WO2018161777A1 - Identity verification method, terminal apparatus, server, and data storage medium - Google Patents


Info

Publication number
WO2018161777A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
server
data
verification data
timestamp
Application number
PCT/CN2018/076007
Other languages
French (fr)
Chinese (zh)
Inventor
梁宇轩
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/06 ... for supporting key management in a packet data network
                    • H04L 63/08 ... for authentication of entities
                        • H04L 63/0807 ... using tickets, e.g. Kerberos
                        • H04L 63/083 ... using passwords
                            • H04L 63/0838 ... using one-time-passwords
                • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
                    • H04L 65/1066 Session management
                        • H04L 65/1073 Registration or de-registration
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/321 ... involving a third party or a trusted authority
                        • H04L 9/3236 ... using cryptographic hash functions
                            • H04L 9/3242 ... involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Definitions

  • the present application relates to the field of communications technologies, and in particular, to an authentication method, a terminal device, a server, and a storage medium.
  • user authentication is more and more widely used.
  • user identity verification can effectively protect secure communication and system related resources.
  • a password-based user authentication mechanism provides the most basic functionality to prevent unauthorized access and permissions.
  • some schemes use smart cards, hardware tokens (TOKEN), etc., implemented on the basis of user rights and authorization settings.
  • these methods add hidden hardware and maintenance costs, and user authentication with them is inefficient and inaccurate.
  • Various embodiments provided in accordance with the present application provide a method, terminal device, server, and storage medium for authentication.
  • a method of authentication including:
  • the terminal device scans the two-dimensional code generated by the client device, so that the terminal device that has scanned the two-dimensional code is registered to the server, and the two-dimensional code is generated by the client device based on the one-time password;
  • the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
  • the terminal device sends the third verification data to the server, so that the server sends the indication information to the client device, where the indication information is used to indicate that the terminal device has passed the verification.
  • a method of authentication including:
  • the server receives the first verification data sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, the terminal device is registered to the server by scanning a two-dimensional code generated by the client device, and the two-dimensional code is generated by the client device based on the one-time password;
  • the server calculates the first verification data according to a one-way hash function to generate second verification data;
  • the server generates indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification;
  • the server sends the indication information to the client device.
  • a terminal device comprising:
  • a scanning unit configured to scan a two-dimensional code generated by the client device, to register the terminal device that has scanned the two-dimensional code to a server, where the two-dimensional code is generated by the client device based on a one-time password;
  • a first sending unit configured to send the first verification data to the server, so that the server sends the second verification data to the terminal device, where the second verification data is data generated by the server by calculating the first verification data according to the one-way hash function;
  • a calculating unit configured to calculate the second verification data according to the one-way hash function to generate third verification data;
  • a second sending unit configured to send the third verification data to the server, so that the server sends the indication information to the client device, where the indication information is used to indicate that the terminal device has passed the verification.
  • a terminal device comprising a memory and one or more processors, the memory storing computer readable instructions, the computer readable instructions being executed by the one or more processors to cause the one or more processors to perform the following steps:
  • transmitting the first verification data to the server, so that the server sends the second verification data to the terminal device, where the second verification data is data generated by the server by calculating the first verification data according to the one-way hash function;
  • a server that includes:
  • a first receiving unit configured to receive first verification data sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, the terminal device is registered to the server by scanning the two-dimensional code generated by the client device, and the two-dimensional code is generated by the client device based on the one-time password;
  • a first calculating unit configured to calculate the first verification data according to a one-way hash function to generate second verification data;
  • a first sending unit configured to send the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
  • a first receiving unit configured to receive the third verification data sent by the terminal device;
  • a generating unit configured to generate indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification;
  • a second sending unit configured to send the indication information to the client device.
  • a server comprising a memory and one or more processors, the memory having stored therein computer readable instructions, the computer readable instructions being executed by the one or more processors such that the one or more processors perform the following steps:
  • receiving first verification data sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, the terminal device is registered to the server by scanning a QR code generated by the client device, and the two-dimensional code is generated by the client device based on a one-time password;
  • One or more non-volatile storage media storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
  • transmitting the first verification data to the server, so that the server sends the second verification data to the terminal device, where the second verification data is data generated by the server by calculating the first verification data according to the one-way hash function;
  • One or more non-volatile storage media storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
  • receiving first verification data sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, the terminal device is registered to the server by scanning a QR code generated by the client device, and the two-dimensional code is generated by the client device based on a one-time password;
  • FIG. 1 is a schematic structural diagram of an embodiment of a verification system provided by the present application.
  • FIG. 2 is a schematic structural diagram of an embodiment of a server provided by the present application.
  • FIG. 3 is a schematic structural diagram of an embodiment of a terminal device provided by the present application.
  • FIG. 4 is a flow chart of steps of an embodiment of a method for identity verification provided by the present application.
  • FIG. 5 is a flow chart of steps of another embodiment of the method for identity verification provided by the present application.
  • FIG. 6 is a flow chart of steps of another embodiment of the method for identity verification provided by the present application.
  • FIG. 7 is a flow chart of steps of another embodiment of the method for identity verification provided by the present application.
  • FIG. 8 is a schematic structural diagram of another embodiment of a terminal device provided by the present application.
  • FIG. 9 is a schematic structural diagram of another embodiment of a server provided by the present application.
  • the embodiment of the present application provides a method for identity verification.
  • the following is a detailed description of the specific structure of a verification system that can implement the method provided by the embodiment of the present application. It is understood that the specific embodiments described herein are merely illustrative of the application and are not intended to be limiting.
  • the verification system shown in this embodiment includes a server 101, at least one client device 102, and at least one terminal device 103.
  • the specific number of the client device 102 and the terminal device 103 included in the verification system shown in this embodiment is not limited.
  • Data communication can be performed between the server 101, the client device 102, and the terminal device 103 shown in this embodiment.
  • the server 200 provided by the embodiment of the present application may vary considerably in configuration or performance, and may include one or more central processing units (CPUs) 222 (e.g., one or more processors), memory 232, and one or more storage media 230 (e.g., one or more mass storage devices) storing application 242 or data 244.
  • the memory 232 and the storage medium 230 may be short-term storage or persistent storage.
  • Programs stored on storage medium 230 may include one or more modules (not shown), each of which may include a series of computer readable instructions in a server.
  • central processor 222 can be configured to communicate with storage medium 230, executing the series of computer readable instructions in storage medium 230 on server 200 which, when executed, cause processor 222 to perform a method of authentication.
  • the storage medium 230 may be a non-volatile storage medium.
  • Server 200 may also include one or more power sources 226, one or more wired or wireless network interfaces 250, one or more input and output interfaces 258, and/or one or more operating systems 241, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
  • the specific structure of the terminal device 103 provided in this embodiment is described in detail below with reference to FIG. 3:
  • the terminal device may be any terminal device including a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales), an in-vehicle computer, and the like.
  • FIG. 3 is a block diagram showing a partial structure of a terminal device provided by an embodiment of the present application.
  • the terminal device includes: a radio frequency (RF) circuit 310, a memory 320, an input unit 330, a display unit 340, a sensor 350, an audio circuit 360, a wireless fidelity (WiFi) module 370, a processor 380, a power supply 390 and other components.
  • the terminal device structure shown in FIG. 3 does not constitute a limitation of the terminal device, and may include more or less components than those illustrated, or a combination of certain components, or different component arrangements.
  • the RF circuit 310 can be used for receiving and transmitting signals while information is being sent or received; in particular, after receiving downlink information from the base station it passes it to the processor 380 for processing, and it also transmits the uplink data to be sent to the base station.
  • RF circuit 310 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like.
  • RF circuitry 310 can also communicate with the network and other devices via wireless communication.
  • the above wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and the like.
  • the memory 320 can be used to store software programs and modules, and the processor 380 executes various functional applications and data processing of the terminal devices by running software programs and modules stored in the memory 320.
  • the memory 320 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the terminal device (such as audio data, a phone book, etc.).
  • memory 320 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
  • the terminal device also includes a non-volatile storage medium.
  • the non-volatile storage medium stores computer readable instructions.
  • the computer readable instructions can be executed by processor 380.
  • processor 380 can be caused to perform a method of authentication.
  • the input unit 330 can be configured to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the terminal device.
  • the input unit 330 may include a touch panel 331 and other input devices 332.
  • the touch panel 331, also referred to as a touch screen, can collect touch operations by the user on or near it (such as operations performed by the user with a finger, a stylus, or the like on or near the touch panel 331), and drive the corresponding connecting device according to a preset program.
  • the touch panel 331 can include two parts: a touch detection device and a touch controller.
  • the touch detection device detects the touch orientation of the user, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and sends them to the processor 380, and can also receive commands from the processor 380 and execute them.
  • the touch panel 331 can be implemented in various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave.
  • the input unit 330 may also include other input devices 332.
  • other input devices 332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • the display unit 340 can be used to display information input by the user or information provided to the user as well as various menus of the terminal device.
  • the display unit 340 can include a display panel 341.
  • the display panel 341 can be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), or the like.
  • the touch panel 331 can cover the display panel 341. When the touch panel 331 detects a touch operation on or near it, it transmits the operation to the processor 380 to determine the type of the touch event, and the processor 380 then provides a corresponding visual output on the display panel 341 according to the type of the touch event.
  • in FIG. 3 the touch panel 331 and the display panel 341 are two independent components that implement the input and output functions of the terminal device; in some embodiments, the touch panel 331 may be integrated with the display panel 341 to implement the input and output functions of the terminal device.
  • the terminal device may also include at least one type of sensor 350, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 341 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 341 and/or the backlight when the terminal device is moved to the ear.
  • the accelerometer sensor can detect the magnitude of acceleration in each direction (usually three axes), and can detect the magnitude and direction of gravity at rest; it can be used for applications that recognise the attitude of the terminal device (such as switching between horizontal and vertical screen, related games, magnetometer attitude calibration), vibration recognition related functions (such as a pedometer, tapping), and so on; the gyroscope, barometer, hygrometer, thermometer, infrared sensor and other sensors that may also be configured in the terminal device are not described further here.
  • the audio circuit 360, the speaker 361, and the microphone 362 can provide an audio interface between the user and the terminal device.
  • the audio circuit 360 can convert received audio data into an electrical signal and transmit it to the speaker 361, which converts it into a sound signal for output; on the other hand, the microphone 362 converts a collected sound signal into an electrical signal, which the audio circuit 360 receives and converts into audio data; after the audio data is processed by the processor 380, it is sent, for example, to another terminal device via the RF circuit 310, or output to the memory 320 for further processing.
  • WiFi is a short-range wireless transmission technology
  • the terminal device can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 370, which provides wireless broadband Internet access for users.
  • although FIG. 3 shows the WiFi module 370, it can be understood that it does not belong to the essential configuration of the terminal device, and may be omitted as needed within the scope of not changing the essence of the invention.
  • the processor 380 is the control center of the terminal device; it connects the various parts of the entire terminal device using various interfaces and lines, and performs the various functions and data processing of the terminal device by running or executing the software programs and/or modules stored in the memory 320 and recalling data stored in the memory 320, so as to monitor the terminal device as a whole.
  • the processor 380 may include one or more processing units; preferably, the processor 380 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application, and the like.
  • the modem processor primarily handles wireless communications. It will be appreciated that the above described modem processor may also not be integrated into the processor 380.
  • the terminal device also includes a power source 390 (such as a battery) that supplies power to the various components.
  • the power source can be logically coupled to the processor 380 through a power management system to manage functions such as charging, discharging, and power management through the power management system.
  • the terminal device may further include a camera, a Bluetooth module, and the like, and details are not described herein again.
  • the specific structure of the client device 102 is not limited in this embodiment, as long as the client device 102 can generate a two-dimensional code to be scanned by the terminal device 103.
  • Step 401 The client device generates a two-dimensional code based on the one-time password.
  • One-time passwords are only valid for one login session or transaction.
  • One-time passwords avoid many of the shortcomings associated with traditional static passwords, such as replay attacks, dictionary attacks, and phishing attacks. This means that if a potential intruder records a one-time password that has already been used to log in to a service or perform an action, they cannot abuse it, because the password is no longer valid.
  • the purpose of a one-time password is to make it more difficult to gain unauthorized access to restricted resources.
  • one-time passwords cannot be remembered by humans. For this reason, they need extra technology to work. Basically, one-time passwords can be divided into the following four categories:
  • Lamport first proposed a one-time password authentication scheme using a one-way hash chain. However, if an unlimited number of passwords is required, a new seed value must be selected whenever an old hash chain is exhausted. In particular, maintaining a password file used to authenticate user authentication requests also increases the risk of tampering and the maintenance cost. For this reason, many researchers have proposed various user authentication schemes, for example using smart cards, to improve security, cost or efficiency.
  • token one-time passwords are usually associated with physical hardware tokens. Inside the token is an accurate clock that has been synchronised with the clock on the server. More recently, electronic components have been combined with regular key fob one-time password tokens, such as those from InCard, RSA, SafeNet, and Vasco. However, these methods are not very convenient, for the same reasons as smart card solutions.
  • SMS is a best-effort delivery agent: this means that the communication company tries to send the text message, but there is no guarantee that it will be delivered, or it may take a long time.
  • a one-time password must have a lifecycle as a security feature.
  • SMS-based solutions keep incurring additional costs; they are therefore impractical and not necessarily a low-cost solution.
  • the client device shown in this embodiment can generate a two-dimensional code based on the one-time password.
  • the processor of the client device can calculate the preset content using the one-time password to generate a two-dimensional code, and the display screen of the client device can display the generated two-dimensional code.
  • the application scenario of the method shown in this embodiment is also shown in FIG. 5.
  • the client device shown in this embodiment may store the preset content shown in FIG. 5 as a uniform resource locator (URL), text, a phone number, or an SMS message.
  • the client device can perform an encryption operation on the preset content based on the one-time password to generate a QR code.
  • Step 402 The terminal device scans the two-dimensional code generated by the client device.
  • the terminal device shown in this embodiment scans the two-dimensional code to join the verification system shown in FIG. 1.
  • Terminal devices with embedded cameras can capture two-dimensional codes and then decode them using software running on the terminal device.
  • terminal devices that use QR codes support many of today's services, such as booking, payment, and Uniform Resource Locator reading.
  • this embodiment proposes to use the widely used two-dimensional code technology to support a one-time password system; the two-dimensional code application on the terminal device inherits the benefits of two-dimensional codes, such as large capacity, small print size, high-speed scanning, damage resistance and data robustness, as well as attributes such as mobility and flexibility. Therefore, our approach can be more convenient, because the user does not need a separate hardware token for each security domain to gain access.
  • the application scenario shown in FIG. 5 is performed after the terminal device scans the two-dimensional code generated by the client device, and the specific execution process of the registration phase is as shown in step 403 to step 408 below.
  • Step 403 The terminal device generates first registration data corresponding to the terminal device.
  • the first registration data IDA is not limited, as long as the first registration data IDA is associated with the terminal device.
  • the first registration data IDA may be an ID code of a processor of the terminal device, or a preset login account and login password of the terminal device.
  • Step 404 The terminal device sends the first registration data to the server.
  • Step 405 The server receives the first registration data sent by the terminal device.
  • the server and the terminal device may establish a secure communication channel in advance, so that data is transmitted between the server and the terminal device through the established communication channel.
  • Step 406 The server generates second registration data.
  • the server shown in this embodiment is capable of calculating the first registration data IDA and the preset key S according to the one-way hash function h(*) to generate the second registration data XA.
  • the preset key S is a long-term key stored in advance by the server.
  • Step 407 The server sends the second registration data to the terminal device.
  • Step 408 The terminal device receives the second registration data.
  • the terminal device shown in this embodiment can store the second registration data XA as a long-term key.
  • the process of registering the terminal device to the server is completed by using steps 403 to 408 shown in this embodiment.
  • Step 409 The terminal device records the first timestamp.
  • The first timestamp T1 is the time at which the terminal device detects that it scans the two-dimensional code.
  • Step 410 The terminal device generates first verification data.
  • The first verification data shown in this embodiment includes the first timestamp T1 and the second registration data XA.
  • Step 411 The terminal device sends the first verification data to the server.
  • Step 412 The server receives the first verification data.
  • Step 413 The server records the second timestamp.
  • The second timestamp T2 is the time at which the server detects that the terminal device scans the two-dimensional code.
  • Step 414 The server determines whether the first verification data meets the first preset condition. If not, step 415 is performed, and if yes, step 416 is performed.
  • The first preset condition is that the first timestamp is equal to the second timestamp.
  • When the server determines that the first timestamp included in the first verification data is not equal to the second timestamp recorded by the server, the first verification data does not satisfy the first preset condition, and the process proceeds to step 415.
  • When the server determines that the first timestamp included in the first verification data is equal to the second timestamp recorded by the server, the first verification data meets the first preset condition, and the process proceeds to step 416.
  • Step 415 The server rejects the request of the terminal device for verification.
  • The server may determine that the identity verification request of the terminal device is invalid. Optionally, the server may send target indication information to the terminal device and/or the client device, where the target indication information is used to indicate that the identity verification request of the terminal device is invalid.
  • Step 416 The server generates the first sub-data.
  • The server calculates the target random number r, the first timestamp T1, and the second timestamp T2 according to the one-way hash function h(*) to generate the first sub-data h(r, T1, T2).
  • The target random number r is data randomly generated by the server.
  • Step 417 The server generates the first parameter.
  • The server performs an exclusive OR operation on the target random number r and the second registration data XA to generate the first parameter.
  • The second registration data shown in this embodiment is the data generated in step 406.
  • Step 418 The server generates the second sub-data.
  • The server calculates the first parameter by using the first function to generate the second sub-data.
  • The first function shown in this embodiment is EOR(*).
  • The first function EOR(*) is a function that encodes data into a two-dimensional code image.
  • The second sub-data is the first parameter encoded by EOR(*), that is, EOR(first parameter).
  • Step 419 The server generates second verification data.
  • The second verification data generated by the server includes the first sub-data h(r, T1, T2), the second sub-data EOR(first parameter), and the second timestamp T2.
  • Step 420 The server sends the second verification data to the terminal device.
  • Step 421 The terminal device receives the second verification data.
  • Step 422 The terminal device determines whether the second verification data meets the second preset condition. If not, step 423 is performed, and if yes, step 424 is performed.
  • The second preset condition is that the first timestamp T1 is equal to the second timestamp T2.
  • If the second verification data meets the second preset condition, the process continues with step 424; otherwise, it continues with step 423.
  • Step 423 The terminal device refuses to continue identity verification.
  • When the terminal device determines that the first timestamp T1 is not equal to the second timestamp T2, the terminal device refuses to continue the identity verification, and the identity verification process is terminated.
  • Step 424 The terminal device generates a second parameter.
  • The terminal device calculates the second sub-data EOR(first parameter) included in the second verification data by using the second function DOR(*) to generate the second parameter.
  • The second function DOR(*) is the function by which the terminal device decodes a two-dimensional code captured by its embedded camera.
  • The second parameter is DOR(EOR(first parameter)), that is, the decoded first parameter.
  • Step 425 The terminal device generates a target random number.
  • The terminal device performs an exclusive OR operation on the second parameter DOR(EOR(first parameter)) and the second registration data XA to generate the target random number r.
  • Step 426 The terminal device generates a third parameter.
  • The terminal device calculates the target random number r, the first timestamp T1, and the second timestamp T2 by using the one-way hash function h(*) to generate a third parameter.
  • The third parameter is h(r, T1, T2).
  • Step 427 The terminal device determines whether the third parameter meets the third preset condition. If not, step 428 is performed, and if yes, step 429 is performed.
  • The third preset condition is that the third parameter is equal to the first sub-data.
  • If the terminal device determines that the third parameter is not equal to the first sub-data, the process proceeds to step 428; if the terminal device determines that the third parameter is equal to the first sub-data, the process proceeds to step 429.
  • Step 428 The terminal device refuses to continue identity verification.
  • Step 429 The terminal device acquires a third timestamp.
  • The third timestamp T3 shown in this embodiment is the time at which the terminal device detects that it scans the two-dimensional code.
  • Step 430 The terminal device generates third verification data.
  • The third verification data generated by the terminal device shown in this embodiment includes the third parameter h(r, T1, T2) and the third timestamp T3.
  • Step 431 The terminal device sends the third verification data to the server.
  • Step 432 The server determines whether the third verification data meets the fourth preset condition, and if yes, performs step 433.
  • The fourth preset condition is that the difference between the first timestamp T1 and the third timestamp T3 is less than or equal to a preset threshold, and further that the third parameter h(r, T1, T2) is equal to the first sub-data h(r, T1, T2) included in the second verification data stored by the server.
  • The server shown in this embodiment stores the preset threshold in advance, and after receiving the third timestamp, the server determines whether the difference between the first timestamp and the third timestamp is less than or equal to the preset threshold.
  • The third parameter in this embodiment is sent by the terminal device to the server, and the first sub-data is generated by the server in step 416.
  • The server therefore needs to determine whether the third parameter is equal to the first sub-data.
  • Step 433 The server generates indication information.
  • When the server determines that the third verification data meets the fourth preset condition, the server may generate indication information for indicating that the terminal device passes the verification.
  • Step 434 The server sends the indication information to the client device.
  • The server may send the generated indication information to the client device.
  • Step 435 The client device receives the indication information.
  • When the client device receives the indication information, it can determine that the current terminal device has passed the verification, and can perform the corresponding function.
  • For example, the client device may be a computer device capable of performing a ticket booking function.
  • When the computer device receives the indication information sent by the server, it can open the corresponding booking function for the terminal device.
  • The security of the method shown in this embodiment is analysed below.
  • The method shown in this embodiment reduces the security risk of the terminal device.
  • Because the terminal device stores the key XA shown in step 408 for a long time, the terminal device needs to be well protected; the terminal device shown in this embodiment is only used to scan the two-dimensional code of the client device.
  • The core registration phase and verification phase are performed on the remote server, and the generation of the two-dimensional code is performed on the client device, thereby effectively reducing the security risk of the terminal device shown in this embodiment and improving its security.
  • It is not feasible for an attacker to obtain the server key through the terminal device, because the one-way hash function shown in this embodiment is irreversible.
  • The irreversible one-way hash function prevents the attacker from obtaining the key stored by the server, thereby further improving the security of the verification process.
  • The security risk of the remote user is effectively reduced, because when the value of the corresponding random number r is not known, it is not feasible to obtain the legal user's long-term key XA.
  • Even if the information transmitted in the public channel is intercepted, r still cannot be obtained from it, because the one-way hash function is irreversible.
  • Man-in-the-middle attacks and replay attacks are effectively reduced. If a cracker replays a legitimate request with timestamp T3 intercepted from the public channel multiple times, the server receives the access request carrying the timestamp T3; however, if the difference between the timestamp T1 and the timestamp T3 is not lower than the pre-stored time interval, the server can reject it. Moreover, the random number r is randomly selected by the server. Therefore, man-in-the-middle attacks and replay attacks will fail.
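The registration and verification exchange of steps 403 to 435, together with the timestamp-window check discussed above, as an added worked model written for this page (it is not code from the patent or its applicant). It assumes that h(*) is SHA-256 over length-prefixed inputs, that hex text stands in for the QR image produced by EOR(*) and read back by DOR(*), that timestamps are integer seconds, that the server keys its stored XA by IDA, and that rejecting a mismatched XA and accepting each session's first sub-data only once are added design choices the patent text does not specify. The IDA, key and timestamps used by run_protocol are constructed sample values.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    # One-way hash h(*), instantiated here as SHA-256 over length-prefixed inputs (assumption).
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    # Exclusive OR of equal-length byte strings (steps 417 and 425).
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")  # serialise a timestamp so it can be fed to h(*)

def eor(payload: bytes) -> str:
    return payload.hex()  # stand-in for EOR(*): hex text plays the role of the QR image

def dor(image: str) -> bytes:
    return bytes.fromhex(image)  # stand-in for DOR(*), the QR decoder

class Server:
    def __init__(self, preset_key: bytes, threshold: int):
        self.S = preset_key         # long-term key S (step 406)
        self.threshold = threshold  # preset threshold on T3 - T1 (step 432)
        self.registered = {}        # IDA -> XA (keying by IDA is an assumption)
        self.pending = {}           # IDA -> (T1, first sub-data)

    def register(self, ida: bytes) -> bytes:
        xa = h(ida, self.S)         # steps 405-407: XA = h(IDA, S)
        self.registered[ida] = xa
        return xa

    def first_round(self, ida: bytes, t1: int, xa: bytes, t2: int):
        # Steps 412-420: returns the second verification data, or None for step 415.
        if t1 != t2:                # first preset condition
            return None
        xa_stored = self.registered.get(ida)
        if xa_stored is None or not hmac.compare_digest(xa_stored, xa):
            return None             # assumption: unknown or mismatched XA is rejected
        r = secrets.token_bytes(32)           # target random number r (step 416)
        sub1 = h(r, ts(t1), ts(t2))           # first sub-data h(r, T1, T2)
        sub2 = eor(xor(r, xa_stored))         # second sub-data EOR(r XOR XA) (steps 417-418)
        self.pending[ida] = (t1, sub1)
        return sub1, sub2, t2                 # second verification data (step 419)

    def third_round(self, ida: bytes, third_param: bytes, t3: int) -> bool:
        # Step 432, fourth preset condition: |T3 - T1| <= threshold and the hash matches.
        entry = self.pending.get(ida)
        if entry is None:
            return False
        t1, sub1 = entry
        if abs(t3 - t1) > self.threshold or not hmac.compare_digest(third_param, sub1):
            return False
        del self.pending[ida]       # assumption: each session's sub-data is accepted once
        return True

class Terminal:
    def __init__(self, ida: bytes):
        self.ida = ida              # first registration data IDA (step 403)
        self.xa = None              # second registration data XA, kept long term (step 408)

    def register(self, server: Server) -> None:
        self.xa = server.register(self.ida)

    def process_second(self, second, t1: int):
        # Steps 422-427: recover r, recompute h(r, T1, T2), compare with the first sub-data.
        sub1, sub2, t2 = second
        if t1 != t2:                # second preset condition (step 423 on failure)
            return None
        r = xor(dor(sub2), self.xa)           # steps 424-425
        third = h(r, ts(t1), ts(t2))          # step 426
        if not hmac.compare_digest(third, sub1):  # third preset condition (step 428 on failure)
            return None
        return third

def run_protocol(t1: int, t2: int, t3: int, threshold: int = 30, tamper_qr: bool = False) -> str:
    # One registration plus one verification; timestamps are constructed integer seconds.
    server = Server(secrets.token_bytes(32), threshold)
    term = Terminal(b"processor-id-0001")  # constructed IDA
    term.register(server)
    second = server.first_round(term.ida, t1, term.xa, t2)
    if second is None:
        return "rejected at step 415"
    if tamper_qr:                   # simulate a QR image altered before the terminal decodes it
        second = (second[0], eor(bytes(32)), second[2])
    third = term.process_second(second, t1)
    if third is None:
        return "terminal aborted"
    return "verified" if server.third_round(term.ida, third, t3) else "rejected at step 432"
```

Calling `run_protocol(1000, 1000, 1010)` completes verification, while a T3 outside the threshold is refused at step 432 and a QR image altered in transit makes the terminal abort at step 428 because the recovered r no longer reproduces the first sub-data. Note that the equality checks T1 == T2 at steps 414 and 422 compare timestamps recorded independently by two parties; the patent does not say how they are kept equal, so a deployment has to fix a shared clock granularity or derive T2 from the same scan event.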
  • In this application scenario, the verification system is applied to the payment domain.
  • The client device is a computer device capable of performing a payment function.
  • The terminal device joins the verification system by scanning the two-dimensional code generated by the client device. After joining the verification system, the terminal device performs the process shown in FIG. 6 to register with the server.
  • The terminal device sends the IDA to the server and the client device; the specific process of the terminal device sending the IDA is shown in the embodiment of FIG. 4 and is not described again in this application scenario.
  • The server calculates the IDA to generate the XA.
  • The specific generation process of the XA in this application scenario is shown in the embodiment of FIG. 4 and is not described again here.
  • The server sends the generated XA to the terminal device so that the terminal device stores the XA.
  • The verification phase can then be performed.
  • The specific process of the verification phase can be seen in FIG. 7.
  • Authentication data is exchanged between the terminal device and the server.
  • For the specific interaction process, refer to the detailed process shown in FIG. 4, which is not described again in this application scenario.
  • The server may send the indication information to the client device, so that the client device that receives the indication information determines that the terminal device has passed the verification; in the present application scenario, the client device can then perform a payment operation with the verified terminal device.
  • The verification method shown in this embodiment can be adapted to people's habits, convenience, and daily use, being based on everyday products and a systematic design.
  • The dynamic security boundary two-dimensional code based on the one-time password authentication protocol provided in this embodiment not only eliminates the use of a password verification table, but also draws on the ubiquity of terminal devices and networks in the information age.
  • The method has a wide range of applications, and during verification the user does not need to add any new device, so that the method shown in this embodiment is highly cost-effective, can be popularized, eliminates the prior-art burden of carrying a separate hardware token, and also reduces the extra cost of SMS.
  • The method shown in this embodiment effectively improves security, and verifying the terminal device by using the two-dimensional code improves the convenience of the original user identity verification.
  • The structure of the terminal device provided in this embodiment has been described above from the perspective of the hardware entity.
  • The specific structure of the terminal device provided in this embodiment is described in detail below from the perspective of the functional modules.
  • The terminal device includes:
  • a scanning unit 801, configured to scan a two-dimensional code generated by the client device, so that the terminal device that has scanned the two-dimensional code is registered to a server, where the two-dimensional code is generated by the client device based on a one-time password;
  • a first generating unit 802, configured to generate first registration data corresponding to the terminal device;
  • a third sending unit 803, configured to send the first registration data to the server, so that the server sends second registration data to the terminal device, where the second registration data is data generated by the server by calculating the first registration data and the preset key according to the one-way hash function, and the preset key is a key pre-stored by the server;
  • a first receiving unit 804, configured to receive the second registration data;
  • a first recording unit, configured to record a first timestamp, where the first timestamp is the time at which the terminal device detects that it scans the two-dimensional code;
  • a second generating unit 805, configured to generate the first verification data, where the first verification data includes the first timestamp and the second registration data, so that the server generates the second verification data when it determines that the first verification data satisfies the first preset condition, where the first preset condition is that the first timestamp is equal to a second timestamp, the second timestamp is the time at which the server detects that the terminal device finishes scanning the two-dimensional code, the second verification data includes first sub-data, second sub-data, and the second timestamp, the first sub-data is data generated by the server by calculating the target random number, the first timestamp, and the second timestamp according to the one-way hash function, the target random number is data randomly generated by the server, and the second sub-data is data generated by the server by calculating a first parameter by using a first function, where the first parameter is generated by the server performing an exclusive OR operation on the target random number and the second registration data;
  • a first sending unit 806, configured to send the first verification data to the server, so that the server sends the second verification data to the terminal device, where the second verification data is data generated by the server by calculating the first verification data according to the one-way hash function;
  • a second receiving unit 807, configured to receive the second verification data, where the second verification data includes the second timestamp, and the second timestamp is the time at which the server detects that the terminal device finishes scanning the two-dimensional code;
  • a first determining unit 808, configured to determine whether the second verification data meets a second preset condition, where the second preset condition is that the first timestamp is equal to the second timestamp, and the first timestamp is the time at which the terminal device detects that it scans the two-dimensional code;
  • a triggering unit 809, configured to: if the first determining unit determines that the second verification data meets the second preset condition, trigger the calculating unit to perform the step of calculating the second verification data according to the one-way hash function to generate third verification data;
  • a calculating unit 810, configured to calculate the second verification data according to the one-way hash function to generate the third verification data;
  • The calculating unit 810 includes:
  • a first calculating module 8101, configured to calculate, by using a second function, the second sub-data included in the second verification data to generate a second parameter;
  • a second calculating module 8102, configured to calculate, by using an exclusive OR operation, the second parameter and the second registration data to generate the target random number;
  • a third calculating module 8103, configured to calculate, by using the one-way hash function, the target random number, the first timestamp, and the second timestamp to generate a third parameter;
  • a determining module 8104, configured to determine whether the third parameter meets a third preset condition, where the third preset condition is that the third parameter is equal to the first sub-data;
  • an obtaining module 8105, configured to: if the determining module determines that the third parameter meets the third preset condition, acquire a third timestamp, where the third timestamp is the time at which the terminal device detects that it begins scanning the two-dimensional code;
  • a determining module 8106, configured to determine that the third verification data includes the third parameter and the third timestamp, so that the server generates the indication information when it determines that the third verification data meets a fourth preset condition, where the fourth preset condition is that a difference between the first timestamp and the third timestamp is less than or equal to a preset threshold, and further that the third parameter is equal to the first sub-data included in the second verification data stored by the server;
  • a second sending unit 811, configured to send the third verification data to the server, so that the server sends the indication information to the client device, where the indication information is used to indicate that the terminal device has passed verification.
  • The specific process of the method for performing the authentication by the terminal device shown in FIG. 8 is shown in FIG. 4 and is not described in detail again in this embodiment.
  • FIG. 2 illustrates the specific structure of the server from the perspective of a hardware entity.
  • The specific structure of the server is described in detail below from the perspective of the functional modules in conjunction with the embodiment shown in FIG. 9:
  • The server includes:
  • a second receiving unit 901, configured to receive first registration data that is sent by the terminal device and that corresponds to the terminal device;
  • a second calculating unit 902, configured to calculate the first registration data and the preset key according to the one-way hash function to generate second registration data, where the preset key is a key pre-stored by the server;
  • a second sending unit 903, configured to send the second registration data to the terminal device;
  • a first receiving unit 904, configured to receive first verification data sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, the terminal device registers with the server by scanning a two-dimensional code generated by the client device, and the two-dimensional code is generated by the client device based on a one-time password;
  • a recording unit 905, configured to record a second timestamp, where the second timestamp is the time at which the server detects that the terminal device scans the two-dimensional code;
  • a determining unit 906, configured to determine whether the first verification data meets a first preset condition, where the first verification data includes a first timestamp and the second registration data, the first timestamp is the time at which the terminal device detects that it scans the two-dimensional code, and the first preset condition is that the first timestamp is equal to the second timestamp;
  • a triggering unit 907, configured to: if the determining unit determines that the first verification data meets the first preset condition, trigger the first calculating unit to perform the step of calculating the first verification data according to the one-way hash function to generate second verification data;
  • a first calculating unit 908, configured to calculate the first verification data according to the one-way hash function to generate the second verification data;
  • The first calculating unit 908 includes:
  • a first calculating module 9081, configured to calculate, according to the one-way hash function, the target random number, the first timestamp, and the second timestamp to generate first sub-data, where the target random number is data randomly generated by the server;
  • a second calculating module 9082, configured to perform an exclusive OR operation on the target random number and the second registration data to generate a first parameter;
  • a third calculating module 9083, configured to calculate the first parameter by using a first function to generate second sub-data;
  • a first generation module 9084, configured to generate the second verification data, where the second verification data includes the first sub-data, the second sub-data, and the second timestamp;
  • a first sending unit 909, configured to send the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
  • a first receiving unit 910, configured to receive the third verification data sent by the terminal device, where the third verification data includes a third parameter and a third timestamp, the third parameter is a parameter generated by the terminal device by calculating the target random number, the first timestamp, and the second timestamp by using the one-way hash function, the target random number is a random number generated by the terminal device by calculating the second parameter and the second registration data by using an exclusive OR operation, the second parameter is generated by the terminal device by calculating, by using a second function, the second sub-data included in the second verification data, and the third timestamp is the time at which the terminal device detects that it scans the two-dimensional code;
  • a generating unit 911, configured to generate indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification;
  • The generating unit 911 includes:
  • a determining module 9111, configured to determine whether the third verification data meets a fourth preset condition, where the fourth preset condition is that a difference between the first timestamp and the third timestamp is less than or equal to a preset threshold, and further that the third parameter is equal to the first sub-data included in the second verification data stored by the server;
  • a second generation module 9112, configured to generate the indication information if the determining module determines that the third verification data meets the fourth preset condition;
  • a second sending unit 912, configured to send the indication information to the client device.
  • The specific process of the method for performing the authentication by the server shown in FIG. 9 is shown in FIG. 4 and is not described in detail again in this embodiment.
  • The disclosed system, apparatus, and method may be implemented in other manners.
  • The device embodiments described above are merely illustrative.
  • The division of the units is only a logical function division.
  • In actual implementation there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • The mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device, or unit, and may be in an electrical, mechanical, or other form.
  • The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • Each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
  • The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • The computer readable storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Abstract

An identity verification method comprises: a terminal apparatus scanning a two-dimensional barcode generated at a client apparatus; the terminal apparatus transmitting first verification data to a server; the terminal apparatus performing, according to a unidirectional Hash function, a computation on second verification data to generate third verification data; and the terminal apparatus transmitting the third verification data to the server to enable the server to transmit indication information to the client apparatus. The indication information is used to indicate that the terminal apparatus has passed the verification.

Description

一种身份验证的方法、终端设备、服务器和存储介质Method, terminal device, server and storage medium for authentication
本申请要求于2017年03月09日提交中国专利局,申请号为2017101383283,申请名称为“身份验证的方法、终端设备以及服务器”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese Patent Application entitled "Identification Method, Terminal Device and Server" by the Chinese Patent Office, filed on March 9, 2017, with the application number of 2017101383283, the entire contents of which are incorporated herein by reference. In the application.
技术领域Technical field
本申请涉及通信技术领域,尤其涉及的是一种身份验证的方法、终端设备、服务器和存储介质。The present application relates to the field of communications technologies, and in particular, to an authentication method, a terminal device, a server, and a storage medium.
背景技术Background technique
随着用户网络安全意识的提升,用户身份验证的应用越来越广泛,在不安全的公共网络渠道中,用户身份验证能够有效的保护安全通信和系统相关资源。With the improvement of user network security awareness, user authentication is more and more widely used. In the insecure public network channel, user identity verification can effectively protect secure communication and system related resources.
因此为了保护安全的网络系统环境,简单而有效的用户身份验证机制是非常必要的。基于密码的用户身份验证机制为防止未经允许授权的访问与权限提供了最基本的功能。当然还有基于用户权限与授权设定实现了一些智能卡、令牌TOKEN等,然而这些手段在无形中增加了硬件成本和维护成本,而且用户身份验证的效率低,准确性差。Therefore, in order to protect a secure network system environment, a simple and effective user authentication mechanism is necessary. A password-based user authentication mechanism provides the most basic functionality to prevent unauthorized access and permissions. Of course, some smart cards, tokens TOKEN, etc. are implemented based on user rights and authorization settings. However, these methods add hardware and maintenance costs invisibly, and the efficiency of user authentication is low and the accuracy is poor.
发明内容Summary of the invention
根据本申请提供的各种实施例提供了一种身份验证的方法、终端设备、服务器和存储介质。Various embodiments provided in accordance with the present application provide a method, terminal device, server, and storage medium for authentication.
一种身份验证的方法,包括:A method of authentication, including:
终端设备扫描客户端设备生成的二维码,以使已扫描所述二维码的所述终端设备注册到服务器,所述二维码由所述客户端设备基于一次性密码所生成;The terminal device scans the two-dimensional code generated by the client device, so that the terminal device that has scanned the two-dimensional code is registered to the server, and the two-dimensional code is generated by the client device based on the one-time password;
所述终端设备将第一验证数据发送给所述服务器,以使所述服务器将第二验证数据发送给所述终端设备,所述第二验证数据为所述服务器根据单向散列函数对所述第一验证数据进行计算以生成的数据;Transmitting, by the terminal device, first verification data to the server, so that the server sends second verification data to the terminal device, where the second verification data is that the server performs a one-way hash function The first verification data is calculated to generate data;
所述终端设备根据所述单向散列函数对所述第二验证数据进行计算以生成第三验证数据;及The terminal device calculates the second verification data according to the one-way hash function to generate third verification data; and
所述终端设备将所述第三验证数据发送给所述服务器,以使所述服务器将指示信息发送给所述客户端设备,所述指示信息用于指示所述终端设备已通过验证。The terminal device sends the third verification data to the server, so that the server sends the indication information to the client device, where the indication information is used to indicate that the terminal device has passed the verification.
一种身份验证的方法,包括:A method of authentication, including:
服务器接收终端设备发送的第一验证数据,所述第一验证数据为所述终端设备注册到所述服务器后所生成的用于进行验证的数据,所述终端设备通过扫描客户端设备生成的二维码注册到所述服务器,所述二维码由所述客户端设备基于一次性密码所生成;Receiving, by the server, the first verification data sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, and the terminal device generates the second The dimension code is registered to the server, and the two-dimensional code is generated by the client device based on the one-time password;
所述服务器根据单向散列函数对所述第一验证数据进行计算以生成第二验证数据;The server calculates the first verification data according to a one-way hash function to generate second verification data;
所述服务器将所述第二验证数据发送给所述终端设备,以使所述终端设备根据所述单向散列函数对所述第二验证数据进行计算以生成第三验证数据;Sending, by the server, the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
所述服务器接收所述终端设备发送的所述第三验证数据;Receiving, by the server, the third verification data sent by the terminal device;
所述服务器根据所述第三验证数据生成指示信息,所述指示信息用于指示所述终端设备已通过验证;及The server generates indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification;
所述服务器将所述指示信息发送给所述客户端设备。The server sends the indication information to the client device.
A terminal device, comprising:
a scanning unit, configured to scan a two-dimensional code generated by a client device, so that the terminal device that has scanned the two-dimensional code registers with a server, the two-dimensional code being generated by the client device based on a one-time password;
a first sending unit, configured to send first verification data to the server, so that the server sends second verification data to the terminal device, the second verification data being data generated by the server by calculating the first verification data according to a one-way hash function;
a calculating unit, configured to calculate the second verification data according to the one-way hash function to generate third verification data; and
a second sending unit, configured to send the third verification data to the server, so that the server sends indication information to the client device, the indication information being used to indicate that the terminal device has passed verification.
A terminal device, comprising a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps:
scanning a two-dimensional code generated by a client device, so that the terminal device that has scanned the two-dimensional code registers with a server, the two-dimensional code being generated by the client device based on a one-time password;
sending first verification data to the server, so that the server sends second verification data to the terminal device, the second verification data being data generated by the server by calculating the first verification data according to a one-way hash function;
calculating the second verification data according to the one-way hash function to generate third verification data; and
sending the third verification data to the server, so that the server sends indication information to the client device, the indication information being used to indicate that the terminal device has passed verification.
A server, comprising:
a first receiving unit, configured to receive first verification data sent by a terminal device, the first verification data being data generated by the terminal device for verification after the terminal device has registered with the server, the terminal device having registered with the server by scanning a two-dimensional code generated by a client device, the two-dimensional code being generated by the client device based on a one-time password;
a first calculating unit, configured to calculate the first verification data according to a one-way hash function to generate second verification data;
a first sending unit, configured to send the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
a first receiving unit, configured to receive the third verification data sent by the terminal device;
a generating unit, configured to generate indication information according to the third verification data, the indication information being used to indicate that the terminal device has passed verification; and
a second sending unit, configured to send the indication information to the client device.
A server, comprising a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps:
receiving first verification data sent by a terminal device, the first verification data being data generated by the terminal device for verification after the terminal device has registered with the server, the terminal device having registered with the server by scanning a two-dimensional code generated by a client device, the two-dimensional code being generated by the client device based on a one-time password;
calculating the first verification data according to a one-way hash function to generate second verification data;
sending the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
receiving the third verification data sent by the terminal device;
generating indication information according to the third verification data, the indication information being used to indicate that the terminal device has passed verification; and
sending the indication information to the client device.
One or more non-volatile storage media storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
scanning a two-dimensional code generated by a client device, so that the terminal device that has scanned the two-dimensional code registers with a server, the two-dimensional code being generated by the client device based on a one-time password;
sending first verification data to the server, so that the server sends second verification data to the terminal device, the second verification data being data generated by the server by calculating the first verification data according to a one-way hash function;
calculating the second verification data according to the one-way hash function to generate third verification data; and
sending the third verification data to the server, so that the server sends indication information to the client device, the indication information being used to indicate that the terminal device has passed verification.
One or more non-volatile storage media storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
receiving first verification data sent by a terminal device, the first verification data being data generated by the terminal device for verification after the terminal device has registered with the server, the terminal device having registered with the server by scanning a two-dimensional code generated by a client device, the two-dimensional code being generated by the client device based on a one-time password;
calculating the first verification data according to a one-way hash function to generate second verification data;
sending the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
receiving the third verification data sent by the terminal device;
generating indication information according to the third verification data, the indication information being used to indicate that the terminal device has passed verification; and
sending the indication information to the client device.
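The message flow recited in the claims above (first verification data from the terminal, second verification data H(first) from the server, third verification data H(second) from the terminal, then indication information), simulated end to end as an added example. This is not code from the patent or from its applicant. The claims fix only the flow and the use of a shared one-way hash function; everything else here is an assumption of the example: SHA-256 as the hash function, the rule that the server accepts the third verification data only if it equals H(second) for a challenge the server itself issued and has not yet consumed, the registration-by-QR-scan being modelled as an already completed `register()` call, and the indication information being a plain dictionary.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's code. Simulates the claimed exchange between a
# terminal device and a server; the server's acceptance rule and the shape of the
# "indication information" are assumptions, not something the claims specify.


def H(data):
    """One-way hash function shared by terminal and server (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


class Server:
    """Server side: per-terminal registration state and pending challenges."""

    def __init__(self):
        self.registered = set()   # terminal ids that registered by scanning the QR code
        self.pending = {}         # terminal id -> second verification data awaiting reply

    def register(self, terminal_id):
        """Registration via the client device's QR code is modelled as already done."""
        self.registered.add(terminal_id)

    def on_first_data(self, terminal_id, d1):
        """Claim step: second verification data = H(first verification data)."""
        if terminal_id not in self.registered:
            raise PermissionError("terminal is not registered")
        d2 = H(d1)
        self.pending[terminal_id] = d2
        return d2

    def on_third_data(self, terminal_id, d3):
        """Claim step: derive indication information from the third verification data.
        Assumed rule: d3 must equal H(d2) for the d2 this server issued, compared in
        constant time, and each issued d2 can be answered only once."""
        d2 = self.pending.pop(terminal_id, None)
        if d2 is None:
            return {"terminal": terminal_id, "verified": False, "reason": "no pending challenge"}
        ok = hmac.compare_digest(d3, H(d2))
        return {"terminal": terminal_id, "verified": ok, "reason": "" if ok else "hash mismatch"}


class Terminal:
    """Terminal side: generates first verification data after registration."""

    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.d1 = secrets.token_bytes(32)   # first verification data (constructed at random)

    def answer(self, d2):
        """Claim step: third verification data = H(second verification data)."""
        return H(d2)


def run_exchange(server, terminal):
    """Drive the three messages and return the server's indication information."""
    d2 = server.on_first_data(terminal.terminal_id, terminal.d1)
    d3 = terminal.answer(d2)
    return server.on_third_data(terminal.terminal_id, d3)


if __name__ == "__main__":
    srv, term = Server(), Terminal("terminal-103")
    srv.register(term.terminal_id)
    print(run_exchange(srv, term))            # {'terminal': 'terminal-103', 'verified': True, 'reason': ''}
    print(srv.on_third_data(term.terminal_id, H(H(term.d1))))   # second answer to the same challenge is refused
```

As recited on this page, the exchange shows that terminal and server apply the same one-way hash function to the same data; what binds the first verification data to the registered terminal is left to the registration phase (steps 403 to 408, referenced later in the description). In the example that binding lives in the `registered` check, and the single-use `pending` entry is what stops a recorded third verification data value from being accepted twice.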
Details of one or more embodiments of the present application are set forth in the accompanying drawings and the description below. Other features, objects and advantages of the present application will become apparent from the description, the drawings and the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. Clearly, the drawings in the following description show only some embodiments of the present application, and a person of ordinary skill in the art may still derive other drawings from these drawings without creative effort.
FIG. 1 is a schematic structural diagram of an embodiment of a verification system provided by the present application;
FIG. 2 is a schematic structural diagram of an embodiment of a server provided by the present application;
FIG. 3 is a schematic structural diagram of an embodiment of a terminal device provided by the present application;
FIG. 4 is a flowchart of the steps of an embodiment of an identity verification method provided by the present application;
FIG. 5 is a flowchart of the steps of another embodiment of the identity verification method provided by the present application;
FIG. 6 is a flowchart of the steps of another embodiment of the identity verification method provided by the present application;
FIG. 7 is a flowchart of the steps of another embodiment of the identity verification method provided by the present application;
FIG. 8 is a schematic structural diagram of another embodiment of a terminal device provided by the present application; and
FIG. 9 is a schematic structural diagram of another embodiment of a server provided by the present application.
DETAILED DESCRIPTION
The embodiments of the present application provide an identity verification method. For a better understanding of the identity verification method provided by the embodiments of the present application, the specific structure of a verification system capable of implementing the method is first described in detail below. It should be understood that the specific embodiments described herein are merely intended to explain the present application and are not intended to limit it.
As shown in FIG. 1, the verification system shown in this embodiment includes a server 101, at least one client device 102 and at least one terminal device 103.
The specific numbers of client devices 102 and terminal devices 103 included in the verification system shown in this embodiment are not limited.
The server 101, the client device 102 and the terminal device 103 shown in this embodiment are capable of data communication with one another.
The specific structure of the server shown in this embodiment is described below with reference to FIG. 2:
The server 200 provided by the embodiments of the present application may vary considerably depending on configuration or performance, and may include one or more central processing units (CPUs) 222 (for example, one or more processors), a memory 232, and one or more storage media 230 (for example, one or more mass storage devices) storing application programs 242 or data 244. The memory 232 and the storage medium 230 may be transient storage or persistent storage. The programs stored on the storage medium 230 may include one or more modules (not shown), and each module may include a series of computer-readable instructions for the server. Further, the central processing unit 222 may be configured to communicate with the storage medium 230 and to execute, on the server 200, the series of computer-readable instructions stored in the storage medium 230; when executed, the computer-readable instructions cause the processor 222 to perform an identity verification method. The storage medium 230 may be a non-volatile storage medium.
The server 200 may further include one or more power supplies 226, one or more wired or wireless network interfaces 250, one or more input/output interfaces 258, and/or one or more operating systems 241, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like.
The specific structure of the terminal device 103 provided by this embodiment is described in detail below with reference to FIG. 3:
As shown in FIG. 3, for ease of description, only the parts related to the embodiments of the present application are shown; for specific technical details not disclosed here, refer to the method part of the embodiments of the present application. The terminal device may be any terminal device, including a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, an in-vehicle computer and the like.
FIG. 3 is a block diagram of a partial structure of the terminal device provided by the embodiments of the present application. Referring to FIG. 3, the terminal device includes components such as a radio frequency (RF) circuit 310, a memory 320, an input unit 330, a display unit 340, a sensor 350, an audio circuit 360, a wireless fidelity (WiFi) module 370, a processor 380 and a power supply 390. A person skilled in the art can understand that the terminal device structure shown in FIG. 3 does not constitute a limitation on the terminal device, which may include more or fewer components than shown, combine certain components, or have a different arrangement of components.
The components of the terminal device are described in detail below with reference to FIG. 3:
The RF circuit 310 may be used to receive and send signals during information transmission and reception or during a call; in particular, after receiving downlink information from a base station, it passes the information to the processor 380 for processing, and it also sends uplink data to the base station. Generally, the RF circuit 310 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and the like. In addition, the RF circuit 310 may also communicate with a network and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and the like.
The memory 320 may be used to store software programs and modules, and the processor 380 performs the various functional applications and data processing of the terminal device by running the software programs and modules stored in the memory 320. The memory 320 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function or an image playing function) and the like, and the data storage area may store data created according to the use of the terminal device (such as audio data or a phone book) and the like. In addition, the memory 320 may include a high-speed random access memory, and may further include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device. The terminal device further includes a non-volatile storage medium. The non-volatile storage medium stores computer-readable instructions. The computer-readable instructions can be executed by the processor 380. When executed by the processor 380, the computer-readable instructions cause the processor 380 to perform an identity verification method.
The input unit 330 may be used to receive input numeric or character information and to generate key signal inputs related to the user settings and function control of the terminal device. Specifically, the input unit 330 may include a touch panel 331 and other input devices 332. The touch panel 331, also referred to as a touch screen, can collect touch operations by the user on or near it (for example, operations performed by the user on or near the touch panel 331 with a finger, a stylus or any other suitable object or accessory) and drive a corresponding connecting device according to a preset program. Optionally, the touch panel 331 may include two parts: a touch detection device and a touch controller. The touch detection device detects the touch position of the user, detects the signal produced by the touch operation and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates and sends them to the processor 380, and can receive and execute commands sent by the processor 380. In addition, the touch panel 331 may be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 331, the input unit 330 may further include other input devices 332. Specifically, the other input devices 332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and switch keys), a trackball, a mouse, a joystick and the like.
The display unit 340 may be used to display information input by the user or information provided to the user, as well as the various menus of the terminal device. The display unit 340 may include a display panel 341; optionally, the display panel 341 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) or the like. Further, the touch panel 331 may cover the display panel 341; when the touch panel 331 detects a touch operation on or near it, it transmits the operation to the processor 380 to determine the type of the touch event, and the processor 380 then provides a corresponding visual output on the display panel 341 according to the type of the touch event. Although in FIG. 3 the touch panel 331 and the display panel 341 are two separate components implementing the input and output functions of the terminal device, in some embodiments the touch panel 331 and the display panel 341 may be integrated to implement the input and output functions of the terminal device.
The terminal device may further include at least one sensor 350, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor may adjust the brightness of the display panel 341 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 341 and/or the backlight when the terminal device is moved to the ear. As one type of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes) and can detect the magnitude and direction of gravity when at rest; it may be used for applications that recognize the attitude of the terminal device (such as switching between landscape and portrait, related games and magnetometer attitude calibration), vibration recognition related functions (such as a pedometer or tapping) and the like. Other sensors that may be configured in the terminal device, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, are not described here again.
The audio circuit 360, a speaker 361 and a microphone 362 may provide an audio interface between the user and the terminal device. The audio circuit 360 may transmit the electrical signal converted from received audio data to the speaker 361, which converts it into a sound signal for output; conversely, the microphone 362 converts a collected sound signal into an electrical signal, which the audio circuit 360 receives and converts into audio data; after the audio data has been processed by the processor 380, it is sent through the RF circuit 310 to, for example, another terminal device, or it is output to the memory 320 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 370, the terminal device can help the user send and receive e-mail, browse web pages, access streaming media and the like, providing the user with wireless broadband Internet access. Although FIG. 3 shows the WiFi module 370, it can be understood that it is not an essential component of the terminal device and may be omitted as needed without changing the essence of the invention.
The processor 380 is the control center of the terminal device; it connects the various parts of the entire terminal device through various interfaces and lines, and performs the various functions of the terminal device and processes data by running or executing the software programs and/or modules stored in the memory 320 and invoking the data stored in the memory 320, thereby monitoring the terminal device as a whole. Optionally, the processor 380 may include one or more processing units; preferably, the processor 380 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and the like, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 380.
The terminal device further includes a power supply 390 (such as a battery) that supplies power to the various components. Preferably, the power supply may be logically connected to the processor 380 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system.
Although not shown, the terminal device may further include a camera, a Bluetooth module and the like, which are not described here again.
This embodiment does not limit the specific structure of the client device 102, as long as the client device 102 is able to generate a two-dimensional code to be scanned by the terminal device 103.
Based on FIG. 1 to FIG. 3, the specific execution process of the identity verification method provided by the embodiments of the present application is described in detail below with reference to FIG. 4.
Step 401: The client device generates a two-dimensional code based on a one-time password.
The one-time password shown in this embodiment is first described:
In the process of authenticating a user, a static password is easily cracked, whereas a one-time password (OTP) can effectively improve the security of user authentication.
A one-time password is valid for only one login session or transaction. One-time passwords avoid many of the shortcomings associated with traditional static passwords, such as replay attacks, dictionary attacks and phishing attacks. This means that if a potential intruder manages to record a one-time password that has already been used to log in to a service or to perform a transaction, the intruder cannot abuse it, because the password is no longer valid.
Therefore, the purpose of a one-time password is to make it more difficult to gain unauthorized access to a restricted resource.
One-time password schemes cannot be memorized by humans. For this reason, they require additional technology in order to work. One-time passwords can basically be divided into the following four categories:
The first category is based on mathematical algorithms. In 1981, Lamport first proposed a one-time password authentication scheme using a one-way hash chain. However, if passwords are needed indefinitely, a new seed value has to be chosen whenever an old hash chain is exhausted. In particular, maintaining a password file used to verify user authentication requests also increases the risk of tampering and the maintenance cost. For this reason, many researchers have proposed various user authentication schemes, such as using smart cards, to improve security, cost or efficiency.
The second category is based on smart cards. Because of their tamper resistance and the convenience of managing password files, smart cards have been widely applied in many remote authentication schemes. However, carrying a card and a reader around remains a burden for the user, and this obstacle limits the application of smart-card-based authentication schemes.
The third category is based on tokens. Token one-time passwords are usually associated with a physical hardware token. Inside the token is an accurate clock that has been synchronized with the clock on the server. Recently it has become possible to associate electronic components with conventional key-fob one-time password tokens, for example those of InCard, RSA, SafeNet and Vasco. However, for the same reasons as with the smart-card schemes, these methods are not very convenient.
The fourth category is based on the short message service. SMS is a ubiquitous communication channel available on all mobile phones. However, although SMS is a best-effort delivery service, meaning that the carrier does its best to deliver the message, there is no guarantee that the message will be delivered, nor is it known how long delivery will take. It should be emphasized that a one-time password must have a lifetime as a security feature. In addition, an SMS-based scheme inevitably incurs additional costs. It is therefore impractical and not necessarily a low-cost solution.
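The first category above (Lamport's one-way hash chain) and the replay property described earlier for one-time passwords, shown as an added example that is not code from the patent or its applicant: the client keeps a chain H^0(seed), H^1(seed), ..., H^n(seed) and reveals it from the top down, the server stores only the last value it accepted, a reused password is rejected because its hash no longer matches the stored value, and when the chain is used up the client picks a new seed and re-enrols, which is the reseeding the text describes. SHA-256 as the hash function, the chain length, the user name and the audit log are choices made for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's code: Lamport's one-time password scheme on a
# one-way hash chain (SHA-256 assumed), with replay rejection and reseeding.


def H(data):
    """One-way hash function (SHA-256 assumed for the example)."""
    return hashlib.sha256(data).digest()


def build_chain(seed, n):
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)]. Only the client holds this list;
    the server is enrolled with H^n(seed) alone and never sees the seed."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class LamportClient:
    def __init__(self, n=5):
        self.n = n
        self.reseed()

    def reseed(self):
        """Start a fresh chain: needed whenever the old one is exhausted."""
        self.seed = secrets.token_bytes(32)
        self.chain = build_chain(self.seed, self.n)
        self.next_index = self.n - 1          # next element to reveal, walking downwards

    def enrol_value(self):
        """Top of the chain, H^n(seed), registered with the server."""
        return self.chain[self.n]

    def next_password(self):
        """Reveal H^i(seed) for the current i, then step down; None when exhausted."""
        if self.next_index < 0:
            return None
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


class LamportServer:
    """Stores, per user, only the most recently accepted chain element."""

    def __init__(self):
        self.last = {}    # user -> last accepted H^i(seed)
        self.log = []     # constructed audit trail of accept/reject decisions

    def enrol(self, user, top):
        self.last[user] = top

    def verify(self, user, pw):
        stored = self.last.get(user)
        if stored is None:
            self.log.append((user, "unknown user"))
            return False
        if hmac.compare_digest(H(pw), stored):
            self.last[user] = pw              # pointer moves down; the old value is now useless
            self.log.append((user, "accepted"))
            return True
        self.log.append((user, "rejected"))   # a replayed or wrong password lands here
        return False


def demo(n=3):
    """Walk one chain to exhaustion, replay the last password, then reseed."""
    client, server = LamportClient(n), LamportServer()
    server.enrol("alice", client.enrol_value())
    results, pw = [], None
    for _ in range(n):
        pw = client.next_password()
        results.append(server.verify("alice", pw))   # n successive logins succeed
    replay_ok = server.verify("alice", pw)            # reusing the last OTP is rejected
    exhausted = client.next_password() is None         # chain is used up
    client.reseed()                                    # new seed; re-enrol the new top
    server.enrol("alice", client.enrol_value())
    after_reseed = server.verify("alice", client.next_password())
    return results, replay_ok, exhausted, after_reseed


if __name__ == "__main__":
    print(demo(3))   # ([True, True, True], False, True, True)
```

Note what the server holds: one hash per user rather than a secret, which is the "password file" whose integrity the text says still has to be protected, since an attacker who can overwrite the stored value can enrol a chain of their own choosing. The `log` list is where a deployment would feed its detection pipeline; a burst of "rejected" entries for one user is the replay attempt the text describes.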
It can be seen that, in order to eliminate the disadvantages of the one-time passwords described above, the client device shown in this embodiment can generate a two-dimensional code based on a one-time password.
Specifically, when the client device shown in this embodiment is started, the processor of the client device can compute preset content with a one-time password to generate a two-dimensional code, and the display screen of the client device can then display the generated two-dimensional code.
An application scenario of the method shown in this embodiment can also be seen in FIG. 5. The client device shown in this embodiment may store the preset content shown in FIG. 5, and the content may be a uniform resource locator (URL), text, a phone number or an SMS message.
As can be seen from the application scenario shown in FIG. 5, the client device can perform an encryption operation on the preset content based on the one-time password to generate the two-dimensional code (QR code).
步骤402、终端设备扫描客户端设备生成的二维码。Step 402: The terminal device scans the two-dimensional code generated by the client device.
本实施例所示的终端设备通过扫描二维码以加入图1所示的验证系统。The terminal device shown in this embodiment scans the two-dimensional code to join the verification system shown in FIG. 1.
由于移动通信的飞速发展,在嵌入式摄像头中的二维码技术已经作为新的输入接口被应用。有嵌入式摄像头的终端设备可以捕捉到二维码,然后使用运行在终端设备上的软件对它们进行解码。Due to the rapid development of mobile communications, the two-dimensional code technology in embedded cameras has been applied as a new input interface. Terminal devices with embedded cameras can capture two-dimensional codes and then decode them using software running on the terminal device.
与此同时,在终端设备中使用二维码有许多好处,比如全方位的可读性和纠错能力。出于这个原因,采用了二维码的终端设备支持现在的许多服务,比如,订票、支付和统一资源定位符阅读。At the same time, there are many benefits to using a QR code in a terminal device, such as full-scale readability and error correction. For this reason, terminal devices that use QR codes support many of today's services, such as booking, payment, and Uniform Resource Locator reading.
所以本实施例提出采用广泛使用的二维码技术来支持一次性密码系统,则终端设备上的二维码应用可以获得从二维码上继承的好处,如大容量,打印尺寸小,高速扫描,抗毁坏能力和数据健壮性。此外,各种属性,比如流动性和灵巧性。因此,我们的方法可以更加的便利,因为用户不需要对于每一个安全域都携带单独的硬件令牌来获得访问权限。Therefore, this embodiment proposes to use a widely used two-dimensional code technology to support a one-time password system, and the two-dimensional code application on the terminal device can obtain the benefits of inheriting from the two-dimensional code, such as large capacity, small print size, and high-speed scanning. , anti-destructive ability and data robustness. In addition, various attributes such as liquidity and dexterity. Therefore, our approach can be more convenient because the user does not need to have a separate hardware token for each security domain to gain access.
如图5所示的应用场景为例,则终端设备扫描客户端设备所生成的二维码后则执行注册阶段,注册阶段的具体执行过程请详见下述步骤403至步骤408所示。For example, the application scenario shown in FIG. 5 is performed after the terminal device scans the two-dimensional code generated by the client device, and the specific execution process of the registration phase is as shown in step 403 to step 408 below.
步骤403、终端设备生成与终端设备对应的第一注册数据。Step 403: The terminal device generates first registration data corresponding to the terminal device.
本实施例对第一注册数据IDA不作限定,只要第一注册数据IDA与终端设备对应即可,例如,第一注册数据IDA可为终端设备的处理器的ID码,或终端设备的预设的登录账号和登陆密码等。In this embodiment, the first registration data IDA is not limited, as long as the first registration data IDA is associated with the terminal device. For example, the first registration data IDA may be an ID code of a processor of the terminal device, or a preset of the terminal device. Login account and login password.
步骤404、终端设备将第一注册数据发送给服务器。Step 404: The terminal device sends the first registration data to the server.
步骤405、服务器接收终端设备发送的第一注册数据。Step 405: The server receives the first registration data sent by the terminal device.
具体的,在执行本实施例所示的步骤404和步骤405的过程中,服务器和终端设备可预先建立安全的通信通道,从而使得服务器和终端设备之间通过已创建的通信通道进行数据的传输。Specifically, in the process of performing step 404 and step 405 shown in this embodiment, the server and the terminal device may establish a secure communication channel in advance, so that data is transmitted between the server and the terminal device through the created communication channel. .
步骤406、服务器生成第二注册数据。Step 406: The server generates second registration data.
具体的,本实施例所示的服务器能够根据单向散列函数h(*)对第一注册数据IDA和预设密钥S进行计算以生成第二注册数据XA。Specifically, the server shown in this embodiment is capable of calculating the first registration data IDA and the preset key S according to the one-way hash function h(*) to generate the second registration data XA.
预设密钥S为服务器预先存储的长期密钥。The preset key S is a long-term key stored in advance by the server.
更具体的,XA=h(IDA,S)。More specifically, XA = h (IDA, S).
步骤407、服务器将第二注册数据发送给终端设备。Step 407: The server sends the second registration data to the terminal device.
步骤408、终端设备接收第二注册数据。Step 408: The terminal device receives the second registration data.
本实施例所示的终端设备在接收到第二注册数据之后,终端设备即可将第二注册数据XA作为长期密钥进行存储。After receiving the second registration data, the terminal device shown in this embodiment can store the second registration data XA as a long-term key.
采用本实施例所示的步骤403至步骤408从而完成了终端设备注册到服务器的过程。The process of registering the terminal device to the server is completed by using steps 403 to 408 shown in this embodiment.
如图5所示的应用场景为例,在执行完步骤403至步骤408,完成了终端设备注册到服务器的过程后,通过下述所示的步骤409至步骤435执行验证阶段。As an example of the application scenario shown in FIG. 5, after the steps 403 to 408 are performed, the process of registering the terminal device to the server is completed, and the verification phase is performed through steps 409 to 435 shown below.
步骤409、终端设备记录第一时间戳。Step 409: The terminal device records the first timestamp.
具体的,第一时间戳T1为终端设备检测到终端设备扫描二维码结束的时间。Specifically, the first timestamp T1 is a time when the terminal device detects that the terminal device scans the two-dimensional code.
步骤410、终端设备生成第一验证数据。Step 410: The terminal device generates first verification data.
具体的,本实施例所示的第一验证数据包括第一时间戳T1和第二注册数据XA。Specifically, the first verification data shown in this embodiment includes a first timestamp T1 and a second registration data XA.
步骤411、终端设备将第一验证数据发送给服务器。Step 411: The terminal device sends the first verification data to the server.
步骤412、服务器接收第一验证数据。Step 412: The server receives the first verification data.
步骤413、服务器记录第二时间戳。Step 413: The server records the second timestamp.
具体的,第二时间戳T2为服务器检测到终端设备扫描二维码结束的时间;Specifically, the second timestamp T2 is a time when the server detects that the terminal device scans the two-dimensional code;
步骤414、服务器判断第一验证数据是否满足第一预设条件,若否,则执行步骤415,若是,则执行步骤416。Step 414: The server determines whether the first verification data meets the first preset condition. If not, step 415 is performed, and if yes, step 416 is performed.
其中,第一预设条件为第一时间戳等于第二时间戳。The first preset condition is that the first timestamp is equal to the second timestamp.
具体的,当服务器判断出第一验证数据所包括的第一时间戳与服务器所记录的第二时间戳不相等,则说明第一验证数据不满足第一预设条件,则继续执行步骤415。Specifically, when the server determines that the first timestamp included in the first verification data is not equal to the second timestamp recorded by the server, if the first verification data does not satisfy the first preset condition, the process proceeds to step 415.
当服务器判断出第一验证数据所包括的第一时间戳与服务器所记录的第二时间戳相等,则说明第一验证数据满足第一预设条件,则继续执行步骤416。When the server determines that the first timestamp included in the first verification data is equal to the second timestamp recorded by the server, it indicates that the first verification data meets the first preset condition, and then proceeds to step 416.
步骤415、服务器拒绝终端设备进行验证的请求。Step 415: The server rejects the request of the terminal device for verification.
在服务器判断出第一验证数据所包括的第一时间戳与服务器所记录的第二时间戳不相等的情况下,则服务器即可确定出终端设备进行身份验证的请求是无效的,可选的,服务器可向终端设备和/或客户端设备发送目标指示信息,目标指示信息用于指示终端设备进行身份验证的请求是无效的。If the server determines that the first timestamp included in the first verification data is not equal to the second timestamp recorded by the server, the server may determine that the terminal device performs the authentication request is invalid, and the optional The server may send the target indication information to the terminal device and/or the client device, where the target indication information is used to indicate that the request for the terminal device to perform the identity verification is invalid.
步骤416、服务器生成第一子数据。Step 416: The server generates the first sub data.
具体的,服务器根据单向散列函数h(*)对目标随机数r、第一时间戳T1和第二时间戳T2进行计算以生成第一子数据h(r,T1,T2)。Specifically, the server calculates the target random number r, the first timestamp T1, and the second timestamp T2 according to the one-way hash function h(*) to generate the first sub-data h(r, T1, T2).
目标随机数r为服务器随机生成的数据。The target random number r is data randomly generated by the server.
步骤417、服务器生成第一参数。Step 417: The server generates the first parameter.
Specifically, the server performs an exclusive-OR operation [Figure PCTCN2018076007-appb-000001] on the target random number r and the second registration data IDA to generate the first parameter α;
The second registration data in this embodiment is the data generated in step 406.
Specifically, [Figure PCTCN2018076007-appb-000002]
Step 418: The server generates second sub-data.
Specifically, the server computes the second sub-data by applying a first function to the first parameter.
More specifically, the first function in this embodiment is EOR(*).
The first function EOR(*) is the function that encodes data into a two-dimensional code image.
In this embodiment, the second sub-data is EOR(α).
Step 419: The server generates second verification data.
In this embodiment, the second verification data generated by the server includes the first sub-data h(r, T1, T2), the second sub-data EOR(α) and the second timestamp T2.
Step 420: The server sends the second verification data to the terminal device.
Step 421: The terminal device receives the second verification data.
Step 422: The terminal device determines whether the second verification data satisfies a second preset condition. If not, step 423 is executed; if so, step 424 is executed.
In this embodiment, the second preset condition is that the first timestamp T1 equals the second timestamp T2.
That is, if the terminal device determines that the first timestamp T1 equals the second timestamp T2, it determines that the second verification data satisfies the second preset condition and proceeds to step 424.
If the terminal device determines that the first timestamp T1 is not equal to the second timestamp T2, it determines that the second verification data does not satisfy the second preset condition and proceeds to step 423.
Step 423: The terminal device refuses to continue identity verification.
In this embodiment, when the terminal device determines that the first timestamp T1 is not equal to the second timestamp T2, the terminal device refuses to continue identity verification and the verification process terminates.
Step 424: The terminal device generates a second parameter.
Specifically, the terminal device computes the second parameter by applying a second function DOR(*) to the second sub-data EOR(α) included in the second verification data.
The second function DOR(*) is the function with which the terminal device decodes a two-dimensional code captured by its embedded camera.
The second parameter is DOR(EOR(α)).
Step 425: The terminal device generates the target random number.
In this embodiment, the terminal device computes the target random number r by performing an exclusive-OR operation [Figure PCTCN2018076007-appb-000003] on the second parameter DOR(EOR(α)) and the second registration data XA.
Specifically, [Figure PCTCN2018076007-appb-000004]
Step 426: The terminal device generates a third parameter.
Specifically, the terminal device computes the third parameter from the target random number r, the first timestamp T1 and the second timestamp T2 using the one-way hash function h(*).
More specifically, the third parameter is h(r, T1, T2).
Step 427: The terminal device determines whether the third parameter satisfies a third preset condition. If not, step 428 is executed; if so, step 429 is executed.
In this embodiment, the third preset condition is that the third parameter equals the first sub-data.
Specifically, if the terminal device determines that the third parameter is not equal to the first sub-data, step 428 is executed; if the terminal device determines that the third parameter equals the first sub-data, step 429 is executed.
Step 428: The terminal device refuses to continue identity verification.
Step 429: The terminal device obtains a third timestamp.
The third timestamp in this embodiment is the time at which the terminal device detects that its scan of the two-dimensional code started.
Step 430: The terminal device generates third verification data.
The third verification data generated by the terminal device in this embodiment includes the third parameter h(r, T1, T2) and the third timestamp T3.
Step 431: The terminal device sends the third verification data to the server.
Step 432: The server determines whether the third verification data satisfies a fourth preset condition; if so, step 433 is executed.
In this embodiment, the fourth preset condition is that the difference between the first timestamp T1 and the third timestamp T3 is less than or equal to a preset threshold, and further that the third parameter h(r, T1, T2) equals the first sub-data h(r, T1, T2) included in the second verification data stored by the server.
Specifically, the server in this embodiment stores a preset threshold in advance; after receiving the third timestamp, the server determines whether the difference between the first timestamp and the third timestamp is less than or equal to the preset threshold.
In this embodiment the third parameter is sent by the terminal device to the server, and the first sub-data was generated by the server in step 416; in this step the server therefore needs to determine whether the third parameter equals the first sub-data.
Step 433: The server generates indication information.
In this embodiment, when the server determines that the third verification data satisfies the fourth preset condition, the server generates indication information indicating that the terminal device has passed verification.
Step 434: The server sends the indication information to the client device.
In this embodiment, when the server determines that the terminal device has passed verification, the server sends the generated indication information to the client device.
Step 435: The client device receives the indication information.
In this embodiment, on receiving the indication information the client device can determine that the current terminal device has passed verification and execute the corresponding function.
For example, if the verification system of this embodiment is applied to ticket booking, the client device may be a computer device capable of performing a booking function; when the computer device receives the indication information sent by the server, it opens the corresponding booking function to the terminal device.
In the application scenario shown in FIG. 5, after the verification phase is completed, the method in this embodiment can further proceed to a risk-mitigation phase.
Specifically, the method in this embodiment can mitigate the risks to the terminal device.
Because the terminal device stores the key XA of step 408 for a long time, the terminal device needs to be well protected. In this embodiment the terminal device is only used to scan the two-dimensional code of the client device: the core registration and verification phases run on the remote server, and the two-dimensional code generation phase runs on the client device, which effectively reduces the security risk of the terminal device of this embodiment and improves its security.
With the method of this embodiment, an attacker cannot feasibly obtain the server's key through the terminal device, because the one-way hash function of this embodiment is irreversible; the irreversible one-way hash prevents an attacker from obtaining the key stored on the server, which further improves the security of the verification process.
The method of this embodiment effectively reduces the security risk to the remote user, because without knowing the value of the corresponding random number r it is infeasible to obtain the legitimate user's long-term key XA. On the other hand, even if the information transmitted over the public channel is intercepted, r still cannot be obtained, because the one-way hash function is irreversible.
The method of this embodiment effectively mitigates man-in-the-middle and replay attacks. If an attacker repeatedly replays a legitimate request with timestamp T3 intercepted from the public channel, the server receives the access request at timestamp T3; but if the difference between timestamp T1 and timestamp T3 is not below the pre-stored time interval, the server rejects it. Moreover, the random number r is chosen randomly by the server. Man-in-the-middle and replay attacks therefore fail.
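The registration phase (steps 403 to 408) and the verification phase (steps 409 to 435) as an added, runnable Python model that is not part of the patent: both sides' messages are built as the steps describe, and the first to fourth preset conditions are checked where the text places them. The choice of SHA-256 for h(*), 32-byte r and XA, the base64 stand-ins for EOR(*)/DOR(*), the threshold value and the sample IDA are assumptions made for this example.

```python
import base64
import hashlib
import os

# Constructed parameter for this illustration; the patent only speaks of a "preset threshold".
THRESHOLD = 30  # largest accepted |T1 - T3|, in seconds (fourth preset condition)

def h(*parts: bytes) -> bytes:
    """One-way hash h(*) over its arguments; SHA-256 with length prefixes is an assumption."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def ts(t: int) -> bytes:            # fixed-width encoding of a timestamp for hashing
    return t.to_bytes(8, "big")

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise exclusive OR; r and XA are both 32 bytes here."""
    return bytes(x ^ y for x, y in zip(a, b))

def EOR(data: bytes) -> str:
    """Stand-in for EOR(*), the QR-image encoder; base64 keeps the example runnable offline."""
    return base64.b64encode(data).decode("ascii")

def DOR(code: str) -> bytes:        # stand-in for DOR(*), the terminal's QR decoder
    return base64.b64decode(code)

class Server:
    def __init__(self) -> None:
        self.S = os.urandom(32)   # long-term preset key S; never leaves the server
        self.registered = {}      # IDA -> XA issued in step 406 (assumption: server keeps it)
        self.sessions = {}        # IDA -> (first sub-data, T1) awaiting step 432

    def register(self, IDA: bytes) -> bytes:
        XA = h(IDA, self.S)       # steps 405 to 407: XA = h(IDA, S)
        self.registered[IDA] = XA
        return XA

    def second_verification_data(self, IDA: bytes, first_verification_data, T2: int):
        """Steps 412 to 420; returns (h(r,T1,T2), EOR(alpha), T2), or None for step 415."""
        T1, _XA_sent = first_verification_data
        if T1 != T2 or IDA not in self.registered:      # first preset condition
            return None
        r = os.urandom(32)                               # target random number r
        first_sub = h(r, ts(T1), ts(T2))
        alpha = xor(r, self.registered[IDA])             # first parameter: r XOR XA
        self.sessions[IDA] = (first_sub, T1)
        return (first_sub, EOR(alpha), T2)

    def verify(self, IDA: bytes, third_verification_data) -> bool:
        """Step 432, fourth preset condition; True stands for the indication of step 433."""
        third_param, T3 = third_verification_data
        if IDA not in self.sessions:
            return False
        first_sub, T1 = self.sessions[IDA]
        return abs(T1 - T3) <= THRESHOLD and third_param == first_sub

class Terminal:
    def __init__(self, IDA: bytes) -> None:
        self.IDA = IDA      # first registration data, e.g. a processor ID
        self.XA = None      # long-term key stored in step 408
        self.T1 = None

    def register(self, server: Server) -> None:
        self.XA = server.register(self.IDA)              # steps 403 to 408

    def first_verification_data(self, T1: int):
        """Steps 409 to 411: (T1, XA)."""
        self.T1 = T1
        return (T1, self.XA)

    def third_verification_data(self, second_verification_data, T3: int):
        """Steps 421 to 430; returns (h(r,T1,T2), T3), or None when step 423 or 428 rejects."""
        first_sub, second_sub, T2 = second_verification_data
        if self.T1 != T2:                                # second preset condition
            return None
        r = xor(DOR(second_sub), self.XA)                # r = DOR(EOR(alpha)) XOR XA
        third_param = h(r, ts(self.T1), ts(T2))
        if third_param != first_sub:                     # third preset condition
            return None
        return (third_param, T3)

def run_protocol(scan_end: int, request_time: int, wrong_key: bytes = None) -> bool:
    """One full exchange; returns whether the server would send the pass indication."""
    server = Server()
    terminal = Terminal(b"terminal-IDA-0001")            # constructed IDA
    terminal.register(server)
    if wrong_key is not None:
        terminal.XA = wrong_key                          # a terminal holding the wrong XA
    first = terminal.first_verification_data(scan_end)
    second = server.second_verification_data(terminal.IDA, first, scan_end)
    third = second and terminal.third_verification_data(second, request_time)
    return bool(third) and server.verify(terminal.IDA, third)
```

run_protocol returns False both when the terminal stops at step 423 or 428 and when the server's fourth preset condition rejects a request whose T3 lies outside the threshold window around T1.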
为更好的理解本申请实施例所示的方法,则以下结合应用场景对本实施例所示的方法进行详细说明:For a better understanding of the method shown in this embodiment, the method shown in this embodiment is described in detail below in conjunction with the application scenario:
本应用场景中,将验证系统应用至支付领域,在本应用场景中,客户端设备为能够执行支付功能的计算机设备。In this application scenario, the verification system is applied to the payment domain. In this application scenario, the client device is a computer device capable of performing a payment function.
结合图5、图6以及图7所示。5, 6, and 7 are combined.
本应用场景所示的客户端设备生成二维码的具体过程,请详见图4的实施例所示,具体不做赘述。The specific process of generating a two-dimensional code by the client device shown in this application scenario is shown in the embodiment of FIG. 4, and details are not described herein.
在支付之前,终端设备通过扫描客户端设备所生成的二维码以加入验证系统,在加入验证系统后,终端设备执行图6所示的过程以使终端设备注册到服务器。Before the payment, the terminal device joins the verification system by scanning the two-dimensional code generated by the client device. After joining the verification system, the terminal device performs the process shown in FIG. 6 to register the terminal device to the server.
如图6所示,终端设备将IDA发送至服务器和客户端设备,终端设备发送IDA的具体过程请详见图4所示的实施例,具体在本应用场景中不做赘述。As shown in FIG. 6 , the terminal device sends the IDA to the server and the client device, and the specific process of the terminal device sending the IDA is shown in the embodiment shown in FIG. 4 , which is not described in this application scenario.
服务器对IDA进行计算以生成XA,本应用场景中XA的具体生成过程 请详见图4所示的实施例,具体在本应用场景中不做赘述。The server calculates the IDA to generate the XA. The specific generation process of the XA in this application scenario is shown in the embodiment shown in Figure 4, and is not described in this application scenario.
服务器将以生成的XA发送至终端设备,以使终端设备对XA进行存储。The server will send the generated XA to the terminal device to cause the terminal device to store the XA.
终端设备存储XA的具体过程,请详见图4所示的实施例,具体在本应用场景中不做赘述。For details about the process of storing the XA on the terminal device, refer to the embodiment shown in Figure 4, which is not described in this application scenario.
如图5所示可知,在终端设备执行完注册阶段以使终端设备注册到服务器上后,即可执行验证阶段,验证阶段的具体过程可参见图7所示。As shown in FIG. 5, after the terminal device performs the registration phase to register the terminal device to the server, the verification phase can be performed. The specific process of the verification phase can be seen in FIG. 7.
在验证阶段,终端设备和服务器之间进行验证数据的交互,具体的交互过程,请详见图4所示的具体过程,在本应用场景中不做赘述。During the verification phase, the authentication data is exchanged between the terminal device and the server. For the specific interaction process, refer to the detailed process shown in Figure 4, which is not described in this application scenario.
在图7所示中,若服务器确定出终端设备已通过验证,则服务器即可将指示信息发送给客户端设备,以使接收到指示信息的客户端设备确定出终端设备已通过验证,在本应用场景中,客户端设备即可与已通过验证的终端设备之间进行支付的操作。In FIG. 7, if the server determines that the terminal device has passed the verification, the server may send the indication information to the client device, so that the client device that receives the indication information determines that the terminal device has passed the verification, in the present In an application scenario, a client device can perform a payment operation with a verified terminal device.
在高速发展的信息化时代,采用本实施例所示的验证方法在基于日常产品和系统化设计的情况下,能够配合到人们的习惯、便利性和日常生产。本实施例提供的基于一次性密码认证协议的动态安全性边界二维码,不仅消除了密码验证表的使用,同时由于信息化时代终端设备以及网络的普遍遍及性,使得本实施例所示的方法具有广泛的应用范围,而且在验证的过程中,用户无需添置新的设备,则使得本实施例所示的方法具有非常高的性价比,能够普及的应用,可以消除现有技术所示的携带单独硬件令牌的负担,还可以减少短信带来的额外费用。且本实施例所示的方法有效的提高了安全性,使用二维码的终端设备的验证使原有用户身份验证提高了方便性和便捷性。In the fast-developing information age, the verification method shown in this embodiment can be adapted to people's habits, convenience, and daily production based on daily products and systematic design. The dynamic security boundary two-dimensional code based on the one-time password authentication protocol provided in this embodiment not only eliminates the use of the password verification table, but also shows the universal ubiquity of the terminal device and the network in the information age era. The method has a wide range of applications, and in the process of verification, the user does not need to add a new device, so that the method shown in this embodiment has a very high cost performance, can be popularized, and can eliminate the carrying of the prior art. The burden of a separate hardware token can also reduce the extra cost of SMS. Moreover, the method shown in this embodiment effectively improves the security, and the verification of the terminal device using the two-dimensional code improves the convenience and convenience of the original user identity verification.
图3所示从硬件实体的角度对本实施例所提供的终端设备的结构进行说明,以下结合图8所示从功能模块角度对本实施例所提供的终端设备的具体结构进行详细说明:The structure of the terminal device provided in this embodiment is described in detail from the perspective of the hardware entity. The specific structure of the terminal device provided in this embodiment is described in detail from the perspective of the function module.
所述终端设备包括:The terminal device includes:
扫描单元801,用于扫描客户端设备生成的二维码,以使已扫描所述二维码的所述终端设备注册到服务器,所述二维码由所述客户端设备基于一次性密码所生成;The scanning unit 801 is configured to scan a two-dimensional code generated by the client device, so that the terminal device that has scanned the two-dimensional code is registered to a server, and the two-dimensional code is based on the one-time password by the client device. generate;
第一生成单元802,用于生成与所述终端设备对应的第一注册数据;a first generating unit 802, configured to generate first registration data corresponding to the terminal device;
第三发送单元803,用于将所述第一注册数据发送给所述服务器,以使 所述服务器将第二注册数据发送给所述终端设备,所述第二注册数据为所述服务器根据所述单向散列函数对所述第一注册数据和预设密钥进行计算以生成的数据,所述预设密钥为所述服务器预先存储的密钥;The third sending unit 803 is configured to send the first registration data to the server, so that the server sends the second registration data to the terminal device, where the second registration data is the server according to the The one-way hash function calculates the first registration data and the preset key to generate data, and the preset key is a key pre-stored by the server;
第一接收单元804,用于接收所述第二注册数据。The first receiving unit 804 is configured to receive the second registration data.
第一记录单元,用于记录第一时间戳,所述第一时间戳为所述终端设备检测到所述终端设备扫描所述二维码结束的时间;a first recording unit, configured to record a first timestamp, where the first timestamp is a time when the terminal device detects that the terminal device scans the two-dimensional code;
第二生成单元805,用于生成所述第一验证数据,所述第一验证数据包括所述第一时间戳和所述第二注册数据,以使所述服务器确定所述第一验证数据满足第一预设条件的情况下,生成所述第二验证数据,所述第一预设条件为所述第一时间戳等于第二时间戳,所述第二时间戳为所述服务器检测到所述终端设备扫描所述二维码结束的时间,所述第二验证数据包括第一子数据、第二子数据以及所述第二时间戳,其中,所述第一子数据为所述服务器根据所述单向散列函数对目标随机数、所述第一时间戳和所述第二时间戳进行计算以生成的数据,所述目标随机数为所述服务器随机生成的数据,所述第二子数据为所述服务器通过第一函数对第一参数进行计算以生成的数据,所述第一参数为所述服务器对所述目标随机数和所述第二注册数据进行异或运算所生成的数据。a second generating unit 805, configured to generate the first verification data, where the first verification data includes the first timestamp and the second registration data, so that the server determines that the first verification data is satisfied The second preset data is generated, where the first preset condition is that the first timestamp is equal to a second timestamp, and the second timestamp is that the server detects the The time at which the terminal device scans the end of the two-dimensional code, the second verification data includes a first sub-data, a second sub-data, and the second timestamp, wherein the first sub-data is The one-way hash function calculates, by the target random number, the first timestamp and the second timestamp, the generated data, the target random number is data randomly generated by the server, and the second The child data is data generated by the server by calculating a first parameter by using a first function, where the first parameter is generated by the server performing an exclusive OR operation on the target random number and the second registration data. It is.
第一发送单元806,用于将第一验证数据发送给所述服务器,以使所述服务器将第二验证数据发送给所述终端设备,所述第二验证数据为所述服务器根据单向散列函数对所述第一验证数据进行计算以生成的数据;The first sending unit 806 is configured to send the first verification data to the server, so that the server sends the second verification data to the terminal device, where the second verification data is a column function calculates the first verification data to generate data;
第二接收单元807,用于接收所述第二验证数据,所述第二验证数据包括第二时间戳,所述第二时间戳为所述服务器检测到所述终端设备扫描所述二维码结束的时间;a second receiving unit 807, configured to receive the second verification data, where the second verification data includes a second timestamp, where the second timestamp is that the server detects that the terminal device scans the two-dimensional code End time
第一判断单元808,用于判断所述第二验证数据是否满足第二预设条件,所述第二预设条件为第一时间戳等于所述第二时间戳,所述第一时间戳为所述终端设备检测到所述终端设备扫描所述二维码结束的时间;The first determining unit 808 is configured to determine whether the second verification data meets a second preset condition, where the second preset condition is that the first timestamp is equal to the second timestamp, and the first timestamp is The terminal device detects a time when the terminal device scans the two-dimensional code;
触发单元809,用于若所述第一判断单元判断出所述第二验证数据满足第二预设条件,则触发执行所述计算单元执行根据所述单向散列函数对所述第二验证数据进行计算以生成第三验证数据的步骤。The triggering unit 809 is configured to: if the first determining unit determines that the second verification data meets the second preset condition, trigger the execution of the calculating unit to perform the second verification according to the one-way hash function The step of calculating the data to generate third verification data.
计算单元810,用于根据所述单向散列函数对所述第二验证数据进行计 算以生成第三验证数据;The calculating unit 810 is configured to calculate the second verification data according to the one-way hash function to generate third verification data;
具体的,所述计算单元810包括:Specifically, the calculating unit 810 includes:
第一计算模块8101,用于通过第二函数对所述第二验证数据所包括的所述第二子数据进行计算以生成第二参数;a first calculating module 8101, configured to calculate, by using a second function, the second sub-data included in the second verification data to generate a second parameter;
第二计算模块8102,用于对所述第二参数和所述第二注册数据通过异或运算进行计算以生成所述目标随机数;a second calculating module 8102, configured to calculate, by using an exclusive OR operation, the second parameter and the second registration data to generate the target random number;
第三计算模块8103,用于通过所述单向散列函数对所述目标随机数、所述第一时间戳以及所述第二时间戳进行计算以生成第三参数;a third calculating module 8103, configured to calculate, by using the one-way hash function, the target random number, the first timestamp, and the second timestamp to generate a third parameter;
判断模块8104,用于判断所述第三参数是否满足第三预设条件,所述第三预设条件为所述第三参数等于所述第一子数据;The determining module 8104 is configured to determine whether the third parameter meets a third preset condition, where the third preset condition is that the third parameter is equal to the first sub-data;
获取模块8105,用于若所述判断模块判断出所述第三参数满足第三预设条件,则获取第三时间戳,所述第三时间戳为所述终端设备检测到所述终端设备扫描所述二维码开始的时间;The obtaining module 8105 is configured to: if the determining module determines that the third parameter meets the third preset condition, acquire a third timestamp, where the third timestamp is that the terminal device detects that the terminal device scans The time at which the two-dimensional code begins;
确定模块8106,用于确定所述第三验证数据包括所述第三参数和所述第三时间戳,以使所述服务器在确定出所述第三验证数据满足第四预设条件的情况下,生成所述指示信息,所述第四预设条件为所述第一时间戳和所述第三时间戳之间的差值小于或等于预设阈值,且所述第四预设条件还为所述第三参数和所述服务器所存储的所述第二验证数据所包括的所述第一子数据相等。a determining module 8106, configured to determine that the third verification data includes the third parameter and the third timestamp, so that the server determines that the third verification data meets a fourth preset condition And generating the indication information, where the fourth preset condition is that a difference between the first timestamp and the third timestamp is less than or equal to a preset threshold, and the fourth preset condition is further The third parameter is equal to the first sub-data included in the second verification data stored by the server.
第二发送单元811,用于将所述第三验证数据发送给所述服务器,以使所述服务器将指示信息发送给所述客户端设备,所述指示信息用于指示所述终端设备已通过验证。a second sending unit 811, configured to send the third verification data to the server, so that the server sends the indication information to the client device, where the indication information is used to indicate that the terminal device has passed verification.
图8所示的终端设备执行身份验证的方法的具体过程请详见图4所示的实施例,具体在本实施例中不做赘述。The specific process of the method for performing the authentication by the terminal device shown in FIG. 8 is shown in FIG. 4, which is not described in detail in this embodiment.
图8所示的终端设备在执行身份验证方法的具体过程所取得的有益效果的说明,请详见图4所示的实施例,具体在本实施例中不做赘述。For the description of the beneficial effects obtained by the terminal device shown in FIG. 8 in the specific process of performing the identity verification method, please refer to the embodiment shown in FIG. 4, which is not specifically described in this embodiment.
FIG. 2 describes the specific structure of the server from the perspective of hardware entities. The specific structure of the server is described in detail below from the perspective of functional modules, with reference to the embodiment shown in FIG. 9:
The server includes:
A second receiving unit 901, configured to receive first registration data corresponding to the terminal device and sent by the terminal device;
A second calculating unit 902, configured to compute second registration data from the first registration data and a preset key using the one-way hash function, where the preset key is a key pre-stored by the server;
A second sending unit 903, configured to send the second registration data to the terminal device.
A first receiving unit 904, configured to receive first verification data sent by the terminal device, where the first verification data is data for verification generated by the terminal device after it has registered with the server, the terminal device registers with the server by scanning a two-dimensional code generated by the client device, and the two-dimensional code is generated by the client device based on a one-time password;
A recording unit 905, configured to record a second timestamp, where the second timestamp is the time at which the server detects that the terminal device has finished scanning the two-dimensional code;
A determining unit 906, configured to determine whether the first verification data meets a first preset condition, where the first verification data includes a first timestamp and the second registration data, the first timestamp is the time at which the terminal device detects that it has finished scanning the two-dimensional code, and the first preset condition is that the first timestamp is equal to the second timestamp;
A triggering unit 907, configured to trigger the first calculating unit to perform the step of computing second verification data from the first verification data using the one-way hash function, if the determining unit determines that the first verification data meets the first preset condition.
A first calculating unit 908, configured to compute second verification data from the first verification data using the one-way hash function;
Specifically, the first calculating unit 908 includes:
A first calculating module 9081, configured to compute first sub-data from the target random number, the first timestamp and the second timestamp using the one-way hash function, where the target random number is data randomly generated by the server;
A second calculating module 9082, configured to perform an exclusive OR operation on the target random number and the second registration data to generate a first parameter;
A third calculating module 9083, configured to compute second sub-data from the first parameter using a first function;
A first generating module 9084, configured to generate second verification data, where the second verification data includes the first sub-data, the second sub-data and the second timestamp.
A first sending unit 909, configured to send the second verification data to the terminal device, so that the terminal device computes third verification data from the second verification data using the one-way hash function;
A first receiving unit 910, configured to receive the third verification data sent by the terminal device, where the third verification data includes a third parameter and a third timestamp, the third parameter is a parameter generated by the terminal device by computing over the target random number, the first timestamp and the second timestamp with the one-way hash function, the target random number is a random number generated by the terminal device by performing an exclusive OR operation on a second parameter and the second registration data, the second parameter is a parameter generated by the terminal device by applying a second function to the second sub-data included in the second verification data, and the third timestamp is the time at which the terminal device detects that it started scanning the two-dimensional code;
A generating unit 911, configured to generate indication information according to the third verification data, where the indication information indicates that the terminal device has passed verification;
Specifically, the generating unit 911 includes:
A determining module 9111, configured to determine whether the third verification data meets a fourth preset condition, where the fourth preset condition is that the difference between the first timestamp and the third timestamp is less than or equal to a preset threshold, and further that the third parameter is equal to the first sub-data included in the second verification data stored by the server;
A second generating module 9112, configured to generate the indication information if the determining module determines that the third verification data meets the fourth preset condition.
A second sending unit 912, configured to send the indication information to the client device.
For the specific process by which the server shown in FIG. 9 performs the identity verification method, refer to the embodiment shown in FIG. 4; it is not described again in this embodiment.
For a description of the beneficial effects obtained by the server shown in FIG. 9 in performing the identity verification method, refer to the embodiment shown in FIG. 4; they are not described again in this embodiment.
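The terminal-side (FIG. 8) and server-side (FIG. 9) module descriptions above together define one three-message exchange. The following is an added worked example that walks through it end to end; it is illustration written for this page, not code from the patent or its applicant. Everything the patent names only abstractly is instantiated by assumption here: SHA-256 over length-prefixed fields stands in for the one-way hash function, byte reversal stands in for the "first function" and the "second function" (they must be mutual inverses, since the terminal recovers the target random number as `second_function(second sub-data) XOR second registration data`, which the page states but does not spell out), timestamps are integer seconds, and the preset threshold is a constructed 30 seconds. The class names, method names and the three `tamper` cases are likewise constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed instantiations; the patent leaves all four abstract.
#   one-way hash function -> SHA-256 over length-prefixed fields
#   first function        -> byte reversal (any invertible transform works)
#   second function       -> byte reversal, the inverse of the first function
#   preset threshold      -> 30 seconds (constructed sample value)
THRESHOLD_SECONDS = 30

def one_way_hash(*parts: bytes) -> bytes:
    # Length-prefixing keeps H(a, b) distinct from H(a || b) whatever the field sizes.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()

def ts_bytes(t: int) -> bytes:
    return t.to_bytes(8, "big")

def first_function(x: bytes) -> bytes:
    return x[::-1]

def second_function(x: bytes) -> bytes:
    return x[::-1]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self, preset_key: bytes):
        self.preset_key = preset_key      # key pre-stored by the server
        self.second_timestamp = None      # time the server saw the scan finish
        self.stored = {}                  # second registration data -> (first sub-data, first timestamp)

    def register(self, first_registration_data: bytes) -> bytes:
        # Second registration data = H(first registration data, preset key).
        return one_way_hash(first_registration_data, self.preset_key)

    def scan_finished(self, when: int) -> None:
        self.second_timestamp = when

    def handle_first_verification(self, first_verification):
        first_timestamp, reg2 = first_verification
        if first_timestamp != self.second_timestamp:   # first preset condition
            return None
        r = os.urandom(32)                             # target random number
        sub1 = one_way_hash(r, ts_bytes(first_timestamp), ts_bytes(self.second_timestamp))
        sub2 = first_function(xor_bytes(r, reg2))      # first parameter, then first function
        self.stored[reg2] = (sub1, first_timestamp)    # kept for the fourth preset condition
        return (sub1, sub2, self.second_timestamp)

    def handle_third_verification(self, reg2: bytes, third_verification) -> bool:
        third_parameter, third_timestamp = third_verification
        if reg2 not in self.stored:
            return False
        # pop() makes the session single-use; that is added hardening, not a step in the patent.
        sub1, first_timestamp = self.stored.pop(reg2)
        if abs(first_timestamp - third_timestamp) > THRESHOLD_SECONDS:   # fourth preset condition, part 1
            return False
        return hmac.compare_digest(third_parameter, sub1)                # fourth preset condition, part 2

class Terminal:
    def __init__(self, first_registration_data: bytes):
        self.first_registration_data = first_registration_data
        self.reg2 = None
        self.first_timestamp = None   # scan end
        self.third_timestamp = None   # scan start

    def register(self, server: Server) -> None:
        self.reg2 = server.register(self.first_registration_data)

    def scan(self, start: int, end: int) -> None:
        self.third_timestamp, self.first_timestamp = start, end

    def first_verification(self):
        return (self.first_timestamp, self.reg2)

    def handle_second_verification(self, second_verification):
        sub1, sub2, second_timestamp = second_verification
        if second_timestamp != self.first_timestamp:   # second preset condition
            return None
        r = xor_bytes(second_function(sub2), self.reg2)   # recover the target random number
        third_parameter = one_way_hash(r, ts_bytes(self.first_timestamp), ts_bytes(second_timestamp))
        if not hmac.compare_digest(third_parameter, sub1):   # third preset condition
            return None
        return (third_parameter, self.third_timestamp)

def run_exchange(tamper: str = None) -> bool:
    """Registration plus the three verification messages; returns the server's verdict.
    tamper selects a constructed failure case: 'replay', 'modified_sub2' or 'slow_scan'."""
    server = Server(preset_key=b"constructed-server-preset-key")
    terminal = Terminal(first_registration_data=b"constructed-device-id-0001")
    terminal.register(server)
    scan_start, scan_end = 1_700_000_000, 1_700_000_005   # constructed timestamps
    terminal.scan(scan_start, scan_end)
    server.scan_finished(scan_end)
    first = terminal.first_verification()
    if tamper == "replay":
        first = (scan_end - 60, first[1])           # stale first timestamp from an earlier scan
    second = server.handle_first_verification(first)
    if second is None:
        return False
    if tamper == "modified_sub2":
        sub1, sub2, t2 = second
        second = (sub1, bytes([sub2[0] ^ 0x01]) + sub2[1:], t2)   # one bit altered in transit
    third = terminal.handle_second_verification(second)
    if third is None:
        return False
    if tamper == "slow_scan":
        third = (third[0], scan_end - 100)          # scan start far outside the threshold
    return server.handle_third_verification(terminal.reg2, third)
```

`run_exchange()` returns True for the honest run; each tamper case is rejected at exactly the preset condition the description assigns to it (the stale timestamp at the first condition, the altered second sub-data at the third, the over-long scan window at the fourth). Two points worth noting for anyone implementing this: the server only ever compares the recomputed hash, so it must keep the first sub-data and first timestamp it issued (the `stored` map here), and the equality checks on hash values should be constant-time, which is why `hmac.compare_digest` is used rather than `==`.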
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of computer-readable instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are merely intended to describe the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that modifications may still be made to the technical solutions described in the foregoing embodiments, or equivalent replacements made to some of their technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (20)

  1. An identity verification method, comprising:
    scanning, by a terminal device, a two-dimensional code generated by a client device, so that the terminal device that has scanned the two-dimensional code registers with a server, where the two-dimensional code is generated by the client device based on a one-time password;
    sending, by the terminal device, first verification data to the server, so that the server sends second verification data to the terminal device, where the second verification data is data computed by the server from the first verification data using a one-way hash function;
    computing, by the terminal device, third verification data from the second verification data using the one-way hash function; and
    sending, by the terminal device, the third verification data to the server, so that the server sends indication information to the client device, where the indication information indicates that the terminal device has passed verification.
  2. The method according to claim 1, further comprising:
    generating, by the terminal device, first registration data corresponding to the terminal device;
    sending, by the terminal device, the first registration data to the server, so that the server sends second registration data to the terminal device, where the second registration data is data computed by the server from the first registration data and a preset key using the one-way hash function, and the preset key is a key pre-stored by the server; and
    receiving, by the terminal device, the second registration data.
  3. The method according to claim 2, further comprising:
    recording, by the terminal device, a first timestamp, where the first timestamp is the time at which the terminal device detects that it has finished scanning the two-dimensional code; and
    generating, by the terminal device, the first verification data, where the first verification data includes the first timestamp and the second registration data, so that the server generates the second verification data when it determines that the first verification data meets a first preset condition, where the first preset condition is that the first timestamp is equal to a second timestamp, the second timestamp is the time at which the server detects that the terminal device has finished scanning the two-dimensional code, and the second verification data includes first sub-data, second sub-data and the second timestamp, where the first sub-data is data computed by the server from a target random number, the first timestamp and the second timestamp using the one-way hash function, the target random number is data randomly generated by the server, the second sub-data is data computed by the server from a first parameter using a first function, and the first parameter is data generated by the server by performing an exclusive OR operation on the target random number and the second registration data.
  4. The method according to claim 1, further comprising:
    receiving, by the terminal device, the second verification data, where the second verification data includes a second timestamp, and the second timestamp is the time at which the server detects that the terminal device has finished scanning the two-dimensional code;
    determining, by the terminal device, whether the second verification data meets a second preset condition, where the second preset condition is that a first timestamp is equal to the second timestamp, and the first timestamp is the time at which the terminal device detects that it has finished scanning the two-dimensional code; and
    if the terminal device determines that the second verification data meets the second preset condition, triggering execution of the step of computing, by the terminal device, the third verification data from the second verification data using the one-way hash function.
  5. The method according to claim 3, wherein the computing, by the terminal device, third verification data from the second verification data using the one-way hash function comprises:
    computing, by the terminal device, a second parameter from the second sub-data included in the second verification data using a second function;
    performing, by the terminal device, an exclusive OR operation on the second parameter and the second registration data to generate the target random number;
    computing, by the terminal device, a third parameter from the target random number, the first timestamp and the second timestamp using the one-way hash function;
    determining, by the terminal device, whether the third parameter meets a third preset condition, where the third preset condition is that the third parameter is equal to the first sub-data;
    if the terminal device determines that the third parameter meets the third preset condition, obtaining, by the terminal device, a third timestamp, where the third timestamp is the time at which the terminal device detects that it started scanning the two-dimensional code; and
    determining, by the terminal device, that the third verification data includes the third parameter and the third timestamp, so that the server generates the indication information when it determines that the third verification data meets a fourth preset condition, where the fourth preset condition is that the difference between the first timestamp and the third timestamp is less than or equal to a preset threshold, and further that the third parameter is equal to the first sub-data included in the second verification data stored by the server.
  6. An identity verification method, comprising:
    receiving, by a server, first verification data sent by a terminal device, where the first verification data is data for verification generated by the terminal device after it has registered with the server, the terminal device registers with the server by scanning a two-dimensional code generated by a client device, and the two-dimensional code is generated by the client device based on a one-time password;
    computing, by the server, second verification data from the first verification data using a one-way hash function;
    sending, by the server, the second verification data to the terminal device, so that the terminal device computes third verification data from the second verification data using the one-way hash function;
    receiving, by the server, the third verification data sent by the terminal device;
    generating, by the server, indication information according to the third verification data, where the indication information indicates that the terminal device has passed verification; and
    sending, by the server, the indication information to the client device.
  7. The method according to claim 6, further comprising:
    receiving, by the server, first registration data corresponding to the terminal device and sent by the terminal device;
    computing, by the server, second registration data from the first registration data and a preset key using the one-way hash function, where the preset key is a key pre-stored by the server; and
    sending, by the server, the second registration data to the terminal device.
  8. The method according to claim 7, further comprising:
    recording, by the server, a second timestamp, where the second timestamp is the time at which the server detects that the terminal device has finished scanning the two-dimensional code;
    determining, by the server, whether the first verification data meets a first preset condition, where the first verification data includes a first timestamp and the second registration data, the first timestamp is the time at which the terminal device detects that it has finished scanning the two-dimensional code, and the first preset condition is that the first timestamp is equal to the second timestamp; and
    if the server determines that the first verification data meets the first preset condition, triggering execution of the step of computing, by the server, the second verification data from the first verification data using the one-way hash function.
  9. The method according to claim 8, wherein the computing, by the server, second verification data from the first verification data using the one-way hash function comprises:
    computing, by the server, first sub-data from a target random number, the first timestamp and the second timestamp using the one-way hash function, where the target random number is data randomly generated by the server;
    performing, by the server, an exclusive OR operation on the target random number and the second registration data to generate a first parameter;
    computing, by the server, second sub-data from the first parameter using a first function; and
    generating, by the server, the second verification data, where the second verification data includes the first sub-data, the second sub-data and the second timestamp.
  10. The method according to claim 9, wherein the third verification data includes a third parameter and a third timestamp, the third parameter is a parameter generated by the terminal device by computing over the target random number, the first timestamp and the second timestamp with the one-way hash function, the target random number is a random number generated by the terminal device by performing an exclusive OR operation on a second parameter and the second registration data, the second parameter is a parameter generated by the terminal device by applying a second function to the second sub-data included in the second verification data, and the third timestamp is the time at which the terminal device detects that it started scanning the two-dimensional code;
    and the generating, by the server, indication information according to the third verification data comprises:
    determining, by the server, whether the third verification data meets a fourth preset condition, where the fourth preset condition is that the difference between the first timestamp and the third timestamp is less than or equal to a preset threshold, and further that the third parameter is equal to the first sub-data included in the second verification data stored by the server; and
    if the server determines that the third verification data meets the fourth preset condition, generating, by the server, the indication information.
  11. A terminal device, comprising:
    a scanning unit, configured to scan a two-dimensional code generated by a client device, so that the terminal device that has scanned the two-dimensional code registers with a server, where the two-dimensional code is generated by the client device based on a one-time password;
    a first sending unit, configured to send first verification data to the server, so that the server sends second verification data to the terminal device, where the second verification data is data computed by the server from the first verification data using a one-way hash function;
    a calculating unit, configured to compute third verification data from the second verification data using the one-way hash function; and
    a second sending unit, configured to send the third verification data to the server, so that the server sends indication information to the client device, where the indication information indicates that the terminal device has passed verification.
  12. A terminal device, comprising a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps:
    scanning a two-dimensional code generated by a client device, so as to register with a server after having scanned the two-dimensional code, where the two-dimensional code is generated by the client device based on a one-time password;
    sending first verification data to the server, so that the server sends second verification data back, where the second verification data is data computed by the server from the first verification data using a one-way hash function;
    computing third verification data from the second verification data using the one-way hash function; and
    sending the third verification data to the server, so that the server sends indication information to the client device, where the indication information indicates that verification has been passed.
  13. The terminal device according to claim 12, wherein the computer-readable instructions, when executed by the one or more processors, further cause the one or more processors to perform the following steps:
    generating corresponding first registration data;
    sending the first registration data to the server, so that the server sends second registration data back, where the second registration data is data computed by the server from the first registration data and a preset key using the one-way hash function, and the preset key is a key pre-stored by the server; and
    receiving the second registration data.
  14. The terminal device according to claim 13, wherein the computer-readable instructions, when executed by the one or more processors, further cause the one or more processors to perform the following steps:
    recording a first timestamp, where the first timestamp is the time at which the end of scanning the two-dimensional code is detected; and
    generating the first verification data, where the first verification data includes the first timestamp and the second registration data, so that the server generates the second verification data when it determines that the first verification data meets a first preset condition, where the first preset condition is that the first timestamp is equal to a second timestamp, the second timestamp is the time at which the server detects that scanning of the two-dimensional code has finished, and the second verification data includes first sub-data, second sub-data and the second timestamp, where the first sub-data is data computed by the server from a target random number, the first timestamp and the second timestamp using the one-way hash function, the target random number is data randomly generated by the server, the second sub-data is data computed by the server from a first parameter using a first function, and the first parameter is data generated by the server by performing an exclusive OR operation on the target random number and the second registration data.
  15. 一种服务器,其特征在于,包括:A server, comprising:
    第一接收单元,用于接收终端设备发送的第一验证数据,所述第一验证数据为所述终端设备注册到所述服务器后所生成的用于进行验证的数据,所述终端设备通过扫描客户端设备生成的二维码注册到所述服务器,所述二维码由所述客户端设备基于一次性密码所生成;a first receiving unit, configured to receive first verification data that is sent by the terminal device, where the first verification data is data generated by the terminal device after being registered to the server, and the terminal device scans The two-dimensional code generated by the client device is registered to the server, and the two-dimensional code is generated by the client device based on the one-time password;
    第一计算单元,用于根据单向散列函数对所述第一验证数据进行计算以生成第二验证数据;a first calculating unit, configured to calculate the first verification data according to a one-way hash function to generate second verification data;
    第一发送单元,用于将所述第二验证数据发送给所述终端设备,以使所述终端设备根据所述单向散列函数对所述第二验证数据进行计算以生成第三验证数据;a first sending unit, configured to send the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data. ;
    第一接收单元,用于接收所述终端设备发送的所述第三验证数据;a first receiving unit, configured to receive the third verification data sent by the terminal device;
    生成单元,用于根据所述第三验证数据生成指示信息,所述指示信息用于指示所述终端设备已通过验证;及a generating unit, configured to generate indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification;
    第二发送单元,用于将所述指示信息发送给所述客户端设备。a second sending unit, configured to send the indication information to the client device.
  16. A server, comprising a memory and one or more processors, the memory storing computer-readable instructions that, when executed by the one or more processors, cause the one or more processors to perform the following steps:
    receiving first verification data sent by a terminal device, where the first verification data is data generated by the terminal device for verification after the terminal device has registered to the server, the terminal device registers to the server by scanning a two-dimensional code generated by a client device, and the two-dimensional code is generated by the client device based on a one-time password;
    calculating the first verification data according to a one-way hash function to generate second verification data;
    sending the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
    receiving the third verification data sent by the terminal device;
    generating indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification; and
    sending the indication information to the client device.
  17. The server according to claim 16, further comprising:
    receiving first registration data corresponding to the terminal device and sent by the terminal device;
    calculating the first registration data and a preset key according to the one-way hash function to generate second registration data, where the preset key is a pre-stored key; and
    sending the second registration data to the terminal device.
  18. The server according to claim 17, further comprising:
    recording a second timestamp, where the second timestamp is the time at which it is detected that the terminal device has finished scanning the two-dimensional code;
    determining whether the first verification data meets a first preset condition, where the first verification data includes a first timestamp and the second registration data, the first timestamp is the time at which the terminal device detects that the terminal device has finished scanning the two-dimensional code, and the first preset condition is that the first timestamp is equal to the second timestamp; and
    if it is determined that the first verification data meets the first preset condition, triggering execution of the step of calculating the first verification data according to the one-way hash function to generate the second verification data.
  19. One or more non-volatile storage media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform the following steps:
    scanning a two-dimensional code generated by a client device, so that the terminal device that has scanned the two-dimensional code is registered to a server, where the two-dimensional code is generated by the client device based on a one-time password;
    sending first verification data to the server, so that the server sends second verification data to the terminal device, where the second verification data is data generated by the server by calculating the first verification data according to a one-way hash function;
    calculating the second verification data according to the one-way hash function to generate third verification data; and
    sending the third verification data to the server, so that the server sends indication information to the client device, where the indication information is used to indicate that verification has been passed.
  20. One or more non-volatile storage media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform the following steps:
    receiving first verification data sent by a terminal device, where the first verification data is data generated by the terminal device for verification after the terminal device has registered to the server, the terminal device registers to the server by scanning a two-dimensional code generated by a client device, and the two-dimensional code is generated by the client device based on a one-time password;
    calculating the first verification data according to a one-way hash function to generate second verification data;
    sending the second verification data to the terminal device, so that the terminal device calculates the second verification data according to the one-way hash function to generate third verification data;
    receiving the third verification data sent by the terminal device;
    generating indication information according to the third verification data, where the indication information is used to indicate that the terminal device has passed verification; and
    sending the indication information to the client device.
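Added example, not code from the patent or its applicant: a Python simulation of the registration and verification exchange of claims 16 to 19, with the server side (claims 16 to 18) and the terminal's extra hash (claim 19) as separate functions. SHA-256 as the one-way hash, the server checking the returned second registration data against what it issued, the server keeping H(second verification data) to compare with the terminal's third verification data, and all device names, keys and registration data are assumptions or constructed values.

```python
import hashlib
import hmac

def one_way_hash(*parts: bytes) -> bytes:
    # The claims only say "one-way hash function"; SHA-256 is an assumption.
    return hashlib.sha256(b"".join(parts)).digest()

class Server:
    def __init__(self, preset_key: bytes) -> None:
        self.preset_key = preset_key   # pre-stored key (claim 17)
        self.second_timestamp = None   # time the scan was seen to finish (claim 18)
        self.issued = {}               # device -> second registration data
        self.expected_third = {}       # device -> hash the terminal must return

    def register(self, device: str, first_registration: bytes) -> bytes:
        # claim 17: second registration data = H(first registration data || preset key)
        second = one_way_hash(first_registration, self.preset_key)
        self.issued[device] = second
        return second

    def scan_finished(self, timestamp: int) -> None:
        self.second_timestamp = timestamp

    def verify_step1(self, device: str, first_verification: tuple):
        first_timestamp, second_registration = first_verification
        # claim 18: first preset condition, first timestamp == second timestamp
        if first_timestamp != self.second_timestamp:
            return None
        # Assumption: the server also checks that the registration data is what it issued.
        if not hmac.compare_digest(second_registration, self.issued.get(device, b"")):
            return None
        # claim 16: second verification data = H(first verification data);
        # assumption: the server keeps H(second) to compare with the terminal's reply.
        second = one_way_hash(first_timestamp.to_bytes(8, "big"), second_registration)
        self.expected_third[device] = one_way_hash(second)
        return second

    def verify_step2(self, device: str, third_verification: bytes) -> bool:
        # The boolean is the "indication information" forwarded to the client device;
        # popping the expectation means a replayed third value is rejected.
        expected = self.expected_third.pop(device, None)
        return expected is not None and hmac.compare_digest(expected, third_verification)

def terminal_third(second_verification: bytes) -> bytes:
    # claims 16 and 19: the terminal hashes the second verification data once more
    return one_way_hash(second_verification)

def run_flow(server_scan_end: int, terminal_scan_end: int) -> bool:
    server = Server(b"constructed-preset-key")   # constructed inputs throughout
    second_reg = server.register("terminal-A", b"constructed-first-registration-data")
    server.scan_finished(server_scan_end)
    second_ver = server.verify_step1("terminal-A", (terminal_scan_end, second_reg))
    return second_ver is not None and server.verify_step2("terminal-A", terminal_third(second_ver))
```

`run_flow(1000, 1000)` passes, while a terminal timestamp that does not match the server's recorded scan end, a registration value the server never issued, or a second submission of the same third verification data are all rejected.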
PCT/CN2018/076007 2017-03-09 2018-02-09 Identity verification method, terminal apparatus, server, and data storage medium WO2018161777A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710138328.3A CN106657166B (en) 2017-03-09 2017-03-09 A kind of method of authentication, terminal device and server
CN201710138328.3 2017-03-09

Publications (1)

Publication Number Publication Date
WO2018161777A1 true WO2018161777A1 (en) 2018-09-13

Family

ID=58847387

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/076007 WO2018161777A1 (en) 2017-03-09 2018-02-09 Identity verification method, terminal apparatus, server, and data storage medium

Country Status (2)

Country Link
CN (1) CN106657166B (en)
WO (1) WO2018161777A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657166B (en) * 2017-03-09 2019-09-17 腾讯科技(深圳)有限公司 A kind of method of authentication, terminal device and server
CN107155185B (en) * 2017-06-30 2019-12-03 迈普通信技术股份有限公司 It is a kind of to access the authentication method of WLAN, apparatus and system
CN108154362B (en) * 2018-01-18 2021-05-18 上海众人网络安全技术有限公司 Transaction method, device and system based on graphic bar code
CN111031031A (en) * 2019-12-10 2020-04-17 刘兴丹 Method and device for acquiring information from display screen and transmitting information
CN112543241B (en) * 2020-10-22 2023-05-30 重庆恢恢信息技术有限公司 Construction site safety image data mining method by using block chain


Also Published As

Publication number Publication date
CN106657166A (en) 2017-05-10
CN106657166B (en) 2019-09-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18764046

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18764046

Country of ref document: EP

Kind code of ref document: A1