CN115065559B - Identity authentication system, method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN115065559B
Application number: CN202210974735.9A
Authority: CN (China)
Prior art keywords: identity, authentication, session identifier, identifier, information
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN115065559A (en)
Inventors: 孔剑平, 胡楠, 王琪, 李炳博
Current assignee: Zhejiang Weipian Technology Co ltd; Zhejiang Nanometer Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Zhejiang Weipian Technology Co ltd; Zhejiang Nanometer Technology Co ltd

Events
Application filed by Zhejiang Weipian Technology Co ltd and Zhejiang Nanometer Technology Co ltd
Priority to CN202210974735.9A
Publication of CN115065559A
Application granted
Publication of CN115065559B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides an identity authentication system, method and device, electronic equipment and storage medium. The client device acquires and displays a session identifier and the access address of the authentication device, and polls the authentication device according to the session identifier; the proxy device sends the session identifier and its own identity identifier to the authentication device at the access address; the authentication device obtains the public key corresponding to the identity identifier and encrypts the original information with that public key to generate encrypted information; the proxy device decrypts the encrypted information with the private key corresponding to the identity identifier to obtain plaintext information, and sends the plaintext information together with the session identifier to the authentication device; when the original information corresponding to the session identifier matches the returned plaintext information, the authentication device sets the polling result of the session identifier to successful authentication of the identity identifier; the client device then enters the logged-in state corresponding to that identity identifier. In this way, the degree of data centralization and the risk of data leakage are reduced.

Description

Identity authentication system, method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to an identity authentication system, method, apparatus, electronic device, and storage medium.
Background
To maintain data security, a user needs to be authenticated when accessing data. In conventional centralized identity management systems, the identity information of every user is maintained by the centralized identity management system.
Specifically, the user registers with the centralized identity management system in advance. When a verifier needs to verify the identity of the user, the verifier sends an identity verification request to the centralized identity management system and obtains the identity information of the user from it, thereby verifying the identity of the user, authorizing the user, and determining the user's role and the permissions corresponding to that role.
However, in the above method the identity information of a large number of users is stored in one centralized identity management system, so the degree of data centralization is high and the risk of data leakage is correspondingly high.
Disclosure of Invention
In order to solve the above technical problems, the present application presents an identity authentication system, method, apparatus, electronic device and storage medium, so as to at least address the problems of the related art that a large amount of user identity information is stored in a centralized identity management system, the degree of data centralization is high, and the risk of data leakage is correspondingly high. The technical scheme of the disclosure is as follows.
In a first aspect, the present application presents an identity authentication system, comprising:
a client device, configured to respond to a preset login operation by acquiring and displaying a session identifier and an access address of an authentication device, and to poll the authentication device according to the session identifier;
a proxy device, configured to acquire the session identifier and the access address, and to send the session identifier and the identity identifier of the proxy device to the authentication device based on the access address;
the authentication device, configured to parse the identity identifier to obtain a public key corresponding to the identity identifier, to acquire original information corresponding to the session identifier, to encrypt the original information with the public key to generate encrypted information, and to return the encrypted information to the proxy device;
the proxy device being further configured to decrypt the encrypted information with a private key corresponding to the identity identifier to obtain plaintext information, and to send the plaintext information together with the session identifier to the authentication device;
the authentication device being further configured to set the polling result of the session identifier to successful authentication of the identity identifier when the original information corresponding to the session identifier matches the corresponding plaintext information;
and the client device being further configured to enter a logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier.
Optionally, the client device is specifically configured to respond to the preset login operation by acquiring, from a server, and displaying the session identifier and the access address of the authentication device;
the server is configured to poll the authentication device according to the session identifier, and to send a session token of the identity identifier to the client device when the polling result of the session identifier is successful authentication of the identity identifier;
the client device is further configured to enter the logged-in state corresponding to the identity identifier after acquiring the session token.
Optionally, the client device is specifically configured to respond to the preset login operation by acquiring and displaying image information, where the image information carries the session identifier and the access address of the authentication device;
the proxy device is specifically configured to scan the image information to obtain the session identifier and the access address.
Optionally, the client device is specifically configured to asynchronously poll the authentication device according to the session identifier at a preset frequency.
Optionally, the authentication device includes a verification unit and a parsing unit, where:
the parsing unit is configured to parse the identity identifier to obtain the public key corresponding to the identity identifier, and to send the public key to the verification unit;
and the verification unit is configured to acquire the original information corresponding to the session identifier, and to encrypt the original information with the public key to generate the encrypted information.
Optionally, the authentication device is specifically configured to obtain a document corresponding to the identity identifier from a blockchain, verify the integrity of the document using a hash algorithm, and, after the verification passes, obtain the public key corresponding to the identity identifier from the document.
Optionally, the authentication device is specifically configured to determine a target random number as the original information corresponding to the session identifier, encrypt the target random number with the public key to generate the encrypted information, and set the polling result of the session identifier to successful authentication of the identity identifier when the target random number and the corresponding plaintext information are equal.
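To make the exchange concrete, the following is an added simulation (not code from the patent or its assignees) of the challenge-response flow of the first aspect, including the optional blockchain-anchored document check and the random-number original information. The identifier did:example:alice, the access address, the Ledger class and the small RSA key pairs are constructed stand-ins; session expiry and one-shot consumption of the challenge are checks added here, not claims of the patent.

```python
import hashlib
import json
import secrets
import time
from collections import namedtuple
from types import SimpleNamespace

KeyPair = namedtuple("KeyPair", "n e d")

def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA on two small constructed primes: a toy stand-in for the proxy
    device's real key pair, enough to show the flow but NOT a secure key."""
    return KeyPair(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

USER_KEY = make_keypair(1000003, 1000033)    # key behind the registered identity
OTHER_KEY = make_keypair(1000037, 1000039)   # a key that does not belong to it

class Ledger:
    """Stand-in for the blockchain: only the document hash is anchored on chain; the
    document itself comes from an off-chain store and is checked against that hash."""
    def __init__(self):
        self.anchored = {}    # did -> sha256 hex, immutable once written
        self.documents = {}   # did -> bytes, could be tampered with

    def register(self, did: str, doc: dict) -> None:
        blob = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
        self.documents[did], self.anchored[did] = blob, hashlib.sha256(blob).hexdigest()

    def resolve(self, did: str) -> dict:
        blob = self.documents[did]
        if hashlib.sha256(blob).hexdigest() != self.anchored[did]:
            raise ValueError(f"integrity check failed for {did}")
        return json.loads(blob)

class AuthDevice:
    ACCESS_ADDRESS = "https://auth.example/did-login"   # hypothetical 3rdPartyURL

    def __init__(self, ledger: Ledger, ttl_seconds: float = 120.0):
        self.ledger, self.ttl, self.sessions = ledger, ttl_seconds, {}

    def _expired(self, s) -> bool:
        return time.monotonic() - s.created > self.ttl

    def new_session(self):
        """Step S11: mint an unguessable loginID for exactly one login attempt."""
        login_id = secrets.token_urlsafe(16)
        self.sessions[login_id] = SimpleNamespace(
            created=time.monotonic(), did=None, nonce=None, result="pending")
        return login_id, self.ACCESS_ADDRESS

    def challenge(self, login_id: str, did: str):
        """Parse the identity to its public key and encrypt a fresh random number with it."""
        s = self.sessions[login_id]              # unknown loginID raises KeyError: nothing issued
        if self._expired(s):
            s.result = "expired"
            return None
        try:
            pk = self.ledger.resolve(did)["publicKey"]
        except (KeyError, ValueError):
            s.result = "failed"                  # unknown identity or tampered document
            return None
        s.did, s.nonce = did, secrets.randbelow(pk["n"] - 2) + 2   # the original information
        return pow(s.nonce, pk["e"], pk["n"])    # the encrypted information

    def respond(self, login_id: str, plaintext: int) -> None:
        """Match the returned plaintext against the stored random number, one attempt only."""
        s = self.sessions[login_id]
        if s.nonce is None:                      # no outstanding challenge: ignore replays
            return
        ok = plaintext == s.nonce and not self._expired(s)
        s.nonce = None                           # the challenge is consumed either way
        s.result = "success" if ok else "failed"

    def poll(self, login_id: str):
        """Step S12: answer the client's polling request with (result, identity)."""
        s = self.sessions[login_id]
        if s.result == "pending" and self._expired(s):
            s.result = "expired"
        return s.result, s.did

def proxy_login(did: str, key: KeyPair, login_id: str, address: str, auth: AuthDevice) -> bool:
    """Proxy device (e.g. a wallet app) holding the identity and its private key; the
    direct calls stand in for HTTP requests to the displayed access address."""
    assert address == auth.ACCESS_ADDRESS
    encrypted = auth.challenge(login_id, did)
    if encrypted is None:
        return False
    auth.respond(login_id, pow(encrypted, key.d, key.n))   # decrypt and send plaintext back
    return True

def run_login(proxy_key: KeyPair, tamper_document: bool = False, ttl_seconds: float = 120.0):
    """Drive one complete exchange; returns (first poll, final poll, identity logged in as)."""
    did = "did:example:alice"                    # constructed identifier
    ledger = Ledger()
    ledger.register(did, {"id": did, "publicKey": {"n": USER_KEY.n, "e": USER_KEY.e}})
    if tamper_document:                          # off-chain document altered after anchoring
        ledger.documents[did] = ledger.documents[did].replace(b"alice", b"mallory")
    auth = AuthDevice(ledger, ttl_seconds)
    login_id, address = auth.new_session()       # client displays these (text or QR code)
    first, _ = auth.poll(login_id)               # client polls before the proxy has acted
    proxy_login(did, proxy_key, login_id, address, auth)
    result, identity = auth.poll(login_id)
    logged_in_as = identity if result == "success" else None   # client enters logged-in state
    return first, result, logged_in_as
```

Only the holder of the private key matching the anchored document reaches the logged-in state; a wrong key, a tampered document or an expired session leaves the client logged out.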
In a second aspect, the present application presents an identity authentication method applied to a client device, the method including:
responding to a preset login operation by acquiring and displaying a session identifier and an access address of an authentication device, so that a proxy device sends the session identifier and the identity identifier of the proxy device to the authentication device based on the access address, and the authentication device authenticates the identity identifier and determines the polling result of the session identifier according to the authentication result;
polling the authentication device according to the session identifier;
and entering a logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier.
Optionally, the acquiring and displaying of the session identifier and the access address of the authentication device in response to the preset login operation includes:
responding to the preset login operation by acquiring, from a server, and displaying the session identifier and the access address of the authentication device;
the polling of the authentication device according to the session identifier includes:
receiving a session token returned by the server, where the server sends the session token when its polling of the authentication device according to the session identifier yields a polling result indicating successful authentication of the identity identifier;
and the entering of the logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier includes:
entering the logged-in state corresponding to the identity identifier after the session token is obtained.
Optionally, the acquiring and displaying of the session identifier and the access address of the authentication device in response to the preset login operation includes:
responding to the preset login operation by acquiring and displaying image information, where the image information carries the session identifier and the access address of the authentication device, so that the proxy device obtains the session identifier and the access address by scanning the image information.
Optionally, the polling of the authentication device according to the session identifier includes:
asynchronously polling the authentication device according to the session identifier at a preset frequency.
In a third aspect, the present application presents an identity authentication method applied to a proxy device, including:
acquiring a session identifier and an access address of an authentication device, where the session identifier and the access address are acquired and displayed by a client device in response to a preset login operation;
sending the session identifier and the identity identifier of the proxy device to the authentication device based on the access address, so that the authentication device generates and returns encrypted information based on the identity identifier;
decrypting the encrypted information with a private key corresponding to the identity identifier to obtain plaintext information;
and sending the plaintext information together with the session identifier to the authentication device, so that the authentication device sets the polling result of the session identifier to successful authentication of the identity identifier when the original information corresponding to the session identifier matches the corresponding plaintext information, and the client device enters the logged-in state corresponding to the identity identifier based on the polling result of the session identifier.
Optionally, the client device acquires and displays image information in response to the preset login operation, where the image information carries the session identifier and the access address of the authentication device;
and the acquiring of the session identifier and the access address of the authentication device includes:
scanning the image information to obtain the session identifier and the access address.
In a fourth aspect, the present application presents an identity authentication method applied to an authentication device, including:
acquiring a session identifier sent by a proxy device and the identity identifier of the proxy device;
parsing the identity identifier to obtain a public key corresponding to the identity identifier;
acquiring original information corresponding to the session identifier, and encrypting the original information with the public key to generate encrypted information;
returning the encrypted information to the proxy device, so that the proxy device sends plaintext information together with the session identifier to the authentication device, where the plaintext information is obtained by decrypting the encrypted information;
and when the original information corresponding to the session identifier matches the corresponding plaintext information, setting the polling result of the session identifier to successful authentication of the identity identifier, so that the client device enters the logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier.
Optionally, the parsing of the identity identifier to obtain the public key corresponding to the identity identifier includes:
parsing the identity identifier by a parsing unit to obtain the public key corresponding to the identity identifier, and sending the public key to a verification unit;
and the acquiring of the original information corresponding to the session identifier and encrypting of the original information with the public key to generate the encrypted information includes:
the verification unit acquiring the original information corresponding to the session identifier and encrypting the original information with the public key to generate the encrypted information.
Optionally, the parsing of the identity identifier to obtain the public key corresponding to the identity identifier includes:
obtaining a document corresponding to the identity identifier from a blockchain;
verifying the integrity of the document using a hash algorithm;
and after the verification passes, obtaining the public key corresponding to the identity identifier from the document.
Optionally, the acquiring of the original information corresponding to the session identifier and encrypting of the original information with the public key to generate the encrypted information includes:
determining a target random number as the original information corresponding to the session identifier;
encrypting the target random number with the public key to generate the encrypted information;
and the setting of the polling result of the session identifier to successful authentication of the identity identifier when the original information corresponding to the session identifier matches the plaintext information corresponding to the session identifier includes:
setting the polling result of the session identifier to successful authentication of the identity identifier when the target random number and the corresponding plaintext information are equal.
In a fifth aspect, the present application presents an identity authentication apparatus applied to a client device, including:
a response module, configured to respond to a preset login operation by acquiring and displaying a session identifier and an access address of an authentication device, so that a proxy device sends the session identifier and the identity identifier of the proxy device to the authentication device based on the access address, and the authentication device authenticates the identity identifier and determines the polling result of the session identifier according to the authentication result;
a polling module, configured to poll the authentication device according to the session identifier;
and a login module, configured to enter a logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier.
Optionally, the response module is specifically configured to respond to the preset login operation by acquiring, from a server, and displaying the session identifier and the access address of the authentication device;
the polling module is specifically configured to receive a session token returned by the server, where the server sends the session token when its polling of the authentication device according to the session identifier yields a polling result indicating successful authentication of the identity identifier;
and the login module is specifically configured to enter the logged-in state corresponding to the identity identifier after the session token is acquired.
Optionally, the response module is specifically configured to:
respond to the preset login operation by acquiring and displaying image information, where the image information carries the session identifier and the access address of the authentication device, so that the proxy device obtains the session identifier and the access address by scanning the image information.
Optionally, the polling module is specifically configured to:
asynchronously poll the authentication device according to the session identifier at a preset frequency.
In a sixth aspect, the present application presents an identity authentication apparatus applied to a proxy device, including:
an acquisition module, a storage module and a display module, where the acquisition module is configured to acquire a session identifier and an access address of an authentication device, the session identifier and the access address being acquired and displayed by a client device in response to a preset login operation;
a sending module, configured to send the session identifier and the identity identifier of the proxy device to the authentication device based on the access address, so that the authentication device generates and returns encrypted information based on the identity identifier;
a decryption module, configured to decrypt the encrypted information with a private key corresponding to the identity identifier to obtain plaintext information;
and a verification module, configured to send the plaintext information together with the session identifier to the authentication device, so that the authentication device sets the polling result of the session identifier to successful authentication of the identity identifier when the original information corresponding to the session identifier matches the corresponding plaintext information, and the client device enters the logged-in state corresponding to the identity identifier based on the polling result of the session identifier.
Optionally, the client device acquires and displays image information in response to the preset login operation, where the image information carries the session identifier and the access address of the authentication device;
and the acquisition module is specifically configured to scan the image information to obtain the session identifier and the access address.
In a seventh aspect, the present application presents an identity authentication apparatus applied to an authentication device, including:
an acquisition module, configured to acquire a session identifier sent by a proxy device and the identity identifier of the proxy device;
a parsing module, configured to parse the identity identifier to obtain a public key corresponding to the identity identifier;
an encryption module, configured to acquire original information corresponding to the session identifier and to encrypt the original information with the public key to generate encrypted information;
a return module, configured to return the encrypted information to the proxy device, so that the proxy device sends plaintext information together with the session identifier to the authentication device, the plaintext information being obtained by decrypting the encrypted information;
and an authentication module, configured to set the polling result of the session identifier to successful authentication of the identity identifier when the original information corresponding to the session identifier matches the corresponding plaintext information, so that the client device enters the logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier.
Optionally, the parsing module is specifically configured to parse the identity identifier by a parsing unit to obtain the public key corresponding to the identity identifier, and to send the public key to a verification unit;
and the encryption module is specifically configured to acquire, by the verification unit, the original information corresponding to the session identifier, and to encrypt the original information with the public key to generate the encrypted information.
Optionally, the parsing module is specifically configured to:
obtain a document corresponding to the identity identifier from a blockchain; verify the integrity of the document using a hash algorithm; and, after the verification passes, obtain the public key corresponding to the identity identifier from the document.
Optionally, the encryption module is specifically configured to determine a target random number as the original information corresponding to the session identifier, and to encrypt the target random number with the public key to generate the encrypted information;
and the authentication module is specifically configured to set the polling result of the session identifier to successful authentication of the identity identifier when the target random number and the corresponding plaintext information are equal.
According to an eighth aspect of embodiments of the present disclosure, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the identity authentication method as described in any one of the above when executing the program.
According to a ninth aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the identity authentication method of any one of the above.
Compared with the prior art, the method has the following advantages:
the client device responds to a preset login operation by acquiring and displaying a session identifier and an access address of the authentication device, and polls the authentication device according to the session identifier; the proxy device acquires the session identifier and the access address, and sends the session identifier and the identity identifier of the proxy device to the authentication device based on the access address; the authentication device parses the identity identifier to obtain the public key corresponding to it, acquires the original information corresponding to the session identifier, encrypts the original information with the public key to generate encrypted information, and returns the encrypted information to the proxy device; the proxy device decrypts the encrypted information with the private key corresponding to the identity identifier to obtain plaintext information, and sends the plaintext information together with the session identifier to the authentication device; the authentication device sets the polling result of the session identifier to successful authentication of the identity identifier when the original information corresponding to the session identifier matches the corresponding plaintext information; and the client device enters the logged-in state corresponding to the identity identifier when the polling result of the session identifier is successful authentication of the identity identifier.
Therefore, in this scheme the user's identity is stored and managed by the proxy device, authenticated by the authentication device, and used for login and subsequent operations on the client device. In other words, during login the client device neither acquires the user's identity nor authenticates the user itself; it only needs the authentication device's result for that identity. The user's identity information and operation information are thus held on different devices in a distributed manner, which reduces the degree of data centralization and the risk of data leakage.
Drawings
FIG. 1 is an interaction diagram of an identity authentication system of the present application;
FIG. 2 is a logical schematic of an identity authentication scheme of the present application;
FIG. 3 is a flow chart of the steps of an identity authentication method of the present application;
FIG. 4 is a flow chart of the steps of an identity authentication method of the present application;
FIG. 5 is a flow chart of the steps of an identity authentication method of the present application;
FIG. 6 is a block diagram of an identity authentication apparatus of the present application;
FIG. 7 is a block diagram of an identity authentication apparatus of the present application;
FIG. 8 is a block diagram of an identity authentication apparatus of the present application;
FIG. 9 is a schematic diagram of an electronic device of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in other sequences than those illustrated or described herein. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the disclosure, as detailed in the appended claims.
Referring to fig. 1, an interaction schematic diagram of an identity authentication system of the present application is shown, where the system includes a client device, an agent device, and an authentication device, and specifically includes the following steps:
in step S11, the client device obtains and displays the session identifier and the access address of the authentication device in response to the preset login operation.
In order to maintain data security, when a user accesses data, the user needs to be authenticated. In the present application, the user identity authentication may be performed when the user logs in to the client device. And the client device responds to the preset login operation and acquires and displays the session identifier and the access address of the authentication device.
The session identifier uniquely corresponds to a current preset login operation of the user and may be represented as loginID, the authentication device is a device for authenticating the identity of the user, a server connected to the client device, or a third-party device dedicated to identity authentication, or any device for providing authentication service, and an access address of the authentication device may be represented as 3 rdparatyURL. The session identifier and the access address may be displayed in a form of text, or may be displayed in a form of image, which is not limited specifically.
In this step, the preset login operation may be set according to the requirements of the system, for example, the preset login operation may be a selection operation of a login button on a login interface for a user, and the like, which is not limited specifically.
In step S12, the client device polls the authentication device according to the session identification.
In this step, after obtaining the session identifier, the client device may poll the authentication device according to the session identifier, that is, following a preset rule, it regularly sends a polling request carrying the session identifier to the authentication device and obtains the polling result corresponding to that session identifier. From the polling result it can determine whether the user has been authenticated successfully, and thereby determine the next operation.
In one implementation, the client device may asynchronously poll the authentication device based on the session identifier at a preset frequency. Asynchronous polling means that after the client device sends a polling request based on the session identifier to the authentication device, it adds the polling task based on the session identifier to a task queue and then executes the tasks in the queue in sequence, without waiting for the polling task to complete.
It can be understood that, in general, the client device executes tasks sequentially, that is, it keeps sending polling requests to the authentication device until a polling result is obtained; but the authentication device needs a certain amount of time to authenticate the user identity, so this results in low system efficiency. In this case, the operating efficiency of the client device may be improved by the asynchronous polling mechanism.
In one implementation, the client device polls the authentication device through a server to which it is communicatively connected. Specifically: first, in response to a preset login operation, the client device acquires the session identifier and the access address of the authentication device from the server and displays them; then the server polls the authentication device according to the session identifier; and when the polling result of the session identifier is that the identity identifier has been successfully authenticated, the server sends a session token for the identity identifier to the client device.
That is to say, the client device and the server perform different operations: the client device interacts with the user, and the server initiates polling of the authentication device. This further clarifies the division of labor among the devices in the system and improves the efficiency of the authentication system.
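The server-side polling loop described above, as an added example that is not code from the patent: a goroutine polls the authentication device at a preset interval while the client UI keeps running, a session token is minted only when the polling result reports success, and a bounded context stops polling for a login that is never answered. `pollFunc`, `clientLogin` and the token format are assumptions of this example.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// pollFunc stands in for one polling request to the authentication device. It
// returns the authenticated identity identifier and true once the polling result
// for loginID is "identity identifier authenticated successfully".
type pollFunc func(loginID string) (did string, authenticated bool)

// loginResult is what the server hands the client: a session token for the
// logged-in state, or the reason the login did not complete.
type loginResult struct {
	Token string
	DID   string
	Err   error
}

// clientState is the client device's view: logged out until a token arrives.
type clientState struct {
	LoggedIn bool
	DID      string
	Token    string
}

// newSessionToken mints the opaque token the server sends to the front end
// (constructed format: 32 random bytes, hex encoded).
func newSessionToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// pollAsync polls at the preset interval in its own goroutine so the caller is
// not blocked; the result arrives on the returned channel. The context bounds
// how long an unanswered login is polled for.
func pollAsync(ctx context.Context, poll pollFunc, loginID string, every time.Duration) <-chan loginResult {
	out := make(chan loginResult, 1)
	go func() {
		defer close(out)
		tick := time.NewTicker(every)
		defer tick.Stop()
		for {
			if did, ok := poll(loginID); ok {
				tok, err := newSessionToken()
				out <- loginResult{Token: tok, DID: did, Err: err}
				return
			}
			select {
			case <-ctx.Done():
				out <- loginResult{Err: ctx.Err()}
				return
			case <-tick.C:
			}
		}
	}()
	return out
}

// clientLogin is the client side of step S18: the logged-in state corresponding
// to the identity identifier is entered only when a session token is received;
// a timeout or error leaves the client logged out.
func clientLogin(ctx context.Context, poll pollFunc, loginID string, every time.Duration) clientState {
	res := <-pollAsync(ctx, poll, loginID, every)
	if res.Err != nil || res.Token == "" {
		return clientState{}
	}
	return clientState{LoggedIn: true, DID: res.DID, Token: res.Token}
}
```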
In step S13, the proxy device acquires the session identifier and the access address.
In this application, a proxy device is a device for running a decentralized identity application, through which a user can generate an identity, manage identity data and permissions, issue or verify claims related to the identity, and so on. For example, the decentralized identity application may be a digital wallet application.
In the foregoing steps, the client device responds to a preset login operation of the user and displays the session identifier and the access address, so that the proxy device can acquire the session identifier and the access address and further execute the next operation. The session identifier and the access address may be manually input to the proxy device by the user, or may be directly obtained from the client device by the proxy device, which is not limited specifically.
For example, the client device may also display a corresponding verification code or verification website, and the proxy device may also obtain the session identifier and the access address by inputting the verification code or accessing the verification website in the proxy device.
In one implementation, the client device obtains and displays image information in response to a preset login operation, where the image information carries the session identifier and the access address of the authentication device, and the proxy device scans the image information to obtain the session identifier and the access address. The image information may be a two-dimensional code or a bar code, so that the proxy device obtains the session identifier and the access address by a scanning operation rather than by manual input from the user; this reduces the operations required of the user and improves the efficiency and accuracy of the authentication system.
In step S14, the proxy device sends the session identifier and the identity identifier of the proxy device to the authentication device based on the access address.
The identity identifier of the proxy device may be a DID (Decentralized Identity), which can be generated, managed and controlled independently of any organization, is globally unique, highly available, resolvable and cryptographically verifiable, can identify people, organizations and things, and provides security and privacy protection.
In this step, the proxy device may access the authentication device based on the access address, and send the session identifier and the identity identifier of the proxy device to the authentication device, so that the authentication device performs identity authentication on the user based on the identity identifier.
In step S15, the authentication device parses the identity identifier to obtain the public key corresponding to the identity identifier; obtains the original information corresponding to the session identifier and encrypts the original information with the public key to generate encrypted information; and returns the encrypted information to the proxy device.
In this application, the authentication device is the device that authenticates the user's identity. After receiving the session identifier and the identity identifier of the proxy device, the authentication device parses the identity identifier to obtain the public key corresponding to it.
In one implementation, obtaining the public key corresponding to the identity identifier by the authentication device may include: obtaining the document corresponding to the identity identifier from the blockchain; verifying the integrity of the document based on a hash algorithm; and, after the verification passes, obtaining the public key corresponding to the identity identifier from the document.
The blockchain is equivalent to a disintermediated database composed of a series of data blocks. The user registers on the blockchain, and the document corresponding to the identity identifier is stored on the blockchain, which further decentralizes the data. Identity data, verifiable claim data, DID-related identity asset data, DID-related identity inventory data, and the like may also be stored on the blockchain. Verifiable claim data is a descriptive claim in which an issuing party, using its own DID, endorses that the user's DID has some attribute, with the issuer's digital signature attached; it may be regarded as a digital certificate. After obtaining the document corresponding to the identity identifier from the blockchain, the authentication device checks the integrity of the document based on the hash algorithm, which helps ensure that the subsequent encryption of the original information is correct and improves the efficiency and accuracy of the authentication system. In addition, the authentication device may also obtain the document corresponding to the identity identifier from a distributed ledger.
After the authentication device obtains the public key corresponding to the identity identifier, it obtains the original information corresponding to the session identifier, encrypts the original information with the public key to generate encrypted information, and returns the encrypted information to the proxy device.
In this application, the original information is encrypted with an asymmetric encryption algorithm, that is, two keys are required: a public key and a private key, which form a pair. If the original information is encrypted with the public key, it can only be decrypted with the corresponding private key; if it is encrypted with the private key, it can only be decrypted with the corresponding public key. The asymmetric encryption algorithm may be DSA (Digital Signature Algorithm), RSA, or the like, which is not specifically limited.
In one implementation, the original information may be randomly generated: the authentication device determines a target random number as the original information corresponding to the session identifier, then encrypts the target random number with the public key to generate the encrypted information. The encrypted information therefore has stronger randomness and a lower probability of being cracked, which benefits the efficiency and accuracy of the authentication system and the maintenance of data security.
In addition, in one implementation, the authentication device includes a verification unit and a parsing unit, wherein:
the parsing unit parses the identity identifier to obtain the public key corresponding to the identity identifier and sends the public key to the verification unit; and the verification unit obtains the original information corresponding to the session identifier and encrypts the original information with the public key to generate the encrypted information.
That is to say, the parsing unit integrates the functions of lookup and parsing based on the DID, and the verification unit implements the application for, issuance, granting and verification of verifiable claims, so that the identity of the user is authenticated; the division of labor between the units is further clarified, and the efficiency of the authentication system is improved.
In step S16, the proxy device decrypts the encrypted information with the private key corresponding to the identity identifier to obtain plaintext information, and sends the plaintext information together with the session identifier to the authentication device.
As can be seen from the foregoing, in the present application, the way of encrypting the original information is an asymmetric encryption algorithm, and the decentralized identity application is run in the proxy device, so that the private key corresponding to the identity is stored in the proxy device.
Then, after the encrypted information returned by the authentication device is obtained, the proxy device may decrypt the encrypted information by using the private key corresponding to the identity identifier to obtain plaintext information, and further, correspondingly send the plaintext information and the session identifier to the authentication device, and the authentication device verifies the decrypted plaintext information.
In step S17, the authentication device sets the polling result of the session identifier to "identity identifier authenticated successfully" if the original information corresponding to the session identifier matches the plaintext information corresponding to the session identifier.
In this step, the authentication device verifies the received plaintext information by comparing it with the corresponding original information. If the original information matches the plaintext information, the public key used to encrypt the original information and the private key stored in the proxy device form a key pair; that is, the private key of the identity identifier stored in the proxy device and the public key of the identity identifier obtained by the authentication device form a key pair, so the authentication device can set the polling result of the session identifier to "identity identifier authenticated successfully".
In one implementation, the original information corresponding to the session identifier is a target random number determined by the authentication device. When comparing the plaintext information with the corresponding original information, the authentication device determines whether the target random number is equal to the corresponding plaintext information, and sets the polling result of the session identifier to "identity identifier authenticated successfully" when they are equal.
Because the random number is drawn at random, the encrypted information has stronger randomness and a lower probability of being cracked; and because a random number is simpler than other text information, its encryption and decryption are simpler, which benefits the efficiency and accuracy of the authentication system and the maintenance of data security.
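Steps S15 to S17 as one working exchange, added here as an example and not code from the patent. It uses RSA-OAEP because the page names RSA and the step requires public-key encryption rather than signing; the in-memory ledger, the DID document layout (public key plus its SHA-256 digest for the integrity check), the 32-byte random number and the `did:example:` identifier are constructed for this example. Beyond the text, the challenge is bound to the session identifier (as the OAEP label) and can be answered only once.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// didDocument: constructed stand-in for a DID's on-chain document, holding the RSA
// public key (PKCS#1 DER) and the SHA-256 digest recorded when it was registered.
type didDocument struct {
	PublicKeyDER []byte
	Hash         string
}

// session is the authentication device's state for one loginID.
type session struct {
	original []byte // the target random number (original information)
	did      string // identity identifier being authenticated
	verified bool   // the polling result
}

// authDevice plays the authentication device (single-goroutine demo; a deployment
// would lock sessions and expire challenges that are never answered).
type authDevice struct {
	ledger   map[string]didDocument // stands in for the blockchain lookup by DID
	sessions map[string]*session
}

// resolvePublicKey parses the DID: fetch its document, check the hash, extract the key.
func (a *authDevice) resolvePublicKey(did string) (*rsa.PublicKey, error) {
	doc, ok := a.ledger[did]
	sum := sha256.Sum256(doc.PublicKeyDER)
	if !ok || hex.EncodeToString(sum[:]) != doc.Hash {
		return nil, errors.New("DID unknown or its document failed the integrity check")
	}
	return x509.ParsePKCS1PublicKey(doc.PublicKeyDER)
}

// Challenge draws a fresh 32-byte target random number for loginID and returns it
// RSA-OAEP encrypted under the DID's public key. loginID doubles as the OAEP label,
// so a ciphertext issued for one session cannot be answered in another.
func (a *authDevice) Challenge(loginID, did string) ([]byte, error) {
	pub, err := a.resolvePublicKey(did)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	a.sessions[loginID] = &session{original: nonce, did: did}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, []byte(loginID))
}

// Verify compares the proxy's plaintext with the original information in constant
// time and records the polling result. Each challenge can be answered only once.
func (a *authDevice) Verify(loginID string, plaintext []byte) bool {
	s, ok := a.sessions[loginID]
	if !ok || s.verified || subtle.ConstantTimeCompare(s.original, plaintext) != 1 {
		return false
	}
	s.verified = true
	return true
}

// PollResult is what the client device (or its server) reads for loginID.
func (a *authDevice) PollResult(loginID string) (did string, authenticated bool) {
	if s, ok := a.sessions[loginID]; ok && s.verified {
		return s.did, true
	}
	return "", false
}

// proxyDevice models the digital wallet that holds the DID's private key.
type proxyDevice struct {
	did  string
	priv *rsa.PrivateKey
}

// enrollProxy generates the DID's key pair and registers its document on the ledger.
func enrollProxy(did string, l map[string]didDocument) (*proxyDevice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
	sum := sha256.Sum256(der)
	l[did] = didDocument{PublicKeyDER: der, Hash: hex.EncodeToString(sum[:])}
	return &proxyDevice{did: did, priv: priv}, nil
}

// Respond decrypts the challenge with the private key; the wallet returns this
// plaintext to the authentication device together with loginID (step S16).
func (p *proxyDevice) Respond(loginID string, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, encrypted, []byte(loginID))
}
```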
In step S18, the client device enters a logged-in state corresponding to the identity identifier when the polling result of the session identifier is that the identity identifier authentication is successful.
Because the client device polls the authentication device according to the session identifier, when the authentication device sets the polling result of the session identifier to "identity identifier authenticated successfully", the client device obtains that polling result. Under this condition the client device enters the logged-in state corresponding to the identity identifier, completing the identity authentication of the user, after which the user can perform the corresponding operations on the client device.
Thus, in this authentication system, the client device executes the application operations and the authentication device executes the verification operations, so identity verification is separated from the application. The client device can obtain the user's usage information but not the user's identity information, which prevents the collection of identity information and the matching of identity to behavior, further decentralizes the data, and improves data security.
In one implementation, the client device implements polling of the authentication device through a server in communication connection with the client device, that is, the server polls the authentication device according to the session identifier, and sends a session token of the identifier to the client device when the polling result of the session identifier is that the identifier is successfully authenticated, so that the client device can determine that the polling result of the session identifier is that the identifier is successfully authenticated after obtaining the session token, and then enters a logged-in state corresponding to the identifier.
For example, fig. 2 is a logic diagram of one implementation of the present application. The proxy device may be a mobile terminal running a digital wallet application, and the application program may be divided into a front end and a back end, where the front end of the application program is the client device and the back end of the application program is the server.
First, the user selects DID login authentication on the login interface of the application front end; the front end obtains the session identifier and the access address of the authentication device from the application back end and displays a two-dimensional code carrying the session identifier and the access address of the authentication device, while the application back end, carrying the session identifier, starts asynchronously polling the authentication device at a preset frequency.
The digital wallet application on the mobile terminal scans the two-dimensional code displayed by the application front end, obtains the session identifier and the access address of the authentication device, and sends the session identifier and the DID to the authentication device, where the DID is the identity identifier.
After the authentication device receives the session identifier and the DID, it sends the DID to the DID resolver in the DID service, obtains the document corresponding to the DID from the blockchain according to the resolver's result, verifies the integrity of the document by comparing hashes, and, after the verification passes, obtains the public key from the document, encrypts a random number with the public key to obtain an encryption result, and sends the encryption result to the digital wallet application.
The digital wallet application decrypts the encryption result with the private key corresponding to the DID to obtain the plaintext and sends the plaintext and the session identifier to the authentication device. The authentication device compares the received plaintext with the original random number; if they are equal, the DID is a valid identity identifier, the identity authentication succeeds, and the DID is set to the verified state.
The application back end obtains the identity authentication result by polling; if the identity authentication succeeded, it sends a session token to the application front end to indicate that the login succeeded, and the front end displays a login-success interface to the user.
As can be seen from the above, according to the technical scheme provided by the embodiment of the present disclosure, the identity of the user is stored and managed by the agent device, and is authenticated by the authentication device, and login and subsequent operations are implemented by the client device, that is, in the process of logging in the client device, the client device does not need to obtain the identity of the user and authenticate the user, and only needs to obtain the authentication result of the authentication device on the identity of the user, and the identity information and the operation information of the user are stored in different devices in a dispersed manner, thereby reducing the centralization degree of data and the risk of data leakage.
Referring to fig. 3, a flowchart illustrating steps of an identity authentication method according to the present application is shown, and applied to a client device, the method specifically includes the following steps:
in step S21, in response to a preset login operation, a session identifier and an access address of an authentication device are acquired and displayed, so that a proxy device sends the session identifier and an identity identifier of the proxy device to the authentication device based on the access address, and the authentication device authenticates the identity identifier and determines the polling result of the session identifier according to the authentication result.
In step S22, the authentication device is polled according to the session identifier.
In step S23, when the polling result of the session identifier is that the identity identifier authentication is successful, the login state corresponding to the identity identifier is entered.
In one implementation manner, the obtaining and displaying a session identifier and an access address of an authentication device in response to a preset login operation includes:
responding to a preset login operation, and acquiring and displaying a session identifier and an access address of an authentication device from a server;
the polling the authentication device according to the session identifier includes:
receiving a session token returned by the server, wherein the session token is sent by the server when the server, polling the authentication device according to the session identifier, obtains a polling result indicating that the identity identifier is successfully authenticated;
and the entering a logged-in state corresponding to the identity identifier when the polling result of the session identifier is that the identity identifier is successfully authenticated includes:
after the session token is acquired, entering the logged-in state corresponding to the identity identifier.
In one implementation manner, the obtaining and displaying a session identifier and an access address of an authentication device in response to a preset login operation includes:
responding to a preset login operation, and acquiring and displaying image information, wherein the image information carries a session identifier and an access address of an authentication device, so that the proxy device obtains the session identifier and the access address by scanning the image information.
In one implementation, the polling the authentication device according to the session identifier includes:
asynchronously polling the authentication device according to the session identifier at a preset frequency.
Referring to fig. 4, a flowchart illustrating steps of an identity authentication method according to the present application is shown, and applied to a proxy device, the method may specifically include the following steps:
in step S31, a session identifier and an access address of an authentication device are obtained, and the session identifier and the access address are obtained and displayed by a client device in response to a preset login operation.
In step S32, the session identifier and the identity identifier of the proxy device are sent to the authentication device based on the access address, so that the authentication device generates and returns encrypted information based on the identity identifier.
In step S33, the encrypted information is decrypted by using the private key corresponding to the identity, so as to obtain plaintext information.
In step S34, the plaintext information and the session identifier are correspondingly sent to the authentication device, so that the authentication device sets the polling result of the session identifier as the identity identifier authentication success when the original information corresponding to the session identifier matches with the corresponding plaintext information, and the client device enters the logged-in state corresponding to the identity identifier based on the polling result of the session identifier.
In one implementation, the client device obtains and displays image information in response to a preset login operation, wherein the image information carries a session identifier and an access address of an authentication device;
the acquiring the session identifier and the access address of the authentication device includes:
and scanning the image information to obtain the session identifier and the access address.
Referring to fig. 5, a flowchart illustrating steps of an identity authentication method according to the present application is shown, and applied to an authentication device, the method specifically includes the following steps:
in step S41, a session identifier sent by the proxy device and an identity identifier of the proxy device are obtained.
In step S42, the identity identifier is parsed to obtain a public key corresponding to the identity identifier.
In step S43, original information corresponding to the session identifier is obtained, and the original information is encrypted by using the public key to generate encrypted information.
In step S44, the encrypted information is returned to the proxy device, so that the proxy device correspondingly sends plaintext information and the session identifier to the authentication device, where the plaintext information is obtained by decrypting the encrypted information.
In step S45, when the original information corresponding to the session identifier matches the plaintext information corresponding to the session identifier, the polling result of the session identifier is set as the identity identifier authentication success, so that the client device enters the logged-in state corresponding to the identity identifier when the polling result of the session identifier is the identity identifier authentication success.
In one implementation, the parsing the identity identifier to obtain a public key corresponding to the identity identifier includes:
parsing the identity identifier by a parsing unit to obtain the public key corresponding to the identity identifier, and sending the public key to a verification unit;
the acquiring original information corresponding to the session identifier, encrypting the original information by using the public key, and generating encrypted information includes:
acquiring, by the verification unit, original information corresponding to the session identifier, and encrypting the original information by using the public key to generate encrypted information.
In one implementation, the parsing the identity identifier to obtain a public key corresponding to the identity identifier includes:
obtaining a document corresponding to the identity identifier from a blockchain;
verifying the integrity of the document based on a hash algorithm;
and after the verification passes, obtaining the public key corresponding to the identity identifier from the document.
In one implementation, the obtaining original information corresponding to the session identifier, and encrypting the original information by using the public key to generate encrypted information includes:
determining a target random number as original information corresponding to the session identifier;
encrypting the target random number by using the public key to generate encryption information;
the setting of the polling result of the session identifier as the identity identifier authentication success under the condition that the original information corresponding to the session identifier is matched with the plaintext information corresponding to the session identifier comprises:
setting the polling result of the session identifier as the successful authentication of the identity identifier when the target random number and the corresponding plaintext information are equal.
It is noted that, for simplicity of explanation, the method embodiments are described as a series of acts or combinations of acts, but those skilled in the art will appreciate that the present application is not limited by the order of acts, as some steps may, in accordance with the present application, occur in other orders or concurrently. Further, those skilled in the art will also appreciate that the embodiments described in the specification are exemplary, and the acts involved are not necessarily required by the present application.
Referring to fig. 6, a block diagram of an identity authentication apparatus of the present application is shown, and is applied to a client device, where the apparatus may specifically include the following modules:
a response module 501, configured to, in response to a preset login operation, obtain and display a session identifier and an access address of an authentication device, so that an agent device sends the session identifier and an identity identifier of the agent device to the authentication device based on the access address, and the authentication device authenticates the identity identifier and determines a polling result of the session identifier according to an authentication result;
a polling module 502, configured to poll the authentication device according to the session identifier;
a login module 503, configured to enter a logged-in state corresponding to the identity identifier when the polling result of the session identifier is that the identity identifier is successfully authenticated.
In one implementation manner, the response module 501 is specifically configured to respond to a preset login operation, and obtain and display a session identifier and an access address of an authentication device from a server;
the polling module 502 is specifically configured to receive a session token returned by the server, where the session token is sent by the server when polling the authentication device according to the session identifier to obtain a polling result indicating that the identity identifier is successfully authenticated;
the login module 503 is specifically configured to enter a logged-in state corresponding to the identity after the session token is acquired.
In one implementation, the response module 501 is specifically configured to:
responding to a preset login operation, and acquiring and displaying image information, wherein the image information carries a session identifier and an access address of an authentication device, so that the proxy device obtains the session identifier and the access address by scanning the image information.
In an implementation manner, the polling module 502 is specifically configured to:
asynchronously polling the authentication device according to the session identifier at a preset frequency.
Referring to fig. 7, a block diagram of an identity authentication apparatus according to the present application is shown. The apparatus is applied to a proxy device and may specifically include the following modules:
an obtaining module 601, configured to obtain a session identifier and an access address of an authentication device, where the session identifier and the access address are obtained and displayed by a client device in response to a preset login operation;
a sending module 602, configured to send the session identifier and the identity identifier of the proxy device to the authentication device based on the access address, so that the authentication device generates and returns encrypted information based on the identity identifier;
a decryption module 603, configured to decrypt the encrypted information using the private key corresponding to the identity identifier, to obtain plaintext information;
a verification module 604, configured to send the plaintext information together with the session identifier to the authentication device, so that the authentication device sets the polling result of the session identifier to identity identifier authentication success when the original information corresponding to the session identifier matches the corresponding plaintext information, and the client device enters the logged-in state corresponding to the identity identifier based on the polling result of the session identifier.
In one implementation, the client device obtains and displays image information in response to a preset login operation, where the image information carries the session identifier and the access address of the authentication device;
the obtaining module 601 is then specifically configured to scan the image information to obtain the session identifier and the access address.
Referring to fig. 8, a block diagram of an identity authentication apparatus according to the present application is shown. The apparatus is applied to an authentication device and may specifically include the following modules:
an obtaining module 701, configured to obtain a session identifier sent by a proxy device and the identity identifier of the proxy device;
a parsing module 702, configured to parse the identity identifier to obtain a public key corresponding to the identity identifier;
an encryption module 703, configured to obtain original information corresponding to the session identifier, and to encrypt the original information using the public key to generate encrypted information;
a returning module 704, configured to return the encrypted information to the proxy device, so that the proxy device sends plaintext information together with the session identifier to the authentication device, where the plaintext information is obtained by decrypting the encrypted information;
an authentication module 705, configured to set the polling result of the session identifier to identity identifier authentication success when the original information corresponding to the session identifier matches the corresponding plaintext information, so that the client device enters the logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success.
In one implementation, the parsing module 702 is specifically configured to parse the identity identifier by means of a parsing unit, obtain the public key corresponding to the identity identifier, and send the public key to a verification unit;
the encryption module 703 is specifically configured to obtain, by means of the verification unit, the original information corresponding to the session identifier, and to encrypt the original information using the public key to generate the encrypted information.
In one implementation, the parsing module 702 is specifically configured to:
obtain a document corresponding to the identity identifier from a blockchain; verify the integrity of the document based on a hash algorithm; and, after the verification passes, obtain the public key corresponding to the identity identifier from the document.
In one implementation, the encryption module 703 is specifically configured to determine a target random number as the original information corresponding to the session identifier, and to encrypt the target random number using the public key to generate the encrypted information;
the authentication module 705 is specifically configured to set the polling result of the session identifier to identity identifier authentication success when the target random number and the corresponding plaintext information are equal.
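The following Go program is an added example, not the patent's own code: it simulates the authentication-device modules above (resolve identity, check the document hash, encrypt a per-session random number, compare the returned plaintext, expose the polling result) together with the proxy device's decrypt-and-reply step, while the client device's part is reduced to creating a session and polling. It assumes RSA-OAEP as the public-key scheme, a constant-time comparison on the authentication device, an in-memory map with a SHA-256 hash in place of the blockchain document lookup, and the session identifier as OAEP label so a challenge is bound to its session; all addresses, identifiers and keys are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// identityDoc: constructed stand-in for the on-chain document (key + integrity hash).
type identityDoc struct {
	pub  *rsa.PublicKey
	hash [32]byte
}
type session struct {
	nonce  []byte // the "original information": a target random number
	result string // polling result: "pending" or "success"
}
// AuthDevice resolves identity identifiers and runs the challenge check.
type AuthDevice struct {
	Addr     string // access address the client device displays
	registry map[string]identityDoc
	sessions map[string]*session
}
func NewAuthDevice(addr string) *AuthDevice {
	return &AuthDevice{addr, map[string]identityDoc{}, map[string]*session{}}
}
// Register stores an identity document with a hash over its key material.
func (a *AuthDevice) Register(id string, pub *rsa.PublicKey) {
	a.registry[id] = identityDoc{pub, sha256.Sum256(pub.N.Bytes())}
}
// NewSession: what the client obtains on login, a session id plus the nonce tied to it.
func (a *AuthDevice) NewSession() (sessionID, addr string, err error) {
	buf := make([]byte, 48) // 16 bytes of session id, 32 bytes of nonce
	if _, err = rand.Read(buf); err != nil {
		return "", "", err
	}
	sessionID = hex.EncodeToString(buf[:16])
	a.sessions[sessionID] = &session{nonce: buf[16:], result: "pending"}
	return sessionID, a.Addr, nil
}
// Challenge checks the document hash and returns the nonce OAEP-encrypted (label = session id).
func (a *AuthDevice) Challenge(sessionID, identityID string) ([]byte, error) {
	s, ok := a.sessions[sessionID]
	if !ok || s.nonce == nil {
		return nil, errors.New("unknown or already used session")
	}
	doc, ok := a.registry[identityID]
	if !ok || sha256.Sum256(doc.pub.N.Bytes()) != doc.hash {
		return nil, errors.New("unknown identity or failed integrity check")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, doc.pub, s.nonce, []byte(sessionID))
}
// Verify does a constant-time compare; a match sets "success"; the nonce is cleared either way.
func (a *AuthDevice) Verify(sessionID string, plaintext []byte) bool {
	s, ok := a.sessions[sessionID]
	if !ok || s.nonce == nil {
		return false
	}
	match := subtle.ConstantTimeCompare(s.nonce, plaintext) == 1
	s.nonce = nil
	if match {
		s.result = "success"
	}
	return match
}
// Poll is what the client device calls repeatedly with its session identifier.
func (a *AuthDevice) Poll(sessionID string) string {
	if s, ok := a.sessions[sessionID]; ok {
		return s.result
	}
	return "unknown"
}
// ProxyRespond: the proxy's side after scanning: fetch challenge, decrypt with its private key.
func ProxyRespond(auth *AuthDevice, sessionID, identityID string, priv *rsa.PrivateKey) bool {
	ct, err := auth.Challenge(sessionID, identityID)
	if err != nil {
		return false
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(sessionID))
	return err == nil && auth.Verify(sessionID, pt)
}
// newKey generates a constructed proxy key pair (no entropy is a fatal error).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
func main() {
	priv, auth := newKey(), NewAuthDevice("https://auth.example/session") // constructed
	auth.Register("did:example:alice", &priv.PublicKey)                  // constructed id
	sid, _, _ := auth.NewSession()
	fmt.Println(ProxyRespond(auth, sid, "did:example:alice", priv), auth.Poll(sid))
}
```

Because the nonce is discarded after the first comparison and is bound to one session, a captured response cannot be replayed into another session, and a proxy holding the wrong private key never moves the polling result off "pending".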
Because the apparatus embodiments are essentially similar to the method embodiments, they are described only briefly; for the relevant details, refer to the corresponding parts of the method embodiments.
FIG. 9 is a block diagram of an electronic device shown in accordance with an example embodiment.
In an exemplary embodiment, a computer-readable storage medium comprising instructions, for example a memory comprising instructions, is also provided; the instructions are executable by a processor of an electronic device to perform the above-described method. Alternatively, the computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical audio playback device, or the like.
In an exemplary embodiment, a computer program product is also provided, which, when run on a computer, causes the computer to implement the above-described method of identity authentication.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments refer to one another.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or terminal apparatus that comprises the element.
The identity authentication method, identity authentication apparatus, electronic device and storage medium provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present application, and the description of the above embodiments is intended only to help in understanding the method and its core idea. At the same time, a person skilled in the art may, following the idea of the present application, change the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (27)

1. An identity authentication system, comprising:
a client device, configured to obtain and display a session identifier and an access address of an authentication device in response to a preset login operation, and to poll the authentication device according to the session identifier;
a proxy device, configured to obtain the session identifier and the access address, and to send the session identifier and an identity identifier of the proxy device to the authentication device based on the access address;
the authentication device, configured to parse the identity identifier to obtain a public key corresponding to the identity identifier; obtain original information corresponding to the session identifier, the original information being a target random number; encrypt the original information using the public key to generate encrypted information; and return the encrypted information to the proxy device;
the proxy device being further configured to decrypt the encrypted information using a private key corresponding to the identity identifier to obtain plaintext information, and to send the plaintext information together with the session identifier to the authentication device;
the authentication device being further configured to set a polling result of the session identifier to identity identifier authentication success when the original information corresponding to the session identifier and the corresponding plaintext information are equal; and
the client device being further configured to enter a logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success.
2. The system of claim 1, wherein:
the client device is specifically configured to obtain, from a server, and display the session identifier and the access address of the authentication device in response to the preset login operation;
the server is configured to poll the authentication device according to the session identifier, and to send a session token of the identity identifier to the client device when the polling result of the session identifier is identity identifier authentication success; and
the client device is further configured to enter the logged-in state corresponding to the identity identifier after the session token is obtained.
3. The system of claim 1, wherein:
the client device is specifically configured to obtain and display image information in response to the preset login operation, the image information carrying the session identifier and the access address of the authentication device; and
the proxy device is specifically configured to scan the image information to obtain the session identifier and the access address.
4. The system of claim 1, wherein:
the client device is specifically configured to poll the authentication device asynchronously, according to the session identifier, at a preset frequency.
5. The system of claim 1, wherein the authentication device comprises a verification unit and a parsing unit, wherein:
the parsing unit is configured to parse the identity identifier to obtain the public key corresponding to the identity identifier, and to send the public key to the verification unit; and
the verification unit is configured to obtain the original information corresponding to the session identifier, and to encrypt the original information using the public key to generate the encrypted information.
6. The system of claim 1, wherein:
the authentication device is specifically configured to obtain a document corresponding to the identity identifier from a blockchain; verify the integrity of the document based on a hash algorithm; and, after the verification passes, obtain the public key corresponding to the identity identifier from the document.
7. An identity authentication method, applied to a client device, comprising:
in response to a preset login operation, obtaining and displaying a session identifier and an access address of an authentication device, so that a proxy device sends the session identifier and an identity identifier of the proxy device to the authentication device based on the access address, and the authentication device authenticates the identity identifier and determines a polling result of the session identifier according to the authentication result;
polling the authentication device according to the session identifier; and
entering a logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success.
8. The method of claim 7, wherein obtaining and displaying the session identifier and the access address of the authentication device in response to the preset login operation comprises:
in response to the preset login operation, obtaining, from a server, and displaying the session identifier and the access address of the authentication device;
polling the authentication device according to the session identifier comprises:
receiving a session token returned by the server, the session token being sent by the server when its polling of the authentication device according to the session identifier yields a polling result indicating identity identifier authentication success; and
entering the logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success comprises:
entering the logged-in state corresponding to the identity identifier after the session token is obtained.
9. The method of claim 7, wherein obtaining and displaying the session identifier and the access address of the authentication device in response to the preset login operation comprises:
in response to the preset login operation, obtaining and displaying image information that carries the session identifier and the access address of the authentication device, so that the proxy device obtains the session identifier and the access address by scanning the image information.
10. The method of claim 7, wherein polling the authentication device according to the session identifier comprises:
polling the authentication device asynchronously, according to the session identifier, at a preset frequency.
11. An identity authentication method, applied to a proxy device, comprising:
obtaining a session identifier and an access address of an authentication device, the session identifier and the access address being obtained and displayed by a client device in response to a preset login operation;
sending the session identifier and an identity identifier of the proxy device to the authentication device based on the access address, so that the authentication device generates and returns encrypted information based on the identity identifier, the encrypted information being generated by encrypting original information, and the original information being a target random number;
decrypting the encrypted information using a private key corresponding to the identity identifier to obtain plaintext information; and
sending the plaintext information together with the session identifier to the authentication device, so that the authentication device sets a polling result of the session identifier to identity identifier authentication success when the original information corresponding to the session identifier and the corresponding plaintext information are equal, and the client device enters a logged-in state corresponding to the identity identifier based on the polling result of the session identifier.
12. The method of claim 11, wherein the client device obtains and displays image information in response to the preset login operation, the image information carrying the session identifier and the access address of the authentication device; and
obtaining the session identifier and the access address of the authentication device comprises:
scanning the image information to obtain the session identifier and the access address.
13. An identity authentication method, applied to an authentication device, comprising:
obtaining a session identifier sent by a proxy device and an identity identifier of the proxy device;
parsing the identity identifier to obtain a public key corresponding to the identity identifier;
obtaining original information corresponding to the session identifier, and encrypting the original information using the public key to generate encrypted information, the original information being a target random number;
returning the encrypted information to the proxy device, so that the proxy device sends plaintext information together with the session identifier to the authentication device, the plaintext information being obtained by decrypting the encrypted information; and
when the original information corresponding to the session identifier and the corresponding plaintext information are equal, setting a polling result of the session identifier to identity identifier authentication success, so that a client device enters a logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success.
14. The method of claim 13, wherein parsing the identity identifier to obtain the public key corresponding to the identity identifier comprises:
parsing, by a parsing unit, the identity identifier to obtain the public key corresponding to the identity identifier, and sending the public key to a verification unit; and
obtaining the original information corresponding to the session identifier and encrypting the original information using the public key to generate the encrypted information comprises:
obtaining, by the verification unit, the original information corresponding to the session identifier, and encrypting the original information using the public key to generate the encrypted information.
15. The method of claim 13, wherein parsing the identity identifier to obtain the public key corresponding to the identity identifier comprises:
obtaining a document corresponding to the identity identifier from a blockchain;
verifying the integrity of the document based on a hash algorithm; and
after the verification passes, obtaining the public key corresponding to the identity identifier from the document.
16. An identity authentication apparatus, applied to a client device, comprising:
a response module, configured to obtain and display a session identifier and an access address of an authentication device in response to a preset login operation, so that a proxy device sends the session identifier and an identity identifier of the proxy device to the authentication device based on the access address, and the authentication device authenticates the identity identifier and determines a polling result of the session identifier according to the authentication result;
a polling module, configured to poll the authentication device according to the session identifier; and
a login module, configured to enter a logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success.
17. The apparatus of claim 16, wherein:
the response module is specifically configured to obtain, from a server, and display the session identifier and the access address of the authentication device in response to the preset login operation;
the polling module is specifically configured to receive a session token returned by the server, the session token being sent by the server when its polling of the authentication device according to the session identifier yields a polling result indicating identity identifier authentication success; and
the login module is specifically configured to enter the logged-in state corresponding to the identity identifier after the session token is obtained.
18. The apparatus of claim 16, wherein the response module is specifically configured to:
obtain and display, in response to the preset login operation, image information that carries the session identifier and the access address of the authentication device, so that the proxy device obtains the session identifier and the access address by scanning the image information.
19. The apparatus of claim 16, wherein the polling module is specifically configured to:
poll the authentication device asynchronously, according to the session identifier, at a preset frequency.
20. An identity authentication apparatus, applied to a proxy device, comprising:
an obtaining module, configured to obtain a session identifier and an access address of an authentication device, the session identifier and the access address being obtained and displayed by a client device in response to a preset login operation;
a sending module, configured to send the session identifier and an identity identifier of the proxy device to the authentication device based on the access address, so that the authentication device generates and returns encrypted information based on the identity identifier, the encrypted information being generated by encrypting original information, and the original information being a target random number;
a decryption module, configured to decrypt the encrypted information using a private key corresponding to the identity identifier to obtain plaintext information; and
a verification module, configured to send the plaintext information together with the session identifier to the authentication device, so that the authentication device sets a polling result of the session identifier to identity identifier authentication success when the original information corresponding to the session identifier and the corresponding plaintext information are equal, and the client device enters a logged-in state corresponding to the identity identifier based on the polling result of the session identifier.
21. The apparatus of claim 20, wherein the client device obtains and displays image information in response to the preset login operation, the image information carrying the session identifier and the access address of the authentication device; and
the obtaining module is specifically configured to scan the image information to obtain the session identifier and the access address.
22. An identity authentication apparatus, applied to an authentication device, comprising:
an obtaining module, configured to obtain a session identifier sent by a proxy device and an identity identifier of the proxy device;
a parsing module, configured to parse the identity identifier to obtain a public key corresponding to the identity identifier;
an encryption module, configured to obtain original information corresponding to the session identifier and encrypt the original information using the public key to generate encrypted information, the original information being a target random number;
a returning module, configured to return the encrypted information to the proxy device, so that the proxy device sends plaintext information together with the session identifier to the authentication device, the plaintext information being obtained by decrypting the encrypted information; and
an authentication module, configured to set a polling result of the session identifier to identity identifier authentication success when the original information corresponding to the session identifier and the corresponding plaintext information are equal, so that a client device enters a logged-in state corresponding to the identity identifier when the polling result of the session identifier is identity identifier authentication success.
23. The apparatus of claim 22, wherein:
the parsing module is specifically configured to parse, by a parsing unit, the identity identifier to obtain the public key corresponding to the identity identifier, and to send the public key to a verification unit; and
the encryption module is specifically configured to obtain, by the verification unit, the original information corresponding to the session identifier, and to encrypt the original information using the public key to generate the encrypted information.
24. The apparatus of claim 22, wherein the parsing module is specifically configured to:
obtain a document corresponding to the identity identifier from a blockchain; verify the integrity of the document based on a hash algorithm; and, after the verification passes, obtain the public key corresponding to the identity identifier from the document.
25. The apparatus of claim 22, wherein:
the encryption module is specifically configured to determine a target random number as the original information corresponding to the session identifier, and to encrypt the target random number using the public key to generate the encrypted information; and
the authentication module is specifically configured to set the polling result of the session identifier to identity identifier authentication success when the target random number and the corresponding plaintext information are equal.
26. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the identity authentication method according to any one of claims 7 to 10, 11 to 12, or 13 to 15.
27. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the identity authentication method according to any one of claims 7 to 10, 11 to 12, or 13 to 15.
CN202210974735.9A 2022-08-15 2022-08-15 Identity authentication system, method and device, electronic equipment and storage medium Active CN115065559B (en)

Publications (2)

Publication Number Publication Date
CN115065559A CN115065559A (en) 2022-09-16
CN115065559B true CN115065559B (en) 2022-12-27

Family

ID=83207516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210974735.9A Active CN115065559B (en) 2022-08-15 2022-08-15 Identity authentication system, method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115065559B (en)

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MXPA04010624A (en) * 2002-04-26 2004-12-13 Thomson Licensing Sa Transitive authentication authorization accounting in interworking between access networks.
CN101150533B (en) * 2006-09-18 2010-05-12 联想(北京)有限公司 A secure system and method for multi-point mail push
CN102143134B (en) * 2010-08-05 2014-04-30 华为技术有限公司 Method, device and system for distributed identity authentication
US9094388B2 (en) * 2013-05-01 2015-07-28 Dmitri Tkachev Methods and systems for identifying, verifying, and authenticating an identity
CN105072087A (en) * 2015-07-08 2015-11-18 安徽瑞宏信息科技有限公司 Access authentication method based on two-dimension code and asymmetric encryption in agricultural material Internet-of-Things
CN105391734B (en) * 2015-12-10 2019-01-11 布比(北京)网络技术有限公司 Security login system and method, login server and authentication server
CN105897424B (en) * 2016-03-14 2019-07-12 深圳奥联信息安全技术有限公司 Enhanced identity authentication method
CN110740116B (en) * 2018-07-20 2023-06-30 北京思源理想控股集团有限公司 System and method for multi-application identity authentication
CN110874464A (en) * 2018-09-03 2020-03-10 巍乾全球技术有限责任公司 Method and equipment for managing user identity authentication data
CN111314269B (en) * 2018-12-11 2023-09-12 中兴通讯股份有限公司 Address automatic allocation protocol security authentication method and equipment
CN109714167B (en) * 2019-03-15 2020-08-25 北京邮电大学 Identity authentication and key agreement method and equipment suitable for mobile application signature
CN110290134B (en) * 2019-06-25 2022-05-03 神州融安科技(北京)有限公司 Identity authentication method, identity authentication device, storage medium and processor
US10541995B1 (en) * 2019-07-23 2020-01-21 Capital One Services, Llc First factor contactless card authentication system and method
CA3159014A1 (en) * 2019-11-29 2021-06-03 Sri Ram Kishore Vemulpali Intelligent service layer for separating application from physical networks and extending service layer intelligence
CN111583023A (en) * 2020-05-07 2020-08-25 中国工商银行股份有限公司 Service processing method, device and computer system
CN111835752B (en) * 2020-07-09 2022-04-12 国网山西省电力公司信息通信分公司 Lightweight authentication method based on equipment identity and gateway
CN111949954A (en) * 2020-07-10 2020-11-17 深圳市信锐网科技术有限公司 Login verification method, system and computer storage medium
CN113341798A (en) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for remotely accessing application

Also Published As

Publication number Publication date
CN115065559A (en) 2022-09-16

Similar Documents

Publication Publication Date Title
US11329981B2 (en) Issuing, storing and verifying a rich credential
CN106330850B (en) Security verification method based on biological characteristics, client and server
US11539690B2 (en) Authentication system, authentication method, and application providing method
US8636211B2 (en) System and method for secure voting
CN110138744B (en) Method, device and system for replacing communication number, computer equipment and storage medium
US20200028679A1 (en) Public-private key pair protected password manager
CN108234442B (en) Method, system and readable storage medium for acquiring contract
WO2017000479A1 (en) Identity information authentication method, user terminal, service terminal, authentication server, and service system
US20210234858A1 (en) Authentication system, authentication method and authentication apparatus
CN111444499A (en) User identity authentication method and system
CN113836506A (en) Identity authentication method, device, system, electronic equipment and storage medium
KR20160085143A (en) Method for providing anonymous service and method for managing user information and system therefor
CN111327629A (en) Identity verification method, client and server
CN114338212A (en) Identity authentication token management method and device, electronic equipment and readable storage medium
CN115065559B (en) Identity authentication system, method and device, electronic equipment and storage medium
CN109379371B (en) Certificate verification method, device and system
CN110719257A (en) Method, device and equipment for managing authority of single-page application and storage medium
CN112865981B (en) Token acquisition and verification method and device
US11502840B2 (en) Password management system and method
CN115225286A (en) Application access authentication method and device
CN111740938B (en) Information processing method and device, client and server
CN112836206B (en) Login method, login device, storage medium and computer equipment
CN116798153B (en) Access control authorization opening method and device
CN110351302B (en) Bank account login method, equipment and storage medium
CN112737790B (en) Data transmission method and device, server and client terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant