CN110321682A - A kind of unified identity authentication method and device based on UAF and IBC - Google Patents


Info

Publication number
CN110321682A
Authority
CN
China
Prior art keywords
user
resource
identity
uaf
ibc
Prior art date
Legal status
Granted
Application number
CN201910614005.6A
Other languages
Chinese (zh)
Other versions
CN110321682B
Inventor
王栋
甄平
玄佳兴
王洪凯
方舟
刘俊艳
王俊生
薛真
周磊
Current Assignee
Guowang Xiongan Finance Technology Group Co ltd
State Grid Digital Technology Holdings Co ltd
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Guowang Xiongan Finance Technology Group Co Ltd
State Grid Agel Ecommerce Ltd
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Guowang Xiongan Finance Technology Group Co Ltd, State Grid Agel Ecommerce Ltd, State Grid Corp of China SGCC, State Grid Zhejiang Electric Power Co Ltd
Priority to CN201910614005.6A
Publication of CN110321682A
Application granted
Publication of CN110321682B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a unified identity authentication method and device based on UAF and IBC. The method comprises: authenticating the registered user identity through UAF and IBC, and, after user identity authentication is complete, executing the resource access flow through the OAuth protocol. The invention realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform, so that each business server no longer has to bind user accounts and public keys separately. Unified identity authentication is thereby achieved, and the security and efficiency of authentication are effectively improved.

Description

Unified identity authentication method and device based on UAF and IBC
Technical field
The present invention relates to the field of identity authentication technology, and in particular to a unified identity authentication method and device based on UAF (Universal Authentication Framework) and IBC (Identity-Based Cryptography).
Background technique
State Grid Corporation of China is currently vigorously building emerging electric power services such as "Online State Grid", covering a wide range of businesses including bill payment, electricity service handling and energy services. The existing static, closed identity management mechanism offers only a single mode of identity authentication and makes security risks hard to investigate. To strengthen the security of authentication for electric power services and reduce its cost, a new unified identity authentication and authorization scheme needs to be studied, so that the various electric power businesses reach the goal of "one credential for all services".
At present most business systems implement online user identity authentication with the "username + password" approach: the user first registers with the online service or website, the username and password are bound to the user account, and in each subsequent login the user only needs to present the username and password to complete online authentication. This mode of authentication has well-known problems: passwords are easily leaked, complex passwords are easily forgotten, and weak passwords are common.
To solve these problems the FIDO (Fast Identity Online) Alliance was established, with the aim of creating a set of open standard protocols for strong user authentication that eliminate or weaken the user's dependence on passwords. FIDO currently provides two protocols, UAF and U2F (Universal Second Factor). UAF achieves "password-free" strong user authentication, whereas U2F adds a second factor to strengthen an existing password-based mechanism. At registration, UAF binds the user's server-side account to the UAF device; during authentication the user then enters no password and only needs to complete verification on the UAF device by biometric recognition or a simple PIN to log in to the account. However, UAF requires the user to register at each server, binding the user account to a public key there, so it does not solve the problem of unified identity authentication: in particular, when user identity authentication involves multiple business systems or cross-domain access to multiple resources, the user must register and authenticate with each of them separately, which is inconvenient.
IBC uses the user's identity information directly as the public key and needs no digital certificate to bind the two, so it is very well suited to identity authentication. In IBC, the KGC (Key Generation Center) first generates a master public key and a master private key; the KGC then uses its own master key to generate a private key for each user from that user's identity information ID (for example a name, e-mail address or ID card number), and the user's ID serves as the public key, so user identity authentication can be realised very simply. IBC does, however, have a key update problem: if a user's private key is leaked, or the user needs to change ID, the self-certifying property of the identity is greatly weakened; alternatively, if the KGC replaces the master private key and master public key, the private keys of all users must be regenerated, which causes great inconvenience.
Therefore, how to carry out unified identity authentication more efficiently is an urgent problem to be solved.
Summary of the invention
In view of this, the present invention provides a unified identity authentication method based on UAF and IBC, which realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, thereby achieving unified identity authentication and effectively improving the security and efficiency of authentication.
The present invention provides a unified identity authentication method based on UAF and IBC, comprising:
authenticating the registered user identity through UAF and IBC;
after user identity authentication is complete, executing the resource access flow through the OAuth protocol.
Preferably, before the registered user identity is authenticated through UAF and IBC, the method further comprises:
registering the user identity.
Preferably, registering the user identity comprises:
the user terminal generates a user ID and sends the user ID to the unified authentication platform;
the unified authentication platform authenticates the user ID, generates a private key for the user from the master public key and master private key, and returns the private key to the user terminal for storage.
Preferably, authenticating the registered user identity through UAF and IBC comprises:
an application in the user terminal generates a resource access request and sends the resource access request to the resource server;
after receiving the resource access request, the resource server requires the user's identity to be authenticated by challenge-response;
the user terminal signs with the private key and sends the signature to the resource server;
the resource server verifies the received signature using the master public key of the unified authentication platform; once verification passes, user identity authentication is complete.
Preferably, executing the resource access flow through the OAuth protocol after user identity authentication is complete comprises:
the resource server sends an access authorization request to the authorization server;
after receiving the access authorization request, the authorization server looks up the access permissions of the user ID and issues a resource access token for the user;
after receiving the resource access token, the resource server sends the corresponding resource to the application in the user terminal.
A unified identity authentication device based on UAF and IBC, comprising:
a user identity authentication module, for authenticating the registered user identity through UAF and IBC;
a resource access authorization module, for executing the resource access flow through the OAuth protocol after user identity authentication is complete.
Preferably, the device further comprises:
a user identity registration module, for registering the user identity.
Preferably, the user identity registration module comprises a user terminal and a unified authentication platform, wherein:
the user terminal generates a user ID and sends the user ID to the unified authentication platform;
the unified authentication platform authenticates the user ID, generates a private key for the user from the master public key and master private key, and returns the private key to the user terminal for storage.
Preferably, the user identity authentication module comprises a resource server, wherein:
an application in the user terminal generates a resource access request and sends the resource access request to the resource server;
after receiving the resource access request, the resource server requires the user's identity to be authenticated by challenge-response;
the user terminal signs with the private key and sends the signature to the resource server;
the resource server verifies the received signature using the master public key of the unified authentication platform; once verification passes, user identity authentication is complete.
Preferably, the resource access authorization module comprises an authorization server, wherein:
the resource server sends an access authorization request to the authorization server;
after receiving the access authorization request, the authorization server looks up the access permissions of the user ID and issues a resource access token for the user;
after receiving the resource access token, the resource server sends the corresponding resource to the application in the user terminal.
In summary, the invention discloses a unified identity authentication method based on UAF and IBC: when unified identity authentication is required, the registered user identity is first authenticated through UAF and IBC, and after user identity authentication is complete the resource access flow is executed through the OAuth protocol. The invention realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, achieving unified identity authentication and effectively improving the security and efficiency of authentication.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment 1 of the unified identity authentication method based on UAF and IBC disclosed by the invention;
Fig. 2 is a flowchart of embodiment 2 of the unified identity authentication method based on UAF and IBC disclosed by the invention;
Fig. 3 is a flowchart of embodiment 3 of the unified identity authentication method based on UAF and IBC disclosed by the invention;
Fig. 4 is a structural schematic diagram of embodiment 1 of the unified identity authentication device based on UAF and IBC disclosed by the invention;
Fig. 5 is a structural schematic diagram of embodiment 2 of the unified identity authentication device based on UAF and IBC disclosed by the invention;
Fig. 6 is a structural schematic diagram of embodiment 3 of the unified identity authentication device based on UAF and IBC disclosed by the invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, which is a flowchart of embodiment 1 of the unified identity authentication method based on UAF and IBC disclosed by the invention, the method may comprise the following steps:
S101: authenticate the registered user identity through UAF and IBC;
When unified identity authentication is required, the registered user identity is first authenticated through UAF and IBC, where:
UAF is an open authentication protocol formulated by the FIDO Alliance that realises "password-free" strong identity authentication of the user. At registration, UAF binds the user's server-side account to the UAF device; in the authentication process the user then enters no password and only needs to complete verification on the UAF device by biometric recognition or a simple PIN code to log in to the account.
IBC was developed building on traditional PKI (Public Key Infrastructure), mainly to simplify the handling of large numbers of digital certificates in concrete security applications and make such applications easier to deploy and use. IBC is an asymmetric cryptosystem: encryption and decryption use two different keys, and each person's public key is simply their identity, such as an e-mail address or telephone number. The private key is held by the user in the form of data, key management is comparatively simple, and data can be encrypted and decrypted very conveniently. The basic techniques of IBC include data encryption, digital signatures, data integrity mechanisms, digital envelopes, user identification and user authentication.
In the process of authenticating the registered user identity through UAF and IBC, the IBC private key is protected by the UAF mechanism so that it cannot leak, and unified identity authentication is then realised through IBC.
S102: after user identity authentication is complete, execute the resource access flow through the OAuth protocol.
OAuth is an open authorization standard that allows a third party to obtain user resources by means of a temporary token provided by the service provider, with no need for the username and password; it is simple, open and secure.
In summary, in the above embodiment, when unified identity authentication is required the registered user identity is first authenticated through UAF and IBC, and after user identity authentication is complete the resource access flow is executed through the OAuth protocol. The invention realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, achieving unified identity authentication and effectively improving the security and efficiency of authentication.
As shown in Fig. 2, which is a flowchart of embodiment 2 of the unified identity authentication method based on UAF and IBC disclosed by the invention, the method may comprise the following steps:
S201: register the user identity;
When unified identity authentication is required, the user's initial ID information must first be registered, that is, the user identity is registered. The user ID may be the user's name, e-mail address, ID card number, etc.
S202: authenticate the registered user identity through UAF and IBC;
S203: after user identity authentication is complete, execute the resource access flow through the OAuth protocol.
In summary, in the above embodiment, when unified identity authentication is required the user identity is first registered, the registered user identity is then authenticated through UAF and IBC, and after user identity authentication is complete the resource access flow is executed through the OAuth protocol. The invention realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, achieving unified identity authentication and effectively improving the security and efficiency of authentication.
As shown in Fig. 3, which is a flowchart of embodiment 3 of the unified identity authentication method based on UAF and IBC disclosed by the invention, the method may comprise the following steps:
S301: the user terminal generates a user ID and sends the user ID to the unified authentication platform;
When unified identity authentication is required, the user first needs to register initial ID information. The initial ID may be the user's name, e-mail address, ID card number, etc., and the user ID is transmitted to the unified authentication platform.
S302: the unified authentication platform authenticates the user ID, generates a private key for the user from the master public key and master private key, and returns the private key to the user terminal for storage;
The unified authentication platform mainly plays the role of the KGC (Key Generation Center) of the IBC cryptosystem: after authenticating the user ID it generates the user's private key from the master public key and master private key and returns the generated private key to the user terminal, where the user stores it securely in the UAF device, completing the registration process. Because the KGC can derive every user's private key from the master private key, the platform must be trusted by all parties, and its master private key needs the strongest protection of any key in the system.
S303: an application in the user terminal generates a resource access request and sends the resource access request to the resource server;
When a third-party application in the user terminal (for example an app on the user's mobile phone) needs to access a resource on the application server on the user's behalf, the application in the user terminal generates a resource access request and sends it to the resource server.
S304: after receiving the resource access request, the resource server requires the user's identity to be authenticated by challenge-response;
After the resource server receives the resource access request, it requires the user's identity to be authenticated by challenge-response: it selects a random number N and requires the user to sign N with the private key. N must be freshly generated and unpredictable for each request, so that a signature captured earlier cannot be replayed.
S305: the user terminal signs with the private key and sends the signature to the resource server;
After the user receives the challenge number N, the UAF device is unlocked by a biometric such as a fingerprint, N is then signed with the private key, and the signature is sent to the resource server.
S306: the resource server verifies the received signature using the master public key of the unified authentication platform; once verification passes, user identity authentication is complete;
The resource server verifies the received user signature using the master public key of the unified authentication platform; once verification passes, user ID authentication is complete.
S307: the resource server sends an access authorization request to the authorization server;
After user ID authentication is complete, the resource server sends an access authorization request to the authorization server.
S308: after receiving the access authorization request, the authorization server looks up the access permissions of the user ID and issues a resource access token for the user;
The authorization server looks up the access permissions of the user ID and issues a resource access token for the user.
S309: after receiving the resource access token, the resource server sends the corresponding resource to the application in the user terminal.
After receiving the resource access token for the user ID, the resource server sends the corresponding resource to the third-party application, completing the whole authentication and authorization process.
In summary, the present invention proposes a unified identity authentication and authorization scheme based on UAF and IBC: "password-free" authentication is realised through UAF, and through IBC the user can authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, achieving unified identity authentication and improving its security and efficiency. In addition, the private key is stored in the UAF hardware device, which exposes only a signing function; the key is never used outside the hardware, which effectively improves the security of the IBC key and prevents private key leakage.
As shown in Fig. 4, which is a structural schematic diagram of embodiment 1 of the unified identity authentication device based on UAF and IBC disclosed by the invention, the device may comprise:
a user identity authentication module 401, for authenticating the registered user identity through UAF and IBC;
When unified identity authentication is required, the registered user identity is first authenticated through UAF and IBC, where:
UAF is an open authentication protocol formulated by the FIDO Alliance that realises "password-free" strong identity authentication of the user. At registration, UAF binds the user's server-side account to the UAF device; in the authentication process the user then enters no password and only needs to complete verification on the UAF device by biometric recognition or a simple PIN code to log in to the account.
IBC was developed building on traditional PKI (Public Key Infrastructure), mainly to simplify the handling of large numbers of digital certificates in concrete security applications and make such applications easier to deploy and use. IBC is an asymmetric cryptosystem: encryption and decryption use two different keys, and each person's public key is simply their identity, such as an e-mail address or telephone number. The private key is held by the user in the form of data, key management is comparatively simple, and data can be encrypted and decrypted very conveniently. The basic techniques of IBC include data encryption, digital signatures, data integrity mechanisms, digital envelopes, user identification and user authentication.
In the process of authenticating the registered user identity through UAF and IBC, the IBC private key is protected by the UAF mechanism so that it cannot leak, and unified identity authentication is then realised through IBC.
a resource access authorization module 402, for executing the resource access flow through the OAuth protocol after user identity authentication is complete.
OAuth is an open authorization standard that allows a third party to obtain user resources by means of a temporary token provided by the service provider, with no need for the username and password; it is simple, open and secure.
In summary, in the above embodiment, when unified identity authentication is required the registered user identity is first authenticated through UAF and IBC, and after user identity authentication is complete the resource access flow is executed through the OAuth protocol. The invention realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, achieving unified identity authentication and effectively improving the security and efficiency of authentication.
As shown in Fig. 5, which is a structural schematic diagram of embodiment 2 of the unified identity authentication device based on UAF and IBC disclosed by the invention, the device may comprise:
a user identity registration module 501, for registering the user identity;
When unified identity authentication is required, the user's initial ID information must first be registered, that is, the user identity is registered. The user ID may be the user's name, e-mail address, ID card number, etc.
a user identity authentication module 502, for authenticating the registered user identity through UAF and IBC;
a resource access authorization module 503, for executing the resource access flow through the OAuth protocol after user identity authentication is complete.
In summary, in the above embodiment, when unified identity authentication is required the user identity is first registered, the registered user identity is then authenticated through UAF and IBC, and after user identity authentication is complete the resource access flow is executed through the OAuth protocol. The invention realises "password-free" authentication through UAF and, through IBC, lets the user authenticate via a unified authentication platform without each business server binding user accounts and public keys separately, achieving unified identity authentication and effectively improving the security and efficiency of authentication.
As shown in FIG. 6, a structural schematic diagram of embodiment 3 of the unified identity authentication device based on UAF and IBC disclosed by the invention, the device may include a user terminal 601, a unified authentication platform 602, a resource server 603 and an authorization server 604, wherein:
The user terminal 601 generates a user ID and sends the user ID to the unified authentication platform 602;
When unified identity authentication is required, the user first has to register initial ID information, where the initial ID may be the user's name, e-mail address, identity card number, etc., and the user ID is transmitted to the unified authentication platform.
The unified authentication platform 602 authenticates the user ID, generates a private key for the user from the master public key and the master private key, and returns the private key to the user terminal 601 for storage;
The unified authentication platform mainly plays the role of the key generation center (KGC) of the IBC cryptosystem: after authenticating the user ID, it generates the user's private key from the master public key and the master private key and returns the generated private key to the user terminal, where the user stores it securely in the UAF device, completing the registration process.
An application in the user terminal 601 generates a resource access request and sends the resource access request to the resource server 603;
When a third-party application in the user terminal (such as an app on the user's mobile phone) needs to access a resource on the application server on behalf of the user, the application in the user terminal generates a resource access request and sends it to the resource server.
After receiving the resource access request, the resource server 603 requires the user's identity to be authenticated by a challenge-response mechanism;
After the resource server receives the resource access request, it requires the user's identity to be authenticated by challenge-response, i.e., it selects a random number N and requires the user to sign N with the private key.
The user terminal 601 signs with the private key and sends the signature information to the resource server 603;
After the user receives the challenge number N, the UAF device is unlocked by a biometric feature such as a fingerprint, N is signed with the private key, and the signature information is then sent to the resource server.
The resource server 603 verifies the received signature information using the master public key of the unified authentication platform 602; once verification passes, user identity authentication is complete;
The resource server then verifies the received user signature information with the master public key of the unified authentication platform; once verification passes, authentication of the user ID is complete.
The resource server 603 sends an access authorization request to the authorization server 604;
After completing authentication of the user ID, the resource server sends an access authorization request to the authorization server.
After receiving the access authorization request, the authorization server 604 queries the access rights of the user ID and issues a resource access token for the user;
The authorization server issues a resource access token for the user according to the access rights found for the user ID.
After receiving the resource access token, the resource server 603 sends the corresponding resource to the application in the user terminal 601.
After receiving the resource access permission for the user ID, the resource server sends the corresponding resource to the third-party application, completing the entire authentication and authorization process.
In conclusion the present invention is based on UAF and IBC to propose a kind of unified authentication mandated program, realized by UAF The certification of " no password " realizes that user can be distinguished by unification authentication platform authenticating identity without each service server by IBC User bound account and public key realize unified authentication, improve the safety and efficiency of certification.In addition, private key is deposited Storage is only realized signature function in inside, will not be used outside hardware, to effectively improve IBC key in UAF hardware device Safety, it is therefore prevented that private key leakage.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A unified identity authentication method based on UAF and IBC, characterized by comprising:
authenticating a registered user identity by UAF and IBC;
after completing user identity authentication, executing a resource access process by the OAuth protocol.
2. The method according to claim 1, characterized in that, before authenticating the registered user identity by UAF and IBC, the method further comprises:
registering the user identity.
3. The method according to claim 2, characterized in that registering the user identity comprises:
a user terminal generating a user ID and sending the user ID to a unified authentication platform;
the unified authentication platform authenticating the user ID, generating a private key for the user from a master public key and a master private key, and returning the private key to the user terminal for storage.
4. The method according to claim 3, characterized in that authenticating the registered user identity by UAF and IBC comprises:
an application in the user terminal generating a resource access request and sending the resource access request to a resource server;
the resource server, after receiving the resource access request, requiring the user's identity to be authenticated by a challenge-response mechanism;
the user terminal signing with the private key and sending signature information to the resource server;
the resource server verifying the received signature information with the master public key of the unified authentication platform and, once verification passes, completing user identity authentication.
5. The method according to claim 4, characterized in that executing the resource access process by the OAuth protocol after completing user identity authentication comprises:
the resource server sending an access authorization request to an authorization server;
the authorization server, after receiving the access authorization request, querying the access rights of the user ID and issuing a resource access token for the user;
the resource server, after receiving the resource access token, sending the corresponding resource to the application in the user terminal.
6. A unified identity authentication device based on UAF and IBC, characterized by comprising:
a user identity authentication module, for authenticating a registered user identity by UAF and IBC;
a resource access authorization module, for executing a resource access process by the OAuth protocol after completing user identity authentication.
7. The device according to claim 6, characterized by further comprising:
a user identity registration module, for registering the user identity.
8. The device according to claim 7, characterized in that the user identity registration module comprises a user terminal and a unified authentication platform, wherein:
the user terminal generates a user ID and sends the user ID to the unified authentication platform;
the unified authentication platform authenticates the user ID, generates a private key for the user from a master public key and a master private key, and returns the private key to the user terminal for storage.
9. The device according to claim 8, characterized in that the user identity authentication module comprises a resource server, wherein:
an application in the user terminal generates a resource access request and sends the resource access request to the resource server;
the resource server, after receiving the resource access request, requires the user's identity to be authenticated by a challenge-response mechanism;
the user terminal signs with the private key and sends signature information to the resource server;
the resource server verifies the received signature information with the master public key of the unified authentication platform and, once verification passes, user identity authentication is complete.
10. The device according to claim 9, characterized in that the resource access authorization module comprises an authorization server, wherein:
the resource server sends an access authorization request to the authorization server;
the authorization server, after receiving the access authorization request, queries the access rights of the user ID and issues a resource access token for the user;
the resource server, after receiving the resource access token, sends the corresponding resource to the application in the user terminal.
Priority Applications (1)

Application Number: CN201910614005.6A (CN110321682B, en); Priority Date: 2019-07-08; Filing Date: 2019-07-08; Title: Unified identity authentication method and device based on UAF (Universal authentication framework) and IBC (identity based communication)

Applications Claiming Priority (1)

Application Number: CN201910614005.6A (CN110321682B, en); Priority Date: 2019-07-08; Filing Date: 2019-07-08; Title: Unified identity authentication method and device based on UAF (Universal authentication framework) and IBC (identity based communication)

Publications (2)

Publication Number: CN110321682A (en); Publication Date: 2019-10-11
Publication Number: CN110321682B (en); Publication Date: 2021-10-22

Family

Family ID: 68121472

Family Applications (1)

Application Number: CN201910614005.6A (Active, CN110321682B, en); Priority Date: 2019-07-08; Filing Date: 2019-07-08; Title: Unified identity authentication method and device based on UAF (Universal authentication framework) and IBC (identity based communication)

Country Status (1)

CN (1): CN110321682B (en)

Cited By (3)

* Cited by examiner, † Cited by third party

CN110784395A * (priority 2019-11-04, published 2020-02-11), 航天信息股份有限公司: Mail safety login method and system based on FIDO authentication
CN111245870A * (priority 2020-04-26, published 2020-06-05), 国网电子商务有限公司: Identity authentication method based on mobile terminal and related device
CN113099448A * (priority 2019-12-20, published 2021-07-09), 北京紫光青藤微***有限公司: Terminal identity authentication method suitable for high-capacity SIM card

Citations (6)

* Cited by examiner, † Cited by third party

CN105827571A * (priority 2015-01-06, published 2016-08-03), 华为技术有限公司: UAF (Universal Authentication Framework) protocol based multi-modal biological characteristic authentication method and equipment
CN107454077A * (priority 2017-08-01, published 2017-12-08), 北京迪曼森科技有限公司: A single sign-on method based on IKI identity authentication
US20180254909A1 * (priority 2017-03-06, published 2018-09-06), Lamark Solutions, Inc.: Virtual Identity Credential Issuance and Verification Using Physical and Virtual Means
CN108900309A * (priority 2018-05-17, published 2018-11-27), 北京岸思信息科技有限公司: An authentication method and authentication system
CN109347857A * (priority 2018-11-14, published 2019-02-15), 天津市国瑞数码安全***股份有限公司: A general cross-network authentication method based on identity
CN109815666A * (priority 2018-12-26, published 2019-05-28), 航天信息股份有限公司: Identity authentication method, device, storage medium and electronic equipment based on the FIDO protocol

Patent Citations (6)

The six patent citations are the same documents as listed under Citations above.

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party

李梁磊 et al. *: "An open authorization method based on the FIDO UAF architecture" (一种基于FIDO UAF架构的开放授权方法), 《信息网络安全》


Also Published As

Publication number Publication date
CN110321682B (en) 2021-10-22


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
CP03: Change of name, title or address
Address after: 100032 room 8018, 8 / F, building 7, Guangyi street, Xicheng District, Beijing
Patentees after: State Grid Digital Technology Holdings Co.,Ltd.; Guowang Xiongan Finance Technology Group Co.,Ltd.; STATE GRID ZHEJIANG ELECTRIC POWER Co.,Ltd.; STATE GRID CORPORATION OF CHINA
Address before: 311 guanganmennei street, Xicheng District, Beijing 100053
Patentees before: STATE GRID ELECTRONIC COMMERCE Co.,Ltd.; Guowang Xiongan Finance Technology Group Co.,Ltd.; STATE GRID ZHEJIANG ELECTRIC POWER Co.,Ltd.; STATE GRID CORPORATION OF CHINA