CN115733630A - Identity authentication method and related equipment thereof - Google Patents

Identity authentication method and related equipment thereof Download PDF

Info

Publication number
CN115733630A
CN115733630A CN202110988997.6A CN202110988997A CN115733630A CN 115733630 A CN115733630 A CN 115733630A CN 202110988997 A CN202110988997 A CN 202110988997A CN 115733630 A CN115733630 A CN 115733630A
Authority
CN
China
Prior art keywords
information
server
terminal
identity
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110988997.6A
Other languages
Chinese (zh)
Inventor
朱成康
康鑫
王贵林
王海光
李铁岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN202110988997.6A priority Critical patent/CN115733630A/en
Publication of CN115733630A publication Critical patent/CN115733630A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The application provides an identity authentication method and related equipment thereof, which can enable the autonomous identity and the business identity of a user to be isolated and stored in two terminals respectively, can effectively protect the autonomous identity of a target user from being in direct contact with a business side, and even if the terminal storing the business identity is lost, the autonomous identity cannot be falsely used, so that the potential safety problem can be avoided. The method comprises the following steps: the method comprises the steps that a first terminal obtains first information from a first server, wherein the first information is used for describing a first identity of a target user; the first terminal generates second information based on the first information, wherein the second information is used for describing a second identity of the target user; and the first terminal sends second information to the second terminal, wherein the second information is used for the second terminal to realize identity authentication at the second server.

Description

Identity authentication method and related equipment thereof
Technical Field
The present application relates to the field of information security technologies, and in particular, to an identity authentication method and related devices.
Background
With the rapid development of the technology, business can be developed between users and enterprises on the internet, and enterprises providing services generally need to authenticate the true identity of users in order to ensure information security.
For convenience of introduction, a server of a government organization is hereinafter referred to as a first server, a device used by a user is referred to as a terminal, and a server of an enterprise is referred to as a second server. In particular, the first server may issue to the terminal information describing a user autonomous identity (SSI), such as an identity private key and an identity credential containing an identity public key, and so on. When the terminal needs to register with the second server, the terminal can complete identity authentication at the second server based on the information. Then, after the identity authentication, the terminal can communicate with the second server based on the information, so as to perform the service on line.
However, the information describing the autonomous identity of the user often relates to the privacy of the user, and once the terminal storing the information is lost, the identity of the user may be falsely used, so that a certain security problem exists.
Disclosure of Invention
The embodiment of the application provides an identity authentication method and related equipment thereof, which can enable the autonomous identity and the business identity of a user to be isolated and stored in two terminals respectively, can effectively protect the autonomous identity of a target user from being in direct contact with a business side, can prevent the autonomous identity from being falsely used even if the terminal storing the business identity is lost, and can avoid potential safety problems.
A first aspect of an embodiment of the present application provides an identity authentication method, including:
when the target user needs to acquire first information for describing the first identity of the target user, a request can be sent to the first server, so that the first server generates the first information based on the request and sends the first information to the first terminal. It should be noted that the first identity of the target user may also be understood as the autonomous identity of the target user.
After the first terminal acquires the first information from the first server, second information can be generated based on the first information, and the second information is used for describing a second identity of the target user. It should be noted that the second identity of the target user may also be understood as a service identity of the target user.
After the second information is obtained, the first terminal sends the second information to the second terminal, so that the second terminal can realize identity authentication at the second server according to the second information. After the identity authentication is completed, the second terminal can utilize the second information to realize subsequent communication with the second server so as to expand the service on line.
From the above method, it can be seen that: after the first server sends the first information describing the first identity of the target user to the first terminal, the first terminal may generate second information describing the second identity of the target user based on the first information. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when performing identity authentication with the second server, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully isolated and respectively stored in the two terminals, so that the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
In a possible implementation manner, the first information includes a first private key of the target user, the first private key is one private key of private keys of a plurality of users matched with the first public key, and the plurality of users include the target user; the first terminal generating the second information based on the first information includes: the first terminal generates a second private key of the target user and a second public key matched with the second private key; the first terminal signs the second public key based on the first private key to obtain a first certificate containing the second public key; the second information comprises a first certificate and a second private key, the first certificate is used for the second server to perform first signature verification based on the first public key, and the second private key is used for the second terminal to prove that the second terminal has the second private key to the second server after the first signature verification is successful. In the foregoing implementation manner, the first private key of the target user is stored in the first terminal as the most sensitive information for describing the autonomous identity of the target user, and the second private key of the target user is stored in the second terminal as the most sensitive information for describing the business identity of the target user. The second terminal only uses the second private key of the target user to complete identity authentication at the second server, namely the second server only can contact the most sensitive information for describing the business identity of the target user but cannot contact the most sensitive information for describing the autonomous identity of the target user, so that the autonomous identity of the target user and the business identity of the target user can be isolated (namely, the information is respectively stored in the first terminal and the second terminal), and even if the second terminal is lost, the information for describing the autonomous identity of the target user is still stored in the first terminal, so that the target user can revoke the old business identity and register a new business identity at the second server by using the autonomous identity of the target user through the first terminal, and in this case, the autonomous identity of the target user can be effectively protected and cannot be falsely used.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has. In the foregoing implementation manner, since the first private key is generated based on the identity attributes of the multiple users, if the single-layer signature verification is successful (i.e., the first certificate is successfully verified by using the first public key, and the first certificate is obtained based on the signature of the first private key), the second server can confirm that the target user is indeed the user with the identity attributes, and confirm that the identity attributes of the target user are indeed originated from the first server.
In a possible implementation manner, the first information and the second information further include a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, the second certificate is used for the second server to perform second signature verification based on a third public key matched with the third private key, and the first certificate is used for performing first signature verification based on the first public key after the second signature verification is successful. Further, the second credentials also include an identity attribute that each of the plurality of users has. In the foregoing implementation manner, since the first private key is not generated based on the identity attributes of all the users, and the second credential includes the identity attributes of all the users, the second server can confirm that the target user is indeed the user having the identity attributes, and confirm that the identity attributes of the target user are indeed originated from the first server if the double-layer signature verification is successful (i.e., the third public key is used to successfully verify the signature of the second credential, and then the first public key in the second credential is used to successfully verify the signature of the first credential, the second credential is obtained based on the signature of the third private key, and the first credential is obtained based on the signature of the first private key).
A second aspect of an embodiment of the present application provides an identity authentication method, including:
when the target user needs to acquire first information for describing the first identity of the target user, a request can be sent to the first server, so that the first server generates the first information based on the request and sends the first information to the first terminal. It should be noted that the first identity of the target user may also be understood as the autonomous identity of the target user.
After the first terminal obtains the first information from the first server, second information can be generated based on the first information and sent to the second terminal, and the second information is used for describing a second identity of the target user. It should be noted that the second identity of the target user may also be understood as a service identity of the target user.
And after the second terminal acquires the second information from the first terminal, sending part of information in the second information to the second server so as to realize identity authentication at the second server.
From the above method, it can be seen that: after the first server sends the first information describing the first identity of the target user to the first terminal, the first terminal may generate second information describing the second identity of the target user based on the first information. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when performing identity authentication with the second server, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully isolated and respectively stored in the two terminals, so that the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
In a possible implementation manner, the first information includes a first private key of a target user, the first private key is one private key of private keys of multiple users matched with the first public key, the multiple users include the target user, the second information includes a first certificate and a second private key of the target user, part of the information includes a first certificate, the first certificate includes a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, and the first certificate is used for a second server to perform first signature verification based on the first public key; the second terminal realizes identity authentication at the second server and comprises the following steps: and after the first signature verification is successful, the second terminal proves to the second server that the second terminal has the second private key.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the first information and the part of the information further include a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, the second certificate is used for the second server to perform second signature verification based on a third public key matched with the third private key, and the first certificate is used for performing first signature verification based on the first public key by the second server after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
A third aspect of an embodiment of the present application provides an identity authentication method, including:
when the target user needs to obtain first information describing a first identity of the target user, a request may be sent to the first server, so that the first server generates the first information based on the request. It should be noted that the first identity of the target user may also be understood as the autonomous identity of the target user.
After the first information is obtained, the first server can send the first information to the first terminal, so that the first terminal generates second information based on the first information and sends the second information to the second terminal, and further the second terminal achieves identity authentication at the second server according to the second information, and the second information is used for describing a second identity of the target user. It should be noted that the second identity of the target user may also be understood as a service identity of the target user.
From the above method, it can be seen that: after the first server sends the first information describing the first identity of the target user to the first terminal, the first terminal may generate second information describing the second identity of the target user based on the first information. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when the second terminal and the second server perform identity authentication, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully separated and are respectively stored in the two terminals, the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
In one possible implementation, the method further includes: the first server generates a first private key, wherein the first private key is one of private keys of a plurality of users matched with the first public key, and the plurality of users comprise target users; the first information comprises a first private key of a target user, the second information comprises a first certificate and a second private key of the target user, the first certificate comprises a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, the first certificate is used for a second server to perform first signature verification based on the first public key, and the second private key is used for proving that the second terminal has the second private key to the second server after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In one possible implementation, the method further includes: the first server signs the first public key based on a third private key of the first server to obtain a second certificate containing the first public key; the first information and the second information further comprise a second certificate, the second certificate is used for the second server to perform second signature verification based on a third public key matched with a third private key, and the first certificate is used for the second server to perform first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
A fourth aspect of the embodiments of the present application provides an identity authentication method, including:
when a target user needs to acquire first information for describing a first identity of the target user, a request can be sent to a first server, so that the first server generates the first information based on the request and sends the first information to a first terminal, so that the first terminal generates second information based on the first information and sends the second information to a second terminal, and further the second terminal sends part of information in the second information to a second server, wherein the second information is used for describing a second identity of the target user. It should be noted that the first identity of the target user may also be understood as the autonomous identity of the target user, and the second identity of the target user may also be understood as the business identity of the target user.
After the second server obtains the partial information in the second information from the second terminal, the second server can perform identity authentication on the second terminal according to the partial information in the second information.
From the above method, it can be seen that: after the first server sends first information describing a first identity of the target user to the first terminal, the first terminal may generate second information describing a second identity of the target user based on the first information. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when the second terminal and the second server perform identity authentication, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully separated and are respectively stored in the two terminals, the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
In a possible implementation manner, the first information includes a first private key of a target user, the first private key is one private key of private keys of a plurality of users matched with the first private key, the plurality of users include the target user, the second information includes a first certificate and a second private key of the target user, part of the information includes the first certificate, the first certificate includes a second public key matched with the second private key, and the first certificate is obtained by signing based on the first private key; the second server, according to the partial information, performing identity authentication on the second terminal includes: the second server performs first signature verification on the first certificate based on the first public key;
and after the first signature verification is successful, the second server controls the second terminal and proves that the second terminal has the second private key to the second server.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the first information and the partial information further include a second credential, the second credential includes a first public key, the second credential is obtained by signing based on a third private key of the first server, and before the second server performs the first signature verification on the first credential based on the first public key, the method further includes: the second server conducts second signature verification on the second certificate based on a third public key matched with the third private key; the second server performs first signature verification on the first certificate based on the first public key, and the first signature verification comprises the following steps: and after the second signature verification is successful, the second server performs first signature verification on the first certificate based on the first public key.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
A fifth aspect of an embodiment of the present application provides a terminal, which serves as a first terminal, and includes: the acquisition module is used for acquiring first information from a first server, wherein the first information is used for describing a first identity of a target user; the processing module is used for generating second information based on the first information, and the second information is used for describing a second identity of the target user; and the sending module is used for sending second information to the second terminal, wherein the second information is used for realizing identity authentication of the second terminal at the second server.
In a possible implementation manner, the first information includes a first private key of the target user, the first private key is one private key of private keys of multiple users matched with the first public key, and the multiple users include the target user; a processing module to: generating a second private key of the target user and a second public key matched with the second private key; signing the second public key based on the first private key to obtain a first certificate containing the second public key; the second information comprises a first certificate and a second private key, the first certificate is used for the second server to perform first signature verification based on the first public key, and the second private key is used for the second terminal to prove that the second terminal has the second private key to the second server after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the first information and the second information further include a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, the second certificate is used for the second server to perform second signature verification based on a third public key matched with the third private key, and the first certificate is used for performing first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include an identity attribute that each of the plurality of users has.
A sixth aspect of the embodiments of the present application provides a terminal, where the terminal is a second terminal, and the second terminal includes: the acquisition module is used for acquiring second information from the first terminal, the second information is generated by the first terminal based on first information from the first server, the first information is used for describing a first identity of a target user, and the second information is used for describing a second identity of the target user; and the sending module is used for sending part of the information in the second information to the second server so as to realize identity authentication at the second server.
In a possible implementation manner, the first information includes a first private key of a target user, the first private key is one private key of private keys of multiple users matched with the first public key, the multiple users include the target user, the second information includes a first certificate and a second private key of the target user, part of the information includes a first certificate, the first certificate includes a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, and the first certificate is used for a second server to perform first signature verification based on the first public key; and the sending module is used for proving that the second terminal has the second private key to the second server after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the partial information of the first information and the second information further includes a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, the second certificate is used for the second server to perform a second signature verification based on a third public key matched with the third private key, and the first certificate is used for performing a first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
A seventh aspect of an embodiment of the present application provides a server, where the server serves as a first server, and the first server includes: the sending module is used for sending first information to the first terminal, the first information is used for describing a first identity of the target user, the first information is also used for generating second information by the first terminal, the second information is used for describing a second identity of the target user, and the second information is also used for realizing identity authentication at the second server by the second terminal.
In one possible implementation manner, the first server further includes: the processing module is used for generating a first private key, the first private key is one of private keys of a plurality of users matched with the first public key, and the plurality of users comprise target users; the first information comprises a first private key of a target user, the second information comprises a first certificate and a second private key of the target user, the first certificate comprises a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, the first certificate is used for the second server to perform first signature verification based on the first public key, and the second private key is used for proving that the second terminal has the second private key to the second server after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the processing module is further configured to sign the first public key based on a third private key of the first server to obtain a second certificate containing the first public key; the first information and the second information further comprise a second certificate, the second certificate is used for the second server to conduct second signature verification based on a third public key matched with a third private key, and the first certificate is used for conducting first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
An eighth aspect of embodiments of the present application provides a server as a second server, where the second server includes: the acquisition module is used for acquiring partial information in second information from a second terminal, the second information is generated by the first terminal based on first information from a first server, the first information is used for describing a first identity of a target user, and the second information is used for describing a second identity of the target user; and the processing module is used for carrying out identity authentication on the second terminal according to the partial information.
In a possible implementation manner, the first information includes a first private key of a target user, the first private key is one private key of private keys of a plurality of users matched with the first private key, the plurality of users include the target user, the second information includes a first certificate and a second private key of the target user, part of the information includes the first certificate, the first certificate includes a second public key matched with the second private key, and the first certificate is obtained by signing based on the first private key; a processing module to: performing first signature verification on the first certificate based on the first public key; and after the first signature verification is successful, controlling the second terminal, and proving that the second terminal has the second private key to the second server.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the first information and the partial information further include a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, and the processing module is further configured to perform second signature verification on the second certificate based on a third public key matched with the third private key before the second server performs first signature verification on the first certificate based on the first public key; and the processing module is used for carrying out first signature verification on the first certificate based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
A ninth aspect of an embodiment of the present application provides a terminal, which serves as a first terminal, and includes a memory and a processor; the memory stores code and the processor is configured to execute the code, when executed, the first terminal performs the method according to the first aspect or any one of the possible implementations of the first aspect.
A tenth aspect of the embodiments of the present application provides a terminal, where the terminal is used as a second terminal, and a first terminal includes a memory and a processor; the memory stores code and the processor is configured to execute the code, when executed, the second terminal performs the method according to the second aspect or any one of the possible implementations of the second aspect.
An eleventh aspect of embodiments of the present application provides a server as a first server, the first server including a memory and a processor; the memory stores code and the processor is configured to execute the code, and when executed, the first server performs the method according to the third aspect or any one of the possible implementations of the third aspect.
A twelfth aspect of an embodiment of the present application provides a server, as a second server, including a memory and a processor; the memory stores code and the processor is configured to execute the code, and when executed, the first server performs the method according to the fourth aspect or any one of the possible implementations of the fourth aspect.
A thirteenth aspect of embodiments of the present application provides an identity authentication system, which comprises the first terminal according to the ninth aspect, the second terminal according to the tenth aspect, the first server according to the eleventh aspect, and the second server according to the twelfth aspect.
A fourteenth aspect of an embodiment of the present application provides a computer storage medium storing one or more instructions that, when executed by one or more computers, cause the one or more computers to implement a method according to any one of the first aspect, any one of the possible implementations of the first aspect, the second aspect, any one of the possible implementations of the second aspect, the third aspect, any one of the possible implementations of the third aspect, the fourth aspect, or any one of the possible implementations of the fourth aspect.
A fifteenth aspect of embodiments of the present application provides a computer program product, which stores instructions that, when executed by a computer, cause the computer to implement the method according to any one of the first aspect, any one of the possible implementations of the first aspect, the second aspect, any one of the possible implementations of the second aspect, the third aspect, any one of the possible implementations of the third aspect, the fourth aspect, or any one of the possible implementations of the fourth aspect.
In this embodiment of the application, after the first server sends, to the first terminal, first information for describing a first identity of the target user, the first terminal may generate, based on the first information, second information for describing a second identity of the target user. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when performing identity authentication with the second server, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully isolated and respectively stored in the two terminals, so that the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
Drawings
Fig. 1 is a schematic structural diagram of an identity authentication system according to an embodiment of the present application;
fig. 2 is a schematic flowchart of an identity authentication method according to an embodiment of the present application;
fig. 3 is another schematic flow chart of an identity authentication method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 5 is another schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a server according to an embodiment of the present application;
fig. 7 is another schematic structural diagram of a server according to an embodiment of the present application;
fig. 8 is another schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 9 is another schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 10 is another schematic structural diagram of a server according to an embodiment of the present application;
fig. 11 is another schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides an identity authentication method and related equipment thereof, which can enable the autonomous identity and the business identity of a user to be isolated and stored in two terminals respectively, can effectively protect the autonomous identity of a target user from being in direct contact with a business side, can prevent the autonomous identity from being falsely used even if the terminal storing the business identity is lost, and can avoid potential safety problems.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and are merely descriptive of the various embodiments of the application and how objects of the same nature can be distinguished. Furthermore, the terms "comprises," "comprising," and any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
With the rapid development of technologies, businesses between users and enterprises can develop business on the internet, and enterprises providing services generally need to authenticate the true identities of users in order to ensure information security.
For convenience of introduction, a server of a government organization is hereinafter referred to as a first server, a device used by a user is referred to as a terminal, and a server of an enterprise is referred to as a second server. In particular, the first server may issue to the terminal information describing the autonomous identity of the user, e.g. an identity private key and an identity credential containing an identity public key, etc. When the terminal needs to register with the second server, the terminal may send the identity credential to the second server. The identity certificate is usually obtained by signing based on the identity private key, so the second server can verify the identity certificate based on the identity public key, and after the verification is successful, the terminal can prove that the terminal has the identity private key to prove the identity of the terminal to the second server, so that the terminal completes identity authentication. Then, after the identity authentication, the terminal can log in the second server based on the identity public and private keys to develop the business on line.
However, the information describing the autonomous identity of the user often relates to the privacy of the user, and once the terminal storing the information is lost, the identity of the user may be falsely used, so that a certain security problem exists.
In order to solve the above problem, an embodiment of the present application provides an identity authentication method, which is applied to a new identity authentication system, as shown in fig. 1 (fig. 1 is a schematic structural diagram of an identity authentication system provided in an embodiment of the present application), where the identity authentication system includes: the first server is in communication connection with the first terminal, the first terminal is in communication connection with the second terminal, and the second terminal is in communication connection with the second server, wherein the communication connection may be a wired communication connection or a wireless communication connection, and is not limited herein.
The first server is a server of an organization issuing the user autonomous identity, the second server is a server of an enterprise providing business services, the first terminal and the second terminal are devices used by the user, the first terminal can be some terminal devices with higher safety level, such as wearable devices (e.g., smart watches, smart bracelets, smart glasses and the like), personal computers and the like, and the second terminal can be some portable terminal devices with lower safety level, such as mobile phones, tablet computers and the like.
The first server may provide the first terminal with information describing the autonomous identity of the user, and the first terminal may store the information and generate and store information describing the service identity of the user based on the information. Then, the first terminal sends the information for describing the service identity of the user to the second terminal, and the second terminal can store the part of information and forward the part of information to the second server so as to complete identity authentication at the second server according to the part of information.
To further understand the above process, it will be further described below. For convenience of explanation, the information for describing the autonomous identity of the user is hereinafter referred to as first information, and the information for describing the service identity of the user is hereinafter referred to as second information. It should be noted that the process may include two cases, and in different cases, the content included in the first information and the content included in the second information are different. First, a first case is explained below, and fig. 2 is a schematic flow chart of an identity authentication method provided in an embodiment of the present application, as shown in fig. 2, the method includes:
201. the first server generates a first private key of the target user, the first private key is one of private keys of a plurality of users matched with the first public key, and the plurality of users comprise the target user.
202. The first server signs the first public key based on a third private key of the first server to obtain a second certificate containing the first public key.
In this embodiment, when the target user needs to obtain the first information describing the first identity of the target user, a first request may be sent to the first server, so that the first server generates the first information based on the first request, where the first information includes a first private key of the target user and a second credential including a first public key. The first private key of the target user is one of private keys of a plurality of users matched with the first public key, the plurality of users have the same identity attribute, the plurality of users comprise the target user, and the second certificate comprising the identity attribute and the first public key is obtained by signing the first public key. It can be seen that when the first private key and the second credential are combined together, they can be used to describe the first identity of the target user, indicating that the target user is a user with certain identity attributes.
In particular, the first identity of the target user may comprise at least one identity attribute of the target user, for example, the autonomous identity of the user a may comprise identity attributes of a name of the user a, a year, month, day of birth of the user a, an address of the user a, and a household identity of the user a. It should be noted that all identity attributes of the target user are generated and issued by the first serverFor each identity attribute of the target user, the operation performed by the first server on each identity attribute is the same, so for convenience of description, the jth identity attribute Attr of the target user is used hereinafter j Illustratively, the first server may also perform the same for the remaining identity attributes of the target user as for the jth identity attribute Attr j The steps (i.e., step 201 to step 210) are not described in detail later.
Identity attribute Attr for target user j To assign the identity attribute Attr j Securely issuing to a first terminal, a first server may perform the steps of:
(1) The first server may be an identity attribute Attr j A cluster is established, then the identity attribute Attr is possessed j The first server may also generate a master public key MPK for the group that is common to all members j (i.e., the first public key) and generates different private keys SK for different members of the group j . The target user is set as the ith member of the group, so the private key of the target user in the group can be expressed as
Figure BDA0003231650670000091
(i.e., the first private key of the target user), wherein the MSK j A master private key common to all members of the group, the private key of the target user in the group being visible
Figure BDA0003231650670000092
Is based on the master private key MSK of the group j The generated private keys of the rest members in the group are the same, and the details are not repeated here. It should be noted that the master public key MPK of the group j And the master private key MSK of the group j A public and private key pair randomly generated for the group for the first server, private keys SK of different members of the group j Master public key MPK of the group j Match (because of the private keys SK of the different members of the group j All based on the master private key MSK of the group j Generated).
(2) The first server may also obtain a public-private key pair representing the first server itself, i.e., the first serverPrivate key SK of server I (i.e. the third private key of the first server) and the private key SK I Public key PK of the first server I (i.e., the third public key of the first server). Then, the first server uses the private key SK I For identity attribute Attr j And master public key MPK j Signing (e.g., a signing operation based on a conventional signing algorithm, etc.) to obtain a credential
Figure BDA0003231650670000093
(i.e., the second credential).
So far, the first server obtains the private key of the target user
Figure BDA0003231650670000101
And a credential Cred j It is equivalent to that the first server obtains the first private key and the second credential of the target user, i.e. the first information.
203. The first server sends the first private key and the second certificate to the first terminal.
After obtaining first information for describing a first identity of a target user, the first server may send the first information to the first terminal for processing. Specifically, after obtaining a first private key of the target user and a second certificate containing the first public key, the first server may send the first private key and the second certificate to the first terminal.
Still as in the above example, the first server obtains the private key of the target user
Figure BDA0003231650670000104
And a voucher Cred j Thereafter, the first server may use the private key of the target user
Figure BDA0003231650670000105
And a voucher Cred j And sending the information to the first terminal.
204. And the first terminal generates a second private key of the target user and a second public key matched with the second private key.
205. The first terminal signs the second public key based on the first private key to obtain a first certificate containing the second public key.
After obtaining the first private key of the target user and the second certificate containing the first public key, the first terminal can generate second information for describing the second identity of the target user based on the part of information, wherein the second information contains the second certificate, the second private key of the target user and the first certificate containing the second public key. The second public key is matched with the second private key, and the first certificate containing the second public key is obtained by signing the second public key. It can be seen that the second private key, the first credential, and the second credential, when combined together, can be used to describe the second identity of the target user, indicating that the target user is a user with certain identity attributes (i.e., the identity attributes included in the second credential).
Specifically, the second identity of the target user may also include at least one identity attribute of the target user, and the identity attributes included in the first identity and the second identity of the target user may be the same, for example, the autonomous identity and the business identity of the user a may each include identity attributes such as a name of the user a, a birth year, month and day of the user a, an address of the user a, and a household address of the user a.
Still as in the above example, the identity attribute Attr for the target user j The first terminal obtains the private key of the target user
Figure BDA0003231650670000102
And a voucher Cred j Thereafter, the first terminal may perform the following steps:
(1) The first terminal may obtain (e.g., randomly generated in advance or in real-time, etc.) a new public-private key pair, i.e., the target user's new private key, SK, on behalf of the target user itself 2 (i.e., the second private key of the target user) and the new private key SK 2 New public key PK of matched target user 2 (i.e., the second public key of the target user).
(2) The first terminal can use the private key of the target user
Figure BDA0003231650670000106
New public key PK to target user 2 Carry out the signature (E.g., signature operations based on the Group Signature (GS) algorithm, etc.), to obtain new credentials
Figure BDA0003231650670000103
(i.e., the first credential).
Thus, the first terminal obtains a new private key SK of the target user 2 Certificate Cred j And a new credential σ, which is equivalent to the second private key, the second credential, and the first credential of the target user, i.e., the second information, obtained by the first terminal.
206. The first terminal sends the first certificate, the second certificate and the second private key to the second terminal.
After the first terminal obtains second information for describing a second identity of the target user, if the target user needs to register at the second server, the second information can be sent to the second terminal, so that the second terminal can realize identity authentication at the second server according to the second information. Specifically, after the first terminal obtains the second private key, the first certificate, and the second certificate containing the second public key of the target user, the first terminal may send the second private key, the first certificate, and the second certificate to the second terminal.
Still as in the above example, the first terminal obtains a new private key SK for the target user 2 Certificate Cred j After the new certificate sigma, the first terminal can use the new private key SK of the target user 2 Certificate Cred j And the new voucher sigma is sent to the second terminal.
207. The second terminal sends the first credentials and the second credentials to the second server.
After the second terminal obtains the second information, part of the information in the second information can be sent to the second server. Specifically, after obtaining the second private key of the target user, the first credential, and the second credential including the second public key, the second terminal may send the first credential and the second credential to the second server.
Still as in the above example, the second terminal obtains the new private key SK of the target user 2 Certificate Cred j And the new voucher sigma, the second terminal may credit the voucher Cred j And new credentials sigma to the second serviceA device.
208. And the second server performs second signature verification on the second certificate based on a third public key matched with the third private key.
209. And after the second signature verification is successful, the second server performs first signature verification on the first certificate based on the first public key.
After the second server obtains the first certificate and the second certificate, because the second certificate is obtained by signing the first public key based on the third private key of the first server, the second server can obtain a third public key matched with the third private key (the third public key is public, and the second server can directly obtain the third public key), and perform second signature verification (for example, signature verification operation based on a conventional signature algorithm) on the second certificate by using the third public key, if the second signature verification is successful, it is indicated that information in the second certificate is originated from the first server (that is, the information is not tampered in the transmission process), and the second signature verification is performed by the second server. If the first signature verification fails, it indicates that the information in the second certificate does not originate from the first server (i.e., the information is tampered during transmission), and the second server ends the operation.
After the second verification is successful, the second server can perform first verification (for example, verification signature operation based on group signature algorithm) on the first certificate by using the first public key in the second certificate, because the first certificate is obtained by signing the second public key based on the first private key of the target user, and if the first verification is successful, it indicates that the information in the first certificate is originated from the first terminal (i.e., the information is not tampered during transmission). So far, the first and second verification checks are successful, the second server approves the second identity of the target user (i.e. confirms that the target user is indeed a user with certain identity attributes), and confirms that the identity attribute included in the second identity of the target user is issued by the first server (i.e. confirms that the identity attribute included in the target user is indeed originated from the first server), so that the second server can implement step 210. If the first authentication fails, it indicates that the information in the first certificate does not originate from the first terminal (i.e., the information is tampered during transmission), and the second server ends the operation.
Still as in the above example, the second server obtains the credential Cred j After the new credential σ, the public key PK of the first server may be used I To certificate
Figure BDA0003231650670000111
Checking the signature, if the signature is successfully checked, the second server continues to use the master public key MPK j For new certificate
Figure BDA0003231650670000112
Checking the signature, if the signature is successfully checked, the second server recognizes that the target user really has the identity attribute Attr j And identity attribute Attr, and j and issuing the target user by the first server.
In the above process, because of the master public key MPK j And Attr based on identity attribute j Private keys SK of multiple members of the established group j And (4) matching. Then the second server is utilizing the master public key MPK j After the new credential σ is successfully signed, the second server cannot know which user in the group the target user is (i.e., cannot determine which user's private key SK the new credential σ is based on j Obtained by signing) only the target user can be determined as having the identity attribute Attr j To the user.
210. And after the first signature verification is successful, the second terminal proves to the second server that the second terminal has the second private key.
After the first signature verification is successful, the second server sends a second request to the second terminal, so that the second terminal can prove that the second terminal has the second private key to the second server based on the second request, and identity authentication is completed. And then, if the target user has service requirements, logging in a second server by using a second private key and a second public key through a second terminal so as to online develop the service.
Still as in the above example, after the double-layer signature verification is successful, the second server may send a request to the second terminal, so that the second terminal performs zero-knowledge proof on the second server, thereby proving that the second terminal owns the new public key PK of the target user 2 Matched new private key SK 2 So far, the second terminal implements identity authentication at the second server, so that the second terminal can subsequently use the new public key PK of the target user 2 And a new private key SK of the target user 2 And communicating with a second server to spread the service on the line.
In the above process, the private key of the target user
Figure BDA0003231650670000121
(i.e. the first private key of the target user) is stored in the first terminal as the most sensitive information describing the autonomous identity of the target user, the new private key SK of the target user 2 (i.e. the second private key of the target user) is stored in the second terminal as the most sensitive information describing the service identity of the target user. The second terminal only uses the new private key SK of the target user 2 The identity authentication is completed at the second server, that is, the second server can only contact the most sensitive information for describing the business identity of the target user, but cannot contact the most sensitive information for describing the autonomous identity of the target user, so that the autonomous identity of the target user and the business identity of the target user can be isolated (that is, stored in two terminals respectively), even if the second terminal is lost, the information for describing the autonomous identity of the target user is still stored on the first terminal, so that the target user can utilize the autonomous identity of the target user through the first terminal, withdraw the old business identity at the second server in time, and register a new business identity, and in this case, the autonomous identity of the target user can be effectively protected and cannot be falsely used.
In this embodiment of the application, after the first server sends, to the first terminal, first information for describing a first identity of the target user, the first terminal may generate, based on the first information, second information for describing a second identity of the target user. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when performing identity authentication with the second server, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully isolated and respectively stored in the two terminals, so that the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
The above is a detailed description of the first case, and the second case will be described below. Fig. 3 is another schematic flow chart of the identity authentication method according to the embodiment of the present application, and as shown in fig. 3, the method includes:
301. the first server generates a first private key of the target user, the first private key is one of private keys of a plurality of users matched with the first public key, and the plurality of users comprise the target user.
In this embodiment, when the target user needs to obtain the first information describing the first identity of the target user, a first request may be sent to the first server, so that the first server generates the first information based on the first request, where the first information includes the first private key of the target user. The first private key of the target user is one of private keys of a plurality of users matched with the first public key, the first private key is generated based on the plurality of users having the same identity attribute, and the plurality of users include the target user. Therefore, the first private key can be used to describe the first identity of the target user, which indicates that the target user is a user with certain identity attributes.
In particular, the first identity of the target user may comprise at least one identity attribute of the target user, for example, the autonomous identity of the user a may comprise identity attributes of a name of the user a, a year, month, day of birth of the user a, an address of the user a, and a household identity of the user a. It should be noted that all identity attributes of the target user are generated and issued by the first server, and it is assumed that the first identity of the target user includes N identity attributes, that is, attr 1 ,Attr 2 ,...,Attr N . In order to assign the identity attribute Attr 1 ,Attr 2 ,...,Attr N Securely issuing to a first terminal, a first serviceThe server may be an identity attribute Attr 1 ,Attr 2 ,...,Attr N A cluster is established, then the identity attribute Attr is possessed 1 ,Attr 2 ,...,Attr N The first server may also generate a master public key MPK (i.e., the first public key) common to all members for the group, and generate different private keys SK for different members of the group. Let the target user be the ith member of the group, so the private key of the target user in the group can be represented as SK i =AttrIssue(Attr 1 ,Attr 2 ,...,Attr N MSK) (i.e. the first private key of the target user), where MSK is the master private key common to all members of the group, and the private key SK of the target user in the group is visible i Is based on the identity attribute Attr 1 ,Attr 2 ,...,Attr N And the master private key MSK of the group, as well as the private keys of the other members in the group, which are not described herein again. It should be noted that the master public key MPK of the group and the master private key MSK of the group are a public-private key pair randomly generated by the first server for the group, and the private keys SK of different members in the group are all matched with the master public key MPK of the group (because the private keys SK of different members in the group are all generated based on the master private key MSK of the group).
Thus, the first server obtains the private key SK of the target user i It is equivalent to that the first server obtains the first private key of the target user, that is, the first information.
302. The first server sends the first private key to the first terminal.
After obtaining first information for describing a first identity of a target user, the first server may send the first information to the first terminal for processing. Specifically, the first server obtains a first private key of the target user, and may send the first private key to the first terminal.
Still as in the above example, the first server obtains the private key SK of the target user i Afterwards, the first server can use the private key SK of the target user i And sending the information to the first terminal.
303. And the first terminal generates a second private key of the target user and a second public key matched with the second private key.
304. The first terminal signs the second public key based on the first private key to obtain a first certificate containing the second public key.
After obtaining the first private key of the target user, the first terminal may generate second information for describing a second identity of the target user based on the part of information, where the second information includes a second private key of the target user and a first certificate including a second public key. The second public key is matched with the second private key, and the first certificate containing the second public key is obtained by signing the second public key. It can be seen that the second private key, when combined with the first credential, can be used to describe the second identity of the target user, indicating that the target user is a user with certain identity attributes (i.e., the identity attributes included in the second credential).
Specifically, the second identity of the target user may also include at least one identity attribute of the target user, and the identity attributes included in the first identity and the second identity of the target user may be the same, for example, the autonomous identity and the business identity of the user a may each include identity attributes such as a name of the user a, a birth year, month and day of the user a, an address of the user a, and a household address of the user a.
Still as in the above example, the identity attribute Attr for the target user 1 ,Attr 2 ,...,Attr N The first terminal obtains a private key SK of a target user i Then, the first terminal may perform the following steps:
(1) The first terminal may obtain (e.g., randomly generated in advance or in real-time, etc.) a new public-private key pair representing the target user itself, i.e., a new private key SK of the target user 2 (i.e., the second private key of the target user) and the new private key SK 2 New public key PK of matched target user 2 (i.e., the second public key of the target user).
(2) The first terminal can use the private key SK of the target user i New public key PK to target user 2 Perform a signature (e.g., a signature operation based on a Group Signature (GS) algorithm, etc.) to obtain a credential
Figure BDA0003231650670000141
(i.e., the first credential).
So far, the first terminal obtains a new private key SK of the target user 2 And the certificate Cred is equivalent to that the first terminal obtains a second private key and a first certificate of the target user, namely second information.
305. The first terminal sends the first certificate and the second private key to the second terminal.
After the first terminal obtains the second information for describing the second identity of the target user, the second information can be sent to the second terminal for processing. Specifically, after the first terminal obtains the second private key and the first certificate of the target user, the first terminal can send the second private key and the first certificate to the second terminal.
Still as in the above example, the first terminal obtains a new private key SK for the target user 2 After the credential Cred is added, the first terminal can use the new private key SK of the target user 2 And the credential Cred is sent to the second terminal.
306. The second terminal sends the first credentials to the second server.
After the second terminal obtains the second information, part of the information in the second information can be sent to the second server. Specifically, after obtaining the second private key and the first certificate of the target user, the second terminal may send the first certificate to the second server.
Still as in the above example, the second terminal obtains the new private key SK of the target user 2 And the credential Cred, the second terminal may send the credential Cred to the second server.
307. And the second server performs first signature verification on the first certificate based on the first public key.
After the second server obtains the first certificate, since the first certificate is obtained by signing the second public key based on the first private key of the target user, the second server may use the first public key (the first public key is public, so the second server may directly obtain) to perform the first verification (for example, a verification signature operation based on a group signature algorithm) on the first certificate, if the first verification is successful, it is indicated that the information in the first certificate originates from the first terminal (i.e., in the transmission process, the information is not tampered), the second server approves the second identity of the target user (i.e., confirms that the target user is indeed a user with some identity attributes), and confirms that the identity attribute included in the second identity of the target user is issued by the first server (i.e., confirms that the identity attribute included in the target user actually originates from the first server), so the second server may implement step 210. If the first authentication fails, it indicates that the information in the first certificate does not originate from the first terminal (i.e., the information is tampered during transmission), and the second server ends the operation.
Still in the above example, after the second server obtains the credential Cred, the master public key MPK can be used to pair the credential
Figure BDA0003231650670000142
Checking the signature, if the signature is successfully checked, the second server recognizes that the target user really has the identity attribute Attr 1 ,Attr 2 ,...,Attr N And identity attribute Attr, and 1 ,Attr 2 ,...,Attr N the target user is issued by the first server.
In the above process, the master public key MPK and the identity attribute Attr are used 1 ,Attr 2 ,...,Attr N The private keys SK of the members of the established group match. Then the second server is utilizing the master public key MPK j After the credential Cred is successfully checked, the second server cannot know which user in the group the target user is (that is, cannot determine which user's private key SK the credential Cred is signed based on), and can only determine that the target user is the user with the identity attribute Attr 1 ,Attr 2 ,...,Attr N The user of (1).
308. And after the first signature verification is successful, the second terminal proves to the second server that the second terminal has the second private key.
After the first signature verification is successful, the second server sends a second request to the second terminal, so that the second terminal can prove that the second terminal has the second private key to the second server based on the second request, and identity authentication is completed. And then, if the target user has service requirements, logging in a second server by using a second private key and a second public key through a second terminal so as to expand the service on line.
Still as in the above example, after the successful signature verification, the second server may send a request to the second terminal to enable the second terminal to perform zero knowledge attestation on the second server to prove that the second terminal owns the new public key PK of the target user 2 Matched new private key SK 2 So far, the second terminal implements identity authentication at the second server, so that the second terminal can subsequently use the new public key PK of the target user 2 And a new private key SK of the target user 2 And communicating with a second server to spread the service on the line.
In the above process, the private key SK of the target user i (i.e. the first private key of the target user) is stored in the first terminal as the most sensitive information describing the autonomous identity of the target user, the new private key SK of the target user 2 (i.e. the second private key of the target user) is stored in the second terminal as the most sensitive information describing the service identity of the target user. The second terminal only uses the new private key SK of the target user 2 The identity authentication is completed at the second server, that is, the second server can only contact the most sensitive information for describing the business identity of the target user, but cannot contact the most sensitive information for describing the autonomous identity of the target user, so that the autonomous identity of the target user and the business identity of the target user can be isolated (that is, stored in two terminals respectively), even if the second terminal is lost, the information for describing the autonomous identity of the target user is still stored in the first terminal, so that the target user can utilize the autonomous identity of the target user through the first terminal, withdraw the old business identity at the second server in time, and register a new business identity, and under the condition, the autonomous identity of the target user can be effectively protected and cannot be falsely used.
In this embodiment of the application, after the first server sends, to the first terminal, first information for describing a first identity of the target user, the first terminal may generate, based on the first information, second information for describing a second identity of the target user. Then, the first terminal sends the second information to the second terminal, so that the second terminal completes identity authentication at the second server by using the second information. In the process, because the first information is stored in the first terminal, the second information is stored in the second terminal, and the second terminal only relates to the second information when performing identity authentication with the second server, the first identity (autonomous identity) and the second identity (service identity) of the target user are successfully isolated and respectively stored in the two terminals, so that the first identity of the target user can be effectively protected from being in direct contact with the second server (service side), even if the second terminal is lost, the first identity of the target user cannot be falsely used, and potential safety problems can be avoided.
The above is a detailed description of the identity authentication method provided in the embodiment of the present application, and the first server, the first terminal, the second terminal, and the second server provided in the embodiment of the present application are described below. Fig. 4 is a schematic structural diagram of a terminal provided in an embodiment of the present application, and as shown in fig. 4, the terminal serves as a first terminal, and the first terminal includes:
an obtaining module 401, configured to obtain first information from a first server, where the first information is used to describe a first identity of a target user;
a processing module 402, configured to generate second information based on the first information, where the second information is used to describe a second identity of the target user;
a sending module 403, configured to send second information to the second terminal, where the second information is used for the second terminal to implement identity authentication at the second server.
In a possible implementation manner, the first information includes a first private key of the target user, the first private key is one private key of private keys of a plurality of users matched with the first public key, and the plurality of users include the target user; a processing module 402 for: generating a second private key of the target user and a second public key matched with the second private key; signing the second public key based on the first private key to obtain a first certificate containing the second public key; the second information comprises a first certificate and a second private key, the first certificate is used for the second server to perform first signature verification based on the first public key, and the second private key is used for the second terminal to prove that the second terminal has the second private key to the second server after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the first information and the second information further include a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, the second certificate is used for the second server to perform second signature verification based on a third public key matched with the third private key, and the first certificate is used for performing first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include an identity attribute that each of the plurality of users has.
Fig. 5 is another schematic structural diagram of a terminal provided in the embodiment of the present application, and as shown in fig. 5, the terminal serves as a second terminal, and the second terminal includes:
an obtaining module 501, configured to obtain second information from the first terminal, where the second information is generated by the first terminal based on first information from the first server, the first information is used to describe a first identity of the target user, and the second information is used to describe a second identity of the target user;
a sending module 502, configured to send part of the second information to the second server, so as to implement identity authentication at the second server.
In a possible implementation manner, the first information includes a first private key of a target user, the first private key is one private key of private keys of multiple users matched with the first public key, the multiple users include the target user, the second information includes a first certificate and a second private key of the target user, part of the information includes a first certificate, the first certificate includes a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, and the first certificate is used for a second server to perform first signature verification based on the first public key; the sending module 502 is configured to prove, to the second server, that the second terminal possesses the second private key after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the partial information of the first information and the second information further includes a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, the second certificate is used for the second server to perform a second signature verification based on a third public key matched with the third private key, and the first certificate is used for performing a first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
Fig. 6 is a schematic structural diagram of a server according to an embodiment of the present application, and as shown in fig. 6, the server serves as a first server, where the first server includes:
a sending module 601, configured to send first information to a first terminal, where the first information is used to describe a first identity of a target user, the first information is further used for the first terminal to generate second information, the second information is used to describe a second identity of the target user, and the second information is further used for a second terminal to implement identity authentication at a second server.
In one possible implementation manner, the first server further includes: the processing module is used for generating a first private key, the first private key is one of private keys of a plurality of users matched with the first public key, and the plurality of users comprise target users; the first information comprises a first private key of a target user, the second information comprises a first certificate and a second private key of the target user, the first certificate comprises a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, the first certificate is used for a second server to perform first signature verification based on the first public key, and the second private key is used for proving that the second terminal has the second private key to the second server after the first signature verification is successful.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the processing module is further configured to sign the first public key based on a third private key of the first server, so as to obtain a second certificate containing the first public key; the first information and the second information further comprise a second certificate, the second certificate is used for the second server to conduct second signature verification based on a third public key matched with a third private key, and the first certificate is used for conducting first signature verification based on the first public key after the second signature verification is successful.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
Fig. 7 is another schematic structural diagram of a server provided in the embodiment of the present application, and as shown in fig. 7, the server serves as a second server, and the second server includes:
an obtaining module 701, configured to obtain partial information in second information from a second terminal, where the second information is generated by the first terminal based on first information from the first server, the first information is used to describe a first identity of a target user, and the second information is used to describe a second identity of the target user;
and the processing module 702 is configured to perform identity authentication on the second terminal according to the partial information.
In a possible implementation manner, the first information includes a first private key of a target user, the first private key is one private key of private keys of a plurality of users matched with the first private key, the plurality of users include the target user, the second information includes a first certificate and a second private key of the target user, part of the information includes a first certificate, the first certificate includes a second public key matched with the second private key, and the first certificate is obtained by signing based on the first private key; a processing module 702 configured to: performing first signature verification on the first certificate based on the first public key; and after the first signature verification is successful, controlling the second terminal, and proving that the second terminal has the second private key to the second server.
In one possible implementation, the first private key is generated based on an identity attribute that each of the plurality of users has.
In a possible implementation manner, the first information and the partial information further include a second certificate, the second certificate includes a first public key, the second certificate is obtained by signing based on a third private key of the first server, and the processing module 702 is further configured to perform a second signature verification on the second certificate based on a third public key matched with the third private key before the second server performs the first signature verification on the first certificate based on the first public key; the processing module 702 is configured to, after the second signature verification is successful, perform a first signature verification on the first credential based on the first public key.
In one possible implementation, the second credentials further include a target attribute that each of the plurality of users has.
It should be noted that, because the contents of information interaction, execution process, and the like between the modules/units of the apparatus are based on the same concept as the method embodiment of the present application, the technical effect brought by the contents is the same as the method embodiment of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not repeated herein.
Fig. 8 is another schematic structural diagram of a terminal according to an embodiment of the present application. Referring to fig. 8, the terminal is used as a first terminal, and the first terminal may be a smart watch, a smart bracelet, smart glasses, and the like. The intelligent wrist-watch includes: radio Frequency (RF) circuitry 810, memory 820, input unit 830, display unit 840, sensor 850, audio circuitry 860, wireless fidelity (WiFi) module 870, processor 880, and power supply 890. Those skilled in the art will appreciate that the smart watch configuration shown in fig. 8 does not constitute a limitation of a smart watch, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
The following specifically describes each component of the smart watch with reference to fig. 8:
the RF circuit 810 may be used for receiving and transmitting signals during information transmission and reception or during a call, and in particular, for processing downlink information of a base station after receiving the downlink information to the processor 880; in addition, the data for designing uplink is transmitted to the base station. In general, RF circuit 810 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 810 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to global system for mobile communications (GSM), general Packet Radio Service (GPRS), code Division Multiple Access (CDMA), wideband Code Division Multiple Access (WCDMA), long Term Evolution (LTE), email, short Message Service (SMS), etc.
The memory 820 may be used to store software programs and modules, and the processor 880 executes various functional applications and data processing of the smart watch by operating the software programs and modules stored in the memory 820. The memory 820 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the stored data area may store data (such as audio data, a phonebook, etc.) created according to the use of the smart watch, and the like. Further, the memory 820 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 830 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the smart watch. Specifically, the input unit 830 may include a touch panel 831 and other input devices 832. The touch panel 831, also referred to as a touch screen, can collect touch operations performed by a user on or near the touch panel 831 (e.g., operations performed by the user on the touch panel 831 or near the touch panel 831 using any suitable object or accessory such as a finger, a stylus, etc.) and drive the corresponding connection device according to a preset program. Alternatively, the touch panel 831 may include two portions of a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts it to touch point coordinates, and sends the touch point coordinates to the processor 880, and can receive and execute commands from the processor 880. In addition, the touch panel 831 may be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 830 may include other input devices 832 in addition to the touch panel 831. In particular, other input devices 832 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 840 may be used to display information input by the user or information provided to the user, as well as various menus of the smart watch. The display unit 840 may include a display panel 841, and the display panel 841 may be optionally configured in the form of a Liquid Crystal Display (LCD), an organic light-emitting diode (OLED), or the like. Further, touch panel 831 can overlay display panel 841, and when touch panel 831 detects a touch operation thereon or nearby, communicate to processor 880 to determine the type of touch event, and processor 880 can then provide a corresponding visual output on display panel 841 based on the type of touch event. Although in fig. 8, touch panel 831 and display panel 841 are two separate components to implement the input and output functions of a smart watch, in some embodiments, touch panel 831 and display panel 841 may be integrated to implement the input and output functions of a smart watch.
The smart watch may also include at least one sensor 850, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that may adjust the brightness of the display panel 841 according to the brightness of ambient light, and a proximity sensor that may turn off the display panel 841 and/or backlight when the smart watch is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications (such as horizontal and vertical screen switching, related games, magnetometer attitude calibration) for identifying the attitude of the smart watch, and related functions (such as pedometer and tapping) for vibration identification; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, infrared, IMU, and SLAM sensors, which may be further configured to the smart watch, detailed description thereof is omitted.
Audio circuitry 860, speaker 861, microphone 862 may provide an audio interface between the user and the smart watch. The audio circuit 860 can transmit the electrical signal converted from the received audio data to the speaker 861, and the electrical signal is converted into a sound signal by the speaker 861 and output; on the other hand, the microphone 862 converts collected sound signals into electrical signals, which are received by the audio circuit 860 and converted into audio data, which are then processed by the audio data output processor 880 and sent to, for example, another smart watch via the RF circuit 810, or output to the memory 820 for further processing.
WiFi belongs to short-distance wireless transmission technology, and the smart watch can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 870, and provides wireless broadband internet access for the user. Although fig. 8 illustrates WiFi module 870, it is understood that it does not belong to a necessary component of a smart watch.
The processor 880 is a control center of the smart watch, connects various parts of the whole smart watch using various interfaces and lines, and performs various functions of the smart watch and processes data by operating or executing software programs and/or modules stored in the memory 820 and calling data stored in the memory 820, thereby performing overall monitoring of the smart watch. Optionally, processor 880 may include one or more processing units; preferably, the processor 880 may integrate an application processor, which mainly handles operating systems, user interfaces, applications, etc., and a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor described above may not be integrated into processor 880.
The smart watch also includes a power source 890 (e.g., a battery) for powering the various components, which may preferably be logically coupled to the processor 880 via a power management system to manage charging, discharging, and power consumption management functions via the power management system.
Although not shown, the smart watch may further include a camera, a bluetooth module, and the like, which are not described herein.
In this embodiment of the application, the processor 880 included in the smart watch may perform the functions of the first terminal in the embodiments shown in fig. 2 or fig. 3, which are not described herein again.
Fig. 9 is another schematic structural diagram of a terminal according to an embodiment of the present application. Referring to fig. 9, the terminal may be used as a second terminal, and the second terminal may be a mobile phone, a tablet computer, or the like. The mobile phone comprises: radio Frequency (RF) circuitry 910, memory 920, input unit 930, display unit 940, sensor 950, audio circuitry 960, wireless fidelity (WiFi) module 970, processor 980, and power supply 990. Those skilled in the art will appreciate that the handset configuration shown in fig. 9 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following describes each component of the mobile phone in detail with reference to fig. 9:
the RF circuit 910 may be used for receiving and transmitting signals during information transmission and reception or during a call, and in particular, for receiving downlink information of a base station and then processing the received downlink information to the processor 980; in addition, the data for designing uplink is transmitted to the base station. In general, RF circuit 910 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 910 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to global system for mobile communications (GSM), general Packet Radio Service (GPRS), code Division Multiple Access (CDMA), wideband Code Division Multiple Access (WCDMA), long Term Evolution (LTE), email, short Message Service (SMS), etc.
The memory 920 may be used to store software programs and modules, and the processor 980 may execute various functional applications and data processing of the mobile phone by operating the software programs and modules stored in the memory 920. The memory 920 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. Further, the memory 920 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 930 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the cellular phone. Specifically, the input unit 930 may include a touch panel 931 and other input devices 932. The touch panel 931, also referred to as a touch screen, may collect a touch operation performed by a user on or near the touch panel 931 (e.g., a user's operation on or near the touch panel 931 using a finger, a stylus, or any other suitable object or accessory), and drive a corresponding connection device according to a preset program. Alternatively, the touch panel 931 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 980, and can receive and execute commands sent by the processor 980. In addition, the touch panel 931 may be implemented by various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 930 may include other input devices 932 in addition to the touch panel 931. In particular, other input devices 932 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 940 may be used to display information input by the user or information provided to the user and various menus of the mobile phone. The display unit 940 may include a display panel 941, and optionally, the display panel 941 may be configured in the form of a Liquid Crystal Display (LCD), an organic light-emitting diode (OLED), or the like. Further, the touch panel 931 may cover the display panel 941, and when the touch panel 931 detects a touch operation on or near the touch panel 931, the touch panel transmits the touch operation to the processor 980 to determine the type of the touch event, and then the processor 980 provides a corresponding visual output on the display panel 941 according to the type of the touch event. Although in fig. 9, the touch panel 931 and the display panel 941 are two independent components to implement the input and output functions of the mobile phone, in some embodiments, the touch panel 931 and the display panel 941 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 950, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 941 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 941 and/or backlight when the mobile phone is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor, an IMU, and a SLAM sensor, which are also configurable to the mobile phone, are not described herein again.
Audio circuitry 960, speaker 961, microphone 962 may provide an audio interface between a user and a cell phone. The audio circuit 960 may transmit the electrical signal converted from the received audio data to the speaker 961, and convert the electrical signal into a sound signal for output by the speaker 961; on the other hand, the microphone 962 converts the collected sound signal into an electrical signal, converts the electrical signal into audio data after being received by the audio circuit 960, and outputs the audio data to the processor 980 for processing, and then transmits the audio data to, for example, another mobile phone through the RF circuit 910, or outputs the audio data to the memory 920 for further processing.
WiFi belongs to short-distance wireless transmission technology, and the mobile phone can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 970, and provides wireless broadband Internet access for the user. Although fig. 9 shows a WiFi module 970, it is understood that it does not belong to the essential components of the handset.
The processor 980 is a control center of the mobile phone, connects various parts of the entire mobile phone by using various interfaces and lines, and performs various functions of the mobile phone and processes data by operating or executing software programs and/or modules stored in the memory 920 and calling data stored in the memory 920, thereby integrally monitoring the mobile phone. Alternatively, processor 980 may include one or more processing units; preferably, the processor 980 may integrate an application processor, which primarily handles operating system, user interface, and applications, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 980.
The handset also includes a power supply 990 (e.g., a battery) for supplying power to the various components, which may preferably be logically connected to the processor 980 via a power management system, such that the power management system may manage charging, discharging, and power consumption.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In this embodiment, the processor 980 included in the mobile phone may perform the functions of the second terminal in the embodiments shown in fig. 2 or fig. 3, which are not described herein again.
Fig. 10 is another schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 10, the server in the embodiment of the present application may be used as a first server, and one embodiment of the first server may include one or more central processing units 1001, a memory 1002, an input/output interface 1003, a wired or wireless network interface 1004, and a power supply 1005.
The memory 1002 may be transient storage or persistent storage. Still further, the central processing unit 1001 may be configured to communicate with the memory 1002 to execute a series of instruction operations in the memory 1002 on the first server.
In this embodiment, the central processing unit 1001 may execute the operations executed by the first server in the embodiments shown in fig. 2 or fig. 3, which are not described herein again.
In this embodiment, the specific functional module division in the central processing unit 1001 may be similar to the division of the processing module and the sending module described in fig. 6, and details are not repeated here.
Fig. 11 is another schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 11, the server in the embodiment of the present application may be used as a second server, and one embodiment of the second server may include one or more central processing units 1101, a memory 1102, an input/output interface 1103, a wired or wireless network interface 1104, and a power supply 1105.
Memory 1102 may be transient storage or persistent storage. Still further, the central processor 1101 may be configured to communicate with the memory 1102 to execute a series of instruction operations in the memory 1102 on a second server.
In this embodiment, the central processor 1101 may perform the operations performed by the second server in the embodiments shown in fig. 2 or fig. 3, which are not described herein again.
In this embodiment, the specific functional module division in the central processing unit 1101 may be similar to the division of the modules such as the obtaining module and the processing module described in fig. 7, and is not described herein again.
Embodiments of the present application also relate to a computer storage medium storing one or more instructions that, when executed by one or more computers, cause the one or more computers to implement a method as described in fig. 2 or fig. 3.
Embodiments of the present application also relate to a computer program product having instructions stored thereon, which when executed by a computer, cause the computer to implement the method of fig. 2 or 3.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, which are essential or part of the technical solutions contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Claims (31)

1. An identity authentication method, the method comprising:
the method comprises the steps that a first terminal obtains first information from a first server, wherein the first information is used for describing a first identity of a target user;
the first terminal generates second information based on the first information, wherein the second information is used for describing a second identity of the target user;
and the first terminal sends the second information to a second terminal, wherein the second information is used for the second terminal to realize identity authentication at a second server.
2. The method of claim 1, wherein the first information comprises a first private key of the target user, the first private key being one of private keys of a plurality of users matched by a first public key, the plurality of users comprising the target user;
the first terminal generating second information based on the first information comprises:
the first terminal generates a second private key of the target user and a second public key matched with the second private key;
the first terminal signs the second public key based on the first private key to obtain a first certificate containing the second public key;
the second information comprises the first certificate and the second private key, the first certificate is used for the second server to perform first signature verification based on the first public key, and the second private key is used for proving that the second terminal has the second private key to the second server after the first signature verification is successful.
3. The method of claim 2, wherein the first private key is generated based on an identity attribute that each of the plurality of users has.
4. The method of claim 2, wherein the first information and the second information further comprise a second credential, the second credential comprises the first public key, the second credential is signed based on a third private key of the first server, the second credential is used for the second server to perform a second signature verification based on a third public key matched with the third private key, and the first credential is used for the second server to perform a first signature verification based on the first public key after the second signature verification is successful.
5. The method of claim 4, wherein the second credentials further comprise an identity attribute that each of the plurality of users has.
6. An identity authentication method, the method comprising:
the method comprises the steps that a second terminal obtains second information from a first terminal, wherein the second information is generated by the first terminal based on first information from a first server, the first information is used for describing a first identity of a target user, and the second information is used for describing a second identity of the target user;
and the second terminal sends part of information in the second information to a second server so as to realize identity authentication at the second server.
7. The method of claim 6, wherein the first information comprises a first private key of the target user, the first private key is one of private keys of a plurality of users matched by a first public key, the plurality of users comprises the target user, the second information comprises a first credential and a second private key of the target user, the partial information comprises the first credential, the first credential comprises a second public key matched by the second private key, the first credential is signed based on the first private key, and the first credential is used for the second server to perform a first signature verification based on the first public key;
the second terminal implementing identity authentication at the second server comprises:
and after the first signature verification is successful, the second terminal proves to the second server that the second terminal has the second private key.
8. The method of claim 7, wherein the first private key is generated based on an identity attribute that each of the plurality of users has.
9. The method of claim 6, wherein the first information and the partial information further comprise a second credential, the second credential comprises the first public key, the second credential is signed based on a third private key of the first server, the second credential is used for the second server to perform a second signature verification based on a third public key matched with the third private key, and the first credential is used for the second server to perform a first signature verification based on the first public key after the second signature verification is successful.
10. The method of claim 9, wherein the second credentials further comprise a target attribute that each of the plurality of users has.
11. An identity authentication method, the method comprising:
the first server sends the first information to a first terminal, the first information is used for describing a first identity of a target user, the first information is also used for generating second information by the first terminal, the second information is used for describing a second identity of the target user, and the second information is also used for realizing identity authentication at a second server by a second terminal.
12. The method of claim 11, further comprising:
the first server generates a first private key, wherein the first private key is one of private keys of a plurality of users matched with the first public key, and the plurality of users comprise the target user;
the first information comprises a first private key of the target user, the second information comprises a first certificate and a second private key of the target user, the first certificate comprises a second public key matched with the second private key, the first certificate is obtained by signing based on the first private key, the first certificate is used for the second server to perform first signature verification based on the first public key, and the second private key is used for proving that the second terminal has the second private key to the second server after the first signature verification is successful.
13. The method of claim 12, wherein the first private key is generated based on an identity attribute that each of the plurality of users has.
14. The method of claim 12, further comprising:
the first server signs the first public key based on a third private key of the first server to obtain a second certificate containing the first public key;
the first information and the second information further comprise a second certificate, the second certificate is used for the second server to perform second signature verification based on a third public key matched with the third private key, and the first certificate is used for the second server to perform first signature verification based on the first public key after the second signature verification is successful.
15. The method of claim 14, wherein the second credentials further comprise a target attribute that each of the plurality of users has.
16. An identity authentication method, the method comprising:
the second server acquires partial information in second information from the second terminal, wherein the second information is generated by the first terminal based on first information from the first server, the first information is used for describing a first identity of a target user, and the second information is used for describing a second identity of the target user;
and the second server performs identity authentication on the second terminal according to the partial information.
17. The method of claim 16, wherein the first information comprises a first private key of the target user, the first private key is one of private keys of a plurality of users matched by a first public key, the plurality of users comprises the target user, the second information comprises a first credential and a second private key of the target user, the portion of information comprises the first credential, the first credential comprises a second public key matched by the second private key, and the first credential is signed based on the first private key;
the second server, according to the partial information, implementing identity authentication for the second terminal includes:
the second server performs first signature verification on the first certificate based on the first public key;
and after the first signature verification is successful, the second server controls the second terminal, and proves that the second terminal has the second private key to the second server.
18. The method of claim 17, wherein the first private key is generated based on an identity attribute that each of the plurality of users has.
19. The method of claim 17, wherein the first information and the portion of information further comprise a second credential, wherein the second credential comprises the first public key, wherein the second credential is signed based on a third private key of the first server, and wherein before the second server performs a first signature verification on the first credential based on the first public key, the method further comprises:
the second server conducts second signature verification on the second certificate based on a third public key matched with the third private key;
the second server performing a first signature verification on the first certificate based on the first public key comprises:
and after the second signature verification is successful, the second server performs first signature verification on the first certificate based on the first public key.
20. The method of claim 19, wherein the second credentials further comprise a target attribute that each of the plurality of users has.
21. A terminal, characterized in that the terminal is a first terminal, the first terminal comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring first information from a first server, and the first information is used for describing a first identity of a target user;
the processing module is used for generating second information based on the first information, and the second information is used for describing a second identity of the target user;
and the sending module is used for sending the second information to a second terminal, wherein the second information is used for realizing identity authentication of the second terminal at a second server.
22. A terminal, wherein the terminal is a second terminal, and wherein the second terminal comprises:
the system comprises an acquisition module, a first server and a second server, wherein the acquisition module is used for acquiring second information from the first terminal, the second information is generated by the first terminal based on first information from the first server, the first information is used for describing a first identity of a target user, and the second information is used for describing a second identity of the target user;
and the sending module is used for sending part of the second information to a second server so as to realize identity authentication at the second server.
23. A server, wherein the server is a first server, and wherein the first server comprises:
a sending module, configured to send the first information to a first terminal, where the first information is used to describe a first identity of a target user, the first information is further used for the first terminal to generate second information, the second information is used to describe a second identity of the target user, and the second information is further used for the second terminal to implement identity authentication at a second server.
24. A server, wherein the server is a second server, and wherein the second server comprises:
the acquiring module is used for acquiring partial information in second information from a second terminal, wherein the second information is generated by the first terminal based on first information from a first server, the first information is used for describing a first identity of a target user, and the second information is used for describing a second identity of the target user;
and the processing module is used for carrying out identity authentication on the second terminal according to the partial information.
25. A terminal, characterized in that the terminal is a first terminal comprising a memory and a processor; the memory stores code, the processor is configured to execute the code, and when executed, the first terminal performs the method of any of claims 1 to 5.
26. A terminal, characterized in that the terminal acts as a second terminal, the first terminal comprising a memory and a processor; the memory stores code, the processor is configured to execute the code, and when executed, the second terminal performs the method of any of claims 6 to 10.
27. A server, wherein the server is a first server comprising a memory and a processor; the memory stores code, the processor is configured to execute the code, and when executed, the first server performs the method of any of claims 11 to 15.
28. A server, wherein the server acts as a second server, the second server comprising a memory and a processor; the memory has stored thereon code, the processor being configured to execute the code, the second server performing the method of any of claims 16 to 20 when the code is executed.
29. An identity authentication system comprising a first terminal as claimed in claim 25, a second terminal as claimed in claim 26, a first server as claimed in claim 27 and a second server as claimed in claim 28.
30. A computer storage medium, characterized in that the computer storage medium stores one or more instructions that, when executed by one or more computers, cause the one or more computers to implement the method of any one of claims 1 to 20.
31. A computer program product having stored thereon instructions which, when executed by a computer, cause the computer to carry out the method of any one of claims 1 to 20.
CN202110988997.6A 2021-08-26 2021-08-26 Identity authentication method and related equipment thereof Pending CN115733630A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110988997.6A CN115733630A (en) 2021-08-26 2021-08-26 Identity authentication method and related equipment thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110988997.6A CN115733630A (en) 2021-08-26 2021-08-26 Identity authentication method and related equipment thereof

Publications (1)

Publication Number Publication Date
CN115733630A true CN115733630A (en) 2023-03-03

Family

ID=85289744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110988997.6A Pending CN115733630A (en) 2021-08-26 2021-08-26 Identity authentication method and related equipment thereof

Country Status (1)

Country Link
CN (1) CN115733630A (en)

Similar Documents

Publication Publication Date Title
US12041165B2 (en) Key updating method, apparatus, and system
US11057376B2 (en) Method, apparatus, and system for controlling intelligent device, and storage medium
US11488234B2 (en) Method, apparatus, and system for processing order information
CN106293751B (en) Method for displaying information on terminal equipment and terminal equipment
WO2015101273A1 (en) Security verification method, and related device and system
US10304461B2 (en) Remote electronic service requesting and processing method, server, and terminal
WO2017118437A1 (en) Service processing method, device, and system
US10762542B2 (en) Item transfer apparatus, system and method
US11227042B2 (en) Screen unlocking method and apparatus, and storage medium
EP3401864A1 (en) Method for selecting transaction application, and terminal
WO2018049893A1 (en) Data transmission method and terminal device
CN103457951A (en) Method and device for allowing multiple terminals to login to server
WO2017211205A1 (en) Method and device for updating whitelist
US11017066B2 (en) Method for associating application program with biometric feature, apparatus, and mobile terminal
CN106550361B (en) Data transmission method, equipment and computer readable storage medium
CN108632454B (en) Information processing method and device, computer readable storage medium and terminal
CN116541865A (en) Password input method, device, equipment and storage medium based on data security
CN106447325B (en) NFC communication-based processing method and device and mobile terminal
CN109446794B (en) Password input method and mobile terminal thereof
CN107577933B (en) Application login method and device, computer equipment and computer readable storage medium
CN108256466B (en) Data processing method and device, electronic equipment and computer readable storage medium
CN113923005B (en) Method and system for writing data
CN115733630A (en) Identity authentication method and related equipment thereof
US9633227B2 (en) Method, apparatus, and system of detecting unauthorized data modification
CN109257441B (en) Wireless local area network position acquisition method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination