WO2019179394A1 - Method, terminal and authentication server for obtaining identity information - Google Patents


Info

Publication number
WO2019179394A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
identity
information
identity information
message
Application number
PCT/CN2019/078502
Other languages
English (en)
Chinese (zh)
Inventor
赵晓娜
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2019179394A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Definitions

  • The present application relates to the field of identity authentication, and in particular to a method, a terminal and an authentication server for acquiring identity information.
  • Electronic identity (eID) technology is based on cryptography and on a smart security chip.
  • The public security organ issues a unique electronic identity to each citizen, which allows the citizen's identity to be verified without revealing the citizen's identity information.
  • Currently realized eID carriers include physical cards such as integrated circuit (IC) cards, social security cards and Subscriber Identification Module (SIM) cards; in future, smart terminals such as wearable devices and mobile phones will also serve as carriers.
  • IC: integrated circuit card
  • SIM: Subscriber Identification Module
  • eID technology is mainly used for online remote identity verification; the main usage scenarios are payment, social networking sites, e-commerce, logistics, e-government and so on.
  • The issuing institution, i.e. the Ministry of Public Security, issues the electronic identity.
  • The electronic identity code is then securely stored in the eID carrier together with the public key certificate generated for the eID carrier and the private key generated by the eID carrier.
  • When a service authenticates a service requester based on eID technology, the eID carrier generates signature data (also called a signature) for the service by using the private key stored in it; the service application obtains the signature and sends it to the network identity service.
  • Signature data: also called a signature.
  • eID holder: also known as the electronic identity holder.
  • The service requester is the eID holder.
  • Certain businesses need to selectively authenticate only part of the basic identity information of an eID holder: for example, checking the age of a consumer when selling alcohol and tobacco, checking the photo, name and even marital status of travellers when they check in, and checking the name and contact information of the sender when a courier parcel is sent or received.
  • The traffic police check the driver's photo, the validity period of the electronic driver's licence, etc., and some public facilities (such as changing rooms) check the gender of the user.
  • In such cases the user may be required to provide plaintext information to the service provider.
  • The user may need to manually enter private information such as their ID number, which can easily lead to leakage of private data.
  • Private information: for example, the user's ID number.
  • Users often need to present valid documents (such as second-generation ID cards, driver's licences, passports, etc.) or the main private data contained in those documents (such as name, ID number, etc.).
  • Main private data: for example, name, ID number, etc.
  • The embodiment of the invention provides a method, a terminal and an authentication server for acquiring identity information, which can obtain the identity information or identity verification result required by a service. This avoids the leakage of key private data and of non-essential information that may be caused by the user actively presenting a valid identity document, and enhances the user experience.
  • In a first aspect, a method of obtaining identity information is provided.
  • The terminal sends a first message, which includes first electronic identity data and first information. The first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to that data; when the authentication of the electronic identity holder passes, the first information is used by the verification server to obtain, from all identity information of the electronic identity holder, the identity information required by the first service. The terminal then receives a second message, which includes the required identity information or an identity information collation result obtained from the required identity information.
  • Because the first message sent by the terminal includes not only the first electronic identity data but also the first information, the verification server can both verify the electronic identity holder according to the first electronic identity data and select the required identity information according to the first information.
  • The terminal receives the second message, which includes the required identity information or the identity information collation result obtained from the required identity information.
  • The terminal can thus obtain the required identity information at the same time as identity authentication, without the service requester having to provide plaintext information to the service provider; this avoids leakage of key private data and avoids redundant disclosure of non-essential information.
  • The terminal then executes the first service. According to this embodiment, execution of a service whose requirements are satisfied can be triggered automatically.
  • In one implementation, the terminal sends the first message to the verification server and receives the second message from the verification server.
  • Here the terminal requests authentication directly from the verification server; the communication path passes only through the terminal and the verification server, not through the service server, which simplifies the communication process and shortens the time taken.
  • In another implementation, the terminal sends the first message to the service server corresponding to the first service, and the first message further includes indication information instructing the service server to forward the first electronic identity data and the first information to the verification server; the terminal receives the second message from the service server.
  • Here the terminal requests authentication from the verification server through the service server; the communication path passes through the terminal, the service server and the verification server, which facilitates control of the service by the service server and is beneficial to security.
  • The method further includes: the terminal acquires biometric information of the service requester of the first service; when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, the terminal executes the first service.
  • The terminal can thus acquire the required identity information at the same time as identity authentication and can ensure that the person is the same (i.e. that the electronic identity holder is the service requester).
  • On the one hand, leakage of key private data and redundant disclosure of non-essential information are avoided without the service requester having to provide plaintext information to the service provider; on the other hand, theft of the electronic identity can be prevented.
  • In one implementation, the terminal compares the biometric information of the service requester with the biometric information in the required identity information to determine whether the biometric information of the service requester is consistent with that of the electronic identity holder.
  • When the comparison is performed by the terminal, the method can comply with regulations under which certain biometric information may not be transmitted out of the terminal.
  • In another implementation, before the terminal executes the first service, it sends the biometric information of the service requester to the service server corresponding to the first service; the service server uses it to compare the biometric information of the service requester with the biometric information in the required identity information, and the terminal receives the comparison result from the service server.
  • When the comparison is performed by the service server, the service server retains control of the service, security is improved, and resource overhead on the terminal is reduced.
  • In a further implementation, before the terminal executes the first service, the biometric information of the service requester is sent to the verification server, which compares it with the biometric information in the required identity information; the terminal receives the comparison result from the verification server.
  • When the comparison is performed by the verification server, the verification server does not need to transmit the biometric information of the electronic identity holder, which improves security and reduces resource overhead on the terminal.
  • The first information is either the identifier of the required identity information, or the service application identifier of the application performing the first service together with the service type identifier of the first service.
  • When the first information is the required identity information identifier, the verification server can obtain the identity information required by the first service directly from all the identity information corresponding to the first electronic identity data, according to that identifier.
  • When the first information is the service application identifier and the service type identifier of the first service, the verification server can determine the service type of the first service and, according to the first electronic identity data, verify the identity of the corresponding electronic identity holder; when verification passes, it obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data.
  • For this purpose a mapping table between service application identifiers and required identity information identifiers is stored in the verification server: the verification server determines the identity information identifier required by the first service from its service application identifier, and then obtains the required identity information from all the identity information corresponding to the first electronic identity data according to that identifier.
  • Before the terminal sends the first message, either the terminal uses the private key of the electronic identity holder to perform a signature calculation on the service data of the first service to generate the first electronic identity data, or the terminal acquires the first electronic identity data from a security device that holds the electronic identity holder's private key, in which case the first electronic identity data is generated by the security device performing the signature calculation on the service data of the first service with that private key.
  • In this variant the signature calculation is performed only on the service data and not on the first information, which is advantageous for compatibility with the prior art.
  • Alternatively, the terminal signs the service data of the first service together with the first information using the private key of the electronic identity holder.
  • Or the security device uses the private key of the electronic identity holder to perform the signature calculation on the service data of the first service together with the first information. In this embodiment not only the service data but also the first information is covered by the signature, which gives higher security.
  • The terminal determines the identity information identifier required by the first service.
  • The terminal may determine the required identity information identifier according to a pre-stored mapping table of service application identifiers to required identity information identifiers; or according to a user instruction; or by receiving the required identity information identifier from the service server corresponding to the first service.
  • The terminal may determine the required identity information identifier in any of the foregoing ways, so the implementation is flexible.
  • Before the terminal sends the first message, the method further includes: the terminal sends a third message to the service server corresponding to the first service, requesting the service server to register with the verification server the identity information customization service required by the first service; the terminal then receives a fourth message from the service server notifying it that the identity information customization service was registered successfully.
  • Through this registration the verification server can respond to requests from the terminal and the service server while responding only to legitimate requests.
  • The method further includes: the terminal adds the service application identifier of the first service to a whitelist; after a request for the first service is triggered, the terminal checks that the whitelist includes the service application identifier of the first service.
  • The terminal can thus pre-screen and filter service applications and does not send the first message on behalf of a service application that is not in the whitelist, which improves security to a certain extent and reduces the unnecessary communication load caused by verification requests from illegitimate service applications.
  • In a second aspect, a method of obtaining identity information is provided: the verification server receives a fifth message, which includes the first electronic identity data and the first information; the verification server verifies, according to the first electronic identity data, the identity of the electronic identity holder corresponding to that data; when the identity of the electronic identity holder is verified, the verification server obtains, according to the first information, the identity information required by the first service from all identity information of the electronic identity holder; the verification server then sends a sixth message including the required identity information.
  • The verification server can thus send the required identity information at the same time as identity authentication, without the service requester having to provide plaintext information to the service provider; this avoids leakage of key private data and avoids redundant disclosure of unnecessary information.
  • In one implementation, the verification server receives the fifth message from the terminal and sends the sixth message to the terminal.
  • Here the terminal requests authentication directly from the verification server; the communication path passes only through the terminal and the verification server, not through the service server, which simplifies the communication process and shortens the time taken.
  • In another implementation, the verification server receives the fifth message from the service server corresponding to the first service and sends the sixth message to the service server.
  • Here the terminal requests authentication through the service server; the communication path passes through the terminal, the service server and the verification server, which facilitates control of the service by the service server and is beneficial to security.
  • Before the verification server sends the sixth message, it receives biometric information of the service requester of the first service from the terminal; the verification server sends the sixth message only when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder.
  • When the comparison is performed by the verification server, the verification server does not need to transmit the biometric information of the electronic identity holder, which improves security.
  • The first electronic identity data is signature data generated by performing a signature calculation on the service data of the first service using the private key of the electronic identity holder; or it is signature data generated by signing the service data of the first service together with the first information using that private key. The verification server verifies the signature data with the public key of the electronic identity holder in order to verify the holder's identity.
  • Signing only the service data and not the first information is beneficial for compatibility with the prior art; signing both the service data and the first information gives higher security.
  • When the first information is the service application identifier and the service type identifier of the first service, the verification server determines the required identity information identifier corresponding to the first service from its pre-stored mapping table of service application identifiers to required identity information identifiers, and then obtains the required identity information from all the identity information of the electronic identity holder according to that identifier; or, when the first information is the required identity information identifier, the verification server obtains the required identity information from all the identity information of the electronic identity holder directly according to that identifier.
  • The verification server can determine the required identity information by either of the above methods, so the implementation is flexible.
  • The method further includes: the verification server receives a seventh message from the service server corresponding to the first service, which includes information about the service provider of the first service and an identity information customization instruction; the verification server determines, from the information about the service provider, that the service provider is legitimate, and registers the identity information customization service according to the instruction.
  • The verification server then sends an eighth message to the service server notifying it that the service provider is legitimate and the identity information customization service was registered successfully.
  • Through this registration the verification server can respond to requests from the terminal and the service server while responding only to legitimate requests.
  • The seventh message further includes the service application identifier of the first service. After the verification server determines, from the information about the service provider, that the service provider is legitimate, it adds the service application identifier of the first service to a whitelist.
  • A fifth message whose service application identifier is not in the whitelist can be ignored directly, avoiding unnecessary message parsing and, to some extent, saving resources.
  • The seventh message may further include the identity information identifier required by the first service, and the method further includes: the verification server saves the service application identifier and the required identity information identifier in the mapping table.
  • After the verification server receives the fifth message, when the first information is the service application identifier and the service type identifier of the first service, the verification server determines the required identity information identifier corresponding to the first service from the pre-stored mapping table of service application identifiers to required identity information identifiers, and obtains the required identity information from all identity information of the electronic identity holder according to that identifier.
  • A further method of obtaining identity information is provided, performed by the service server.
  • The service server corresponding to the first service receives a ninth message from the terminal, which includes first electronic identity data, first information and first indication information; the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder.
  • The service server transmits the first electronic identity data and the first information to the verification server according to the first indication information; the service server receives a tenth message from the verification server, which includes the required identity information or an identity information collation result obtained from the required identity information; the service server then transmits the required identity information or the identity information collation result to the terminal.
  • The first indication information may be sent as a separate parameter in the message, or may be represented by attribute information of the message itself, such as a label value indicating that the message is the first message.
  • Optionally, the first information is not included in the ninth message and the determination of the first information (e.g. the required identity information identifier) is not performed by the terminal: the terminal only uses the service data to generate the electronic identity data (e.g. a signature), which it then sends to the service server.
  • In that case the service server determines the required identity information identifier according to the service requirement, attaches the determined identifier to the received signature, and sends both to the verification server, which verifies the signature and returns the required identity information.
  • The terminal can thus acquire the required identity information at the same time as identity authentication, without the service requester having to provide plaintext information to the service provider; this avoids leakage of key private data and avoids redundant disclosure of non-essential information.
  • Here the terminal requests authentication through the service server; the communication path passes through the terminal, the service server and the verification server, which facilitates control of the service by the service server and is beneficial to security.
  • The method further includes: the service server receives biometric information of the service requester of the first service; the service server compares it with the biometric information in the required identity information; the service server sends the comparison result to the terminal.
  • The terminal can thus acquire the required identity information at the same time as identity authentication and can ensure that the person is the same (i.e. that the electronic identity holder is the service requester).
  • When the comparison is performed by the service server, the service server retains control of the service, which is beneficial to security.
  • The first information is either the required identity information identifier, or the service application identifier of the application performing the first service together with the service type identifier of the first service.
  • When the first information is the required identity information identifier, the verification server can obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to that identifier.
  • the method further includes: the service server sending an eleventh message to the verification server, where the eleventh message includes Determining an information and identity information customization indication of the service provider of the first service, or including information of the service provider and the required identity information identifier; the service server receives the twelfth message from the verification server The twelfth message is used to notify the service provider that the service provider is legal and the identity information customization service is successfully registered.
  • the verification server can respond to the request of the terminal and the service server, facilitating the verification server to respond only to legitimate requests.
  • the embodiment of the present invention provides a terminal, which can implement the functions performed in the foregoing method design of the first aspect, and the functions can be implemented by using hardware or by executing corresponding software by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the structure of the terminal includes a processor configured to support the terminal to perform the corresponding functions of the first aspect method described above.
  • the terminal can also include a memory for coupling with the processor that retains the program instructions and data necessary for the terminal.
  • the terminal may also include a communication interface for transmitting or receiving information and the like.
  • an embodiment of the present invention provides an authentication server, which can implement the functions performed in the foregoing method design of the second aspect, and the functions can be implemented by using hardware or by executing corresponding software by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the authentication server includes a processor configured to support the verification server to perform the corresponding functions of the second aspect method described above.
  • the verification server can also include a memory for coupling with the processor that holds the program instructions and data necessary for the verification server.
  • the authentication server may also include a communication interface for transmitting or receiving information and the like.
  • an embodiment of the present invention provides a service server, where the service server can implement the functions performed in the method design of the foregoing third aspect, and the functions can be implemented by using hardware or by executing corresponding software by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the structure of the service server includes a processor configured to support the service server to perform the corresponding function in the method of the third aspect above.
  • the service server can also include a memory for coupling with the processor that holds the program instructions and data necessary for the service server.
  • the service server may also include a communication interface for transmitting or receiving information and the like.
  • an embodiment of the present invention provides a communication device, which may be, for example, a chip, and the communication device may be disposed in a terminal, where the communication device includes a processor and an interface.
  • the processor is configured to support the communication device to perform the corresponding function of the method of any of the first to third aspects described above.
  • the interface is used to support communication between the communication device and other communication devices or other network elements.
  • the communication device can also include a memory for coupling with the processor that retains the program instructions and data necessary for the communication device.
  • an embodiment of the present invention provides a computer storage medium, where the computer storage medium stores instructions which, when executed on a computer, cause the computer to perform the method of any of the foregoing first to third aspects.
  • an embodiment of the present invention provides a computer program or computer program product, comprising instructions which, when executed by a computer, cause the computer to perform the method of any of the first to third aspects described above.
  • the terminal can acquire the required identity information at the same time as the identity authentication, and the service requester need not provide plaintext information to the service provider, which can avoid the leakage of key privacy data and reduce the redundancy of non-essential information.
  • FIG. 1 is a schematic diagram of a system architecture for performing identity authentication based on eID technology
  • FIG. 2A is a flowchart of a method for acquiring identity information according to an embodiment of the present invention.
  • FIG. 2B is a flowchart of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 2C is a flowchart of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a system based on a method for acquiring identity information according to an embodiment of the present disclosure
  • FIG. 4 is a schematic communication diagram of a method for acquiring identity information according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of another method for acquiring identity information according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of another communication method for acquiring identity information according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a terminal according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of another terminal according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic structural diagram of a communication apparatus according to an embodiment of the present invention.
  • FIG. 15 is a schematic structural diagram of an authentication server according to an embodiment of the present disclosure.
  • FIG. 16 is a schematic structural diagram of another authentication server according to an embodiment of the present disclosure.
  • FIG. 17 is a schematic structural diagram of another communication apparatus according to an embodiment of the present invention.
  • An embodiment of the present invention provides a method for acquiring identity information. After a service is triggered, on the basis of the identity authentication of the service requester using the electronic identity identifier, the identity information of the user corresponding to the electronic identity identifier is checked according to the service requirement. When the check result is yes, the service is executed by the terminal; otherwise the service is not executed.
  • in the present invention it is not only necessary to verify whether the identity of the service requester is legal, but also to verify whether part of the identity information of the service requester meets the service requirement, thereby avoiding leakage and redundancy of the identity information of the service requester. It also reduces the offline or separate checking work of the service provider.
  • the service requester can be authenticated by using an electronic identity in any of the existing ways, such as eID technology.
  • the application is not limited to this.
  • the following is an example of how to use the eID technology to authenticate the service requester by using the electronic identity identifier.
  • eID technology is a network electronic identity that is issued to citizens by the “Public Network Identification System of the Ministry of Public Security” based on cryptographic technology, with intelligent security chips as the carrier. It can identify the identity remotely without divulging identity information. It can also be defined as follows: it is issued by the competent national authority, has a one-to-one correspondence with the personal identity of the individual, and is used to identify the citizen's real identity online; it consists of a pair of asymmetric keys and a digital certificate containing the public key and associated information.
  • the electronic identity identification is a series of codes used to replace the plaintext identity information of the citizen. According to this code, the corresponding plaintext identity information cannot be reversed.
  • the series of codes takes the form of a digital certificate, consisting of a pair of asymmetric keys and a digital certificate containing the public key and related information, which can generally be generated by a security chip that stores the electronic identity; the public key can be exported to a digital certificate authority (such as a certificate authority, CA; the public security department can act in this role), which uses it to generate the digital certificate, whereas the private key cannot be exported and is mainly used to generate signatures over service data in subsequent service operations.
  • the certificate described here consists of a number of fields, such as: the public key information of the electronic identity holder (including the above public key and the identifier of the corresponding public key algorithm); the issuing authority; the signature (usually calculated by signing the above public key with the institution's own private key); the authority code; the serial number (the number that uniquely identifies the certificate); and the code representing the holder of the electronic identity information, for example eID_code, a character code obtained by calculating and processing the actual plaintext identity information of a citizen according to a specific rule.
  • FIG. 1 is a schematic diagram of a system architecture for identity authentication based on eID technology.
  • the system includes:
  • the eID issuing organization 101 (also known as the eID center) connects to the Ministry of Public Security's Population Library's “Citizen Network Identification System of the Ministry of Public Security” and assumes the eID issuance and management functions.
  • the eID registration and issuer 102 undertakes the registration and issuance functions of the eID carrier, can provide an eID-loading carrier, a wide distribution channel, and a strict identity verification and face-to-face verification procedure, and can apply to become an eID registration issuer (such as a bank).
  • the eID network identity service provider 103 which is connected to the eID issuing organization 101 and accesses the service organization of the network application (ie, online application), undertakes the eID network identity basic service and related security value-added services.
  • the online application 104 refers to a ubiquitous network service, and an application requiring an eID network identity and security service can access the eID network identity service provider 103.
  • the eID carrier 105 which is a smart security chip that meets the requirements of the eID high-strength security mechanism, can be used as a carrier of the eID to securely store the eID, for example, a financial IC card, a social security card, a smart phone, a wearable device, and the like.
  • each citizen can choose to have the eID function enabled on only one eID carrier.
  • the eID carrier can be replaced, but the eID can be enabled on the new carrier only after the eID on the original carrier is logged off.
  • alternatively, each citizen may choose to activate the eID function on multiple eID carriers, with one eID carrier as the primary eID carrier and the others as secondary eID carriers.
  • the primary eID carrier can be used alone for identity authentication of the service requester of a certain service.
  • a secondary eID carrier may not be used alone; it needs to be used together with a primary eID carrier for identity authentication of the service requester of a certain service.
  • the bank counter personnel can send the identity information submitted by the user (i.e., the name and ID number) to the eID center (i.e., the eID issuing authority 101), and the eID center then submits the user identity information (for example, the ID number, the avatar, etc.) to the public security population database for verification to ensure the accuracy of the identity information.
  • the eID center then generates an eID certificate for the user and delivers the certificate to the bank outlet.
  • the bank outlet writes the eID certificate to the bank card (i.e., eID carrier 105) applied for by the user.
  • the eID technology involves the private key and the public key of the electronic identity (which may also be referred to as the private key and the public key of the electronic identity holder; for example, they can correspond to the asymmetric key of the citizen network electronic identity defined in “Information security technology - Citizen network electronic identity format specification”), so the system may also include a Certification Authority (CA) to prove the credibility of the public key and other related information associated with its owner.
  • the Public Key is a key that can be exposed in an asymmetric key pair used by an entity.
  • a public key certificate (Public Key Certificate) is the unforgeable public key information of an entity, issued by a CA.
  • the certification authority may be set up separately or integrated in the eID network identity service provider 103, and is therefore not shown in FIG. 1.
  • the online application 104 can be installed in a terminal, which can be a user terminal (such as a mobile phone, a tablet computer, etc.) or a point of sale (POS) device, which can accept bank card information, has a communication function, and accepts the instructions of the teller to complete the information exchange related to the financial transaction.
  • the eID carrier 105 can be installed in a terminal, which can be a user terminal, and the terminal has a communication function.
  • the eID carrier 105 may also be a separate entity (such as an eID card) outside the user terminal, such as a bank card with a security chip, and may communicate with the user terminal through near field communication (NFC), Bluetooth, or the like, or through an interface technology such as Universal Serial Bus (USB) or audio.
  • the online application 104 and the eID carrier 105 are installed in the same terminal, and the online application 104 and the eID carrier 105 exchange information through an internal communication mechanism.
  • the online application 104 and the eID carrier 105 are installed in different terminals, and the two terminals exchange information by short-range wireless communication technology, so that information can be exchanged securely and quickly, for example, for transactions.
  • the short-range wireless communication technology may include Near Field Communication (NFC) technology, Bluetooth (Blue Tooth) technology, Wi-Fi technology, and ZigBee technology, but the embodiment of the present invention is not limited thereto.
  • the embodiment of the present invention provides a solution that, in combination with the eID verification service, obtains part of the user identity information selectively based on the service, and determines whether to allow the current service operation based on the obtained partial user identity information, thereby eliminating the need for the user to manually provide plaintext identity information to the service provider and avoiding leakage of critical user privacy data and redundancy of non-essential information.
  • a part of the user identity information (such as biometric information, for example an avatar) may be compared with the information of the service requester collected by the terminal, thereby ensuring that the service requester and the electronic identity holder (such as the eID holder) are indeed the same person, that is, achieving unity of person and identity.
  • in one case, the electronic identity holder is the service requester, that is, person and identity are assumed to be unified.
  • the terminal executes the first service when the required identity information satisfies the requirement of performing the first service or the identity information check result is yes.
  • FIG. 2A is a flowchart of a method for acquiring identity information according to an embodiment of the present invention.
  • the embodiment assumes that an electronic identity holder is a service requester, and the method includes:
  • Step 201 The terminal determines an identity information identifier required by the first service.
  • the terminal determines the required identity information identifier according to a pre-stored mapping table of the service application identifier and the required identity information identifier; or the terminal determines the required identity information identifier according to a user instruction; or the terminal receives the required identity information identifier from a service server corresponding to the first service.
  • Step 202 The terminal sends a request message, where the request message includes first electronic identity data and first information, where the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and, when the identity verification of the electronic identity holder passes, the first information is used by the verification server to obtain the required identity information from all identity information of the electronic identity holder.
  • the first information may be a required identity information identifier; the verification server then obtains the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier.
  • the first information may be a service application identifier of the first service and a service type identifier of the first service; in this case, step 201 is not required to be performed.
  • the verification server determines, according to the service type identifier of the first service, that the first service needs the identity authentication service and needs to obtain the identity information required by the service; determines, according to the service application identifier of the first service and the pre-configured mapping information of the service application identifier and the required identity information identifier, the identity information identifier required by the first service; and obtains the required identity information from all the identity information of the electronic identity holder according to the identity information identifier required by the first service.
  • the mapping table described above may be configured when the verification server registers the identity information customization service required for the first service.
  • the first electronic identity data may be signature data generated by the terminal using the private key of the electronic identity holder to sign the service data of the first service; or signature data that the terminal obtains from the security device in which the private key of the electronic identity holder is located, generated by that security device using the private key of the electronic identity holder to sign the service data of the first service.
  • the original data calculated by the above signature may include not only the service data but also the first information.
  • Step 203 The terminal receives a response message, where the response message includes the required identity information or an identity information check result obtained based on the required identity information.
  • the foregoing identity information check result is used to indicate whether the required identity information satisfies the service requirement. For example, when the identity information check result is yes, it indicates that the required identity information satisfies the service requirement; when the identity information check result is no, it indicates that the required identity information does not satisfy the service requirement.
  • the required identity information may be a single identity information (for example, age), and the service requirement may be embodied as a single check condition for that identity information; if the single check condition is met, the identity information check result is yes, otherwise the identity information check result is no.
  • the required identity information may also be a plurality of identity information (for example, age and gender), each identity information having its own single check condition, and the service requirement may be embodied as the single check condition corresponding to each identity information; when every identity information satisfies its single check condition, the identity information check result is yes, otherwise the identity information check result is no.
  • the service requirement may also be embodied as determining a comprehensive check result according to whether each identity information satisfies the single check condition corresponding to that identity information, where the comprehensive check result needs to satisfy a comprehensive check condition: if the comprehensive check condition is met, the identity information check result is yes; if the comprehensive check condition is not met, the identity information check result is no.
  • the terminal may directly send the request message to the verification server in step 202; accordingly, in step 203, the terminal receives the response message from the verification server. Alternatively, in step 202, the terminal may send the request message to the service server, which forwards it to the verification server; accordingly, in step 203, the terminal receives the response message from the service server, where the service server sends that response message after receiving the response message from the verification server.
  • Step 204 When the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal performs the first service.
  • the terminal can acquire the required identity information at the same time as the identity authentication, and does not need to provide the plaintext information to the service provider without the service request, can avoid the leakage of the key privacy data, and avoid the redundancy of the non-essential information.
  • in another case, the electronic identity holder is not necessarily the service requester (e.g., the electronic identity holder's eID card is stolen), that is, it is necessary to verify whether person and identity are unified.
  • the terminal executes the first service when the required identity information satisfies the requirement for executing the first service or the identity information check result is yes, and the verification result of person-identity unity is yes.
  • the terminal acquires biometric information of the service requester of the first service; when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, the verification result of person-identity unity is determined to be yes.
  • FIG. 2B is a flowchart of another method for obtaining identity information according to an embodiment of the present invention.
  • the embodiment assumes that an electronic identity holder is not necessarily a service requester, and the method includes:
  • Step 211 The terminal determines an identity information identifier required by the first service.
  • Step 212 The terminal sends a request message, where the request message includes first electronic identity data and first information, where the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and, when the identity verification of the electronic identity holder passes, the first information is used by the verification server to obtain the required identity information from all identity information of the electronic identity holder.
  • the first information may be a required identity information identifier; the verification server then obtains the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier.
  • the first information may be a service application identifier of the first service and a service type identifier of the first service; in this case, step 211 need not be performed.
  • the verification server determines, according to the service type identifier of the first service, that the first service needs the identity authentication service and needs to obtain the identity information required by the service; determines, according to the service application identifier of the first service and the pre-configured mapping information of the service application identifier and the required identity information identifier, the identity information identifier required by the first service; and obtains the required identity information from all the identity information of the electronic identity holder according to the identity information identifier required by the first service.
  • Step 213 The terminal receives a response message, where the response message includes the required identity information or an identity information check result obtained based on the required identity information.
  • the terminal may directly send the request message to the verification server in step 212; accordingly, in step 213, the terminal receives the response message from the verification server. Alternatively, in step 212, the terminal may send the request message to the service server, which forwards it to the verification server; accordingly, in step 213, the terminal receives the response message from the service server, where the service server sends that response message after receiving the response message from the verification server.
  • Step 214 The terminal acquires biometric information of the service requester of the first service.
  • Step 215 When the required identity information satisfies the requirement for executing the first service, or the identity information check result is yes, and the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, the terminal executes the first service.
  • the biometric information of the service requester and the biometric information in the required identity information can be compared by the terminal.
  • the terminal sends the biometric information of the service requester to the service server corresponding to the first service, where the biometric information of the service requester is used by the service server to compare the biometric information of the service requester with Biometric information in the required identity information; the terminal receiving the result of the comparison from the service server.
  • the terminal sends the biometric information of the service requester to the verification server, where the biometric information of the service requester is used by the verification server to compare the biometric information of the service requester with the required Biometric information in the identity information; the terminal receives the result of the comparison from the authentication server.
  • the terminal can acquire the required identity information at the same time as the identity authentication, and can ensure that the identity of the person is unified (that is, the electronic identity holder is consistent with the service requester).
  • on the one hand, the terminal can avoid leakage of key private data and avoid redundancy of non-essential information without requiring the service requester to provide plaintext information to the service provider; on the other hand, it can prevent a stolen electronic identity from being used.
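  The request/response exchange of FIG. 2A (steps 202 to 204) together with the biometric comparison of FIG. 2B (steps 214 and 215), as an added example in Go that is not part of the patent and not code from any eID deployment. The terminal signs the service data together with the first information; the verification server verifies the signature against the holder's certificate public key and releases only the identity information that the first information selects, in either of its two forms; the check conditions of step 203 turn the released information into a yes/no result; and a constant-time comparison stands in for the biometric match. Ed25519 as the signature scheme, the SHA-256 binding of the signed payload, the service type value `auth-with-identity-info`, the eID code `EID_SAMPLE_0001`, the sample identity record and the biometric template strings are all constructed assumptions, not values from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// RequestMessage is the request of step 202/212: first electronic identity data (Signature) plus
// first information, which is either RequiredIDs or the pair AppID + ServiceType.
type RequestMessage struct {
	EIDCode, AppID, ServiceType string
	ServiceData, Signature      []byte
	RequiredIDs                 []string
}

// Holder is what the verification server stores per electronic identity: the certificate's public
// key and all of the holder's identity information (constructed sample, not a real identity store).
type Holder struct {
	PubKey   ed25519.PublicKey
	Identity map[string]string
}

// VerificationServer holds the identity store and the mapping table from service application
// identifier to required identity information identifiers (filled in at registration time).
type VerificationServer struct {
	Holders map[string]Holder
	Mapping map[string][]string
}

// signedPayload binds the service data and the first information into the signed bytes (assumed
// binding; the text only says the signed data may include the first information).
func signedPayload(m RequestMessage) []byte {
	h := sha256.New()
	h.Write(m.ServiceData)
	h.Write([]byte("|" + m.AppID + "|" + m.ServiceType))
	for _, id := range m.RequiredIDs {
		h.Write([]byte("|" + id))
	}
	return h.Sum(nil)
}

// BuildRequest is the terminal side: the eID private key (in practice held by the security chip
// and never exported) signs the service data together with the first information.
func BuildRequest(priv ed25519.PrivateKey, eid string, data []byte, appID, svcType string, required []string) RequestMessage {
	m := RequestMessage{EIDCode: eid, ServiceData: data, AppID: appID, ServiceType: svcType, RequiredIDs: required}
	m.Signature = ed25519.Sign(priv, signedPayload(m))
	return m
}

// Handle is the verification server side: verify the holder's identity through the signature, then
// release only the identity information that the first information selects.
func (vs *VerificationServer) Handle(m RequestMessage) (map[string]string, error) {
	h, ok := vs.Holders[m.EIDCode]
	if !ok {
		return nil, errors.New("unknown electronic identity")
	}
	if !ed25519.Verify(h.PubKey, signedPayload(m), m.Signature) {
		return nil, errors.New("identity verification failed")
	}
	required := m.RequiredIDs
	if len(required) == 0 { // second form of first information: service type + mapping table
		if m.ServiceType != "auth-with-identity-info" { // constructed service type identifier
			return nil, errors.New("service type does not request identity information")
		}
		if required, ok = vs.Mapping[m.AppID]; !ok {
			return nil, errors.New("service application identifier not registered")
		}
	}
	out := map[string]string{}
	for _, id := range required {
		v, ok := h.Identity[id]
		if !ok {
			return nil, errors.New("identity information not available: " + id)
		}
		out[id] = v
	}
	return out, nil
}

// CheckIdentity applies one single check condition per identity information, then the comprehensive
// check condition over the per-item results; the return value is the yes/no check result.
func CheckIdentity(info map[string]string, single map[string]func(string) bool, comprehensive func(map[string]bool) bool) bool {
	results := map[string]bool{}
	for id, cond := range single {
		v, ok := info[id]
		results[id] = ok && cond(v)
	}
	return comprehensive(results)
}

// BiometricMatch is the FIG. 2B step 215 comparison: the biometric collected from the service
// requester must match the biometric in the required identity information (modelled as templates).
func BiometricMatch(collected, fromIdentity []byte) bool {
	return subtle.ConstantTimeCompare(collected, fromIdentity) == 1
}

// NewSampleSystem constructs one holder with a fresh eID key pair and a server that knows it.
func NewSampleSystem() (*VerificationServer, ed25519.PrivateKey, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	eid := "EID_SAMPLE_0001" // constructed eID code, not a real identifier
	holder := Holder{pub, map[string]string{"age": "34", "gender": "F", "name": "Sample Holder", "face_template": "ft-7a2c"}}
	return &VerificationServer{map[string]Holder{eid: holder}, map[string][]string{"app.sample-store": {"age", "face_template"}}}, priv, eid
}
```

  The example generalizes slightly beyond the text: `CheckIdentity` takes the single check conditions and the comprehensive condition as functions, so the single-item, per-item and comprehensive cases of step 203 are three parameterizations of one routine. The server releases identity information only after the signature verifies, so a request whose service data was altered after signing, or that names an unregistered service application, yields an error and no partial data.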
  • FIG. 2C is a flowchart of another method for obtaining identity information according to an embodiment of the present invention.
  • the terminal further performs identity information customization service registration before sending the first message; the registration process may be combined with FIG. 2A or with FIG. 2B, and this embodiment is described taking the combination of the registration process with FIG. 2A as an example. The method includes:
  • Step 221 The terminal determines an identity information identifier required by the first service.
  • Step 222 The terminal sends a request message to the service server corresponding to the first service, where the request message is used to request the service server to register the identity information customization service required for the first service to the verification server.
  • the request message may carry the service application identifier of the first service.
  • if the verification server determines, according to the information of the service provider of the first service, that the service provider is legal, the verification server adds the service application identifier of the first service to the whitelist.
  • the request message may include a service application identifier of the first service and an identity information identifier required by the first service.
  • the verification server may further save the service application identifier and the required identity information identifier corresponding to the service application identifier in the mapping table.
  • Step 223 The terminal receives a response message from the service server, where the response message is used to notify the identity information customization service that the registration is successful.
  • the method may further include: the terminal adds the service application identifier of the first service to the whitelist; after the request for the first service is triggered, the terminal determines whether the whitelist includes the service application identifier of the first service; if so, step 224 is performed, otherwise the subsequent steps are not performed.
  • Step 224 The terminal sends a request message, where the request message includes first electronic identity data and first information, where the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used by the verification server to obtain the required identity information from all identity information of the electronic identity holder.
  • the first information may be the required identity information identifier; the verification server obtains the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier.
  • the first information may be a service application identifier of the first service and a service type identifier of the first service; in this case, step 221 need not be performed.
  • the verification server determines, according to the service type identifier of the first service, that the first service needs the identity authentication service and needs to obtain the identity information required by the service; determines the identity information identifier required by the first service according to the service application identifier of the first service and the pre-configured mapping information between service application identifiers and required identity information identifiers; and obtains the required identity information from all the identity information of the electronic identity holder according to the identity information identifier required by the first service.
  • when the first information is a service application identifier of the first service and a service type identifier of the first service, a whitelist of valid service application identifiers is established in the verification server.
  • after determining that the whitelist includes the service application identifier of the first service, the verification server determines the identity information identifier required by the first service from the pre-configured mapping table of service application identifiers and required identity information identifiers according to the service application identifier of the first service, and obtains the required identity information from all identity information of the electronic identity holder according to the identity information identifier required by the first service.
  • Step 225 The terminal receives a response message, where the response message includes the required identity information or an identity information collation result obtained based on the required identity information.
  • Step 226 When the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal performs the first service.
  • the embodiment of the present invention can ensure that only the service that the verification server confirms to be legitimate can initiate the process of acquiring the required identity information.
  • in FIG. 2B, whether the electronic identity holder and the service requester are the same person is determined on the basis of the identity information required by the service that has been obtained.
  • the identity information customization service is registered in FIG. 2C so that the identity information required by the service can be obtained. The foregoing thus describes how to obtain the identity information required by the service, how to determine on that basis whether the holder and the requester are the same person, and how to register the identity information customization service.
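The registration and request flow of steps 221-226, as an added example that is not part of the patent or of any eID implementation: a minimal verification server in Go that whitelists a registered service application, verifies the holder's identity with an Ed25519 signature standing in for the first electronic identity data, and then releases only the identity information the application registered for. Type names, identifiers and sample data are constructed.

```go
// Added example (not the patent's own code): a verification server for the
// registration and request flow of steps 221-226. Type names, identifiers and
// sample data are constructed; an Ed25519 signature over the service data
// stands in for the first electronic identity data.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// IdentityRecord is all identity information held for one electronic identity holder.
type IdentityRecord struct {
	PubKey ed25519.PublicKey
	Fields map[string]string // e.g. "age" -> "34"
}

// VerificationServer holds the whitelist of registered service application
// identifiers and the mapping table from application identifier to the
// identity information identifiers that application requires.
type VerificationServer struct {
	whitelist map[string]bool
	mapping   map[string][]string
	holders   map[string]IdentityRecord
}

func NewVerificationServer() *VerificationServer {
	return &VerificationServer{
		whitelist: map[string]bool{},
		mapping:   map[string][]string{},
		holders:   map[string]IdentityRecord{},
	}
}

// AddHolder enrols a holder's public key and identity information (issuing side).
func (s *VerificationServer) AddHolder(id string, rec IdentityRecord) { s.holders[id] = rec }

// Register models steps 222-223 on the server side: the application identifier
// is whitelisted and its needs recorded only if the provider is judged legal.
func (s *VerificationServer) Register(app string, providerLegal bool, needed []string) error {
	if !providerLegal {
		return errors.New("service provider not legal: registration refused")
	}
	s.whitelist[app] = true
	s.mapping[app] = needed
	return nil
}

// Request is the message of step 224. The first electronic identity data is
// the holder identifier plus a signature over the service data; the first
// information is the service application identifier and service type identifier.
type Request struct {
	HolderID    string
	ServiceData []byte // e.g. a service serial number
	Signature   []byte
	ServiceApp  string
	ServiceType string // "auth+info" also asks for identity information
}

// Handle verifies the holder's identity first and only then releases the
// subset of identity information the whitelisted application registered for.
func (s *VerificationServer) Handle(r Request) (map[string]string, error) {
	rec, ok := s.holders[r.HolderID]
	if !ok {
		return nil, errors.New("unknown electronic identity")
	}
	if !ed25519.Verify(rec.PubKey, r.ServiceData, r.Signature) {
		return nil, errors.New("identity verification failed")
	}
	if r.ServiceType != "auth+info" {
		return map[string]string{}, nil // authentication only, no identity information
	}
	if !s.whitelist[r.ServiceApp] {
		return nil, errors.New("service application not whitelisted")
	}
	out := map[string]string{}
	for _, id := range s.mapping[r.ServiceApp] {
		if v, present := rec.Fields[id]; present {
			out[id] = v // only the registered items leave the server
		}
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewVerificationServer()
	s.AddHolder("eid-0001", IdentityRecord{PubKey: pub, Fields: map[string]string{
		"name": "Example Holder", "age": "34", "id_number": "constructed-id"}})
	_ = s.Register("shop-app", true, []string{"age"}) // steps 221-223
	data := []byte("service-serial-42")
	req := Request{HolderID: "eid-0001", ServiceData: data, Signature: ed25519.Sign(priv, data),
		ServiceApp: "shop-app", ServiceType: "auth+info"}
	fmt.Println(s.Handle(req)) // map[age:34] <nil>: name and ID number are never released
	req.ServiceApp = "unregistered-app"
	fmt.Println(s.Handle(req)) // map[] service application not whitelisted
}
```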
  • the method for obtaining identity information provided by the embodiment of the present invention is combined with the identity authentication technology.
  • eID technology can be used for identity authentication, and other electronic identity authentication technologies can also be used, so as to obtain the identity information required by the service while authenticating. Since the system architecture shown in FIG. 1 is relatively complicated and is specific to eID technology, it is abstracted into the system architecture shown in FIG. 3 for generality.
  • FIG. 3 is a schematic structural diagram of a system based on a method for acquiring identity information according to an embodiment of the present invention.
  • the system includes a terminal 301, an authentication server 302, and a service server 303.
  • terminal 301 can correspond to the terminal in which the online application 104 is located in FIG.
  • terminal 301 includes a business application and an electronic identity client (e.g., an eID client), wherein the business application can include the online application 104 shown in FIG.
  • the business application can be embodied in the form of a business APP for providing online application functionality.
  • the above-mentioned business application can be embedded in the electronic identity client, or the business application and the electronic identity client are independent of each other and the electronic identity client is invoked by the business application; the electronic identity client can be used to generate or obtain data characterizing the user, such as the first electronic identity data described above in FIGS. 2A-2C. The eID client is taken as an example.
  • the eID client is mainly used to read and write eID cards.
  • the eID card can be an independent card, such as a bank card loaded with an eID function; the eID card can generate the first electronic identity data for reading by the eID client, and reading and writing of the eID card can be realized by short-range wireless communication technology.
  • the short-range wireless communication technology may be, for example, near field communication (NFC) technology.
  • NFC technology is a short-range wireless connection technology based on radio frequency identification (RFID), which uses magnetic field induction to realize communication between electronic devices at close range; the user only needs to touch the devices together or bring them close for information to be exchanged and transactions to be completed securely and quickly, such as near-field payments.
  • the NFC operates at a frequency of 13.56 MHz with an effective communication range of 0-20 cm and a typical value of 4 cm.
  • the eID card can also be integrated in the terminal, in which case reading and writing of the eID card can be implemented through the internal communication mechanism of the terminal.
  • the above-mentioned electronic identity client may also be other types of clients other than the eID client.
  • for example, an electronic identity identifier (which may be different from the eID, such as a string of characters representing the identity of the user) may be stored directly in a secure electronic chip (such as the secure element SE on the mobile phone or the trusted execution environment TEE), and the encrypted electronic identity is read out as the first electronic identity data; specifically, the electronic identity client invokes the corresponding trusted application in the security chip to generate the first electronic identity data (which need not be signature data; for example, the stored electronic identity may be encrypted using the public key of the authentication server).
  • the terminal 301 may be a smart terminal such as a mobile phone or a PC (a suitable scenario is that a user performs online shopping or other online services on a mobile phone or PC and certain specific identity information needs to be verified), or may be a dedicated terminal such as a POS terminal (suitable scenarios are those in which physical stores, government workers, etc. need to verify certain specific identity information of citizens).
  • the above-mentioned services include business operations such as online shopping, specific order submission operations or payment confirmation operations in online shopping, electronic voting, booking of hotel housing, sending and receiving express, traffic police verification and other government affairs, temporary use or lease of public facilities.
  • the authentication server 302 may correspond to the eID network identity service provider 103 of FIG. 1 (or may also correspond to the eID network identity service provider 103 together with the eID issuing authority 101), and is configured to verify the electronic identity data provided by the terminal (for example, signature data calculated by signing the service data with the electronic identity holder's private key, which is verified correspondingly with the electronic identity holder's public key) and to provide the identity information required by the service.
  • the service server 303 is configured to perform one or more services in cooperation with the service application on the terminal 301.
  • when the first communication path (that is, communication path 1) is used, the service server 303 does not participate in the process of acquiring identity information; communication path 1 is shown in solid lines in FIG. 3.
  • when the second communication path (that is, communication path 2) is used, the service server 303 participates in the process of acquiring the identity information; communication path 2 is shown by a broken line in FIG.
  • the communication path 1 or the communication path 2 can be used to implement the method for obtaining identity information provided by the embodiment of the present invention.
  • in the first communication path (that is, communication path 1), the terminal 301 (for example, the service APP through the eID client) directly requests the authentication server 302 (for example, the eID server) to perform identity authentication and to return the identity information required by the service or the identity information collation result (for example, after obtaining the signature, the service APP requests the eID client to send the signature and other related information directly to the verification server for processing).
  • the communication path passes through the terminal 301 and the authentication server 302 without passing through the service server 303, that is, the terminal 301 directly sends a request to the authentication server 302.
  • in the second communication path (that is, communication path 2), the terminal 301 (for example, after the service APP obtains the signature through the eID client) requests the authentication server 302 (for example, the eID server) through the service server 303 to perform identity authentication and to return the identity information or check result required by the service.
  • the communication path passes through the terminal 301, the service server 303, and the authentication server 302, that is, the terminal 301 indirectly transmits a request to the authentication server 302 through the service server 303.
  • the terminal 301 may first determine the identity information identifier required by the first service, and then send a request message to the authentication server 302 or the service server 303, where the request message includes the first electronic identity data and first information; the first electronic identity data is used by the verification server 302 to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and when the identity verification of the electronic identity holder passes, the first information is used by the verification server 302 to obtain the identity information required by the first service from all identity information of the electronic identity holder.
  • the terminal 301 receives a response message from the authentication server 302 or the service server 303, the response message including the required identity information or the identity information collation result obtained based on the required identity information.
  • in the first communication path, the terminal 301 determines the identity information identifier required by the first service; the terminal 301 sends a request message to the authentication server 302, where the request message includes the first electronic identity data and first information; the verification server 302 verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data; when the identity verification passes, it obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the first information; the verification server 302 sends a response message to the terminal 301, where the response message includes the required identity information or the identity information collation result obtained based on the required identity information.
  • the service server 303 does not participate in the process of acquiring the identity information, and only performs the corresponding service process flow when the required identity information meets the service requirements, and details are not described herein.
  • in the second communication path, the terminal 301 sends a request message to the service server 303 corresponding to the first service, where the request message includes first electronic identity data, first information, and indication information;
  • the service server 303 sends the first electronic identity data and the first information to the verification server 302 according to the indication information;
  • the verification server 302 verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data; when the identity verification passes, it obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the first information; the verification server 302 sends the required identity information, or the identity information collation result obtained based on the required identity information, to the service server 303;
  • the service server 303 sends a response message to the terminal 301, where the response message includes the required identity information or the identity information check result.
  • the verification server 302 can directly send the identity information required by the service to the terminal 301 according to the request of the terminal 301, and the terminal 301 checks whether the identity information required by the service satisfies the service requirement. When it does, the verification result is yes and the terminal 301 executes the service; when it does not, the verification result is no and the terminal 301 does not perform the service.
  • the verification server 302 can directly send the identity information required by the service to the terminal 301 according to the request of the terminal 301, and the terminal 301 sends the identity information required by the service to the service server 303.
  • the service server 303 checks whether the identity information required by the service meets the service requirement. When it does, the verification result is yes and the service server 303 sends the verification result to the terminal 301 so that the terminal 301 performs the service; when it does not, the verification result is no and the service server 303 sends the verification result to the terminal 301 so that the terminal 301 does not perform the service.
  • the verification server 302 can check whether the identity information required by the service meets the service requirement according to the request of the terminal 301. When it does, the verification result is yes and the verification server 302 sends the verification result to the terminal 301 so that the terminal 301 performs the service; when it does not, the verification result is no and the verification server 302 sends the verification result to the terminal 301 so that the terminal 301 does not perform the service.
  • the identity information required by the service may include the basic identity information of the individual, such as the age, gender or marital status of the citizen, and/or identity relationship information between the service requester and other users, such as kinship or an agency relationship. It can be understood that the identity information required by the service may be the entire content of the identity information (referred to as all identity information) or part of the identity information (referred to as partial identity information).
  • partial identity information may refer to plaintext basic identity information such as photo, name, ID number or date of birth, or may refer to basic identity information indicating only, for example, whether the user has reached the age of X or whether the electronic driver's license is valid.
  • the agency relationship can include agency relationships in various scenarios, such as loans, legal entrustments, etc.
  • in an agency relationship, the principal (that is, the electronic identity holder, such as the eID holder) hands over the electronic identity (such as an eID card, or even a copy of the eID card, which can be understood by analogy with a copy of the current second-generation ID card) to the agent (that is, the service requester, who is also the current user of the eID card), and the agent uses it directly.
  • the party on whom the service takes effect is the principal, not the agent.
  • the service requirement may be a requirement that the service provider checks the specific identity information of the service requester (that is, the identity information required by the service) when the service requester uses a service through the service APP, for example, checking the user photo.
  • one or more pieces of information such as age, gender, nationality, marital status or e-mail validity period may need to be checked, and even the relationship between multiple users. For example, when buying tobacco and alcohol, the age of the consumer in particular needs to be checked; when a guest checks into a hotel, the photo, name and even marital status of the guest often need to be checked; when sending a courier parcel, the name and contact information of the sender may need to be checked.
  • the traffic police may need to check the driver's photos, the validity period of the electronic driver's license, etc., and the use of certain public facilities (such as locker rooms) may require special checks on the gender of the user.
  • the identity information required by the business may include one or more identity information, such as age and nationality, and each identity information needs to be checked.
  • the server may feed back the check result of each item of identity information (hereinafter referred to as a single check result) to the terminal, so that the terminal determines whether the service is allowed to be executed according to all the single check results; or the server may determine a comprehensive check result according to the check result of each item of identity information and feed back the comprehensive check result to the terminal, so that the terminal determines whether to allow the service to be performed according to the comprehensive check result.
  • when the terminal needs to check the identity information required by the service, the terminal may present the identity information required by the service to the service provider (such as a merchant) through a display screen or other means (such as voice).
  • after manually confirming that the service requirements are met, the service provider indicates in a certain way (such as clicking a confirmation button) that the service is allowed to be executed; alternatively, the terminal can check the identity information required by the service through the service APP without manual intervention.
  • the verification server 302 can directly send the identity information required by the service to the service server 303 according to the request of the service server 303, and the service server 303 checks whether the identity information required by the service satisfies the service requirement. When it does, the verification result is yes and the service server 303 sends the verification result to the terminal 301 so that the terminal 301 performs the service; when it does not, the verification result is no and the service server 303 sends the verification result to the terminal 301 so that the terminal 301 does not perform the service.
  • the verification server 302 can directly send the identity information required by the service to the service server 303 according to the request of the service server 303, and the service server 303 forwards the identity information required by the service to the terminal 301.
  • the terminal 301 checks whether the identity information required by the service meets the service requirement. When it does, the verification result is yes and the terminal 301 executes the service; when it does not, the verification result is no and the terminal 301 does not execute the service.
  • the verification server 302 can check whether the identity information required by the service meets the service requirement according to the request of the service server 303. When it does, the verification result is yes, the verification server 302 sends the verification result to the service server 303, and the service server 303 sends it to the terminal 301 so that the terminal 301 performs the service; when it does not, the verification result is no, the verification server 302 sends the verification result to the service server 303, and the service server 303 sends it to the terminal 301 so that the terminal 301 does not perform the service.
  • the terminal executing the service can be understood as, for example, online shopping or a specific order submission or payment confirmation operation within online shopping, electronic voting, booking of hotel accommodation, sending and receiving express parcels, traffic police verification and other government affairs activities, or temporary use or lease of public facilities. If it is determined, according to the received identity information required by the service or the received identity information verification result, that the required identity information meets the service requirements, the subsequent processes continue, such as successful order submission and the subsequent payment operation, or, after a successful hotel reservation, assigning the service requester a room number and sending a mail or SMS notification.
  • the terminal not performing the service can be understood as terminating the current service process if it is determined, according to the received identity information required by the service or the received identity information verification result, that the identity information required by the service does not meet the service requirement, for example prompting that order submission or payment has failed together with the reason for the failure.
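The single and comprehensive check results described above, and the terminal's decision to execute or terminate the service, as an added example that is not part of the patent: the service requirement (adult age, licence validity, nationality) and the identity information values are constructed for illustration, and a required item that was not returned counts as a failed single check.

```go
// Added example (not the patent's own code): collating required identity
// information into single check results and a comprehensive check result.
// The service requirement and the identity information values are constructed.
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Rule is one service requirement on one item of required identity information.
type Rule struct {
	InfoID string            // identity information identifier, e.g. "age"
	Check  func(string) bool // single check on the item's value
	Reason string            // reported to the requester when the check fails
}

// CheckResult holds each single check result and the comprehensive result.
type CheckResult struct {
	Single   map[string]bool
	Overall  bool
	Failures []string
}

// AgeAtLeast passes when the value is an integer age of at least min years.
func AgeAtLeast(min int) func(string) bool {
	return func(v string) bool {
		age, err := strconv.Atoi(strings.TrimSpace(v))
		return err == nil && age >= min
	}
}

// NotExpiredOn passes when a YYYY-MM-DD expiry date is on or after the given day.
func NotExpiredOn(day time.Time) func(string) bool {
	day = time.Date(day.Year(), day.Month(), day.Day(), 0, 0, 0, 0, time.UTC)
	return func(v string) bool {
		exp, err := time.Parse("2006-01-02", strings.TrimSpace(v))
		return err == nil && !exp.Before(day)
	}
}

// OneOf passes when the value is one of the allowed values.
func OneOf(allowed ...string) func(string) bool {
	set := map[string]bool{}
	for _, a := range allowed {
		set[a] = true
	}
	return func(v string) bool { return set[strings.TrimSpace(v)] }
}

// Collate evaluates every rule and yields the single check results plus the
// comprehensive result, which is yes only when every single result is yes.
// A required item that was not returned counts as a failed single check.
func Collate(rules []Rule, info map[string]string) CheckResult {
	res := CheckResult{Single: map[string]bool{}, Overall: true}
	for _, r := range rules {
		v, present := info[r.InfoID]
		ok := present && r.Check(v)
		res.Single[r.InfoID] = ok
		if !ok {
			res.Overall = false
			res.Failures = append(res.Failures, r.Reason)
		}
	}
	return res
}

// Decide is the terminal's step: execute the service on a comprehensive yes,
// otherwise terminate the service process and report the reason.
func Decide(res CheckResult) string {
	if res.Overall {
		return "execute service"
	}
	return "terminate service: " + strings.Join(res.Failures, "; ")
}

// ExampleRules is a constructed service requirement combining checks the
// description mentions: adult age, an unexpired electronic driver's licence
// and an eligible nationality.
func ExampleRules(today time.Time) []Rule {
	return []Rule{
		{"age", AgeAtLeast(18), "requester is under 18"},
		{"driver_license_valid_until", NotExpiredOn(today), "electronic driver's licence expired"},
		{"nationality", OneOf("CN", "HK", "MO"), "nationality not eligible"},
	}
}

func main() {
	today := time.Date(2019, 3, 18, 0, 0, 0, 0, time.UTC) // constructed date
	// Constructed required identity information as returned by the verification server.
	info := map[string]string{"age": "17", "driver_license_valid_until": "2021-06-30", "nationality": "CN"}
	res := Collate(ExampleRules(today), info)
	fmt.Println(res.Single, res.Overall) // map[age:false driver_license_valid_until:true nationality:true] false
	fmt.Println(Decide(res))             // terminate service: requester is under 18
}
```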
  • the foregoing first communication path only passes through the terminal 301 and the verification server 302, specifically involving communication between the service APP and the eID client locally on the terminal, and does not pass through the service server 303, which can simplify the communication process and shorten the server-side delay.
  • the foregoing second communication path not only passes through the terminal 301 and the verification server 302 but also passes through the service server 303, which facilitates the control of the service by the service server 303.
  • in the second communication path, the terminal side can obtain the signature data (that is, the data obtained by signing the service data, such as a service serial number, with the private key of the eID) by having the service APP call the eID client as in the prior art, and report it to the service server.
  • the service server side determines the identity information required for the current service, supplements the data reported by the terminal according to the service requirement, and sends the related information to the verification server together with the signature data reported by the terminal, so that only the service server side and the verification server side need to be modified, without changes on the terminal side, and the implementation is relatively uncomplicated.
  • FIG. 4 is a schematic diagram of a communication method for acquiring identity information according to an embodiment of the present invention.
  • the method may be based on the system architecture shown in FIG. 2, adopts the first communication path to obtain the identity information or identity information verification result required by the service, and the terminal determines whether to perform the service according to the identity information required by the service or the identity information verification result, without requiring any indication from the service server; the method includes:
  • Step 401 The terminal determines an identity information identifier required by the first service.
  • the terminal determines, according to a pre-stored mapping table of service application identifiers and required identity information identifiers, the required identity information identifier corresponding to the first service; or the terminal determines the required identity information identifier corresponding to the first service according to a user instruction; or the terminal obtains the required identity information identifier corresponding to the first service from the service server corresponding to the first service.
  • the first service has a requirement for checking specific identity information, such as checking one or more pieces of information such as user photo, age, gender, nationality, marital status or e-mail validity period, or even checking the relationship between multiple users.
  • services may be classified by scenario, for example into class A, class B and class C service scenarios, with the identity information required by the corresponding service being a class I, class II or class III combination, so that the terminal may maintain locally a mapping table between services and the identity information required by them.
  • the type of the identity information required may be determined according to the type of the service.
  • the foregoing mapping table may be implemented in multiple manners.
  • for example, the mapping table includes at least one service application identifier and its corresponding required identity information identifier, or includes at least one service application type and its corresponding required identity information identifier, from which the terminal can find the corresponding identity information identifier according to the service application identifier or the type of the service application; the service application identifier is used to uniquely identify a service application, for example in a mobile phone Android system.
  • the type of business application mentioned here is used to identify the classification to which the business application belongs, such as dividing business applications into payment applications (such as various shopping clients), subscription applications (such as hotel reservation clients, ticket reservation clients, etc.) and government applications (such as voting clients); for another example, the mapping table includes at least one service identifier and its corresponding required identity information identifier, and the terminal can find the corresponding identity information identifier according to the service identifier of the triggered service.
  • the service identifier is used to uniquely identify a service, such as a payment service included in a service application, a subscription service, or another service that needs to verify user-specific identity information; for yet another example, the mapping table includes at least one service application identifier together with the corresponding service identifier and required identity information identifier.
  • the terminal can then find the corresponding identity information identifier according to the service application identifier and the service identifier (for example, the type of the service) of the triggered service.
  • a business application may correspond to one or more services, and the user identity information that needs to be verified may differ for each service.
  • for example, the first type of service requires a combination of type I identity information (such as age), and the second type of service requires a combination of type II identity information (such as age and marital status).
  • the identity information identifier required above may be an identifier of a single identity information, or an identifier of a type of identity information combination (including at least one identity information).
  • the service server may also maintain the foregoing mapping table on the server side.
  • the service server may request the type of the identity information required by the service.
  • the required identity information may also be user-defined (for example, the service provider manually selects or inputs the required identity information).
  • the identity information required for the first service may be determined based on a user-triggered service operation on the service APP side or the service server side (for example, when the user logs in to a website and selects the eID login mode, or when the user confirms a payment, performs a voting operation, etc.); that operation determines the required identity information identifier.
  • Step 402 The terminal sends a first message to the verification server, where the first message includes first electronic identity data and first information, where the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and, when the identity verification is passed, the first information is used by the verification server to obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data.
  • the first information is the required identity information identifier; the verification server obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the required identity information identifier.
  • the first information is a service application identifier that performs the first service and a service type identifier of the first service.
  • step 401 need not be performed.
  • the service type identifier of the first service is used to indicate to the verification server that it should not only verify the identity of the corresponding electronic identity holder according to the first electronic identity data, but also, when the identity verification is passed, obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data.
  • the verification server side stores the mapping between the service application identifier and the required identity information identifier, and the verification server may determine the identity information identifier required by the first service according to the service application identifier of the first service, and then, according to the identity information identifier required by the first service, obtain the identity information required by the first service from all the identity information corresponding to the first electronic identity data.
  • the first information includes a service application identifier that performs the first service and a service identifier of the first service.
  • the service identifier may also be carried in the first information.
  • the service application also provides the service identifier when registering the electronic identity identifier (eID) service, and the verification server side also establishes a mapping table between the service identifier and the identity information identifier required by the service, so that it can use the service identifier in the first information to determine the identity information required by the first service by reading the mapping table.
  • the terminal generates the first electronic identity data described above by a digital signature operation.
  • the terminal uses the private key corresponding to the electronic identity identifier eID (ie, the first electronic identity identifier) of the electronic identity holder to perform signature calculation on the service data of the first service to generate the first electronic identity data; or
  • the terminal acquires the first electronic identity data from a security device where the private key corresponding to the first electronic identity identifier is located, where the first electronic identity data is generated by the security device performing a signature calculation on the service data of the first service using the private key corresponding to the first electronic identity identifier.
  • the signature operation described herein may use prior art means (such as calculating a digest for the original data used for the signature, and then encrypting the digest with a private key), and will not be described again.
  • the terminal uses the private key corresponding to the first electronic identity identifier to perform a signature calculation on the service data of the first service together with the first information, to generate the first electronic identity data; or, the terminal obtains the first electronic identity data from a security device where the private key corresponding to the first electronic identity identifier is located, where the first electronic identity data is generated by the security device performing a signature calculation on the service data of the first service together with the first information using that private key.
  • the first message sent by the terminal to the verification server may, in addition to the first electronic identity data and the first information, include the foregoing service data (which may be data provided by the service provider, such as the order number generated by the client when the user submits a shopping list in the shopping client, etc.), because the service data may be part or all of the original data of the above signature, and the verification server needs the complete original data when verifying the signature.
  • the verification of the signature described herein may be performed by prior art means (such as decrypting the signature with the public key corresponding to the private key described above to obtain a digest, then calculating a digest over the original data of the signature, and finally comparing whether the two digests are the same), which is not repeated here.
  • Step 403 The verification server verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data.
  • taking the case where the first electronic identity data is a signature obtained by calculation as an example, the identity verification process, that is, how the signature is verified, is as follows: the verification server first verifies, according to the prior art, the signature of the authority in the eID public key certificate of the first electronic identity; the signature data is then decrypted with the eID public key to obtain a digest (such as a hash value), the same digest algorithm is applied to the original data in the first message to obtain a digest, and finally the two digests are compared to confirm whether the signature is legal. If it is legal, the electronic identity used by the service requesting party and the eID holder are considered to be consistent.
  • Step 404 When the identity verification is passed, the verification server acquires the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the first information.
  • the first information is a desired identity information identification.
  • the verification server directly obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the required identity information identifier.
  • the first information is a service application identifier that performs the first service and a service type identifier of the first service.
  • a mapping table of the service application identifier and the required identity information identifier is stored in the verification server.
  • the verification server determines, according to the service application identifier of the first service in the first information, the identity information identifier required by the first service, and then obtains the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to that identity information identifier.
  • the first information includes a service application identifier that performs the first service, a service identifier of the first service, and a service type identifier of the first service.
  • the verification server side establishes a mapping table of the service application identifier, the service identifier, and the identity information identifier required by the service.
  • the verification server determines, according to the service application identifier and the service identifier in the first information, the identity information identifier required by the first service by reading the mapping table, and then obtains, according to the identity information identifier required by the first service, the identity information required by the first service from all the identity information corresponding to the first electronic identity data.
  • Step 405 The verification server sends a second message to the terminal, where the second message includes the required identity information or the identity information collation result obtained based on the required identity information.
  • the second message includes the required identity information. That is, the authentication server includes the identity information required by the first service acquired in step 404 in the second message, and sends the identity information to the terminal.
  • the terminal may send the identity information required by the first service to the service server, and the service server determines the identity information check result, and the service server sends the identity information check result to the terminal.
  • the embodiment determines whether to perform the service according to the verification result of the identity information sent by the service server, and can ensure the controllability of the service and improve the security of the service.
  • the second message includes an identity information collation result. That is, after verifying the identity information required by the first service, the verification server checks the identity information, and returns the identity information verification result as a second message to the terminal.
  • the identity information collation result refers to determining whether the identity information satisfies the requirement for executing the first service. For example, when a user purchases certain special commodities (such as tobacco and alcohol) through a business application, it is required to determine whether the user is an adult (such as whether the user is at least 18 years old); when a user handles certain matters for other people through a business application (such as an intermediary handling a loan for a citizen, or parents handling social security services for their children), it is required to determine whether the user's relationship with the other person is legal, etc.
  • Step 406 When the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal performs the first service.
  • the second message returned by the verification server includes the required identity information as described above (eg, the requester is 19 years old).
  • the terminal checks the received identity information and determines whether the required identity information satisfies the requirement for executing the first service (for example, the requirement that the requester be over 18 years old), so as to determine whether this service operation is allowed.
  • the second message returned by the verification server includes an identity information collation result (eg, whether the age is over 18 years old).
  • the terminal directly checks the result according to the returned identity information to determine whether to perform the current service operation. When the verification result is yes, the first service is executed.
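Steps 404 to 406 on the verification server and terminal side, as an added example that is not the patent's own code. It resolves the three forms of first information the text lists against constructed mapping tables, pulls only the required items out of a constructed holder record, and returns either the required identity information or only the collation result; the terminal then decides whether the first service may run. The store contents, mapping entries, application identifiers and the adult-only requirement are all assumptions:

```python
from datetime import date

# Constructed sample of "all the identity information" the verification server holds for
# an eID holder (stand-in for the authority's store; not real data).
IDENTITY_STORE = {
    "eid-0001": {
        "name": "A. Holder",
        "birth_date": "2003-05-20",
        "marital_status": "single",
        "address": "1 Sample Street",
    },
}

# Mapping tables on the verification server side (constructed). A Type-I requirement is a
# single item (age); a Type-II requirement is a combination (age and marital status).
REQUIRED_BY_APP_AND_TYPE = {
    ("com.example.shop", "payment"): ("age",),
    ("com.example.gov", "government"): ("age", "marital_status"),
}
REQUIRED_BY_APP_AND_SERVICE = {
    ("com.example.shop", "buy_alcohol"): ("age",),
}


def resolve_required_identifiers(first_info: dict) -> tuple:
    """Step 404: map the first information to the required identity information identifiers.
    Covers the three forms in the description: the identifier carried directly, service
    application identifier + service type, and service application identifier + service id."""
    if "required_ids" in first_info:
        return tuple(first_info["required_ids"])
    app_id = first_info["app_id"]
    if "service_id" in first_info and (app_id, first_info["service_id"]) in REQUIRED_BY_APP_AND_SERVICE:
        return REQUIRED_BY_APP_AND_SERVICE[(app_id, first_info["service_id"])]
    if "service_type" in first_info and (app_id, first_info["service_type"]) in REQUIRED_BY_APP_AND_TYPE:
        return REQUIRED_BY_APP_AND_TYPE[(app_id, first_info["service_type"])]
    raise KeyError("no mapping table entry for this first information")


def age_on(birth_date: str, today: date) -> int:
    born = date.fromisoformat(birth_date)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def required_identity_info(eid: str, first_info: dict, today: date) -> dict:
    """Return only the required items, derived from the holder's full record. Everything
    else (name, address) never leaves the verification server."""
    record = IDENTITY_STORE[eid]
    out = {}
    for ident in resolve_required_identifiers(first_info):
        out[ident] = age_on(record["birth_date"], today) if ident == "age" else record[ident]
    return out


# Requirement for executing a service: identifier -> predicate. Constructed adult check.
ADULT_ONLY = {"age": lambda a: a >= 18}


def collate(identity_info: dict, requirement: dict) -> bool:
    """Identity information collation result: every required item is present and satisfies
    the service requirement. A missing item is a failed check, never a pass."""
    return all(k in identity_info and pred(identity_info[k]) for k, pred in requirement.items())


def second_message(eid: str, first_info: dict, today: date, requirement: dict, return_result: bool) -> dict:
    """Step 405: the verification server returns either the required identity information or
    only the collation result (the form that reveals least to the terminal and service provider)."""
    info = required_identity_info(eid, first_info, today)
    if return_result:
        return {"check_result": collate(info, requirement)}
    return {"identity_info": info}


def terminal_may_execute(msg: dict, requirement: dict) -> bool:
    """Step 406: execute the first service only when the check result is yes, or when the
    returned identity information meets the requirement."""
    if "check_result" in msg:
        return msg["check_result"] is True
    return collate(msg.get("identity_info", {}), requirement)
```

The ordering in `resolve_required_identifiers` matters when the first information carries both a service identifier and a service type: the more specific service entry wins, and the type entry is the fallback, matching the table layout the text describes for step 404.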
  • the terminal directly requests authentication from the verification server, and obtains only the identity information required for service execution or directly obtains the identity verification result, so that the user does not need to provide plaintext identity information to the service provider; this does not cause user privacy data to leak, and avoids redundant, non-essential information.
  • the method of the above embodiment is executed by the first communication path, and only passes through the terminal 301 and the verification server 302, and does not pass through the service server 303, thereby simplifying the communication flow and shortening the time.
  • FIG. 5 is a schematic diagram of another method for acquiring identity information according to an embodiment of the present invention.
  • the method may be based on the system architecture shown in FIG. 3, and adopts a second communication path to obtain identity information or identity information matching results required by the service, and the method includes:
  • Step 501 The terminal determines an identity information identifier required by the first service.
  • For the implementation of this step, reference may be made to the description of step 401 in FIG. 4, and details are not described herein again.
  • Step 502 The terminal sends a first message to the service server, where the first message includes first electronic identity data, first information, and indication information, where the first electronic identity data is used by the verification server to verify the first electronic The identity of the electronic identity holder corresponding to the identity data, and the first information is used by the verification server to obtain the first service from all identity information corresponding to the first electronic identity data when the identity verification is passed The required identity information.
  • the indication information is used to instruct the service server to send the first electronic identity data and the first information to the verification server, where the indication information can be sent as a single parameter in the first message. Alternatively, it may also be represented by attribute information of the first message itself, such as a tag value indicating that the message is the first message.
  • the first information may be similar to the first information in step 402 of FIG. 4 above, and details are not described herein again.
  • the terminal generates the first electronic identity data described above by digital signature calculation. For example, the terminal uses the private key corresponding to the electronic identity identifier eID (i.e., the first electronic identity identifier) of the electronic identity holder to perform a signature calculation on the service data of the first service to generate the first electronic identity data; or the terminal acquires the first electronic identity data from a security device where the private key corresponding to the first electronic identity identifier is located, where the first electronic identity data is generated by the security device performing a signature calculation on the service data of the first service using that private key.
  • the terminal uses the private key corresponding to the first electronic identity identifier to perform a signature calculation on the service data of the first service together with the first information, to generate the first electronic identity data; or, the terminal obtains the first electronic identity data from a security device where the private key corresponding to the first electronic identity identifier is located, where the first electronic identity data is generated by the security device performing a signature calculation on the service data of the first service together with the first information using that private key.
  • the first message sent by the terminal may, in addition to the first electronic identity data and the first information, also include service data, so that the verification server can be requested to perform verification and provide the required identity information.
  • Step 503 The service server sends the first electronic identity data and the first information to the verification server according to the indication information.
  • Step 504 The verification server verifies the identity of the electronic identity holder corresponding to the first electronic identity data according to the first electronic identity data.
  • For the implementation of this step, reference may be made to the description of step 403 in FIG. 4, and details are not described herein again.
  • Step 505 When the identity verification is passed, the verification server acquires the identity information required by the first service from all the identity information corresponding to the first electronic identity data according to the first information.
  • For the implementation of this step, reference may be made to the description of step 404 in FIG. 4, and details are not described herein again.
  • Step 506 The verification server sends a second message to the service server, where the second message includes the required identity information or the identity information collation result obtained based on the required identity information.
  • the second message includes the required identity information. That is, the authentication server includes the identity information required by the first service acquired in step 505 in the second message, and sends the identity information to the service server.
  • the second message includes an identity information collation result. That is, after the authentication server obtains the identity information required by the first service, the identity information is checked, and the identity information verification result is included in the second message and returned to the service server.
  • Step 507 The service server sends the required identity information or identity information check result to the terminal.
  • the service server may directly send the required identity information or identity information check result received in step 506 to the terminal.
  • alternatively, when the service server receives the required identity information in step 506, it may check the required identity information itself and then send the identity information check result to the terminal.
  • Step 508 When the required identity information meets the requirement for executing the first service or the identity information check result is yes, the terminal executes the first service.
  • For the implementation of this step, reference may be made to the description of step 406 in FIG. 4, and details are not described herein again.
  • the terminal requests authentication from the verification server through the service server, and obtains only the identity information required for service execution or directly obtains the identity verification result, so that the user does not need to provide plaintext identity information to the service provider; this does not cause leakage of user privacy data and avoids redundant, non-essential information.
  • the method of the foregoing embodiment is implemented by using the second communication path, not only through the terminal 301 and the verification server 302, but also through the service server 303, which facilitates the control of the service by the service server 303, and is beneficial to improving security.
  • the message sent by the terminal to the service server may not carry the first information; instead, after receiving the message, the service server sends the first information together with the first electronic identity data in the message to the verification server according to the indication information, where the first electronic identity data is signature data obtained by signing the service data.
  • the embodiment described above in connection with FIG. 4 and FIG. 5 can effectively verify the electronic identity used by the service requester and obtain the identity information required by the service after the verification is passed, that is, verify the identity of the electronic identity holder. At the same time, it can also provide the service provider with the identity information required by the business.
  • the service provider and the user often cannot interact face to face. Therefore, after the service provider (such as an online store) receives some identity information fed back by the eID verification server, it still cannot be certain that the requester is the real person concerned. In other words, with conventional techniques it is impossible to ensure real human identity by automated means.
  • the embodiment of the present invention may therefore locally collect the required identity information, or part of it (such as biometric information like a face photo, and optionally other information that can characterize the user's identity), and then compare the identity information collected by the terminal with the required identity information provided by the verification server (e.g., the eID server). This ensures that the service requester and the electronic identity holder (such as the eID holder) are indeed the same person, that is, real human identity is achieved.
  • the identity information required by the business includes biometric information.
  • the terminal acquires biometric information of the service requester of the first service; when the biometric information of the service requester is consistent with the biometric information in the required identity information (i.e., the biometric information of the electronic identity holder), the terminal executes the first service.
  • Biometric information includes a variety of user profile information, such as avatar photos, fingerprints, irises, voiceprints, and other biometric information that may be employed in the future.
  • the terminal collects the corresponding biometric information according to the type of biometric information in the required identity information, for example, using a camera to collect the user's face photo or an iris photo, using a fingerprint sensor to collect the user's fingerprint, and using a sound collecting device (such as a microphone) to collect the user's voice.
  • the biometric information of the service requester can be compared with the biometric information in the required identity information by any one of the terminal, the service server, and the verification server, to determine whether the biometric information of the service requester is consistent with the biometric information of the electronic identity holder.
  • the biometric information of the service requester is obtained by the terminal, and the identity information required by the service is acquired by the terminal by using the method of the foregoing embodiment, and then the terminal compares the biometric information of the service requester with the required Biometric information in the identity information to determine whether the biometric information of the service requester is consistent with the biometric information of the electronic identity holder.
  • the order in which the terminal obtains the biometric information of the service requester and the identity information required by the service is not limited: the terminal may first obtain the biometric information of the service requester and then acquire the required identity information, or the terminal may first obtain the identity information required by the service and then obtain the biometric information of the service requester.
  • the biometric information of the service requester is obtained by the terminal and sent to the verification server; the verification server compares the biometric information of the service requester with the biometric information in the required identity information to determine whether they are consistent, and sends the result of that comparison to the terminal.
  • the biometric information of the service requester is obtained by the terminal and sent to the service server; after the service server receives the required identity information from the verification server or the terminal, the service server compares the biometric information of the service requester with the biometric information in the required identity information to determine whether the biometric information of the service requester is consistent with the biometric information of the electronic identity holder, and sends the result of whether the biometric information is consistent to the terminal.
  • the terminal may need to process the collected biometric information before sending it to the server for comparison. For example, the terminal sends the hash value of the collected fingerprint data to the verification server; since the verification server may belong to an institution capable of collecting and storing citizens' fingerprint information, the verification server side may compare the hash value of the received fingerprint data with the hash value of the citizen's fingerprint data that it stores.
  • the data transmitted by the terminal may also include information that helps the verification server find the corresponding fingerprint data of the citizen, such as a fingerprint template identifier, which is not limited here.
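The hashed-biometric comparison just described, as an added example that is not part of the patent text. The terminal sends a hash of the collected template plus a template identifier rather than the raw biometric; the comparison is shown both on the verification server side (looking up the citizen's stored hash by template identifier) and on the terminal side (when the required identity information returned by the server already carries the holder's biometric hash). The template bytes, identifiers and field names are constructed assumptions:

```python
import hashlib
import hmac

# Constructed fingerprint template (stand-in for normalized sensor output). The verification
# server stores only a hash of the citizen's template, keyed by a template identifier.
HOLDER_TEMPLATE = b"constructed-template:eid-0001:v1"
CITIZEN_TEMPLATE_HASHES = {"tpl-eid-0001": hashlib.sha256(HOLDER_TEMPLATE).hexdigest()}


def terminal_biometric_payload(collected_template: bytes, template_id: str) -> dict:
    """Terminal side: send a hash of the collected data plus the identifier that helps the
    verification server find the citizen's record, never the raw biometric itself."""
    return {"template_id": template_id,
            "template_hash": hashlib.sha256(collected_template).hexdigest()}


def same_biometric(hash_a: str, hash_b: str) -> bool:
    # Constant-time comparison so the check does not leak how many leading characters match.
    return hmac.compare_digest(hash_a, hash_b)


def verification_server_compare(payload: dict) -> bool:
    """Verification-server side of the comparison. An unknown template identifier is reported
    as 'not consistent' rather than raising, so the caller always gets a yes/no result."""
    stored = CITIZEN_TEMPLATE_HASHES.get(payload.get("template_id"))
    return stored is not None and same_biometric(stored, payload["template_hash"])


def terminal_compare(required_identity_info: dict, collected_template: bytes) -> bool:
    """Terminal side, when the required identity information carries the holder's biometric
    hash: the first service may run only if the requester's collected data matches it."""
    stored = required_identity_info.get("fingerprint_hash")
    if stored is None:  # no biometric came back, so real human identity cannot be confirmed
        return False
    return same_biometric(stored, hashlib.sha256(collected_template).hexdigest())
```

A hash comparison only works when both sides derive byte-identical data (for example, a template normalized by the same algorithm). Live fingerprint or face matching produces a similarity score rather than an exact match, so in practice the hash step stands in for whichever template-matching routine the institution uses; the control-flow point, that the service runs only on a positive result and that a missing biometric is a failure, is unchanged.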
  • before the service provider can use the identity information service provided by the verification server (i.e., authenticating the identity of the electronic identity holder and providing the service provider with the identity information required by the service), a registration operation for the service may be performed in advance. Therefore, the embodiment of the present invention may further include a processing procedure for performing service registration on behalf of the service provider.
  • before the sending of the first message, the method further includes: the terminal sending a third message to the service server corresponding to the first service, where the third message is used to request the service server to register with the verification server the identity information customization service required by the first service; and the terminal receiving a fourth message from the service server, where the fourth message is used to notify that the identity information customization service has been successfully registered.
  • the verification server can establish a mapping table of the service and its required identity information (such as the mapping table described in step 402 in FIG. 4 above) in response to the request of the terminal and the service server.
  • before the sending of the first message by the terminal, the method further includes: the terminal sending a service registration request to the verification server, where the service registration request includes the service provider information of the first service and an identity information customization indication, or the service provider information and the required identity information identifier, or the service provider information alone; and the terminal receiving a service registration response from the verification server, where the service registration response is used to notify that the service registration is successful.
  • the information of the service provider may be electronic identity information of the service provider (such as signature data calculated with its eID private key, or encrypted eID certificate information, etc.); the identity information customization indication is used to notify the verification server that it needs to provide the required identity information service for this service.
  • the service registration request may not carry the required identity information identifier; in that case the verification server needs to maintain in advance a mapping table between the service application identifier and the required identity information identifier, or a mapping table between the type of the service application and the required identity information, so that after receiving the request the verification server can determine, according to the customization indication, which required identity information to provide to the service provider when the first message is subsequently received. Alternatively, the verification server may subsequently determine which required identity information to provide to the service provider according to the required identity information identifier in the received first message.
  • after receiving the corresponding message (such as the first message in the embodiment shown in FIG. 4 above), the verification server may verify the first electronic identity data and provide the service provider with the identity information required by the service.
  • the verification server may further perform a verification service on the required identity information, such as checking whether the required identity information satisfies the service requirement for executing the first service, for example checking whether the biometric information of the service requester is consistent with the locally pre-stored biometric information of the electronic identity holder.
  • the terminal can pre-filter the service by means of whitelisting.
  • the method further includes: the terminal adding a service application identifier of the first service to a whitelist; and, before sending the first message, the terminal determining, in response to a request for the first service, that the whitelist includes the service application identifier of the first service.
  • the terminal can thus pre-judge and filter service applications, and does not send the first message for a service application that is not in the whitelist, thereby reducing unnecessary communication pressure caused by verification requests from illegitimate service applications.
  • the verification server may also use a whitelisting method.
  • the verification server adds the service application identifier of the first service to its whitelist, so that when the verification server receives the first message it first determines whether the service application identifier of the first service is in the whitelist. If the service application identifier is not in the whitelist, the first message may be directly ignored, avoiding unnecessary message parsing and thereby saving resource overhead to a certain extent.
  • The terminal further includes a service application (subsequently called a service APP) and an eID client. The eID client is used to read and write the eID card; it can be embedded in the service application or exist as a separate module called by the service application.
  • With the terminal thus refined into a service application and an eID client, the embodiments of the present invention are further described below according to different communication paths.
  • FIG. 6 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention. On the basis of FIG. 4, FIG. 6 refines the terminal into a service application and an eID client, and further shows the operation flow inside the terminal. Referring to FIG. 6, the method adopts a first communication path, in which the service APP requests the eID server, through the eID client, to perform identity authentication and to provide the required identity information, and the identity information required by the service is part of the identity information of the service requester. The method includes:
  • Step 601: The service APP determines the required identity information identifier according to the service requirement.
  • The service APP may pre-store a mapping table between services and required identity information identifiers and determine the required identity information identifier corresponding to the first service from that table; or the service APP may acquire the required identity information identifier corresponding to the first service from the corresponding service server. Specific examples of service categories and required identity information are described above and are not repeated here.
  • Step 602: The service APP sends a request including the required identity information identifier to the eID client.
  • Step 603: The eID client obtains signature data, where the signature data is generated by using the private key of the eID to perform a signature calculation on the required identity information identifier and the service data.
  • The calculation of the signature data can be performed in a security chip that stores related information such as the private key of the eID and the public key certificate. The security chip can be integrated in the terminal, for example as a Secure Element (SE), a Trusted Execution Environment (TEE) or even the System on Chip (SoC) of a terminal such as a mobile phone, in which case the eID client obtains the signature data generated by the security chip through an existing secure channel inside the terminal. Alternatively, the security chip can be a separate security device such as a bank card or a wearable device, in which case the eID client reads the signature data generated by the security chip through a connection technology such as NFC.
  • Step 604: The eID client sends a verification request to the eID server, carrying the signature data and the original data used to generate the signature.
  • The verification request described here may correspond to the first message in FIG. 4, the signature data may correspond to the first electronic identity data in FIG. 4, and the original data used to generate the signature may include the first information in FIG. 4 above.
  • Step 605: The eID server verifies the signature and, after the verification succeeds, prepares the corresponding identity information according to the required identity information identifier.
  • The eID server first verifies the signature to confirm that it is legitimate. If it is, the eID server can obtain all the identity information registered for the eID and select the required identity information from it according to the required identity information identifier above.
  • Step 606: The eID server sends the verification result, including the required identity information, to the eID client.
  • Step 607: The eID client sends the verification result, including the required identity information, to the service APP.
  • Step 608: The service APP checks whether the required identity information meets the service requirement.
  • Step 609: If the service APP determines that the required identity information meets the service requirement, it performs the current service operation.
  • When the service APP performs the current service operation, specifically, a service request is sent to the service server. For example, in the order-generation stage of online shopping, the service APP confirms that the order submission is successful and continues with the subsequent payment operation (that is, sends a payment request) so that the service requester can make the corresponding payment.
  • Steps 602-603 and 607 are the interaction of the service APP with the eID card through the eID client; the eID card can sign the required identity information identifier as part of the original data, or the identifier can be carried as a separate parameter outside the signature.
  • Steps 604-606 are the interaction of the service APP with the eID server through the eID client; the required identity information identifier may be carried as part of the signed original data in the verification request, or as a parameter in the Extension parameter field.
  • The Extension parameter field is a field defined by the standard "YD/T 3150-2016 Network Electronic Identity EID Authentication Service Interface Technical Requirements".
  • The signature is calculated using the prior art: the eID card calculates a hash value over the original data (including the service data sent by the service APP, and possibly also the required identity information identifier), and the hash value is encrypted using the private key saved in the eID card. The eID server decrypts the signature using the public key of the eID card to obtain the hash value, calculates a hash value over the original data itself, and compares the two hash values to verify whether the signature is valid.
  • When the eID client sends the signature and its original data to the eID server in the verification request, it can also encrypt them again, for example using the public key of the eID server, and the eID server decrypts them with its private key after receiving them. Optionally, a session key (symmetric key) negotiated by the eID client and the eID server in the session may be used for the encryption and decryption.
  • The required identity information identifier may represent one or more items of plaintext information such as photo, name, ID number, date of birth, gender, nationality and address, or may represent one or more individual check conditions (that is, status information) such as whether the holder has reached age X, whether the holder is a citizen of country X, or whether the driver's license is valid.
  • One specific implementation is as follows: each bit in a number of bytes is used to represent one item of identity information (as in Table 1 or Table 2). Optionally, a whole byte may represent one item; this is not limited in this application.
  • Table 1: Correspondence between bits and identity information identifiers, where the identifiers are used to obtain plaintext information. Each bit indicates one identity information identifier:
    bit 8 of byte 1: photo
    bit 7 of byte 1: name
    bit 6 of byte 1: age
    bit 5 of byte 1: gender
    bit 4 of byte 1: nationality
    bit 3 of byte 1: address
    bit 2 of byte 1: birthplace
    bit 1 of byte 1: marital status
  • Table 2: Correspondence between bits and identity information identifiers, where the identifiers are used to obtain status information. Each bit indicates one identity information identifier:
    bit 8 of byte 1: photo
    bit 7 of byte 1: name
    bit 6 of byte 1: whether the holder has reached age X
    bit 5 of byte 1: whether the holder is male/female
    bit 4 of byte 1: whether the holder is a Chinese citizen
    bit 3 of byte 1: address
    bit 2 of byte 1: whether the holder was born in X
    bit 1 of byte 1: whether the holder is married/unmarried
  • The identity information returned by the eID server may be the above plaintext information, or may be the above status information in order to protect user privacy.
  • The service APP may send the obtained identity information to the service server together with the service request, so that the service server checks whether the identity information meets the service requirement and determines whether the service operation is allowed to be performed; or it may first send the identity information to the service server alone, so that the service server checks whether it meets the service requirement, and then decide according to the service server's check result whether to send a service request to the service server.
  • Service requests include online shopping operations such as adding to a shopping cart or confirming payment, website login operations, voting operations, and the like.
  • The check performed by the service server on this identity information depends mainly on the form of the identity information returned by the eID server. It can be plaintext, such as age X, gender male/female or marital status; it can be non-plaintext status information, such as whether the holder is X years old or older or whether the holder is unmarried; or it can be the result of the eID server's own check of the identity information, namely yes or no (for example, the eID server is asked to determine whether the eID holder is older than X years). Optionally, the photo of the eID holder can be added (it can be used to check the current user of the eID card).
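As an added illustration (not code from the patent), the following Go program encodes byte 1 of the required identity information identifier with the bit layout of Table 1 and Table 2 and shows the eID server's selection step: it returns only the requested items, as plaintext or as yes/no status information, so that an age check can be answered without disclosing the age itself. The identity record fields, the parameter form for X, and the output key names are assumptions; the Table 2 male/female condition is not shown.

```go
package main

import "fmt"

// Bit positions within byte 1 of the required identity information identifier,
// following Table 1 and Table 2 (bit 8 is the most significant bit).
const (
	BitPhoto         uint8 = 1 << 7 // bit 8
	BitName          uint8 = 1 << 6 // bit 7
	BitAge           uint8 = 1 << 5 // bit 6
	BitGender        uint8 = 1 << 4 // bit 5
	BitNationality   uint8 = 1 << 3 // bit 4
	BitAddress       uint8 = 1 << 2 // bit 3
	BitBirthplace    uint8 = 1 << 1 // bit 2
	BitMaritalStatus uint8 = 1 << 0 // bit 1
)

// IdentityRecord is a constructed stand-in for "all the identity information
// registered for the eID" held by the eID server; the field set is assumed.
type IdentityRecord struct {
	Photo, Name, Gender, Nationality, Address, Birthplace, MaritalStatus string
	Age                                                                 int
}

// RequiredIdentifier is byte 1 of the identifier plus the parameters the
// Table 2 check conditions need (age X, country X, birthplace X). Plaintext
// selects Table 1 semantics; otherwise Table 2 (status information) applies.
type RequiredIdentifier struct {
	Byte1            uint8
	Plaintext        bool
	AgeX             int
	CountryX, PlaceX string
}

func yesNo(b bool) string {
	if b {
		return "yes"
	}
	return "no"
}

// Prepare selects only the items the identifier asks for, as plaintext
// (Table 1) or as yes/no status information (Table 2). Items that Table 2
// lists without a condition (photo, name, address) are plaintext in both
// modes, and anything not requested is never returned.
func Prepare(all IdentityRecord, req RequiredIdentifier) map[string]string {
	out := map[string]string{}
	if req.Byte1&BitPhoto != 0 {
		out["photo"] = all.Photo
	}
	if req.Byte1&BitName != 0 {
		out["name"] = all.Name
	}
	if req.Byte1&BitAddress != 0 {
		out["address"] = all.Address
	}
	if req.Byte1&BitGender != 0 {
		out["gender"] = all.Gender // Table 2's male/female condition is not shown here
	}
	if req.Byte1&BitAge != 0 {
		if req.Plaintext {
			out["age"] = fmt.Sprint(all.Age)
		} else {
			out["age_at_least_X"] = yesNo(all.Age >= req.AgeX)
		}
	}
	if req.Byte1&BitNationality != 0 {
		if req.Plaintext {
			out["nationality"] = all.Nationality
		} else {
			out["citizen_of_X"] = yesNo(all.Nationality == req.CountryX)
		}
	}
	if req.Byte1&BitBirthplace != 0 {
		if req.Plaintext {
			out["birthplace"] = all.Birthplace
		} else {
			out["born_in_X"] = yesNo(all.Birthplace == req.PlaceX)
		}
	}
	if req.Byte1&BitMaritalStatus != 0 {
		if req.Plaintext {
			out["marital_status"] = all.MaritalStatus
		} else {
			out["married"] = yesNo(all.MaritalStatus == "married")
		}
	}
	return out
}

func main() {
	// Constructed holder; an age-gate service asks for bit 6 in Table 2 form with X = 18, plus the photo.
	holder := IdentityRecord{Photo: "<photo>", Name: "Zhang San", Gender: "male", Nationality: "CN",
		Address: "Shenzhen", Birthplace: "Shenzhen", MaritalStatus: "unmarried", Age: 17}
	fmt.Println(Prepare(holder, RequiredIdentifier{Byte1: BitAge | BitPhoto, AgeX: 18}))
}
```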
  • FIG. 7 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention. The method adopts the first communication path, in which the service APP requests the eID server, through the eID client, to perform identity authentication and to provide the required identity information; here the identity information required by the service includes association relationship information of a plurality of users, and the plurality of users may be, but is not limited to, two users.
  • FIG. 7 refines the terminal into a service application and an eID client, refines the identity information required by the service into association relationship information of multiple users, and further shows the operation flow inside the terminal. This embodiment uses two users as an example for description. The method includes:
  • Step 701: The service APP determines the required identity information identifier according to the service requirement.
  • The required identity information identifier here covers the association relationship of the plurality of users (for example, a first user and a second user) and the avatar, name and age information of each of them.
  • Step 702: The service APP sends a request including the required identity information identifier to the eID client.
  • Step 703: The eID client obtains a first signature and a second signature, where the first signature is signature data generated by using the private key corresponding to the first user to perform a signature calculation on the required identity information identifier and the service data, and the second signature is generated in a corresponding manner, as described below.
  • If the security chip in the terminal stores the eID information, the eID client reads the first signature and the second signature directly from the security chip of the terminal; if the security chip in the terminal does not store the eID information, the eID client needs to read the first signature and the second signature from the eID carrier (that is, a separate device including the security chip).
  • The eID information includes the private key of the electronic identity, and the security chip uses this private key to sign the required identity information identifier and the service data to generate a signature. Specifically, the first security chip, which stores the eID information of the first user, uses the private key of that eID to perform the signature calculation on the required identity information identifier and the service data and generate the first signature; the second security chip, which stores the eID information of the second user, uses the private key of that eID to sign the required identity information identifier and the service data and generate the second signature.
  • When integrated in the terminal, the first security chip and the second security chip may be the same physical chip whose internal storage and operations are isolated and do not interfere with each other; when they are independent devices, the first security chip and the second security chip may be two separate devices.
  • Step 704: The eID client sends a verification request to the eID server, where the verification request is used to request identity verification of the first signature and the second signature.
  • The verification request, the first or second signature, and the original data used to generate the first or second signature are respectively similar to the verification request, the signature data and the original data of the signature in step 604 of FIG. 6, and are not repeated here.
  • Step 705: The eID server verifies the signatures and prepares the corresponding identity information according to the required identity information identifier.
  • The eID server performs the verification operation on the first signature and the second signature respectively. After the verification succeeds, the eID server determines, according to the required identity information identifier, that one of the items of identity information to be provided is the association relationship information between the first user and the second user.
  • The association relationship information may be stored in the eID server or in a database the eID server can access. For example, all the identity information corresponding to the first user includes the association relationship information between the first user and other users (such as the second user or other users), and all the identity information corresponding to the second user includes the association relationship information between the second user and other users (such as the first user or other users). The eID server can obtain the association relationship information between the first user and the second user from all the identity information corresponding to the first user and, optionally, from all the identity information corresponding to the second user.
  • Step 706: The eID server sends the verification result, including the required identity information, to the eID client.
  • Step 707: The eID client sends the verification result, including the required identity information, to the service APP.
  • Step 708: The service APP checks whether the required identity information meets the service requirement.
  • Step 709: When the service APP finds that the required identity information meets the service requirement, the service APP sends a service operation request to the service server.
  • The embodiment shown in FIG. 7 differs from the embodiment shown in FIG. 6 in that the required identity information identifier determined by the terminal characterizes the association relationship between multiple users; therefore the eID signatures of multiple users are acquired through the eID client, and the association relationship information of the multiple users is obtained from the eID server to check whether the service requirement is met.
  • The required identity information identifier may represent association relationship information between a plurality of users, such as whether they are in a kinship relationship such as husband, child, parent or brother, or even a classmate or agent relationship. It may also characterize both the association relationship information between multiple users and at least one item of plaintext information or status information of each user.
  • This embodiment is applicable to the verification of the identity relationship of the users by the service provider when a plurality of users jointly handle a certain service, such as booking a room, or when one user handles a service on behalf of another user, in which case the service provider checks the identity relationship between the agent and the principal, such as parents providing medical insurance for their children.
  • The terminal user (for an offline service this may be the service provider, and for an online service the service requester, that is, the eID card user) may, after triggering the service operation, bring multiple eID cards in turn into contact with the terminal according to the prompts (for example, near the NFC sensing area), or may manually select a "verify the association of multiple users" option when the service operation is triggered and then bring multiple eID cards in turn near the terminal to interact according to the prompts. The service provider sends the signature data generated by each eID card to the server for verification.
  • The eID server may authorize only the service requirement for the association relationship between the users and at the same time restrict the provision of the specific identity information of each user (that is, the eID server only feeds back information about the association relationship between the users to the service provider, and does not provide the plaintext identity information of each user).
  • This embodiment does not preclude the use of a single eID card. For example, when a parent handles certain services for a child, only the child's eID card needs to be used, and the service provider's terminal indicates in the verification request to the eID server that the association relationship information and the father's/mother's photo should be fed back for verification by the service provider. For another example, when an intermediary handles certain services for a user using an eID card, information representing the identity of the user (such as the user's eID certificate number, name, etc.) needs to be submitted to the verification server at the same time, so that the verification server determines, by means of that information, whether to obtain the association relationship information between the intermediary and the user.
  • This implementation also allows the user to modify the identity association relationship information, for example by temporarily adding or modifying certain association relationship information through a modification service provided by the verification server (such as the eID server), so that it can be applied to various intermediary agent services such as loans, transfers and lawyer entrustment.
  • FIG. 8 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention. The method of this embodiment may be an extension and refinement of the method shown in FIG. 4 or FIG. with respect to the interaction of the terminal with the eID authentication server (for example, the first message).
  • The method adopts the first communication path and is extended on the basis of the standard "YD/T 3150-2016 Network Electronic Identity EID Authentication Service Interface Technical Requirements"; the extension mainly concerns the interaction process between the terminal and the eID server (that is, steps 803-806). The method includes:
  • Step 801: The terminal sends a service request to the eID server. This service request declares that the eID authentication service provided by the eID server is to be requested.
  • The service APP on the terminal needs to register the eID verification service with the eID server in advance. When it registers, it declares the type of service it requires, that is, that the corresponding service needs to obtain partial identity information in each authentication. After verifying that the service APP is legal, the eID server assigns it a service application identifier, that is, an app_id, and records the service type corresponding to the service application identifier together with the fixed identity information it requires.
  • Step 802: The eID server sends a challenge value to the terminal.
  • The challenge value may be a random number generated by the eID server. Using it when the terminal generates the signature (specifically, when the terminal generates the signature through the eID card) improves the security of the service and prevents replay attacks to a certain extent.
  • Step 803: The terminal completes the eID signature operation and constructs the request data.
  • The signature operation may include: using the private key of the eID to sign the original data (such as the service data, or the service data and the first information), and the challenge value returned by the eID server may be used in this process.
  • Step 804: The terminal sends a verification request to the eID server, where the verification request includes the signature and the first information.
  • The service type that the service APP registers with the eID server is, in this example, used to indicate that identity authentication is requested together with the provision of partial identity information. Besides this, the service type used by the embodiment of the present invention may further include other types, such as account binding, account recovery, secure login and real-name authentication.
  • The eID server may store the service application identifier (that is, the aforementioned app_id, identifying the service application to which the service requesting the identity authentication service belongs), the service type and the required identity information identifier in the form of a mapping table. In that case the first information need not include the required identity information identifier, but includes the service application identifier and the service type identifier.
  • Alternatively, the first information includes the required identity information identifier, which can be carried in the Extension parameter field defined by the above standard. In that case the service type defined by the above standard need not be extended, and the service APP may register an existing eID authentication service (such as real-name authentication) with the eID server during the verification service registration phase.
  • The signature is the signature generated by the operation in step 803. The original data may be only the service data, but other choices are not excluded, such as including the required identity information identifier and/or the service type as part of the original data. The original data is also carried in the verification request.
  • Step 805: The eID server verifies the signature and prepares the required identity information according to the first information.
  • The eID server first verifies the signature; the verification process can refer to the description in the previous embodiment. After the verification is passed, the eID server prepares the required identity information according to the first information in the verification request. If the first information includes the required identity information identifier, the eID server selects the required identity information from all the identity information corresponding to the eID data. If the first information includes the service application identifier and the service type, the eID server determines the identity information identifier required by the service from the foregoing mapping table according to the service application identifier and the service type, and then obtains the required identity information from all the identity information corresponding to the eID data according to that identifier.
  • Step 806: The eID server sends the verification result to the terminal. The verification result includes the authentication result (identity authentication passed) and the required identity information.
  • Step 807: The terminal determines whether the required identity information meets the service requirement, in order to decide whether to allow the service operation.
  • This embodiment uses the existing identity authentication process to obtain partial identity information of the user; it requires only small changes to the existing process, is simple to implement, and has low network overhead.
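The following Go program, added here and not part of the patent, works through the challenge-bound signature of steps 802-806 (FIG. 8) on both sides: the security chip signs a hash of service data, first information and the server's challenge with the eID private key, and the eID server checks the app_id whitelist, consumes the challenge once so that a replayed request is rejected, verifies each signature with the registered public key, and for two signatures (the FIG. 7 case) releases only the association relationship. ECDSA P-256, the identifier and key formats, and the relationship table are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SecurityChip is a constructed stand-in for the SE/TEE/eID card that holds the eID private key.
type SecurityChip struct{ priv *ecdsa.PrivateKey }

func NewSecurityChip() *SecurityChip {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 is an assumption
	if err != nil {
		panic(err)
	}
	return &SecurityChip{priv: k}
}

func (c *SecurityChip) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// originalData = service data || first information || challenge, binding a signature to one request.
func originalData(serviceData, firstInfo, challenge []byte) []byte {
	d := append([]byte{}, serviceData...)
	d = append(d, firstInfo...)
	return append(d, challenge...)
}

// Sign is the step 603/803 operation: hash the original data, sign the hash with the eID private key.
func (c *SecurityChip) Sign(serviceData, firstInfo, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(originalData(serviceData, firstInfo, challenge))
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// VerificationRequest is the step 804 request (FIG. 8) or, with two signatures over the same
// original data, the step 704 request (FIG. 7). Signatures is keyed by eID identifier (form assumed).
type VerificationRequest struct {
	AppID       string
	ServiceData []byte
	FirstInfo   []byte
	Challenge   []byte
	Signatures  map[string][]byte
}

// EIDServer keeps registered eID public keys, the app_id whitelist, challenges issued but not yet
// consumed, and constructed association relationship information between pairs of eID holders.
type EIDServer struct {
	Pubs       map[string]*ecdsa.PublicKey
	Whitelist  map[string]bool
	Relation   map[[2]string]string
	challenges map[string]bool
}

func NewEIDServer() *EIDServer {
	return &EIDServer{Pubs: map[string]*ecdsa.PublicKey{}, Whitelist: map[string]bool{}, Relation: map[[2]string]string{}, challenges: map[string]bool{}}
}

// IssueChallenge is step 802: a random value remembered for a single use.
func (s *EIDServer) IssueChallenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify is the server side of step 805/705: whitelist check before any further parsing, single-use
// challenge check against replay, then each signature checked with the key registered for its eID.
func (s *EIDServer) Verify(r VerificationRequest) ([]string, error) {
	if !s.Whitelist[r.AppID] {
		return nil, fmt.Errorf("app_id %q not in whitelist: request ignored", r.AppID)
	}
	key := hex.EncodeToString(r.Challenge)
	if !s.challenges[key] {
		return nil, fmt.Errorf("unknown or already used challenge")
	}
	delete(s.challenges, key) // a replayed request now fails the check above
	h := sha256.Sum256(originalData(r.ServiceData, r.FirstInfo, r.Challenge))
	var verified []string
	for eid, sig := range r.Signatures {
		pub, ok := s.Pubs[eid]
		if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
			return nil, fmt.Errorf("signature of %s did not verify", eid)
		}
		verified = append(verified, eid)
	}
	return verified, nil
}

// Association returns only the relationship between two verified holders, never their plaintext
// identity information (the FIG. 7 restriction); pairs are stored as (first user, second user).
func (s *EIDServer) Association(first, second string) (string, bool) {
	rel, ok := s.Relation[[2]string{first, second}]
	return rel, ok
}
```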
  • For the purpose of protecting user privacy, the solution may also be extended in the stage in which the service APP registers for the eID verification service, as follows:
  • When a service APP registers for and uses an eID authentication service (for example, eID login, eID age or electronic driver's license validity checking, or another eID service), the service APP proves its legitimacy to the eID client, the eID client authenticates it (for example, verifies the eID information of the service provider), and the service APP requests the eID client to open the identity information customization service, whereupon the eID client adds the service APP identifier to its whitelist.
  • After receiving a request from the service APP, the eID client checks whether the service APP is in its whitelist. If it is, step 803 is executed to sign the service data in the request.
  • FIG. 9 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention. FIG. 9 refines the terminal into a service application (also referred to as a service APP) and an eID client on the basis of FIG. and further shows the operation flow inside the terminal. Referring to FIG. 9, the method adopts a second communication path, in which the service APP obtains the signature through the eID client and then requests the eID server, through the service server, to perform identity authentication and provide the required identity information.
  • Compared with the method of FIG. 6, the method of FIG. 9 shows an embodiment employing the other communication path (that is, communication path 2). As shown in FIG. 9, the method of this embodiment includes:
  • Step 901: The service APP determines the required identity information identifier according to the service requirement.
  • Step 902: The service APP sends a request including the required identity information identifier to the eID client.
  • Step 903: The eID client obtains signature data, where the signature is generated by using the private key of the eID to perform a signature calculation on the required identity information identifier and the service data.
  • The calculation of the signature data can be performed in a security chip that stores related information such as the private key of the eID and the public key certificate. The security chip can be integrated in the terminal, for example as a Secure Element (SE), a Trusted Execution Environment (TEE) or even the System on Chip (SoC) of a terminal such as a mobile phone, in which case the eID client obtains the signature data generated by the security chip through an existing secure channel inside the terminal. Alternatively, the security chip can be a separate security device such as a bank card or a wearable device, in which case the eID client reads the signature data generated by the security chip through a connection technology such as NFC.
  • Step 904: The eID client sends the signature to the service APP.
  • Step 9051: The service APP sends a verification request to the service server, where the verification request includes the signature and the original data used to generate the signature, and is used to request identity verification of the signature.
  • Step 9052: The service server sends a verification request to the eID server, where the verification request includes the signature and the original data, and is used to request verification of the signature.
  • The information carried in the verification request described here may be the same as the information carried in the foregoing first message: the signature data may be the foregoing first electronic identity data, and the original data used to generate the signature may be the foregoing first information.
  • Step 906: The eID server verifies the signature and, after the verification succeeds, prepares the corresponding identity information according to the required identity information identifier.
  • The eID server first verifies the signature to confirm that it is legitimate. If it is, the eID server can obtain all the identity information registered for the eID and select the required identity information from it according to the required identity information identifier above.
  • Step 9071: The eID server sends the verification result, including the required identity information, to the service server.
  • Step 9072: The service server sends the verification result, including the required identity information, to the service APP.
  • Step 908: The service APP checks whether the required identity information meets the service requirement.
  • Step 909: When the service APP finds that the required identity information meets the service requirement, the service APP sends a service operation request to the service server.
  • the service APP obtains the signature through the eID client, and then directly sends the signature to the service server, so that the service server requests the eID server to perform verification. Provide the required identity information.
  • the above steps 902-904 are the interaction of the service APP with the eID card through the eID client, and the eID card can sign the required identity information identifier as part of the original data, or as a separate parameter outside the signature.
  • the above steps 9051-9072 are the interaction of the service APP with the eID server through the service server, and the required identity information identifier may be used as part of the signature original data in the verification request, or a parameter extended by the extension.
  • the Extension parameter field is a field defined by the standard "YD/T 3150-2016 Network Electronic Identity EID Authentication Service Interface Technical Requirements".
  • the identity information identifier is the same as that in the foregoing first communication path, and is not described here.
  • the service server forwards the required identity information to the service APP and the service APP performs the verification of the information, which is optional.
  • After the service server receives the required identity information provided by the eID server, it can directly check whether the service requirement is met, and then send the check result to the service APP, or directly perform the service operation.
  • Alternatively, the determination of the required identity information identifier is not performed by the service APP; that is, steps 901 and 903 in FIG. 9 are not performed as described above, and in step 903 only the signature is generated using the service data and then sent to the service server.
  • The service server determines the required identity information identifier according to the service requirement, attaches the determined identifier to the signature, and sends both to the eID server for verification, so that the eID server feeds back the required identity information.
  • In this case the required identity information identifier is not part of the signed original data but is sent directly to the server along with the signature.
  • FIG. 10 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • the method does not limit the adopted communication path, and the terminal may use the first communication path to obtain the required identity information.
  • the second communication path can also be used to obtain the required identity information.
  • After obtaining the required identity information, the terminal not only checks whether the required identity information meets the service requirement, but also obtains identity information input by the user (for example, identity information collected locally) and compares it with the required identity information to confirm whether the person and the card are unified (that is, whether the current user is the eID holder). The method includes:
  • Step 1001: The service server and/or the service APP determines the required identity information identifier according to the service requirement.
  • The required identity information identifier may be determined from the user-triggered service operation on the service APP side or the service server side (for example, the user selects the eID login mode when logging in to a website, confirms a payment, performs a voting operation, and so on).
  • Step 1002: The service APP collects the required identity information or a part thereof.
  • For example, an avatar photo.
  • step 1003 the service APP obtains the required identity information from the eID server.
  • the manner of obtaining is described in the foregoing embodiment.
  • The embodiment of the present invention can obtain the required identity information by using any one of the methods shown in FIG. 4 to FIG. 9, and details are not described herein.
  • Step 1004: The service APP compares the collected identity information with the required identity information provided by the eID server, and determines whether the person and the card are unified.
  • Alternatively, the service APP may send the collected identity information to the service server, and the service server compares the collected identity information with the required identity information provided by the eID server to determine whether the person and the card are unified.
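The selective-disclosure flow of steps 902-909 together with the person-and-card comparison of step 1004, as an added example that is not the patent's own code. It assumes a JSON encoding of the signed original data and models the eID card signature with an HMAC over a per-eID key registered at the eID server (a stand-in for the eID private-key signature and the server's public-key verification); the registry contents and the service requirement are constructed.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample registry: everything the eID server holds for one eID.
# The per-eID "key" stands in for the holder's registered public key.
EID_REGISTRY = {
    "eid-0001": {
        "key": b"constructed-per-eid-key-0001",
        "identity": {
            "name": "Alice Example",
            "gender": "F",
            "birth_date": "1990-05-17",
            "id_number": "CONSTRUCTED-ID-123456",
            "address": "1 Example Road",
            "photo_hash": hashlib.sha256(b"alice-photo").hexdigest(),
        },
    }
}


def photo_hash(image_bytes):
    # Fingerprint of a locally collected avatar photo (constructed stand-in
    # for real image matching).
    return hashlib.sha256(image_bytes).hexdigest()


def _original_data(service_data, required_ids):
    # Canonical encoding of the signed original data: the service data plus
    # the required identity information identifier (assumed format).
    payload = {"service_data": service_data, "required": sorted(required_ids)}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, data):
    # HMAC stands in for the eID private-key signature calculation.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def eid_card_sign(eid_id, service_data, required_ids):
    # Step 904: the eID card signs the service data together with the
    # required identity information identifier.
    key = EID_REGISTRY[eid_id]["key"]
    signature = _sign(key, _original_data(service_data, required_ids))
    return {"eid_id": eid_id, "service_data": service_data,
            "required": sorted(required_ids), "signature": signature}


def eid_server_verify(request):
    # Step 906: verify the signature first; only then select the requested
    # fields, so a tampered identifier never yields extra identity data.
    entry = EID_REGISTRY.get(request["eid_id"])
    if entry is None:
        return {"ok": False, "reason": "unknown eID"}
    expected = _sign(entry["key"],
                     _original_data(request["service_data"], request["required"]))
    if not hmac.compare_digest(expected, request["signature"]):
        return {"ok": False, "reason": "signature invalid"}
    unknown = [f for f in request["required"] if f not in entry["identity"]]
    if unknown:
        return {"ok": False, "reason": "unknown identity field: %s" % unknown}
    # Selective disclosure: only the required fields leave the server.
    return {"ok": True,
            "identity": {f: entry["identity"][f] for f in request["required"]}}


def adult_requirement(info, today=date(2024, 1, 1)):
    # Constructed service requirement: the holder must be at least 18.
    born = date.fromisoformat(info["birth_date"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age >= 18


def service_check(result, requirement):
    # Step 908: the service APP checks the returned identity information
    # against the service requirement.
    return bool(result["ok"]) and bool(requirement(result["identity"]))


def person_card_unified(result, collected_photo_hash):
    # Step 1004: compare the locally collected photo with the holder's photo
    # returned by the eID server.
    if not result["ok"]:
        return False
    return hmac.compare_digest(result["identity"].get("photo_hash", ""),
                               collected_photo_hash)
```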
  • FIG. 11 is a schematic diagram of another method for obtaining identity information according to an embodiment of the present invention.
  • The terminal may use the first communication path to obtain the required identity information, and the service APP or the service server checks whether the required identity information meets the service requirement and is consistent with the collected identity information. The method includes:
  • Step 1101: The service server and/or the service APP determines the required identity information identifier according to the service requirement.
  • The required identity information identifier may be determined from the user-triggered service operation on the service APP side or the service server side (for example, the user selects the eID login mode when logging in to a website, confirms a payment, performs a voting operation, and so on).
  • Step 1102: The service APP collects the required identity information or a part thereof.
  • For example, an avatar photo.
  • Step 1103 The service APP sends the collected identity information to the service server.
  • step 1104a the service APP sends a request to the eID client containing the required identity information identifier.
  • Step 1104b The eID client obtains signature data, where the signature data is generated by using a private key of the eID to perform signature calculation on the required identity information identifier and service data.
  • the eID client sends an authentication request to the eID server, including the signature data and the original data that generated the signature.
  • step 1104c the eID server verifies the signature, and after the verification succeeds, prepares corresponding identity information according to the required identity information identifier.
  • the eID server sends the verification result to the eID client, including the required identity information.
  • step 1104d the eID client sends a verification result to the service APP, including the required identity information.
  • steps 1104a-d are processes in which the service APP obtains the required identity information from the eID server.
  • step 1105 the service APP sends a verification result to the service server, including the required identity information.
  • Step 1106: The service server checks whether the required identity information meets the service requirement, and whether the required identity information is consistent with the collected identity information.
  • The embodiment of the present invention does not exclude other implementations. For example, the service APP side checks whether the required identity information meets the service requirement while the service server side checks whether the required identity information is consistent with the identity information collected by the terminal, or vice versa. As another example, the service APP sends the identity information collected by the terminal to the eID server in the extension parameter of the verification request for auxiliary verification; then, in one way, the eID server notifies the service APP of the auxiliary verification result and the service APP decides whether to allow the current service operation according to the auxiliary verification result and the verification result of the required identity information, and in the other way, the eID server decides according to the auxiliary verification result whether to provide the required identity information to the terminal.
  • The collected identity information may be biometric information of the current user, because the purpose is to check whether the current user and the holder of the eID card (the citizen the card actually represents) are the same person, and the terminal may collect the current user's avatar or other biometric information. For example, if an avatar is collected, image matching may be performed locally after the eID holder's photo provided by the eID server is received, or the image may be sent to the server and matched on the server side. As another example, a fingerprint is collected.
  • The hash value of the collected fingerprint may be encrypted (using the public key of the eID server) and transmitted to the eID server; after the eID server decrypts it (using the private key of the eID server), it matches the fingerprint hash value (because the Ministry of Public Security eID server side stores the citizen's biometric information such as fingerprints).
  • In the foregoing embodiments, the eID server provides the identity information required by each service according to the various service requirements, which lets the service provider check part of the user's identity information, but this alone does not really ensure that the person and the card are unified (that is, that the current eID user is the eID holder); it relies on the ideal assumption that the current eID user is the holder.
  • In offline services, a service provider (such as a physical store or a hotel) and the eID user often interact face to face. Therefore, the end user (such as a merchant or a traffic police officer) may manually check part of the identity information fed back by the eID server (such as photo, name, gender) to confirm that the person and the card are unified, for example by manually comparing the holder's photo returned by the eID server with the current user, or by receiving the name, age and other information returned by the eID server and then questioning the current user. But these checks must be done manually and cannot be automated.
  • The embodiments shown in FIG. 10 and FIG. 11 enable the terminal to automatically check whether the person and the card are unified.
  • In online services, the service provider and the user often cannot interact face to face. Therefore, even when the service provider (such as an online store) receives part of the identity information (such as photo, name, gender) fed back by the eID server, it cannot absolutely confirm that the person and the card are unified.
  • For example, the eID card used by the current user may not be his own, and the online merchant does not know this.
  • The embodiments shown in FIG. 10 and FIG. 11 can also enable the terminal to automatically check whether the person and the card are unified in this case.
  • The embodiments can be applied to both online and offline services.
  • For offline services, the terminal user is not required to manually verify the identity information provided by the eID server, and the terminal can perform the verification logic by itself.
  • Therefore, the embodiments of the present invention can not only meet the verification requirements of different services for different identity information, but also avoid the data redundancy and privacy leakage that may be caused by providing comprehensive and identical identity information in every service operation (that is, the provision of private information is minimized while identity authentication is achieved). In addition, it is more likely to ensure that the person and the card are unified (that is, that the current eID user is the eID holder).
  • The first electronic identity data is exemplified above by the calculated signature data, but it may be implemented in other manners. For example, the first electronic identity data may be an electronic identity identifier (such as a serial number or code that uniquely identifies the user) issued for the user by the electronic identity service provider (such as the authentication service provider) and stored in the secure chip, or the electronic identity identifier after encryption processing (such as encrypting it with the public key of the authentication server or with a symmetric key, so that the verification server can perform the corresponding decryption).
  • In that case the verification server may directly receive the electronic identity identifier, find all the identity information of the user corresponding to it, determine from all that identity information the identity information required by the service according to the first information received at the same time, and feed it back to the service provider.
  • It may be understood that, in order to implement the above functions, each network element, such as the terminal, includes corresponding hardware structures and/or software modules for performing each function.
  • the embodiments of the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present application.
  • The embodiment of the present invention may divide the terminal or the like into function modules according to the foregoing method example.
  • each function module may be divided according to each function, or two or more functions may be integrated into one processing module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules. It should be noted that the division of the module in the embodiment of the present invention is schematic, and is only a logical function division, and the actual implementation may have another division manner.
  • FIG. 12 shows a possible structural diagram of the terminal involved in the above embodiment.
  • the terminal 1200 includes a processing module 1202 and a communication module 1203.
  • the processing module 1202 is configured to control and manage the actions of the terminal.
  • The processing module 1202 is configured to support the terminal in performing the processes in FIG. 2A, FIG. 2B, FIG. 2C, and FIG. 4 to FIG. 11, and/or other processes of the technology described herein.
  • The communication module 1203 is configured to support communication between the terminal and other network entities, such as communication with an authentication server or a service server.
  • the terminal may further include a storage module 1201 for storing program codes and data of the terminal.
  • the terminal includes components such as a storage module 1201, a processing module 1202, a communication module 1203, an input module 1204, an output module 1205, and a peripheral module 1206.
  • The communication module 1203 is configured to send a first message, where the first message includes first electronic identity data and first information; the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and, when the identity verification of the electronic identity holder passes, the first information is used by the verification server to obtain, from all identity information of the electronic identity holder, the identity information required by the first service. The communication module 1203 is further configured to receive a second message, the second message including the required identity information or an identity information check result obtained based on the required identity information.
  • The processing module 1202 is configured to execute the first service when the required identity information meets the requirement for executing the first service, or when the identity information check result is yes.
  • The communication module 1203 sending the first message includes: sending the first message to a service server corresponding to the first service, where the first message further includes indication information, and the indication information is used to instruct the service server to send the first electronic identity data and the first information to the verification server.
  • The communication module 1203 receiving the second message includes: receiving the second message from the service server.
  • the terminal further includes:
  • An acquiring module (ie, the input module 1204), configured to acquire biometric information of the service requester of the first service;
  • the processing module 1202 is configured to execute the first service when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder.
  • The communication module 1203 is further configured to send biometric information of the service requester to a service server corresponding to the first service, where the biometric information of the service requester is used by the service server to compare the biometric information of the service requester with the biometric information in the required identity information, and to receive the result of the comparison from the service server.
  • the first information is the required identity information identifier; or the first information is a service application identifier that performs the first service and a service type identifier of the first service.
  • The processing module 1202 is configured to perform signature calculation on the service data of the first service by using the private key of the electronic identity holder to generate the first electronic identity data; or the communication module 1203 is further configured to acquire the first electronic identity data from a security device where the private key of the electronic identity holder is located, where the first electronic identity data is generated by the security device using the private key of the electronic identity holder to perform signature calculation on the service data of the first service.
  • Alternatively, the processing module 1202 is configured to perform signature calculation on the service data of the first service and the first information by using the private key of the electronic identity holder to generate the first electronic identity data; or the communication module 1203 is further configured to acquire the first electronic identity data from a security device where the private key of the electronic identity holder is located, where the first electronic identity data is generated by the security device using the private key of the electronic identity holder to perform signature calculation on the service data of the first service and the first information.
  • the processing module 1202 is further configured to determine an identity information identifier required by the first service.
  • the processing module 1202 is configured to determine an identity information identifier required by the first service, including:
  • the required identity information identifier is received by the communication module 1203 from a service server corresponding to the first service.
  • Before the communication module 1203 sends the first message, the communication module 1203 is further configured to send a third message to the service server corresponding to the first service, where the third message is used to request the service server to register the identity information customization service required by the first service with the verification server, and to receive a fourth message from the service server, where the fourth message is used to notify that the registration of the identity information customization service is successful.
  • The processing module 1202 is further configured to add a service application identifier of the first service to a whitelist and, after receiving the request of the first service, to determine that the whitelist includes the service application identifier of the first service.
  • Since the first message sent by the communication module 1203 includes not only the first electronic identity data but also the first information, on the one hand the verification server can verify, according to the first electronic identity data, the identity of the electronic identity holder corresponding to the first electronic identity data, and on the other hand, when the identity verification of the electronic identity holder passes, the verification server can obtain the required identity information from all identity information of the electronic identity holder according to the first information.
  • The communication module 1203 then receives the second message, the second message including the required identity information or the identity information check result.
  • Thus the terminal can obtain the required identity information at the same time as the identity authentication, and the service requester does not need to provide plaintext identity information to the service provider, which avoids the leakage of key private data and avoids the redundancy of non-essential information.
  • the processing module 1202 can be a processor or a controller.
  • the communication module 1203 may be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and may include one or more interfaces.
  • the storage module 1201 may be a memory.
  • FIG. 13 is a schematic structural diagram of a terminal according to an embodiment of the present disclosure.
  • A mobile phone is used as an example of the terminal.
  • FIG. 13 is a block diagram showing a partial structure of the mobile phone 1300 related to the embodiment of the present invention.
  • The mobile phone 1300 includes a radio frequency (RF) circuit 1310, a memory 1320, an input unit 1330, a display screen 1340, a sensor 1350, an audio circuit 1360, a WiFi (wireless fidelity) module 1370, a processor 1380, a power supply 1390, and other components.
  • the structure of the handset shown in FIG. 13 does not constitute a limitation to the handset, and may include more or less components than those illustrated, or some components may be combined, or different components may be arranged.
  • the components of the mobile phone 1300 are specifically described below with reference to FIG. 13:
  • The RF circuit 1310 can be used to receive and send signals during information transmission and reception; in particular, after receiving downlink information from the base station, it passes the information to the processor 1380 for processing, and it also sends uplink data to the base station.
  • RF circuits include, but are not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like.
  • RF circuitry 1310 can also communicate with the network and other devices via wireless communication.
  • The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Message Service (SMS), etc.
  • When the terminal interacts with the eID card through the eID client, the RF circuit 1310 may be involved, for example for NFC communication; of course, other methods that do not involve the RF circuit are also possible. The interaction between the terminal and the various servers also involves the RF circuit 1310, for example through the baseband module.
  • the memory 1320 can be used to store software programs and modules, and the processor 1380 executes various functional applications and data processing of the handset 1300 by running software programs and modules stored in the memory 1320.
  • The memory 1320 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, an application required for at least one function (such as a sound playing function or an image playing function), and the like, and the storage data area may store data (such as audio data or a phone book) created according to the use of the mobile phone 1300.
  • The memory 1320 may include volatile memory, such as non-volatile random access memory (NVRAM), phase change random access memory (PRAM), or magnetoresistive random access memory (MRAM).
  • The memory 1320 may further include a non-volatile memory, such as at least one disk storage device, an electrically erasable programmable read-only memory (EEPROM), a flash memory device (for example, NOR flash memory or NAND flash memory), or a semiconductor device such as a Solid State Disk (SSD).
  • the memory 620 can also include a combination of the above types of memory.
  • The service APP registration eID service phase may involve storage of data, such as whitelist storage and mapping table storage, and the data may be stored in the foregoing memory 1320.
  • the input unit 1330 can be configured to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the handset 1300.
  • the input unit 1330 may include a touch panel 1331 and other input devices 1332.
  • The touch panel 1331, also referred to as a touch screen, can collect touch operations performed by the user on or near it (such as operations performed by the user with a finger, a stylus, or the like on or near the touch panel 1331), and drive the corresponding connected device according to a preset program.
  • The touch panel 1331 may include two parts: a touch detection device and a touch controller.
  • The touch detection device detects the touch position of the user, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 1380, and can receive commands from the processor 1380 and execute them.
  • the input unit 1330 can implement the touch panel 1331 by using various types such as resistive, capacitive, infrared, and surface acoustic waves.
  • the input unit 1330 may further include other input devices 1332.
  • other input devices 1332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • the display 1340 can be used to display information entered by the user or information provided to the user as well as various menus of the handset 1300.
  • The display screen 1340 can include a display panel 1341.
  • the display panel 1341 can be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), or the like.
  • The touch panel 1331 may cover the display panel 1341. After the touch panel 1331 detects a touch operation on or near it, it transmits the operation to the processor 1380 to determine the type of the touch event, and then the processor 1380 provides a corresponding visual output on the display panel 1341 according to the type of the touch event.
  • Although in FIG. 13 the touch panel 1331 and the display panel 1341 are used as two independent components to implement the input and output functions of the mobile phone 1300, in some embodiments the touch panel 1331 and the display panel 1341 may be integrated to implement the input and output functions of the mobile phone 1300.
  • the display 1340 can be used to display content, including a user interface, such as a boot interface of the terminal, a user interface of the application.
  • the content may include information and data in addition to the user interface.
  • Display 640 can be a built-in screen of the terminal or other external display device.
  • the touch panel used by the input unit 1330 can also serve as the display panel of the display screen 1340.
  • the touch panel detects a touch or proximity gesture operation thereon, it is transmitted to the processor 1380 to determine the type of the touch event, and then the processor 1380 provides a corresponding visual output on the display panel according to the type of the touch event.
  • Although the input unit 1330 and the display screen 1340 are used as two independent components to implement the input and output functions of the terminal, in some embodiments the touch panel and the display panel may be integrated to implement the input and output functions of the terminal.
  • the handset 1300 can also include at least one type of sensor 1350, such as a light sensor, motion sensor, position sensor, and other sensors.
  • The light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor can acquire the brightness of the ambient light and adjust the brightness of the display panel 1341 accordingly, and the proximity sensor can turn off the display panel 1341 and/or the backlight when the mobile phone 1300 is moved to the ear.
  • the motion sensor includes an acceleration sensor that can detect the magnitude of acceleration in each direction (usually three axes), and can detect the magnitude and direction of gravity when stationary, and can be used to identify the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, Magnetometer attitude calibration), vibration recognition related functions (such as pedometer, tapping).
  • The position sensor can be used to acquire the geographic location coordinates of the terminal, which can be obtained through the Global Positioning System (GPS), the COMPASS system, the GLONASS system, the Galileo system (GALILEO), and so on.
  • the location sensor can also be located through a base station of a mobile operation network, a local area network such as Wi-Fi or Bluetooth, or a combination of the above-mentioned positioning methods, thereby obtaining more accurate mobile phone location information.
  • Other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor, and the like that can be configured in the mobile phone 1300 are not described herein.
  • Audio circuitry 1360, speaker 1361, and microphone 1362 can provide an audio interface between the user and handset 1300.
  • The audio circuit 1360 can convert received audio data into an electrical signal and transmit it to the speaker 1361, which converts it into a sound signal for output; on the other hand, the microphone 1362 converts the collected sound signal into an electrical signal, which the audio circuit 1360 receives and converts into audio data, and the audio data is then output to the processor 1380 for processing and sent, for example, to another mobile phone via the RF circuit 1310, or output to the memory 1320 for further processing.
  • WiFi is a short-range wireless transmission technology.
  • the mobile phone 1300 can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 1370, which provides users with wireless broadband Internet access.
  • Although FIG. 13 shows the WiFi module 1370, it can be understood that it does not belong to the essential configuration of the mobile phone 1300, and may be omitted as needed without changing the essence of the invention.
  • The processor 1380 is the control center of the handset 1300; it connects the various parts of the entire handset using various interfaces and lines, and performs the various functions and data processing of the mobile phone 1300 by running or executing software programs and/or modules stored in the memory 1320 and recalling data stored in the memory 1320, so as to monitor the mobile phone as a whole.
  • The processor 1380 can be a central processing unit (CPU), a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
  • the processor 1380 can implement or perform various exemplary logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor 1380 can also be a combination of computing functions, such as one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • processor 1380 can include one or more processor units.
  • the processor 1380 can also integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application, and the like, and the modem processor mainly processes wireless communications. It will be appreciated that the above described modem processor may also not be integrated into the processor 1380.
  • the processor 1380 can be used to perform the operations of the service APP and the eID client. For details, refer to the method embodiments described above.
  • the handset 1300 also includes a power source 1390 (such as a battery) that powers the various components.
  • the power source can be logically coupled to the processor 1380 via a power management system to enable management of charging, discharging, and power management functions through the power management system.
  • the mobile phone 1300 may further include a camera, a Bluetooth module, and the like, and details are not described herein.
  • the memory 1320 is configured to store program instructions.
  • the processor 1380 is configured to perform the following operations according to the program instructions stored in the memory 1320:
  • sending, through the communication interface 1310, a first message, where the first message includes first electronic identity data and first information, where the first electronic identity data is used by the verification server to verify the identity of the electronic identity holder corresponding to the first electronic identity data, and, when the identity verification of the electronic identity holder passes, the first information is used by the verification server to obtain, from all identity information of the electronic identity holder, the identity information required by the first service;
  • receiving, through the communication interface 1310, a second message, where the second message includes the required identity information or an identity information collation result obtained based on the required identity information.
  • After the processor 1380 performs the operation of receiving the second message through the communication interface 1310, the processor 1380 is further configured to perform the following operation according to the program instructions stored in the memory 1320:
  • executing the first service when the required identity information satisfies the requirement for executing the first service or the identity information collation result is yes.
  • The processor 1380 performing the operation of transmitting the first message through the communication interface 1310 includes:
  • sending, through the communication interface 1310, the first message to the service server corresponding to the first service, where the first message further includes indication information, and the indication information is used to instruct the service server to send it on to the verification server.
  • The processor 1380 performing the operation of receiving the second message through the communication interface 1310 includes:
  • the second message is received from the service server via the communication interface 1310.
  • processor 1380 is further configured to perform the following operations according to program instructions stored in the memory 1320:
  • the first service is executed.
  • Before the processor 1380 executes the first service, the processor 1380 is further configured to perform the following operation according to the program instructions stored in the memory 1320:
  • receiving the comparison result from the service server through the communication interface 1310.
  • the first information is the required identity information identifier; or the first information is a service application identifier that performs the first service and a service type identifier of the first service.
  • Before the processor 1380 performs the operation of transmitting the first message through the communication interface 1310, the processor 1380 is further configured to perform the following operation according to the program instructions stored in the memory 1320: determining the identity information identifier required by the first service.
  • The processor 1380 performing the operation of determining the identity information identifier required by the first service includes:
  • Before the processor 1380 performs the operation of transmitting the first message through the communication interface 1310, the processor 1380 is further configured to perform the following operations according to the program instructions stored in the memory 1320:
  • After the processor 1380 performs the operation of receiving the fourth message from the service server through the communication interface 1310, the processor 1380 is further configured to perform the following operation according to the program instructions stored in the memory 1320:
  • determining that the whitelist includes the service application identifier of the first service.
  • The first message sent through the communication interface 1310 includes not only the first electronic identity data but also the first information, so that, on the one hand, the verification server can verify the identity of the electronic identity holder according to the first electronic identity data and, on the other hand, when the identity verification of the electronic identity holder passes, the verification server can determine the required identity information from all the identity information of the electronic identity holder according to the first information. A second message is then received through the communication interface 1310, the second message including the required identity information or the identity information collation result.
  • In this way, the terminal obtains the required identity information at the same time as identity authentication; the service requester does not need to provide plaintext information to the service provider, which avoids leakage of key private data and avoids redundant non-essential information.
  • FIG. 14 is a schematic diagram of a communication apparatus according to an embodiment of the present disclosure.
  • the communication apparatus 1400 may be a chip, and the chip includes a processing unit and a communication unit.
  • the processing unit may be a processor 1410, which may be various types of processors as described above.
  • the communication unit may be, for example, an input/output interface 1420, a pin or a circuit, etc., and the communication unit may include or be coupled to a system bus.
  • the communication device further includes a storage unit, and the storage unit may be a memory 1430 inside the chip, such as a register, a cache, a random access memory (RAM), an EEPROM, or a FLASH.
  • the memory unit may also be a memory external to the chip, which may be various types of memory as described above.
  • the processor is coupled to the memory, and the processor can execute instructions stored in the memory to cause the communication device to perform the functions of the terminal in the method illustrated in Figures 2A, 2B, 2C, and 4 to 11 above.
  • FIG. 15 shows a possible structural diagram of the authentication server involved in the above embodiment.
  • the verification server 1500 includes a processing module 1502 and a communication module 1503.
  • the processing module 1502 is configured to control and manage the actions of the verification server.
  • the communication module 1503 is configured to receive a fifth message, where the fifth message includes first electronic identity data and first information;
  • the processing module 1502 is configured to verify, according to the first electronic identity data, an identity of an electronic identity holder corresponding to the first electronic identity data; when the identity verification of the electronic identity holder passes, according to the The information obtains the identity information required by the first service from all the identity information of the electronic identity holder;
  • the communication module 1503 is further configured to send a sixth message, where the sixth message includes the required identity information.
  • The communication module 1503 receiving the fifth message includes:
  • The communication module 1503 sending the sixth message includes:
  • Before the communication module 1503 sends the sixth message, the communication module 1503 is further configured to receive, from the terminal, biometric information of the service requester of the first service; the sixth message is sent when the biometric information of the service requester is consistent with the biometric information of the electronic identity holder.
  • the first information is the required identity information identifier; or the first information is a service application identifier that performs the first service and a service type identifier of the first service.
  • The first electronic identity data is signature data generated by signing the service data of the first service with the private key of the electronic identity holder; or the first electronic identity data is signature data generated by signing the service data of the first service together with the first information with the private key of the electronic identity holder;
  • The processing module 1502 verifying, according to the first electronic identity data, the identity of the electronic identity holder corresponding to the first electronic identity data includes:
  • verifying the signature data with the public key of the electronic identity holder to verify the identity of the electronic identity holder.
  • The processing module 1502 obtaining, according to the first information, the identity information required by the first service from all the identity information of the electronic identity holder includes:
  • when the first information is the service application identifier of the first service and the service type identifier of the first service, determining the required identity information identifier corresponding to the first service according to a pre-stored mapping table between service application identifiers and required identity information identifiers, and obtaining the required identity information from all the identity information of the electronic identity holder according to the required identity information identifier; or
  • when the first information is the required identity information identifier, obtaining the required identity information from all identity information of the electronic identity holder according to the required identity information identifier.
  • Before the communication module 1503 receives the fifth message, the communication module 1503 is further configured to receive a seventh message from the service server corresponding to the first service, where the seventh message includes information of the service provider of the first service and an identity information customization instruction;
  • the processing module 1502 is further configured to determine, according to the information of the service provider of the first service, that the service provider is legal, and to register the identity information customization service according to the identity information customization instruction;
  • the communication module 1503 is further configured to send an eighth message to the service server, where the eighth message is used to notify the service provider that the service provider is legal and the identity information customization service is successfully registered.
  • The seventh message further includes the service application identifier of the first service; after the processing module 1502 determines, according to the information of the service provider of the first service, that the service provider is legal, the processing module 1502 is further configured to add the service application identifier of the first service to a whitelist;
  • the processing module 1502 is further configured to determine that the whitelist includes the service application identifier of the first service.
  • The seventh message further includes the identity information identifier required by the first service; the processing module 1502 is further configured to save the required identity information identifier, corresponding to the service application identifier, in the mapping table.
  • The communication module 1503 is configured to receive the fifth message, where the fifth message includes the first electronic identity data and the first information; the processing module 1502 is configured to verify, according to the first electronic identity data, the identity of the electronic identity holder corresponding to the first electronic identity data and, when the identity verification of the electronic identity holder passes, to obtain, according to the first information, the identity information required by the first service from all identity information of the electronic identity holder; the communication module 1503 is further configured to send a sixth message, where the sixth message includes the required identity information.
  • In this way, the verification server can send the required identity information at the same time as identity authentication; the service requester does not need to provide plaintext information to the service provider, which avoids leakage of key private data and avoids redundant non-essential information.
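As an added example (not code from the patent or from the applicant), the terminal-side first message and the verification server's handling of the fifth/sixth and seventh/eighth messages described above, in Python. The toy RSA key pair, the licence-number legality check, the message field names and the sample identity records are constructed assumptions; the signature covers the service data together with the first information, which is the second of the two signing forms the text gives.

```python
import hashlib
import json

# Toy RSA key pair, constructed for this example. It stands in for the eID
# holder's real key pair, which on a real terminal lives in a secure element.
_P, _Q, _E = 65521, 65537, 11
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
HOLDER_PUBLIC_KEY = (_E, _N)
HOLDER_PRIVATE_KEY = (_D, _N)

def _digest(message: bytes) -> int:
    # Hash-then-sign; the reduction mod N is only needed for the toy key size.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % _N

def sign(private_key, message: bytes) -> int:
    d, n = private_key
    return pow(_digest(message), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest(message)

def _signed_payload(service_data: dict, first_information: dict) -> bytes:
    # The signature covers the service data AND the first information, so a relay
    # (for example the service server) cannot widen the requested identity fields.
    return json.dumps([service_data, first_information], sort_keys=True).encode()

def build_first_message(private_key, holder_id, app_id, service_data, first_information):
    """Terminal side: first electronic identity data plus first information."""
    signature = sign(private_key, _signed_payload(service_data, first_information))
    return {"holder_id": holder_id, "service_application_id": app_id,
            "electronic_identity_data": signature, "service_data": service_data,
            "first_information": first_information}

class VerificationServer:
    def __init__(self, holders: dict):
        # holders: holder id -> {"public_key": ..., "identity_information": {...}}
        self.holders = holders
        self.whitelist = set()      # service application identifiers found legal
        self.mapping_table = {}     # (app id, service type id) -> required identifiers

    def register_service(self, seventh_message: dict) -> dict:
        """Seventh/eighth message: a service provider customizes its identity needs."""
        # Constructed legality check: the provider must present a licence number.
        if not seventh_message["service_provider"].get("licence_number"):
            return {"legal": False, "registered": False}
        app_id = seventh_message["service_application_id"]
        self.whitelist.add(app_id)
        self.mapping_table[(app_id, seventh_message["service_type_id"])] = tuple(
            seventh_message["required_identity_information_ids"])
        return {"legal": True, "registered": True}

    def _required_identifiers(self, first_information: dict):
        # First information is either the identifiers themselves or the
        # (service application id, service type id) pair resolved via the table.
        if "required_identity_information_ids" in first_information:
            return tuple(first_information["required_identity_information_ids"])
        key = (first_information.get("service_application_id"),
               first_information.get("service_type_id"))
        return self.mapping_table.get(key)

    def handle_fifth_message(self, fifth_message: dict, expected: dict = None) -> dict:
        """Fifth/sixth message: verify the holder, then release only what is needed.
        With `expected`, the reply carries a yes/no collation result instead of plaintext."""
        if fifth_message["service_application_id"] not in self.whitelist:
            return {"status": "rejected", "reason": "service application not whitelisted"}
        holder = self.holders.get(fifth_message["holder_id"])
        first_information = fifth_message["first_information"]
        payload = _signed_payload(fifth_message["service_data"], first_information)
        if holder is None or not verify(holder["public_key"], payload,
                                        fifth_message["electronic_identity_data"]):
            return {"status": "rejected", "reason": "identity verification failed"}
        required = self._required_identifiers(first_information)
        if required is None:
            return {"status": "rejected", "reason": "no identity information customized"}
        full = holder["identity_information"]
        released = {k: full[k] for k in required if k in full}
        if expected is not None:   # collation: compare server-side, reveal only yes/no
            return {"status": "ok", "collation_result": all(
                released.get(k) == v for k, v in expected.items())}
        return {"status": "ok", "required_identity_information": released}
```

Fields the service never registered for (here the id number and address) are never released, and a first message whose first information is altered after signing fails verification.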
  • The processing module 1502 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication module 1503 may be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and may include one or more interfaces.
  • the storage module 1501 may be a memory.
  • the verification server may be the verification server shown in FIG. 16.
  • the verification server 1600 includes a processor 1602, a communication interface 1603, and a memory 1601.
  • the communication interface 1603, the processor 1602, and the memory 1601 may be connected to each other through a communication connection.
  • FIG. 17 is a schematic diagram of a communication device according to an embodiment of the present disclosure.
  • the communication device 1700 may be a chip, and the chip includes a processing unit and a communication unit.
  • the processing unit may be a processor 1710, which may be various types of processors as described above.
  • the communication unit may for example be an input/output interface 1720, a pin or a circuit, etc., which may comprise or be connected to a system bus.
  • the communication device further includes a storage unit, and the storage unit may be a memory 1730 inside the chip, such as a register, a cache, a random access memory (RAM), an EEPROM, or a FLASH.
  • the memory unit may also be a memory external to the chip, which may be various types of memory as described above.
  • the processor is coupled to the memory, and the processor can execute instructions stored in the memory to cause the communication device to perform the functions of the verification server in the method illustrated in Figures 4 through 11 above.
  • the present invention may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
  • The computer program product includes one or more computer instructions.
  • When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are produced in whole or in part.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • The computer instructions can be stored in a computer readable storage medium or transferred from one computer readable medium to another; for example, the computer instructions can be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (for example, infrared, radio, microwave).
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (eg, a solid state hard disk) or the like.


Abstract

Embodiments of the present invention relate to a method, a terminal and an authentication server for retrieving identity information. The method comprises the following steps: a terminal sends a first message, the first message comprising first electronic identity data and first information, the first electronic identity data being used by the authentication server to authenticate the identity of an electronic identity holder corresponding to the first electronic identity data, and, if the identity of the electronic identity holder is authenticated, the first information being used by the authentication server to retrieve the identity information required for a first service from all the identity information of the electronic identity holder; and the terminal receives a second message, the second message comprising the required identity information or an identity information verification result obtained on the basis of the required identity information. The embodiments of the present invention retrieve the identity information or the identity information verification result required for a service, thereby preventing leakage of critical private data or redundancy of unnecessary information caused by a user presenting an identity document, and thus improving the user experience.
PCT/CN2019/078502 2018-03-22 2019-03-18 Procédé, terminal et serveur d'authentification pour récupérer des informations d'identité WO2019179394A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810238350.XA CN110300083B (zh) 2018-03-22 2018-03-22 一种获取身份信息的方法、终端及验证服务器
CN201810238350.X 2018-03-22

Publications (1)

Publication Number Publication Date
WO2019179394A1 true WO2019179394A1 (fr) 2019-09-26

Family

ID=67986745

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/078502 WO2019179394A1 (fr) 2018-03-22 2019-03-18 Procédé, terminal et serveur d'authentification pour récupérer des informations d'identité

Country Status (2)

Country Link
CN (1) CN110300083B (fr)
WO (1) WO2019179394A1 (fr)

Also Published As

Publication number Publication date
CN110300083A (zh) 2019-10-01
CN110300083B (zh) 2021-02-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19771701

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19771701

Country of ref document: EP

Kind code of ref document: A1