服务器发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的所述绑定请求之后生成并发送给所述第三方应用服务器;
    第三请求发送模块,用于向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    第二信息接收模块,用于接收所述智能硬件发送的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    第二透传模块,用于通过所述第三方应用服务器向所述认证服务器透传所述待验证信息,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  41. 根据权利要求40所述的第三方应用客户端,其特征在于,所述第三方应用客户端,还包括:
    第四请求发送模块,用于在获取到用于请求执行指定操作的操作指示之后,通过所述第三方应用服务器向所述认证服务器透传指定操作请求,所述指定操 作请求中至少包括操作请求信息和所述智能硬件的标识,所述操作请求信息用于请求执行所述指定操作,所述指定操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件,所述认证服务器用于在接收到所述指定操作请求之后,执行所述指定操作。
  42. 一种第三方应用服务器,其特征在于,所述第三方应用服务器包括:
    第二请求接收模块,用于接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    信息获取模块,用于从认证服务器请求获取待签名信息,其中,所述待签名信息包括挑战随机数;
    信息转发模块,用于通过所述第三方应用客户端向智能硬件转发所述待签名信息;
    第二结果接收模块,用于接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端;
    第三透传模块,用于将所述第一签名结果透传给所述认证服务器;
    指示接收模块,用于接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送;
    第一操作执行模块,用于在接收到所述验证成功指示之后,执行所述目标操作。
  43. 根据权利要求42所述的第三方应用服务器,其特征在于,所述信息获取模块,包括:
    标识获取子模块,用于获取所述智能硬件的标识;
    请求发送子模块,用于向所述认证服务器发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    信息接收子模块,用于接收所述认证服务器发送的所述待签名信息,所述待签名信息由所述认证服务器在根据所述智能硬件的标识,获取所述智能硬件的可用状态,且所述智能硬件的可用状态指示所述智能硬件可用的情况下生成。
  44. 根据权利要求42或43所述的第三方应用服务器,其特征在于,所述第三方应用服务器,还包括:
    第三请求接收模块,用于接收所述第三方应用客户端发送的绑定请求,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    第五请求发送模块,用于向所述认证服务器转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件的标识;
    第四请求接收模块,用于接收所述认证服务器发送的注册请求,所述注册请求由所述认证服务器接收到所述绑定请求之后生成并发送;
    第三透传模块,用于通过所述第三方应用客户端向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    第三信息接收模块,用于接收所述第三方应用客户端发送的待验证信息,所述待验证信息由所述智能硬件发送给所述第三方应用客户端,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    第二信息发送模块,用于将所述待验证信息透传给所述认证服务器,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识;
    标识接收模块,用于接收所述认证服务器发送的所述智能硬件的标识;
    关系储存模块,用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  45. 根据权利要求44所述的第三方应用服务器,其特征在于,所述第三方应用服务器还包括:
    第五请求接收模块,用于接收所述第三方应用客户端发送的指定操作请求,所述指定操作请求由所述第三方应用客户端在获取到用于请求执行指定操作的操作指示之后发送,所述指定操作请求中至少包括操作请求信息和所述智能硬件的标识,所述操作请求信息用于请求执行所述指定操作,所述指定操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    第四透传模块,用于向所述认证服务器透传所述指定操作请求,以使得所述认证服务器在接收到所述指定操作请求之后,执行所述指定操作。
  46. 一种智能硬件,其特征在于,所述智能硬件包括:
    第四信息接收模块,用于接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作,其中,所述待签名信息包括挑战随机数;
    第一信息签名模块,用于采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果;
    第五透传模块,用于依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
  47. 根据权利要求46所述的智能硬件,其特征在于,所述第一信息签名模 块,包括:
    数值获取子模块,用于获取计数器的数值,所述计数器用于统计签名操作的次数;
    数值签名子模块,用于采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
    所述第五透传模块,还用于依次通过所述第三方应用客户端和所述第三方应用服务器,将所述第一签名结果和所述计数器的数值透传给所述认证服务器。
  48. 根据权利要求47所述的智能硬件,其特征在于,所述智能硬件,还包括:
    提示生成模块,用于生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
    所述第一信息签名模块,还用于在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
  49. 根据权利要求46至48任一项所述的智能硬件,其特征在于,所述智能硬件,还包括:
    第六请求接收模块,用于接收所述第三方应用客户端发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的绑定请求之后生成并通过所述第三方应用服务器透传给所述第三方应用客户端,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送给所述第三方应用服务器,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    密钥生成模块,用于在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥;
    第二信息签名模块,用于采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    第六透传模块,用于依次通过所述第三方应用客户端和所述第三方应用服务器向所述认证服务器透传待验证信息,所述待验证信息包括所述第三方应用 对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  50. 根据权利要求49所述的智能硬件,其特征在于,所述智能硬件,还包括:
    索引生成模块,用于生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    索引发送模块,用于依次通过所述第三方应用客户端和所述第三方应用服务器将所述应用密钥索引发送给所述认证服务器;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  51. 根据权利要求50所述的智能硬件,其特征在于,所述索引生成模块,包括:
    摘要生成子模块,用于生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
    随机数生成子模块,用于生成随机数;
    索引生成子模块,用于根据所述摘要值和所述随机数生成所述应用密钥索引。
  52. 一种认证服务器,其特征在于,所述认证服务器包括:
    第三信息发送模块,用于在接收到第三方应用服务器发送的鉴权请求之后, 向所述第三方应用服务器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作,其中,所述待签名信息包括挑战随机数;
    第三结果接收模块,用于接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用第三方应用对应的应用私钥对所述待签名信息作签名得到;
    第一结果验证模块,用于采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确;
    指示发送模块,用于在所述第一签名结果正确的情况下向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
  53. 根据权利要求52所述的认证服务器,其特征在于,所述第三信息发送模块,包括:
    标识读取子模块,用于在接收到所述第三方应用服务器发送的所述鉴权请求之后,读取所述鉴权请求中包括的鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    状态获取子模块,用于根据所述智能硬件的标识,获取所述智能硬件的可用状态;
    信息生成子模块,用于在所述智能硬件的可用状态指示所述智能硬件可用的情况下,则生成所述待签名信息;
    信息发送子模块,用于向所述第三方应用服务器发送所述待签名信息。
  54. 根据权利要求52或53所述的认证服务器,其特征在于,所述认证服务器,还包括:
    第七请求接收模块,用于接收所述第三方应用服务器转发的绑定请求,所述绑定请求中至少包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述 智能硬件的操作指示之后生成并发送给所述第三方应用服务器;
    第七透传模块,用于在接收到所述绑定请求之后,依次通过所述第三方应用服务器和所述第三方应用客户端向所述智能硬件透传注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    第四信息接收模块,用于接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    公钥提取模块,用于在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥;
    第二结果验证模块,用于采用所述智能硬件对应的硬件公钥验证所述第二签名结果是否正确;
    关系存储模块,用于在所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系;
    标识发送模块,用于向所述第三方应用服务器发送所述智能硬件的标识,以使得所述第三方应用服务器存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  55. 根据权利要求54所述的认证服务器,其特征在于,所述认证服务器,还包括:
    索引接收模块,用于接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器发送的应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  56. 根据权利要求54所述的认证服务器,其特征在于,所述认证服务器,还包括:
    第八请求接收模块,用于接收所述第三方应用服务器透传的指定操作请求,所述指定操作请求由所述第三方应用客户端在获取到用于请求执行指定操作的操作指示之后发送给所述第三方应用服务器,所述指定操作请求中至少包括操作请求信息和所述智能硬件的标识,所述操作请求信息用于请求执行所述指定操作,所述指定操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    第二操作执行模块,用于在接收到所述指定操作请求之后,执行所述指定操作。
  57. 一种第三方应用客户端,其特征在于,所述第三方应用客户端包括:
    一个或多个处理器;和
    存储器;
    所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
    在获取到用于请求执行目标操作的操作指示之后,向第三方应用服务器发送操作请求,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    接收所述第三方应用服务器发送的待签名信息,所述待签名信息由所述第三方应用服务器在接收到所述操作请求之后从认证服务器请求获取;
    向智能硬件转发所述待签名信息;
    接收所述智能硬件发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到;
    通过所述第三方应用服务器向所述认证服务器透传所述第一签名结果,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
  58. 根据权利要求57所述的第三方应用客户端,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    在获取到用于请求绑定所述智能硬件的操作指示之后,获取所述智能硬件的标识;
    向所述第三方应用服务器发送绑定请求,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    接收所述第三方应用服务器发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的所述绑定请求之后生成并发送给所述第三方应用服务器;
    向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    接收所述智能硬件发送的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    通过所述第三方应用服务器向所述认证服务器透传所述待验证信息,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  59. 根据权利要求57所述的第三方应用客户端,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    在获取到用于请求执行注销操作的操作指示之后,通过所述第三方应用服务器向所述认证服务器透传注销操作请求,所述注销操作请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件, 所述认证服务器用于在接收到所述注销操作请求之后,执行所述注销操作。
  60. 一种第三方应用服务器,其特征在于,所述第三方应用服务器包括:
    一个或多个处理器;和
    存储器;
    所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
    接收第三方应用客户端发送的操作请求,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    从认证服务器请求获取待签名信息;
    通过所述第三方应用客户端向智能硬件转发所述待签名信息;
    接收所述第三方应用客户端发送的第一签名结果,所述第一签名结果由所述智能硬件采用第三方应用对应的应用私钥对所述待签名信息作签名后得到,并由所述智能硬件发送给所述第三方应用客户端;
    将所述第一签名结果透传给所述认证服务器;
    接收所述认证服务器发送的验证成功指示,所述验证成功指示由所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果正确的情况下发送;
    在接收到所述验证成功指示之后,执行所述目标操作。
  61. 根据权利要求60所述的第三方应用服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    获取所述智能硬件的标识;
    向所述认证服务器发送鉴权请求,所述鉴权请求中至少包括鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    接收所述认证服务器发送的所述待签名信息,所述待签名信息由所述认证服务器在根据所述智能硬件的标识,获取所述智能硬件的可用状态,且所述智能硬件的可用状态指示所述智能硬件可用的情况下生成。
  62. 根据权利要求60或61所述的第三方应用服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    接收所述第三方应用客户端发送的绑定请求,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    向所述认证服务器转发所述绑定请求,所述绑定请求中至少包括所述绑定请求信息和所述智能硬件的标识;
    接收所述认证服务器发送的注册请求,所述注册请求由所述认证服务器接收到所述绑定请求之后生成并发送;
    通过所述第三方应用客户端向所述智能硬件透传所述注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    接收所述第三方应用客户端发送的待验证信息,所述待验证信息由所述智能硬件发送给所述第三方应用客户端,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    将所述待验证信息透传给所述认证服务器,以使得所述认证服务器在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识;
    接收所述认证服务器发送的所述智能硬件的标识;
    存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  63. 根据权利要求62所述的第三方应用服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    接收所述第三方应用客户端发送的注销操作请求,所述注销操作请求由所述第三方应用客户端在获取到用于请求执行注销操作的操作指示之后发送,所述注销操作请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    向所述认证服务器透传所述注销操作请求,以使得所述认证服务器在接收到所述注销操作请求之后,执行所述注销操作。
  64. 一种智能硬件,其特征在于,所述智能硬件包括:
    一个或多个处理器;和
    存储器;
    所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
    接收第三方应用客户端发送的待签名信息,所述待签名信息由第三方应用服务器在接收到所述第三方应用客户端发送的操作请求之后从认证服务器获取,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    采用第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果;
    依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,以使得所述认证服务器采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确,并在所述第一签名结果正确的情况下,向所述第三方应用服务器发送验证成功指示以触发所述第三方应用服务器执行所述目标操作。
  65. 根据权利要求64所述的智能硬件,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    获取计数器的数值,所述计数器用于统计第三方应用对应的应用私钥的引用次数;
    采用所述第三方应用对应的应用私钥,对所述待签名信息和所述计数器的数值作签名,得到所述第一签名结果;
    所述依次通过所述第三方应用客户端和所述第三方应用服务器将所述第一签名结果透传给所述认证服务器,包括:
    依次通过所述第三方应用客户端和所述第三方应用服务器,将所述第一签名结果和所述计数器的数值透传给所述认证服务器。
  66. 根据权利要求65所述的智能硬件,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    生成确认提示信息,所述确认提示信息用于询问是否确认执行所述目标操作;
    在获取到对应于所述确认提示信息的确认指示之后,执行所述采用所述第三方应用对应的应用私钥对所述待签名信息作签名,得到第一签名结果的步骤。
  67. 根据权利要求64至66任一项所述的智能硬件,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    接收所述第三方应用客户端发送的注册请求,所述注册请求由所述认证服务器在接收到所述第三方应用服务器转发的绑定请求之后生成并通过所述第三方应用服务器透传给所述第三方应用客户端,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后发送给所述第三方应用服务器,所述绑定请求中包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系;
    在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥;
    采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    依次通过所述第三方应用客户端和所述第三方应用服务器向所述认证服务器透传待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识,以使得所述认证服务器在 采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥,并在采用所述智能硬件对应的硬件公钥验证所述第二签名结果正确的情况下,存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系,并向所述第三方应用服务器发送所述智能硬件的标识,所述第三方应用服务器用于存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  68. 根据权利要求67所述的智能硬件,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    生成应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    依次通过所述第三方应用客户端和所述第三方应用服务器将所述应用密钥索引发送给所述认证服务器;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  69. 根据权利要求68所述的智能硬件,其特征在于,所述注册请求中包括应用参数,所述一个或多个程序还包含用于进行以下操作的指令:
    生成所述应用参数和所述第三方应用对应的应用私钥的摘要值;
    生成随机数;
    根据所述摘要值和所述随机数生成所述应用密钥索引。
  70. 一种认证服务器,其特征在于,所述认证服务器包括:
    一个或多个处理器;和
    存储器;
    所述存储器存储有一个或多个程序,所述一个或多个程序被配置成由所述一个或多个处理器执行,所述一个或多个程序包含用于进行以下操作的指令:
    在接收到第三方应用服务器发送的鉴权请求之后,向所述第三方应用服务 器发送待签名信息,所述鉴权请求由所述第三方应用服务器在接收到第三方应用客户端发送的操作请求之后向所述认证服务器发送,所述操作请求由所述第三方应用客户端在获取到用于请求执行目标操作的操作指示之后向所述第三方应用服务器发送,所述操作请求用于请求所述第三方应用服务器执行所述目标操作;
    接收智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的第一签名结果,所述第一签名结果由所述智能硬件在接收到所述第三方应用服务器发送的所述待签名信息之后,采用第三方应用对应的应用私钥对所述待签名信息作签名得到;
    采用所述第三方应用对应的应用公钥验证所述第一签名结果是否正确;
    若所述第一签名结果正确,则向所述第三方应用服务器发送验证成功指示,以触发所述第三方应用服务器执行所述目标操作。
  71. 根据权利要求70所述的认证服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    在接收到所述第三方应用服务器发送的所述鉴权请求之后,读取所述鉴权请求中包括的鉴权请求信息和所述智能硬件的标识,所述鉴权请求信息用于请求所述认证服务器生成待签名信息;
    根据所述智能硬件的标识,获取所述智能硬件的可用状态;
    若所述智能硬件的可用状态指示所述智能硬件可用,则生成所述待签名信息;
    向所述第三方应用服务器发送所述待签名信息。
  72. 根据权利要求70或71所述的认证服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    接收所述第三方应用服务器转发的绑定请求,所述绑定请求中至少包括绑定请求信息和所述智能硬件的标识,所述绑定请求信息用于请求建立所述智能硬件与登录所述第三方应用客户端的用户帐号之间的绑定关系,所述绑定请求由所述第三方应用客户端在获取到用于请求绑定所述智能硬件的操作指示之后生成并发送给所述第三方应用服务器;
    在接收到所述绑定请求之后,依次通过所述第三方应用服务器和所述第三 方应用客户端向所述智能硬件透传注册请求,以使得所述智能硬件在接收到所述注册请求之后,生成所述第三方应用对应的应用公钥和应用私钥,采用所述智能硬件对应的硬件私钥对所述第三方应用对应的应用公钥作签名,得到第二签名结果;
    接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器透传的待验证信息,所述待验证信息包括所述第三方应用对应的应用公钥、所述第二签名结果和所述智能硬件的硬件证书,所述智能硬件的硬件证书包括所述智能硬件对应的硬件公钥和所述智能硬件的标识;
    在采用根证书公钥验证所述智能硬件的硬件证书合法的情况下,从所述智能硬件的硬件证书中提取所述智能硬件对应的硬件公钥;
    采用所述智能硬件对应的硬件公钥验证所述第二签名结果是否正确;
    若所述第二签名结果正确,则存储第一绑定关系,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号和所述第三方应用对应的应用公钥之间的绑定关系;
    向所述第三方应用服务器发送所述智能硬件的标识,以使得所述第三方应用服务器存储第二绑定关系,所述第二绑定关系包括所述智能硬件的标识和所述用户帐号之间的绑定关系。
  73. 根据权利要求72所述的认证服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    接收所述智能硬件依次通过所述第三方应用客户端和所述第三方应用服务器发送的应用密钥索引,所述应用密钥索引用于索引所述第三方应用对应的应用公钥和应用私钥;
    其中,所述第一绑定关系包括所述智能硬件的标识、所述用户帐号、所述应用密钥索引和所述第三方应用对应的应用公钥之间的绑定关系;所述第二绑定关系包括所述智能硬件的标识、所述用户帐号和所述应用密钥索引之间的绑定关系。
  74. 根据权利要求72所述的认证服务器,其特征在于,所述一个或多个程序还包含用于进行以下操作的指令:
    接收所述第三方应用服务器透传的注销操作请求,所述注销操作请求由所 述第三方应用客户端在获取到用于请求执行注销操作的操作指示之后发送给所述第三方应用服务器,所述注销操作请求中至少包括注销请求信息和所述智能硬件的标识,所述注销请求信息用于请求执行所述注销操作,所述注销操作为解绑操作或者挂失操作,所述解绑操作是指解除所述智能硬件与所述用户帐号之间的绑定关系,所述挂失操作是指挂失所述智能硬件;
    在接收到所述注销操作请求之后,执行所述注销操作。
PCT/CN2017/081894 2016-04-27 2017-04-25 身份认证方法、系统及设备 WO2017186100A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/771,511 US10637668B2 (en) 2016-04-27 2017-04-25 Authentication method, system and equipment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610272591.7 2016-04-27
CN201610272591.7A CN105871867B (zh) 2016-04-27 2016-04-27 身份认证方法、系统及设备

Publications (1)

Publication Number Publication Date
WO2017186100A1 true WO2017186100A1 (zh) 2017-11-02

Family

ID=56628487

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/081894 WO2017186100A1 (zh) 2016-04-27 2017-04-25 身份认证方法、系统及设备

Country Status (3)

Country Link
US (1) US10637668B2 (zh)
CN (1) CN105871867B (zh)
WO (1) WO2017186100A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110932858A (zh) * 2018-09-19 2020-03-27 阿里巴巴集团控股有限公司 认证方法和系统

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105450403B (zh) * 2014-07-02 2019-09-17 阿里巴巴集团控股有限公司 身份认证方法、装置及服务器
CN106533687B (zh) * 2015-09-14 2019-11-08 阿里巴巴集团控股有限公司 一种身份认证方法和设备
CN105871867B (zh) * 2016-04-27 2018-01-16 腾讯科技(深圳)有限公司 身份认证方法、系统及设备
WO2018000396A1 (zh) * 2016-06-30 2018-01-04 华为技术有限公司 一种身份认证方法及通信终端
CN106533678B (zh) * 2016-07-06 2019-09-13 天津米游科技有限公司 一种基于多重签名的登录方法及其系统
CN106529948A (zh) * 2016-11-07 2017-03-22 飞天诚信科技股份有限公司 一种支付认证方法及系统
CN106533696B (zh) * 2016-11-18 2019-10-01 江苏通付盾科技有限公司 基于区块链的身份认证方法、认证服务器及用户终端
CN106693366B (zh) * 2016-12-06 2020-04-21 北京奇虎科技有限公司 验证操作合法性的方法、装置和加固安装包的方法、装置
CN108337210B (zh) 2017-01-19 2021-05-18 钉钉控股(开曼)有限公司 设备配置方法及装置、系统
CN107277020A (zh) * 2017-06-23 2017-10-20 国民认证科技(北京)有限公司 基于公私钥体制的远程验证移动设备合法性的系统和方法
CN107155185B (zh) * 2017-06-30 2019-12-03 迈普通信技术股份有限公司 一种接入wlan的认证方法、装置及系统
CN107634941A (zh) * 2017-09-04 2018-01-26 西安电子科技大学 一种基于智能手环的多因子认证方法
US11075906B2 (en) * 2017-12-28 2021-07-27 Shoppertrak Rct Corporation Method and system for securing communications between a lead device and a secondary device
CN110278083B (zh) * 2018-03-16 2021-11-30 腾讯科技(深圳)有限公司 身份认证请求处理方法和装置、设备重置方法和装置
CN110474864B (zh) * 2018-05-10 2021-05-07 华为技术有限公司 一种注册、登录移动应用程序的方法及电子设备
CN108768970B (zh) * 2018-05-15 2023-04-18 腾讯科技(北京)有限公司 一种智能设备的绑定方法、身份认证平台及存储介质
CN109150828B (zh) * 2018-07-10 2021-04-13 珠海腾飞科技有限公司 一种验证注册方法及系统
CN109525395B (zh) * 2018-09-27 2022-02-08 腾讯科技(北京)有限公司 签名信息的传输方法和装置、存储介质及电子装置
US11977621B2 (en) * 2018-10-12 2024-05-07 Cynthia Fascenelli Kirkeby System and methods for authenticating tangible products
US20220318821A1 (en) * 2018-10-12 2022-10-06 Cynthia Fascenelli Kirkeby System and methods for authenticating tangible products
WO2020076968A1 (en) * 2018-10-12 2020-04-16 Kirkeby Cynthia Fascenelli System and methods for authenticating tangible products
CN109560933B (zh) * 2018-10-12 2022-04-08 蚂蚁蓉信(成都)网络科技有限公司 基于数字证书的认证方法及系统、存储介质、电子设备
CN109740321B (zh) * 2018-12-25 2020-03-31 北京深思数盾科技股份有限公司 吊销加密机管理员锁的方法、加密机及厂商服务器
CN109801053B (zh) * 2018-12-28 2023-05-19 易票联支付有限公司 一种统一绑定银行卡的系统及方法
US10602353B1 (en) * 2018-12-31 2020-03-24 Microsoft Technology Licensing, Llc Extensible device identity attestation
CN110224713B (zh) * 2019-06-12 2020-09-15 读书郎教育科技有限公司 一种基于高安全性智能儿童手表的安全防护方法及系统
CN112134780B (zh) * 2019-06-24 2022-09-13 腾讯科技(深圳)有限公司 信息获取方法和装置、存储介质及电子装置
CN112311718B (zh) * 2019-07-24 2023-08-22 华为技术有限公司 检测硬件的方法、装置、设备及存储介质
WO2021072763A1 (zh) * 2019-10-18 2021-04-22 深圳市大疆创新科技有限公司 无人机激活方法、无人机解绑方法、设备及存储介质
CN113038434B (zh) * 2019-12-09 2022-10-28 华为技术有限公司 设备注册方法、装置、移动终端和存储介质
CN111314429B (zh) * 2020-01-19 2021-07-13 上海交通大学 一种网络请求处理系统和方法
CN111614979B (zh) * 2020-04-08 2024-03-08 视联动力信息技术股份有限公司 一种视联网资源的管理方法及装置
SG10202003630VA (en) * 2020-04-21 2021-09-29 Grabtaxi Holdings Pte Ltd Authentication and validation procedure for improved security in communications systems
CN112039848B (zh) * 2020-08-05 2022-11-04 北京链飞未来科技有限公司 一种基于区块链公钥数字签名的Web认证方法、系统和装置
CN112448958B (zh) * 2020-11-30 2022-08-30 南方电网科学研究院有限责任公司 一种域策略下发方法、装置、电子设备和存储介质
CN112866236B (zh) * 2021-01-15 2023-03-31 云南电网有限责任公司电力科学研究院 一种基于简化数字证书的物联网身份认证系统
CN112887409B (zh) * 2021-01-27 2022-05-17 珠海格力电器股份有限公司 一种数据处理系统、方法、装置、设备和存储介质
US20220385481A1 (en) * 2021-06-01 2022-12-01 International Business Machines Corporation Certificate-based multi-factor authentication
CN114285581B (zh) * 2021-12-07 2024-05-14 西安广和通无线通信有限公司 应用管理方法及相关产品
CN114500237B (zh) * 2022-01-05 2024-05-24 北京世格电讯科技有限公司 一种通信方法和系统
CN114691325B (zh) * 2022-03-16 2024-08-16 北京沃东天骏信息技术有限公司 一种应用的管理方法和装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716794A (zh) * 2013-12-25 2014-04-09 北京握奇数据系统有限公司 一种基于便携式设备的双向安全验证方法及系统
CN104243484A (zh) * 2014-09-25 2014-12-24 小米科技有限责任公司 信息交互方法及装置、电子设备
WO2015047555A1 (en) * 2013-09-28 2015-04-02 Elias Athanasopoulos Methods, systems, and media for authenticating users using multiple services
CN104601327A (zh) * 2013-12-30 2015-05-06 腾讯科技(深圳)有限公司 一种安全验证方法、相关设备和系统
CN105871867A (zh) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 身份认证方法、系统及设备

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8181262B2 (en) * 2005-07-20 2012-05-15 Verimatrix, Inc. Network user authentication system and method
WO2009070430A2 (en) * 2007-11-08 2009-06-04 Suridx, Inc. Apparatus and methods for providing scalable, dynamic, individualized credential services using mobile telephones
US20140156531A1 (en) * 2010-12-14 2014-06-05 Salt Technology Inc. System and Method for Authenticating Transactions Through a Mobile Device
US9059852B2 (en) * 2013-03-27 2015-06-16 International Business Machines Corporation Validating a user's identity utilizing information embedded in a image file
US9600676B1 (en) * 2014-06-16 2017-03-21 Verily Life Sciences Llc Application-level wireless security for wearable devices
CN104618117B (zh) * 2015-02-04 2018-06-12 北京奇虎科技有限公司 基于二维码的智能卡设备的身份认证装置及方法
CN104767616B (zh) * 2015-03-06 2016-08-24 北京石盾科技有限公司 一种信息处理方法、系统及相关设备

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015047555A1 (en) * 2013-09-28 2015-04-02 Elias Athanasopoulos Methods, systems, and media for authenticating users using multiple services
CN103716794A (zh) * 2013-12-25 2014-04-09 北京握奇数据系统有限公司 一种基于便携式设备的双向安全验证方法及系统
CN104601327A (zh) * 2013-12-30 2015-05-06 腾讯科技(深圳)有限公司 一种安全验证方法、相关设备和系统
CN104243484A (zh) * 2014-09-25 2014-12-24 小米科技有限责任公司 信息交互方法及装置、电子设备
CN105871867A (zh) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 身份认证方法、系统及设备

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110932858A (zh) * 2018-09-19 2020-03-27 阿里巴巴集团控股有限公司 认证方法和系统
CN110932858B (zh) * 2018-09-19 2023-05-02 阿里巴巴集团控股有限公司 认证方法和系统

Also Published As

Publication number Publication date
CN105871867B (zh) 2018-01-16
US10637668B2 (en) 2020-04-28
US20180343123A1 (en) 2018-11-29
CN105871867A (zh) 2016-08-17

Similar Documents

Publication Publication Date Title
WO2017186100A1 (zh) 身份认证方法、系统及设备
CN112733107B (zh) 一种信息验证的方法、相关装置、设备以及存储介质
CN109600223B (zh) 验证方法、激活方法、装置、设备及存储介质
TWI713855B (zh) 憑證管理方法及系統
US11026085B2 (en) Authentication apparatus with a bluetooth interface
WO2017041599A1 (zh) 业务处理方法及电子设备
CN110399713B (zh) 一种信息认证的方法及相关装置
WO2018176781A1 (zh) 信息发送方法、信息接收方法、装置及系统
WO2017185711A1 (zh) 控制智能设备的方法、装置、系统和存储介质
WO2015101273A1 (zh) 一种安全验证方法、相关设备和系统
WO2017020630A1 (zh) 一种处理订单信息的方法、装置和系统
CN108234124B (zh) 身份验证方法、装置与系统
WO2019072039A1 (zh) 一种业务证书管理方法、终端及服务器
CN110198301B (zh) 一种服务数据获取方法、装置及设备
CN105515768A (zh) 一种更新密钥的方法、装置和系统
CN105468952A (zh) 身份验证方法及装置
WO2018108062A1 (zh) 身份验证方法、装置及存储介质
WO2015035936A1 (zh) 身份验证方法、身份验证装置和身份验证系统
CN110601858B (zh) 证书管理方法及装置
CN111489172B (zh) 一种资质信息的认证方法和终端以及服务器
CN108475304A (zh) 一种关联应用程序和生物特征的方法、装置以及移动终端
WO2018233584A1 (zh) 账户数值转移方法、装置、计算机设备及存储介质
CN110572268B (zh) 一种匿名认证方法和装置
CN115544464A (zh) 针对微控制芯片的固件烧录方法、装置、系统及存储介质
CN108234412B (zh) 身份验证方法与装置

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 15771511

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17788752

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17788752

Country of ref document: EP

Kind code of ref document: A1