CN111371762B - Identity authentication method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111371762B
Authority
CN
China
Prior art keywords
website
account information
server
public key
storage system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010120858.7A
Other languages
Chinese (zh)
Other versions
CN111371762A (en)
Inventor
刘文印
吴鸿文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong University of Technology
Priority to CN202010120858.7A
Publication of CN111371762A
Application granted
Publication of CN111371762B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an identity authentication method, an identity authentication device, an electronic device and a computer readable storage medium, wherein the method comprises the following steps: acquiring a random character string from a server of a website, requesting account information corresponding to the website from a distributed storage system, encrypting the account information by using a public key of the website, and uploading the encrypted account information to the distributed storage system again; receiving a first hash value corresponding to the encrypted account information sent by the distributed storage system, encrypting the first hash value by using the random character string and broadcasting the first hash value to the server by using a decentralized message protocol, so that the server can acquire the encrypted account information from the distributed storage system based on the first hash value and verify the encrypted account information; and receiving the verification result sent by the server. The identity authentication method provided by the application improves the security of identity authentication.

Description

Identity authentication method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an identity authentication method and apparatus, an electronic device, and a computer-readable storage medium.
Background
With the development of the internet, users hold more and more network identities, and the traditional login mode of entering a user name and password faces serious network security problems such as password fatigue, phishing and credential stuffing, so the safe and effective management of users' network identities has become a valuable research direction in today's highly networked society.
In the OAuth2.0 mechanism, an authorization server issues a token to a third-party application over http/https, and the third-party application holding the token requests the resource from the resource server through a call interface. This process can give rise to CSRF vulnerabilities, replay attacks, man-in-the-middle attacks, and the like.
Therefore, how to improve the security of the identity authentication is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an identity authentication method, an identity authentication device, an electronic device and a computer readable storage medium, and the security of identity authentication is improved.
In order to achieve the above object, the present application provides an identity authentication method, including:
acquiring a random character string from a server of a website, requesting account information corresponding to the website from a distributed storage system, encrypting the account information by using a public key of the website, and uploading the encrypted account information to the distributed storage system again;
receiving a first hash value corresponding to the encrypted account information sent by the distributed storage system, encrypting the first hash value by using the random character string and broadcasting the first hash value to the server based on a decentralized message protocol, so that the server can acquire the encrypted account information from the distributed storage system based on the first hash value and verify the encrypted account information;
and receiving the verification result sent by the server.
The acquiring a random character string from a server corresponding to a website, requesting account information corresponding to the website from a distributed storage system, encrypting the account information by using a public key of the website, and uploading the encrypted account information to the distributed storage system again includes:
acquiring a domain name and a random character string of a website from a server corresponding to the website; the website is a website which is registered in an authoritative node, and the authoritative node writes the corresponding relation between the domain name of the website which is registered and the public key into an intelligent contract;
requesting account information corresponding to the website from a distributed storage system, and acquiring a public key of the website from the intelligent contract by using the domain name;
and the public key is used for encrypting the account information and then uploading the account information to the distributed storage system again.
The method further includes:
after receiving a password modification command, packaging a target domain name of a target website corresponding to the password modification command, original account information and modified target account information into password modification information;
encrypting the modified password information by using a target public key corresponding to the target domain name in the intelligent contract and broadcasting the modified password information to a server of the target website based on a decentralized message protocol so that the server of the target website modifies the original account information into the target account information after verifying the target domain name and the original account information;
and receiving modification confirmation information sent by the server of the target website.
The method further includes:
acquiring user information through an input interface, encrypting the user information by using a public key of the client, and uploading the encrypted user information to the distributed storage system;
receiving a second hash value corresponding to the encrypted user information sent by the distributed storage system, signing the second hash value by using a private key of the client, and broadcasting the second hash value to the authoritative node based on a decentralized message protocol, so that the authoritative node performs signature verification by using a public key of the client and writes the second hash value into an intelligent contract;
and receiving a verification result of the authoritative node on the user information.
The method further includes:
acquiring the domain name of the website and account information for logging in the website through an input interface, and generating a public key and a private key of the client;
encrypting binding information by using a public key of the website and broadcasting the binding information to the server based on a decentralized message protocol so that the server can write the corresponding relation between the account information and the domain name into the intelligent contract by using the authoritative node after the account information is verified; wherein the binding information includes the account information, the public key of the client, and the domain name;
and receiving the binding result sent by the authority node.
Wherein the decentralized message protocol comprises a whisper protocol.
In order to achieve the above object, the present application provides an authentication apparatus, comprising:
the acquisition module is used for acquiring the random character string from a server of a website, requesting account information corresponding to the website from a distributed storage system, encrypting the account information by using a public key of the website and then uploading the encrypted account information to the distributed storage system again;
the first broadcast module is used for receiving a first hash value corresponding to the encrypted account information sent by the distributed storage system, encrypting the first hash value by using the random character string and broadcasting the first hash value to the server based on a decentralized message protocol, so that the server can acquire the encrypted account information from the distributed storage system based on the first hash value and verify the encrypted account information;
and the first receiving module is used for receiving the verification result sent by the server.
The apparatus further includes:
the generating module is used for acquiring the domain name of the website and the account information for logging in the website through an input interface, and generating a public key and a private key of the client;
the second broadcasting module is used for encrypting the binding information by using the public key of the website and broadcasting the binding information to the server based on a decentralized message protocol so that the server can write the corresponding relation between the account information and the domain name into the intelligent contract by using the authoritative node after the account information is verified to be passed; wherein the binding information includes the account information, the public key of the client, and the domain name;
and the second receiving module is used for receiving the binding result sent by the authority node.
To achieve the above object, the present application provides an electronic device including:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method as described above when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium having stored thereon a computer program, which when executed by a processor, performs the steps of the authentication method as described above.
According to the scheme, the identity authentication method provided by the application comprises the following steps: acquiring a random character string from a server of a website, requesting account information corresponding to the website from a distributed storage system, encrypting the account information by using a public key of the website, and uploading the encrypted account information to the distributed storage system again; receiving a first hash value corresponding to the encrypted account information sent by the distributed storage system, encrypting the first hash value by using the random character string and broadcasting the first hash value to the server based on a decentralized message protocol, so that the server can acquire the encrypted account information from the distributed storage system based on the first hash value and verify the encrypted account information; and receiving the verification result sent by the server.
According to the identity authentication method, the distributed storage system that stores the account information is a decentralized system, so there is no single point of failure. By using a decentralized message protocol in place of http/https, a website connected to the blockchain network can be better protected. The client encrypts the account information with the public key of the website and, compared with OAuth2.0, no longer needs to implement a callback interface, thereby thoroughly avoiding CSRF vulnerabilities, replay attacks and man-in-the-middle attacks and improving the security of identity verification. The application also discloses an identity authentication device, an electronic device and a computer readable storage medium, which achieve the same technical effects.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a flow chart illustrating a method of identity verification in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating another method of identity verification in accordance with an exemplary embodiment;
FIG. 3 is a flow diagram illustrating a method of modifying a password in accordance with an exemplary embodiment;
FIG. 4 is a flow diagram illustrating a method of uploading user information in accordance with an example embodiment;
FIG. 5 is a flow diagram illustrating a user binding method in accordance with an exemplary embodiment;
FIG. 6 is a block diagram illustrating an authentication device in accordance with one exemplary embodiment;
FIG. 7 is a block diagram illustrating an electronic device in accordance with an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application discloses an identity authentication method, which improves the security of identity authentication.
Referring to fig. 1, which shows a flowchart of an authentication method according to an exemplary embodiment, the method includes:
S101: acquiring a random character string from a server of a website, requesting account information corresponding to the website from a distributed storage system, encrypting the account information by using a public key of the website, and uploading the encrypted account information to the distributed storage system again;
The execution subject of this embodiment is a client in which a third-party application that needs to use a server resource of a website is installed, and the purpose is to authenticate that third-party application. In this step, the website generates a random character string as the topic which, as shown in fig. 2, may be displayed in a browser in the form of a QR code; the user scans the QR code with the client to obtain the domain name and topic of the website. The client requests the account information corresponding to the website from the decentralized distributed storage system; the specific form of the distributed storage system is not limited in this embodiment, and IPFS (InterPlanetary File System), Swarm (a decentralized distributed storage mechanism based on Ethereum) or the like may be used. After the client obtains the account information, it encrypts it with the public key of the website and uploads the ciphertext to the distributed storage system again.
It should be noted that the client may use the domain name of the website to find the public key of the website from the smart contract. Namely, the step can comprise: acquiring a domain name and a random character string of a website from a server corresponding to the website; the website is a website which is registered in an authoritative node, and the authoritative node writes the corresponding relation between the domain name of the website which is registered and the public key into an intelligent contract; requesting account information corresponding to the website from a distributed storage system, and acquiring a public key of the website from the intelligent contract by using the domain name; and the public key is used for encrypting the account information and then uploading the account information to the distributed storage system again.
In specific implementation, a website accessing a blockchain network needs to be registered, that is, a corresponding blockchain node is allocated to the website in the blockchain network, a corresponding relationship between a domain name of the registered website and a public key is stored in an intelligent contract, an authority node in the blockchain network uploads the corresponding registered website, and at least three authority nodes need to be initialized in the blockchain network.
During the registration process of the website, the server of the website generates a pair of public and private keys and broadcasts registration information whose content includes the public key and the domain name, for example www.a.com. After receiving the registration information, the authority node generates a random character string and a random file name for the domain name and forwards them to the website. The random file name is used to determine that the domain name really belongs to the website: the website server writes the random character string into a file with that name in its server directory, where the authority node can access it; for example, if the random file name is abc.txt, then 30 seconds after receiving the registration information the authority node accesses https://www.a.com/abc.txt and checks whether its content is consistent with the random character string it issued in the second step. If so, the domain name and the public key of the website are written into the smart contract, where one domain name corresponds to one public key address.
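The registration check described above is a domain-validation step: the authority node only trusts a domain/key pair once the site has served a string the node chose, under a file name the node chose. The following Go program is an added example, not code from the patent; it assumes Ed25519 keys for the website, an in-memory stand-in for the HTTPS fetch (a real node would use net/http), a plain map in place of the smart contract, and it omits the 30-second wait. The "already registered" guard is how this example enforces the one-domain-one-key rule the passage states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Registration is what the website broadcasts: its public key and its domain name.
type Registration struct {
	Domain string
	Pub    ed25519.PublicKey
}

// Challenge is the authority node's reply: a random string and the random file
// name under which the site must serve it.
type Challenge struct {
	Domain, FileName, Value string
}

// Fetcher abstracts the authority node's retrieval of https://<domain>/<file>.
type Fetcher interface {
	Fetch(domain, file string) (string, error)
}

// MemorySite is a constructed stand-in for a website's document root, keyed by domain/file.
type MemorySite map[string]string

func (m MemorySite) Fetch(domain, file string) (string, error) {
	body, ok := m[domain+"/"+file]
	if !ok {
		return "", fmt.Errorf("https://%s/%s: not found", domain, file)
	}
	return body, nil
}

// Contract stands in for the smart contract: one domain name maps to one public key.
type Contract map[string]ed25519.PublicKey

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // never returns an error on current Go
	return fmt.Sprintf("%x", b)
}

// IssueChallenge is the authority node's second step: answer a registration with a
// fresh random string and a random file name bound to that domain.
func IssueChallenge(reg Registration) Challenge {
	return Challenge{Domain: reg.Domain, FileName: randomHex(8) + ".txt", Value: randomHex(16)}
}

// ConfirmRegistration is the authority node's check after the waiting period: fetch
// the file and write the domain/key pair only if the content matches what was issued.
func (c Contract) ConfirmRegistration(f Fetcher, reg Registration, ch Challenge) error {
	if ch.Domain != reg.Domain {
		return fmt.Errorf("challenge was issued for %s, not %s", ch.Domain, reg.Domain)
	}
	if _, taken := c[reg.Domain]; taken {
		return fmt.Errorf("%s is already registered", reg.Domain) // one domain, one key
	}
	body, err := f.Fetch(reg.Domain, ch.FileName)
	if err != nil {
		return err
	}
	if strings.TrimSpace(body) != ch.Value { // tolerate a trailing newline in the file
		return fmt.Errorf("%s/%s does not contain the issued random string", reg.Domain, ch.FileName)
	}
	c[reg.Domain] = reg.Pub
	return nil
}

// RunRegistration walks www.a.com through the flow. When serveFile is false the
// site never wrote the challenge file, which is exactly what the check must reject.
func RunRegistration(serveFile bool) (Contract, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg := Registration{Domain: "www.a.com", Pub: pub}
	ch := IssueChallenge(reg)
	site := MemorySite{}
	if serveFile {
		site[reg.Domain+"/"+ch.FileName] = ch.Value + "\n" // the site writes the string into the file
	}
	contract := Contract{}
	return contract, contract.ConfirmRegistration(site, reg, ch)
}

func main() {
	c, err := RunRegistration(true)
	fmt.Println("registered domains:", len(c), "error:", err)
	c, err = RunRegistration(false)
	fmt.Println("registered domains:", len(c), "error:", err)
}
```

The check that matters for defenders is that the node, not the registrant, chooses both the file name and its content, so a registrant cannot reuse a file it already controls on someone else's domain; the node-side domain comparison also stops a challenge issued for one domain from being redeemed for another.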
S102: receiving a first hash value corresponding to the encrypted account information sent by the distributed storage system, encrypting the first hash value by using the random character string and broadcasting the first hash value to the server based on a decentralized message protocol, so that the server can acquire the encrypted account information from the distributed storage system based on the first hash value and verify the encrypted account information;
In this step, after receiving the encrypted account information, the distributed storage system returns a hash value corresponding to the ciphertext, that is, the first hash value of this step; the specific form of the hash value is not limited in this embodiment. The client encrypts the first hash value with the random character string and broadcasts it based on a decentralized message protocol, and only a server holding the same random character string can decrypt it. To further improve security, before broadcasting the client may also sign the hash value with its private key, so that even if the password and user name are stolen by an attacker, the attacker cannot complete the login without the user's private-key signature. After obtaining the first hash value, the server of the website obtains the encrypted account information from the distributed storage system and decrypts and verifies it with the website's private key.
The decentralized message protocol may include Ethereum's Whisper, Bitmessage, and the like; compared with http/https, a decentralized message protocol better protects websites connected to the blockchain network. The client encrypts the account information with the public key of the website and, compared with OAuth2.0, no longer needs to implement a callback interface, thereby thoroughly avoiding CSRF vulnerabilities, replay attacks and man-in-the-middle attacks and improving the security of identity verification.
S103: and receiving the verification result sent by the server.
In this step, the server may return a verification result to the browser or the client after verifying the account information.
According to the identity authentication method provided by the embodiment of the application, the distributed storage system that stores the account information is a decentralized system, so there is no single point of failure. By using a decentralized message protocol in place of http/https, a website connected to the blockchain network can be better protected. The client encrypts the account information with the public key of the website and, compared with OAuth2.0, no longer needs to implement a callback interface, thereby thoroughly avoiding CSRF vulnerabilities, replay attacks and man-in-the-middle attacks and improving the security of identity verification.
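The login flow of S101 to S103 can be exercised end to end in a few dozen lines. The Go program below is an added example, not code from the patent: it assumes RSA-OAEP for the "encrypt with the website's public key" step, AES-GCM under a key derived from the random character string for the "encrypt the first hash with the topic" step, and an in-memory content-addressed map standing in for IPFS or Swarm. The account record, topic and credentials are constructed sample data; the optional client signature from the passage is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// ContentStore stands in for IPFS/Swarm: content-addressed, every upload is answered with its SHA-256.
type ContentStore map[string][]byte

func (s ContentStore) Put(data []byte) string {
	id := fmt.Sprintf("%x", sha256.Sum256(data))
	s[id] = data
	return id
}

// topicAEAD derives an AES-GCM key from the random character string ("topic") the
// website issued for this login; only a party holding the same topic can derive it.
func topicAEAD(topic string) cipher.AEAD {
	k := sha256.Sum256([]byte("login-topic-key:" + topic))
	block, _ := aes.NewCipher(k[:]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealWithTopic builds the S102 broadcast: the first hash encrypted under the topic key, nonce prepended.
func sealWithTopic(topic string, plaintext []byte) []byte {
	gcm := topicAEAD(topic)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // never returns an error on current Go
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func openWithTopic(topic string, msg []byte) ([]byte, error) {
	gcm := topicAEAD(topic)
	if len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed broadcast")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// S101: the client encrypts the account information under the website's public key and uploads it.
func ClientUpload(store ContentStore, sitePub *rsa.PublicKey, account []byte) string {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, account, []byte("account-info"))
	if err != nil {
		panic(err)
	}
	return store.Put(ct)
}

// ServerVerify is the website's side of S102: recover the hash with its own copy of
// the topic, fetch the ciphertext, check it hashes to the announced id, decrypt, verify.
func ServerVerify(store ContentStore, priv *rsa.PrivateKey, topic string, accounts map[string]string, broadcast []byte) (bool, error) {
	id, err := openWithTopic(topic, broadcast)
	if err != nil {
		return false, fmt.Errorf("not for this login topic: %w", err)
	}
	ct, ok := store[string(id)]
	if !ok || fmt.Sprintf("%x", sha256.Sum256(ct)) != string(id) {
		return false, fmt.Errorf("announced hash has no matching content in storage")
	}
	account, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte("account-info"))
	if err != nil {
		return false, err
	}
	user, pass, found := strings.Cut(string(account), ":")
	expected, known := accounts[user]
	return found && known && subtle.ConstantTimeCompare([]byte(expected), []byte(pass)) == 1, nil
}

// RunLogin wires S101-S103 together; with a wrong topic the server cannot even recover the first hash.
func RunLogin(useWrongTopic bool) (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	topic := make([]byte, 16)
	rand.Read(topic)
	siteTopic := fmt.Sprintf("%x", topic)
	accounts := map[string]string{"alice": "correct horse battery staple"} // constructed
	store := ContentStore{}
	firstHash := ClientUpload(store, &priv.PublicKey, []byte("alice:correct horse battery staple"))
	clientTopic := siteTopic
	if useWrongTopic {
		clientTopic = "stale-or-guessed-topic" // a topic the website never issued
	}
	return ServerVerify(store, priv, siteTopic, accounts, sealWithTopic(clientTopic, []byte(firstHash)))
}

func main() {
	fmt.Println(RunLogin(false))
	fmt.Println(RunLogin(true))
}
```

Two details are worth noticing: the server re-hashes what it fetched and compares with the announced id, so a storage node cannot substitute a different ciphertext; and because the topic key is derived only from the per-login random string, a broadcast built for an old topic fails authentication outright rather than decrypting to garbage.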
The present embodiment will describe in detail the process of modifying a password, specifically, as shown in fig. 3, the process includes:
S201: after receiving a password modification command, packaging a target domain name of a target website corresponding to the password modification command, original account information and modified target account information into password modification information;
In this embodiment, the user may modify the password of a registered website. Specifically, the user selects at the client the target website whose password is to be modified and enters the new password; the client encapsulates the user name and the new password for the target website into target account information, and encapsulates the target domain name of the target website, the original account information and the target account information into password modification information.
S202: encrypting the modified password information by using a target public key corresponding to the target domain name in the intelligent contract and broadcasting the modified password information to a server of the target website based on a decentralized message protocol so that the server of the target website modifies the original account information into the target account information after verifying the target domain name and the original account information;
S203: and receiving modification confirmation information sent by the server of the target website.
In specific implementation, the client obtains the target public key corresponding to the target website from the smart contract according to the target domain name, encrypts the password modification information with the target public key and broadcasts it based on a decentralized message protocol. After receiving the ciphertext, the server of the target website decrypts the password modification information with its private key and verifies the original account information it contains; if the original account information is confirmed, it updates the password and broadcasts modification confirmation information, which may include the target domain name, the user name on the target website and the public key of the client, signed with the private key of the website.
In this embodiment, a detailed description will be given of a process of uploading user information to a distributed storage system by a client, specifically, as shown in fig. 4, the process includes:
S301: acquiring the user information through an input interface, encrypting the user information by using a public key of the client, and uploading the encrypted user information to the distributed storage system; the user information comprises account information for logging in the website;
In this embodiment, the user can upload user information through the client. Compared with a conventional authorization mechanism, in which information such as the user's name, gender and avatar can be obtained after verification succeeds and is stored on a centralized node, this ensures the safety of the user information. In this step, the user enters the user information in the client, and the client encrypts it with the client's public key and uploads the ciphertext to the distributed storage system.
S302: receiving a second hash value corresponding to the encrypted user information sent by the distributed storage system, signing the second hash value by using a private key of the client, and broadcasting the second hash value to the authoritative node based on a decentralized message protocol, so that the authoritative node performs signature verification by using a public key of the client and writes the second hash value into an intelligent contract;
S303: and receiving a verification result of the authoritative node on the user information.
In a specific implementation, the distributed storage system returns a hash value corresponding to the ciphertext, i.e., the second hash value in this step, after receiving the encrypted user information. The client signs the second hash value by using a private key of the client and broadcasts the second hash value, the authoritative node receives the broadcast information and then performs signature verification by using a public key of the client, and the second hash value is written into the intelligent contract after the verification is passed and a verification result is returned to the client.
This embodiment describes the user binding process in detail. As shown in Fig. 5, the process includes:
S401: acquiring the domain name of the website and the account information for logging in to the website through an input interface, and generating a public key and a private key for the client;
In this embodiment the user enters in the client the domain name of the website and the account information for logging in to it, which may include a user name and a password. The client looks up the website's public key in the smart contract by the domain name and generates its own public and private key pair.
S402: encrypting the binding information with the website's public key and broadcasting it to the server over the decentralized message protocol, so that after the server has verified the account information it has the authoritative node write the correspondence between the account information and the domain name into the smart contract; the binding information includes the account information, the client's public key and the domain name;
S403: receiving the binding result sent by the authoritative node.
In a specific implementation, the client packages the account information entered by the user, the client's public key and the website's domain name into the binding information, encrypts it with the website's public key and broadcasts it over the decentralized message protocol. The website's server decrypts the binding information with its private key and verifies the account information it contains. If verification passes, the server broadcasts a message with the topic 'user_bind_confirm', signed with the website's private key, whose content is the website's domain name, the user name and the client's public key. On receiving the 'user_bind_confirm' message, the authoritative node verifies the signature with the website's public key; once it passes, the node records the relationship between the user and the website in the smart contract, that is, writes the correspondence between the account information and the domain name into the smart contract, and broadcasts a binding-success message. Because the binding information is encrypted to the website key registered in the smart contract, only the genuine server can read the account information, and because the confirmation must carry the website's signature, no other node can create a binding for that domain.
The identity authentication apparatus provided in the embodiments of the present application is introduced below; the apparatus described below and the identity authentication method described above may be referred to each other.
Referring to Fig. 6, a block diagram of an identity authentication apparatus according to an exemplary embodiment is shown. As shown in Fig. 6, the apparatus includes:
an obtaining module 601, configured to obtain a random character string from a server of a website, request the account information corresponding to the website from the distributed storage system, encrypt the account information with the website's public key, and re-upload the encrypted account information to the distributed storage system;
a first broadcast module 602, configured to receive the first hash value, corresponding to the encrypted account information, sent by the distributed storage system, encrypt the first hash value with the random character string and broadcast it to the server over the decentralized message protocol, so that the server retrieves the encrypted account information from the distributed storage system by the first hash value and verifies it;
a first receiving module 603, configured to receive the verification result sent by the server.
In the identity authentication apparatus provided by this embodiment, the distributed storage system holding the account information is decentralized, so there is no single point of failure. Using a decentralized message protocol in place of HTTP/HTTPS gives better protection to websites connected to the blockchain network. The client encrypts the account information to the website's public key and, unlike with OAuth 2.0, no longer has to implement a callback interface, which removes the CSRF vulnerabilities, replay attacks and man-in-the-middle attacks that such an interface exposes and improves the security of identity authentication.
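The binding flow (S401 to S403) and the login flow of modules 601 to 603, simulated end to end in one process as an added example; this is illustration code written for this page, not code from the patent or its applicant. Its assumptions: a 512-bit textbook RSA key pair stands in for the unspecified public-key scheme (insecure, chosen only to keep the block self-contained); the dictionaries SITE_KEYS, BINDINGS and BLOBS stand in for the smart contract state and the distributed storage; XOR with a SHA-256 keystream derived from the random character string stands in for "encrypting the first hash value with the random character string"; the domain example.test and the account alice are constructed sample data. Two checks the page implies but does not spell out are made explicit: the server accepts each random character string exactly once, so a replayed login message is rejected, and the store re-checks fetched content against the hash that addresses it.

```python
# Added example (not code from the patent or its applicant): toy in-process simulation
# of the binding (S401-S403) and login (modules 601-603) flows.  Textbook RSA stands in
# for the unspecified public-key scheme; it shows the message flow and is NOT secure.
import hashlib, json, secrets

SITE_KEYS, BINDINGS, BLOBS = {}, set(), {}   # "smart contract" state and the content-addressed store

def _is_probable_prime(n, rounds=16):        # Miller-Rabin, adequate for toy key sizes
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def rsa_keypair(bits=512):                   # returns ((e, n), (d, n)); 512-bit toy modulus
    def prime(k):                            # random odd full-length candidates until one passes
        while True:
            p = secrets.randbits(k) | (1 << (k - 1)) | 1
            if _is_probable_prime(p):
                return p
    e, p, q = 65537, prime(bits // 2), prime(bits // 2)
    while p == q or (p - 1) * (q - 1) % e == 0:   # e is prime, so this enforces gcd(e, phi) == 1
        q = prime(bits // 2)
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def rsa_encrypt(pub, data):                  # chunked textbook RSA; a 0x01 marker keeps leading zero bytes
    size = (pub[1].bit_length() - 1) // 8    # bytes per chunk guaranteed to stay below n
    return [pow(int.from_bytes(b"\x01" + data[i:i + size - 1], "big"), *pub)
            for i in range(0, len(data), size - 1)]

def rsa_decrypt(priv, blocks):
    size = (priv[1].bit_length() - 1) // 8
    return b"".join(m[m.index(1) + 1:] for m in (pow(c, *priv).to_bytes(size, "big") for c in blocks))

def rsa_sign(priv, data):                    # sign/verify operate on sha256(data)
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), *priv)
def rsa_verify(pub, data, sig):
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(data).digest(), "big")
def canon(obj):                              # canonical JSON bytes for encrypting and signing
    return json.dumps(obj, sort_keys=True).encode()
def mask(data, nonce):                       # "encrypt the first hash with the random string"
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(nonce.encode()).digest()))

def store_put(blob):                         # content-addressed: the returned hash is the address
    h = hashlib.sha256(blob).hexdigest()
    BLOBS[h] = blob
    return h

def store_get(h):                            # re-check fetched content against its address
    blob = BLOBS[h]
    if hashlib.sha256(blob).hexdigest() != h:
        raise ValueError("content does not match its hash")
    return blob

def authority_on_bind_confirm(msg):          # authoritative node: verify with the site's on-chain key
    body, site_pub = msg["body"], SITE_KEYS.get(msg["body"]["domain"])
    if not site_pub or not rsa_verify(site_pub, canon(body), msg["sig"]):
        return False
    BINDINGS.add((body["user"], body["domain"]))
    return True

class WebsiteServer:
    def __init__(self, domain, accounts):
        self.domain, self.accounts, self.nonces = domain, accounts, set()
        self.pub, self.priv = rsa_keypair()
        SITE_KEYS[domain] = self.pub         # registration: domain -> public key written on-chain
    def challenge(self):                     # the random character string handed to the client
        self.nonces.add(nonce := secrets.token_hex(16))
        return nonce
    def on_bind(self, blocks):               # binding request, encrypted to the website's key
        info = json.loads(rsa_decrypt(self.priv, blocks))
        if info["domain"] != self.domain or self.accounts.get(info["user"]) != info["password"]:
            return False
        body = {"domain": self.domain, "user": info["user"], "client_pub": info["client_pub"]}
        return authority_on_bind_confirm({"body": body, "sig": rsa_sign(self.priv, canon(body))})
    def on_login(self, nonce, masked_hash):  # login message: first hash masked with the challenge
        if nonce not in self.nonces:
            return False                     # unknown or already used challenge: a replay stops here
        self.nonces.discard(nonce)
        blob = store_get(mask(masked_hash, nonce).hex())   # unmask the first hash and fetch by it
        info = json.loads(rsa_decrypt(self.priv, json.loads(blob)))
        return (info["domain"] == self.domain and (info["user"], self.domain) in BINDINGS
                and self.accounts.get(info["user"]) == info["password"])

def client_bind(server, user, password):     # S401-S403: new client key pair, binding info to the site key
    client_pub, _ = rsa_keypair()
    info = {"domain": server.domain, "user": user, "password": password, "client_pub": client_pub}
    return server.on_bind(rsa_encrypt(SITE_KEYS[server.domain], canon(info)))

def client_login(server, user, password):    # modules 601-603: upload ciphertext, send masked first hash
    nonce = server.challenge()
    info = {"domain": server.domain, "user": user, "password": password}
    first_hash = store_put(canon(rsa_encrypt(SITE_KEYS[server.domain], canon(info))))
    return server.on_login(nonce, mask(bytes.fromhex(first_hash), nonce))
```

client_bind() must succeed before client_login(): a login for an account with no on-chain (user, domain) binding fails even with the correct password, and a user_bind_confirm message that does not carry the website's signature is refused by authority_on_bind_confirm(), so a node other than the registered server cannot create a binding.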
On the basis of the foregoing embodiment, as a preferred implementation, the obtaining module 601 includes:
an acquisition unit, configured to acquire the domain name of the website and a random character string from the server corresponding to the website; the website is one registered with the authoritative node, which has written the correspondence between the domain name of the registered website and its public key into the smart contract;
a request unit, configured to request the account information corresponding to the website from the distributed storage system and to obtain the website's public key from the smart contract by the domain name;
an uploading unit, configured to encrypt the account information with the public key and re-upload the encrypted account information to the distributed storage system.
On the basis of the above embodiment, as a preferred implementation, the apparatus further includes:
a generating module, configured to acquire the domain name of the website and the account information for logging in to the website through an input interface, and to generate a public key and a private key for the client;
a second broadcast module, configured to encrypt the binding information with the website's public key and broadcast it to the server over the decentralized message protocol, so that after the server has verified the account information it has the authoritative node write the correspondence between the account information and the domain name into the smart contract; the binding information includes the account information, the client's public key and the domain name;
a second receiving module, configured to receive the binding result sent by the authoritative node.
On the basis of the above embodiment, as a preferred implementation, the apparatus further includes:
a packaging module, configured, on receiving a password modification command, to package the target domain name of the target website to which the command refers, the original account information and the modified target account information into password modification information;
a third broadcast module, configured to encrypt the password modification information with the target public key that corresponds to the target domain name in the smart contract and broadcast it to the server of the target website over the decentralized message protocol, so that the server of the target website replaces the original account information with the target account information after verifying the target domain name and the original account information;
a third receiving module, configured to receive the modification confirmation sent by the server of the target website.
On the basis of the above embodiment, as a preferred implementation, the apparatus further includes:
an uploading module, configured to acquire user information through an input interface, encrypt it with the client's public key and upload the encrypted user information to the distributed storage system;
a fourth broadcast module, configured to receive the second hash value, corresponding to the encrypted user information, sent by the distributed storage system, sign the second hash value with the client's private key and broadcast it to the authoritative node over the decentralized message protocol, so that the authoritative node verifies the signature with the client's public key and writes the second hash value into the smart contract;
a fourth receiving module, configured to receive the authoritative node's verification result for the user information.
For the apparatus in the above embodiment, the specific manner in which each module performs its operation has been described in detail in the embodiment of the method and is not elaborated here.
The present application further provides an electronic device. Referring to Fig. 7, a structural diagram of an electronic device 700 provided in an embodiment of the present application, the electronic device 700 may include a processor 11 and a memory 12, and may also include one or more of a multimedia component 13, an input/output (I/O) interface 14 and a communication component 15.
The processor 11 is configured to control the overall operation of the electronic device 700 so as to complete all or part of the steps of the identity authentication method above. The memory 12 stores the various types of data that support operation of the electronic device 700, such as the instructions of any application or method running on it and application-related data, for example contact data, transmitted and received messages, pictures, audio and video. The memory 12 may be implemented by any type of volatile or non-volatile memory device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The multimedia component 13 may include a screen and an audio component; the screen may be, for example, a touch screen, and the audio component outputs and/or inputs audio signals. For example, the audio component may include a microphone for receiving external audio signals, which may be stored in the memory 12 or transmitted via the communication component 15, and at least one speaker for outputting audio signals. The I/O interface 14 provides an interface between the processor 11 and other interface modules such as a keyboard, a mouse or buttons, which may be virtual or physical. The communication component 15 handles wired or wireless communication between the electronic device 700 and other devices; the wireless communication may be Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G or 4G, or a combination of them, so the communication component 15 may accordingly include a Wi-Fi module, a Bluetooth module or an NFC module.
In an exemplary embodiment, the electronic device 700 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for performing the identity authentication method described above.
In another exemplary embodiment, a computer-readable storage medium is also provided, comprising program instructions which, when executed by a processor, implement the steps of the identity authentication method described above. For example, the computer-readable storage medium may be the memory 12 above, which contains program instructions executable by the processor 11 of the electronic device 700 to perform that method.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (9)

1. An identity authentication method, applied to a client, comprising:
acquiring a random character string from a server of a website, requesting the account information corresponding to the website from a distributed storage system, encrypting the account information with the website's public key, and re-uploading the encrypted account information to the distributed storage system;
receiving a first hash value, corresponding to the encrypted account information, sent by the distributed storage system, encrypting the first hash value with the random character string and broadcasting it to the server over a decentralized message protocol, so that the server retrieves the encrypted account information from the distributed storage system by the first hash value and verifies it;
receiving a verification result sent by the server;
wherein acquiring the random character string from the server corresponding to the website, requesting the account information corresponding to the website from the distributed storage system, encrypting the account information with the website's public key and re-uploading the encrypted account information to the distributed storage system comprises:
acquiring the domain name of the website and the random character string from the server corresponding to the website; the website being one registered with an authoritative node, which has written the correspondence between the domain name of the registered website and its public key into a smart contract;
requesting the account information corresponding to the website from the distributed storage system, and obtaining the website's public key from the smart contract by the domain name;
encrypting the account information with the public key and re-uploading the encrypted account information to the distributed storage system.
2. The identity authentication method of claim 1, further comprising:
after receiving a password modification command, packaging the target domain name of the target website to which the command refers, the original account information and the modified target account information into password modification information;
encrypting the password modification information with the target public key that corresponds to the target domain name in the smart contract and broadcasting it to the server of the target website over the decentralized message protocol, so that the server of the target website replaces the original account information with the target account information after verifying the target domain name and the original account information;
receiving modification confirmation information sent by the server of the target website.
3. The identity authentication method of claim 1, further comprising:
acquiring user information through an input interface, encrypting the user information with the client's public key, and uploading the encrypted user information to the distributed storage system;
receiving a second hash value, corresponding to the encrypted user information, sent by the distributed storage system, signing the second hash value with the client's private key, and broadcasting it to the authoritative node over the decentralized message protocol, so that the authoritative node verifies the signature with the client's public key and writes the second hash value into the smart contract;
receiving the authoritative node's verification result for the user information.
4. The identity authentication method of claim 1, further comprising:
acquiring the domain name of the website and account information for logging in to the website through an input interface, and generating a public key and a private key for the client;
encrypting binding information with the website's public key and broadcasting it to the server over the decentralized message protocol, so that after the server has verified the account information it has the authoritative node write the correspondence between the account information and the domain name into the smart contract; the binding information comprising the account information, the client's public key and the domain name;
receiving the binding result sent by the authoritative node.
5. The identity authentication method of claim 1, wherein the decentralized message protocol comprises the Whisper protocol.
6. An identity authentication apparatus, applied to a client, comprising:
an obtaining module, configured to obtain a random character string from a server of a website, request the account information corresponding to the website from a distributed storage system, encrypt the account information with the website's public key, and re-upload the encrypted account information to the distributed storage system;
a first broadcast module, configured to receive a first hash value, corresponding to the encrypted account information, sent by the distributed storage system, encrypt the first hash value with the random character string and broadcast it to the server over a decentralized message protocol, so that the server retrieves the encrypted account information from the distributed storage system by the first hash value and verifies it;
a first receiving module, configured to receive the verification result sent by the server;
wherein the obtaining module comprises:
an acquisition unit, configured to acquire the domain name of the website and the random character string from the server corresponding to the website; the website being one registered with an authoritative node, which has written the correspondence between the domain name of the registered website and its public key into a smart contract;
a request unit, configured to request the account information corresponding to the website from the distributed storage system and to obtain the website's public key from the smart contract by the domain name;
an uploading unit, configured to encrypt the account information with the public key and re-upload the encrypted account information to the distributed storage system.
7. The identity authentication apparatus of claim 6, further comprising:
a generating module, configured to acquire the domain name of the website and the account information for logging in to the website through an input interface, and to generate a public key and a private key for the client;
a second broadcast module, configured to encrypt the binding information with the website's public key and broadcast it to the server over the decentralized message protocol, so that after the server has verified the account information it has the authoritative node write the correspondence between the account information and the domain name into the smart contract; the binding information comprising the account information, the client's public key and the domain name;
a second receiving module, configured to receive the binding result sent by the authoritative node.
8. An electronic device, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of the identity authentication method according to any one of claims 1 to 5 when executing the computer program.
9. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the identity authentication method according to any one of claims 1 to 5.

Publications (2)

Publication Number Publication Date
CN111371762A 2020-07-03
CN111371762B 2021-03-16


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422132B (en) * 2022-03-29 2022-08-26 天聚地合(苏州)科技股份有限公司 Account login method and system based on block chain

Citations (3)

Publication number Priority date Publication date Assignee Title
CN207442908U * 2017-11-16 2018-06-01 Guangdong University of Technology Network identity authentication device and logger
CN109598663A * 2018-11-16 2019-04-09 Alibaba Group Holding Limited Method and device for providing and obtaining secure identity information
CN109815684A * 2019-01-30 2019-05-28 Guangdong University of Technology Identity authentication method, system, server and storage medium

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US9521130B2 * 2012-09-25 2016-12-13 Virnetx, Inc. User authenticated encrypted communication link
CN103679436B * 2013-12-17 2018-08-14 Chongqing University of Posts and Telecommunications Electronic contract security system and method based on biometric identification
US10333705B2 * 2016-04-30 2019-06-25 Civic Technologies, Inc. Methods and apparatus for providing attestation of information using a centralized or distributed ledger
CN106453271B * 2016-09-21 2019-05-03 Jiangsu Tongfudun Technology Co., Ltd. Identity registration method and system, identity authentication method and system


Non-Patent Citations (1)

Title
"登录易 (Login Easy): secure authentication and management mechanisms promote online identity security"; Liu Wenyin et al.; China High-Tech (中国高新科技); 2019-02-01; full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant