CN116599719A - User login authentication method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116599719A
Authority
CN
China
Prior art keywords
user
private key
key
public key
client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310548033.9A
Other languages
Chinese (zh)
Inventor
张小青
王中武
刘小华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
China Electronics Technology Network Security Technology Co ltd
Application filed by China Electronics Technology Network Security Technology Co ltd
Priority to CN202310548033.9A
Publication of CN116599719A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a user login authentication method, device, equipment and medium in the technical field of information security. The method comprises the following steps: acquiring an initial public key and user identity information generated after a client logs in to a target applet for the first time; forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment; calculating the user's complete public key with a certificateless public key cryptographic algorithm from the user identity information and the initial public key; and sending the first private key fragment to the client so that the client generates the user's complete private key from the first and second private key fragments and, on later logins to the target applet, performs user authentication with the stored complete private key and the complete public key. The second private key fragment is the initial private key generated by the client at first login. Combining the generated first private key fragment with the second private key fragment into the user's complete private key realizes identity verification for the applet login process.

Description

User login authentication method, device, equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a user login authentication method, device, equipment, and storage medium.
Background
Currently, the network security level protection scheme and the commercial cryptography application and security evaluation requirements explicitly state that user identity authentication in an information system must be implemented with cryptographic technology. Existing products require the installation and deployment of browser plug-ins and cryptographic devices when used from a browser or a WeChat applet. The typical existing identity authentication mode is digital certificate authentication in the traditional public key cryptosystem based on PKI (Public Key Infrastructure) technology, where certificate authentication requires a dedicated CA system for full-life-cycle certificate management. Identity-based cryptography, in which keys are derived from the user's identifier, is another option; there, the identity-based private key must be generated and managed in a third-party key management system, so if an attacker compromises that system, the private keys used for user authentication can leak, causing information disclosure and identity impersonation.
In summary, how to generate secure public and private key information without relying on the installation of a cryptographic module, and to enable a client to perform secure identity authentication when logging in to an applet, is a problem to be solved in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a user login authentication method, apparatus, device, and storage medium that can generate secure public and private key information without depending on the installation of a cryptographic module, and that can realize secure identity authentication when a client performs applet login. The specific scheme is as follows:
the application discloses a user login authentication method, which is applied to a server and comprises the following steps:
acquiring an initial public key and user identity information generated after a client logs in a target applet for the first time;
forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information;
calculating a complete public key of a user through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key;
the first private key segment is sent to the client so that the client generates a user complete private key based on the first private key segment and the second private key segment, and corresponding user authentication is carried out by utilizing the user complete private key stored by the client and the user complete public key stored by the server in the process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time.
Optionally, before the obtaining the initial public key and the user identity information generated after the client logs in the target applet for the first time, the method further includes:
acquiring an access request generated by the client and initializing login of the target applet based on the access request;
and generating the initial public key, the second private key fragment and the user identity information of the user through the target applet.
Optionally, in the process of sending the first private key fragment to the client, the method further includes:
and sending the user complete public key to the client so that, after generating the user complete private key based on the first private key segment and the second private key segment, the client performs key pairing verification on the user complete public key and the user complete private key.
Optionally, the sending the first private key fragment to the client includes:
and encrypting the first private key fragment, the user complete public key and preset calculation parameters by using the initial public key to obtain a corresponding encryption result, and sending the encryption result to the client.
Optionally, after the computing the complete public key of the user by using the certificateless public key cryptographic algorithm and based on the user identity information and the initial public key, the method further includes:
binding and storing the user complete public key and the user identity information so as to query the corresponding user complete public key based on the user identity information and complete user authentication.
In a second aspect, the application discloses a user login authentication method, which is applied to a client and comprises the following steps:
sending a login request carrying user identity information to a server, and then acquiring a corresponding random number generated by the server;
calling a user complete private key which is stored in advance locally through a target applet to sign the random number to obtain a signature value, and packaging the signature value and the user identity information to obtain a packaged identity authentication request;
and sending the identity authentication request to the server side so that the server side can verify the validity of the signature value by using a user complete public key corresponding to the user identity information, and determining whether to allow logging in the target applet or not based on a verification result.
In a third aspect, the present application discloses a user login authentication device, which is applied to a server, and includes:
the information acquisition module is used for acquiring an initial public key and user identity information generated after the client logs in the target applet for the first time;
The first private key generation module is used for forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information;
the complete public key generation module is used for calculating a complete public key of a user through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key;
the login authentication module is used for sending the first private key fragment to the client so that the client generates a user complete private key based on the first private key fragment and the second private key fragment, and performs corresponding user authentication by using the user complete private key stored by the client and the user complete public key stored by the server in the process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time.
In a fourth aspect, the present application discloses a user login authentication device, which is applied to a client, and includes:
the random number acquisition module is used for sending a login request carrying user identity information to the server and then acquiring a corresponding random number generated by the server;
The request encapsulation module is used for calling a user complete private key which is stored in advance locally through a target applet to sign the random number to obtain a signature value, and encapsulating the signature value and the user identity information to obtain an encapsulated identity authentication request;
and the identity login verification module is used for sending the identity authentication request to the server side so that the server side can verify the validity of the signature value by using a user complete public key corresponding to the user identity information, and determining whether to allow login of the target applet or not based on a verification result.
In a fifth aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the steps of the disclosed user login authentication method.
In a sixth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the steps of the previously disclosed user login authentication method.
The application discloses a user login authentication method, which is applied to a server and comprises the following steps: acquiring an initial public key and user identity information generated after a client logs in a target applet for the first time; forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information; calculating a complete public key of a user through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key; the first private key segment is sent to the client so that the client generates a user complete private key based on the first private key segment and the second private key segment, and corresponding user authentication is carried out by utilizing the user complete private key stored by the client and the user complete public key stored by the server in the process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time. Therefore, the application obtains the complete private key of the user by combining the first private key segment generated by the key generation center and the second private key segment automatically generated by the client, realizes the user authentication in the small program login process, avoids installing an additional password module or device, overcomes the defect that the complete private key of the user is directly stored in a third-party key management system, abandons the use of a digital certificate, and avoids the problem of disclosure of the complete private key of the user.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an identity authentication method disclosed by the application;
FIG. 2 is a flow chart of an identity authentication method based on a public key cryptographic algorithm without certificate, which is disclosed by the application;
FIG. 3 is a diagram showing a logical structure of an authentication service according to the present application;
FIG. 4 is a flowchart of a specific authentication method disclosed in the present application;
FIG. 5 is a flowchart of a specific authentication method disclosed in the present application;
FIG. 6 is a flowchart of a specific client login authentication method disclosed in the present application;
FIG. 7 is a schematic diagram of an apparatus structure of an identity authentication method according to the present application;
FIG. 8 is a schematic diagram of another apparatus for identity authentication method according to the present application;
FIG. 9 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
To address these problems, the invention provides a user login authentication scheme that generates secure public and private key information without depending on the installation of a cryptographic module and achieves secure identity authentication when the client logs in to an applet.
Referring to fig. 1, the embodiment of the invention discloses a user login authentication method, which is applied to a server and comprises the following steps:
Step S11: acquiring an initial public key and user identity information generated after the client logs in to the target applet for the first time.
In this embodiment, before acquiring the initial public key and the user identity information generated after the client logs in to the target applet for the first time, the method further includes: acquiring an access request generated by the client and initializing login of the target applet based on that request; and generating the user's initial public key, second private key fragment and user identity information through the target applet. In other words, when a user logs in to an applet for the first time on a non-trusted device, an access request is generated, the user registers identity information in the applet and performs the initial login with an account and password; after that first login succeeds, the applet generates the user identity information and a partial key pair for the user, namely the initial public key and the second private key fragment. Note that the initial public key and the second private key fragment are generated by the applet on the client and do not involve any third-party key generation system.
In this embodiment, after the applet has generated the user identity information, the initial public key and the second private key fragment, the client obtains the user identity information and the initial public key and generates a key generation request carrying the user identity information. In practice the user identity information may be a name plus a communication address, a mobile phone number, an identity card number or an e-mail address.
Step S12: forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information.
In this embodiment, referring to fig. 2, the server receives the key generation request and forwards it to the key generation center. Because the key pair generated by the applet is only a partial public-private key pair of the user and not the complete key pair, the key generation request carrying the user identity information must additionally be sent to a KGC (Key Generation Center) service, which generates the first private key fragment from the user identity information. The first private key fragment is not the user's complete private key: each time the KGC service generates a first private key fragment for a different user it produces only a part of that user's private key, which avoids the insecurity of generating complete private keys directly and prevents the mass leakage of complete private keys that would follow an attack on the KGC service.
Step S13: calculating the user's complete public key with a certificateless public key cryptographic algorithm based on the user identity information and the initial public key.
In this embodiment, the KGC service computes the user's complete public key with a certificateless public key cryptographic algorithm from the received user identity information and the user's partial public key (the initial public key). The complete public key is used for authentication on the user's subsequent logins to the target applet. A certificateless public key cryptosystem avoids the heavy certificate management of the traditional certificate-based public key cryptosystem.
Step S14: the first private key segment is sent to the client so that the client generates a user complete private key based on the first private key segment and the second private key segment, and corresponding user authentication is carried out by utilizing the user complete private key stored by the client and the user complete public key stored by the server in the process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time.
In this embodiment, the first private key fragment is sent to the client so that the client synthesizes the user's complete private key from the first and second private key fragments with the certificateless public key cryptographic algorithm. The client then generates a signature value with the complete private key and verifies it with the complete public key, which confirms that the complete public key and the complete private key are correctly paired and establishes that this key pair is the complete key pair corresponding to the user's identity information.
In this embodiment, referring to fig. 3, the applet side of the client performs generation of the user's partial key, synthesis of the user's complete key and the cryptographic computations; the KGC service on the server side performs generation of the system master public and private keys, generation of the system identifier, generation of the user's other partial private key, and generation of the user's complete public key.
In this embodiment, in the process of sending the first private key fragment to the client, the method further includes: sending the user complete public key to the client so that, after generating the user complete private key based on the first and second private key fragments, the client performs key pairing verification on the user complete public key and the user complete private key. That is, the first private key fragment generated by the KGC service for the target user's identity information and the user complete public key are returned to the client; the client synthesizes the user complete private key from the second private key fragment generated by the applet and the first private key fragment returned by the server using the certificateless public key cryptographic algorithm; and the user's login identity is then authenticated with the user complete public key and the user complete private key.
Referring to fig. 4, an embodiment of the present invention discloses a specific user login authentication method which, compared with the previous embodiment, further describes and optimizes the technical solution. Specifically:
Step S21: acquiring an initial public key and user identity information generated after the client logs in to the target applet for the first time.
Step S22: forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information.
Step S23: calculating the user's complete public key with a certificateless public key cryptographic algorithm based on the user identity information and the initial public key.
The more detailed process in steps S21, S22, S23 is referred to the above disclosed embodiments, and will not be described herein.
Step S24: binding and storing the user complete public key and the user identity information so as to inquire the corresponding user complete public key based on the user identity information and finish user authentication.
In this embodiment, after the KGC service generates the user complete public key and the first private key fragment, the user complete public key and the user identity information are bound and stored in a local database of the server, so that on subsequent (non-first) logins the applet sends a login request containing the user identity information to the server, and the server queries the local database with the user identity information to obtain the corresponding user complete public key and completes the identity authentication of the login with it.
Step S25: encrypting the first private key fragment, the user complete public key and preset calculation parameters with the initial public key to obtain a corresponding encryption result, and sending the encryption result to the client.
In this embodiment, after the KGC service generates the user complete public key and the first private key fragment, the first private key fragment, the user complete public key and the calculation parameter R are encrypted with the user's partial public key (the initial public key) and the encryption result is sent to the client, so that the client receives the first private key fragment, the user complete public key and the calculation parameter R in protected form.
Step S26: decrypting the encryption result through the client based on the user's second private key fragment, so that the client generates the user complete private key from the first private key fragment and the second private key fragment, and the user complete private key stored by the client and the user complete public key stored by the server are then used for user authentication when logging in to the target applet; the user's second private key fragment is the initial private key generated when the client logs in for the first time.
In this embodiment, the client decrypts the encryption result with the user's second private key fragment, extracts the first private key fragment from it, and combines the first and second private key fragments into the user complete private key, which is then used together with the user complete public key for identity verification at login.
It can be seen that, in this embodiment, under the certificateless public key cryptosystem the user complete private key is determined by two secret factors: one is a key generated by the user, the other is a key tied to the user identity and obtained from the KGC service. Neither factor can be derived from the other: the KGC cannot compute the partial key generated by the user, and the user cannot compute the partial key generated by the KGC. Since the server encrypts the first private key fragment and the user complete public key before transmitting them to the client, the security of the key transmission is also improved.
Referring to fig. 5, the embodiment of the invention discloses a specific user login authentication method, which is applied to a client and comprises the following steps:
step S31: and sending a login request carrying user identity information to a server, and then acquiring a corresponding random number generated by the server.
In this embodiment, referring to fig. 6, first, the client sends a login request carrying user identity information to the server, and then the server sends a random number t to the client according to the received login request.
Step S32: and calling a user complete private key which is stored in advance locally through a target applet to sign the random number to obtain a signature value, and packaging the signature value and the user identity information to obtain a packaged identity authentication request.
In this embodiment, the client invokes the user complete private key generated when the target user first logged in to sign the random number t sent by the server, obtaining a signature value, and encapsulates the signature value, the user identity information and, optionally, a static password into an identity authentication request. The encapsulated request therefore has the form: username + static password + signature value, with the static password being optional.
Step S33: and sending the identity authentication request to the server side so that the server side can verify the validity of the signature value by using a user complete public key corresponding to the user identity information, and determining whether to allow logging in the target applet or not based on a verification result.
In this embodiment, the client sends the identity authentication request to the server. The server looks up the user complete public key bound to the user identity information in its local database, verifies the signature value with that public key and, if one was supplied, checks the static password, and decides from the result whether to respond to the client. If every check passes, server-side identity verification succeeds and the user is allowed to log in to the applet directly; if any check fails, the user identity information or other information is wrong and the server does not respond to the client's applet. For example, even if an attacker manages to replace the victim user's public key with the attacker's own during the authentication request, the attacker still cannot forge the victim's signature or decrypt ciphertext encrypted to the victim, so the attacker cannot log in to the applet with the victim's identity information, and the user's information remains secure.
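The enrolment flow of steps S21 to S26 and the challenge-response login of steps S31 to S33, worked through end to end as an added example; this is not the patent's own code. The patent does not state which certificateless algorithm is used, so the block assumes the common SM2-style certificateless construction: the client keeps a fragment x and sends U = x·G; the KGC picks w, returns W = U + w·G (playing the role of the calculation parameter) and the fragment t = w + λ·ms with λ = H(ID, W); the complete private key is d = x + t and the complete public key is W + λ·P_pub. It runs on secp256k1 with SHA-256 purely so that it works with the Python standard library; the S25 encryption of the KGC reply under the initial public key and the optional static password of S32 are left out. Going slightly beyond the text, the last function also shows two things that must fail: authenticating with the KGC fragment alone, and the public key replacement attack mentioned above. Function names, the user identifier and the Schnorr-style signature are illustrative assumptions.

```python
"""Certificateless key split (S21-S26) and challenge-response login (S31-S33).
Added example, not the patent's implementation. Assumed SM2-style CL-PKC
structure on secp256k1 with SHA-256; names and identifiers are illustrative."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over GF(P); G has prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # the generator really lies on the curve

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def enc_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h_int(*parts):
    """Hash the concatenated parts to a scalar in [1, N-1]."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % (N - 1) + 1

def kgc_setup():
    ms = rand_scalar()  # KGC master secret; P_pub = ms*G is published
    return ms, ec_mul(ms, G)

def client_first_login():
    x = rand_scalar()  # S21/S22: second private key fragment stays on the client
    return x, ec_mul(x, G)  # initial public key U = x*G goes to the server

def kgc_partial_key(ms, p_pub, user_id, initial_pub):
    """S23/S24: first fragment t = w + lambda*ms, parameter W, complete public key."""
    w = rand_scalar()
    W = ec_add(initial_pub, ec_mul(w, G))
    lam = h_int(user_id, enc_point(W))
    return (w + lam * ms) % N, W, ec_add(W, ec_mul(lam, p_pub))

def client_complete_key(x, t, W, p_pub, user_id):
    """S26 plus the key-pairing check of claim 3: d = x + t must satisfy d*G == public key."""
    d = (x + t) % N
    pub = ec_add(W, ec_mul(h_int(user_id, enc_point(W)), p_pub))
    if ec_mul(d, G) != pub:
        raise ValueError("key pairing verification failed")
    return d, pub

def sign_challenge(d, user_id, challenge):
    """S32: Schnorr-style signature over the server's random number."""
    k = rand_scalar()
    R = ec_mul(k, G)
    return R, (k + h_int(enc_point(R), user_id, challenge) * d) % N

def verify_challenge(pub, user_id, challenge, sig):
    """S33: s*G == R + e*pub with e recomputed from (R, ID, challenge)."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(h_int(enc_point(R), user_id, challenge), pub))

def run_login_flow(user_id=b"alice@example.com"):
    """Enrolment on first login, a later login, and two attempts that must fail."""
    ms, p_pub = kgc_setup()
    x, U = client_first_login()
    t, W, server_pub = kgc_partial_key(ms, p_pub, user_id, U)  # server DB: user_id -> server_pub
    d, client_pub = client_complete_key(x, t, W, p_pub, user_id)
    challenge = secrets.token_bytes(32)  # S31: the server's random number
    ok = verify_challenge(server_pub, user_id, challenge, sign_challenge(d, user_id, challenge))
    # The KGC's fragment alone is not the complete private key.
    kgc_only = verify_challenge(server_pub, user_id, challenge, sign_challenge(t, user_id, challenge))
    # Public key replacement: an attacker who swaps in W' = x'*G for the victim's ID still
    # lacks lambda'*ms, so no private key matching the replaced public key is available to them.
    xa, Wa = client_first_login()
    replaced_pub = ec_add(Wa, ec_mul(h_int(user_id, enc_point(Wa)), p_pub))
    replaced = verify_challenge(replaced_pub, user_id, challenge, sign_challenge(xa, user_id, challenge))
    return {"login_ok": ok, "kgc_fragment_only": kgc_only,
            "key_replaced": replaced, "keys_match": client_pub == server_pub}
```

The binding λ = H(ID, W) is what makes the last two checks fail: both the complete public key and the KGC fragment depend on it, so a public key that was not issued through the KGC has no private key anyone can compute, and a fragment without the client's x is useless on its own. A real deployment would replace the toy Schnorr signature with the certificateless signature of the chosen standard and would encrypt the KGC reply as step S25 requires.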
The application discloses a user login authentication method, which is applied to a server and comprises the following steps: acquiring an initial public key and user identity information generated after a client logs in to a target applet for the first time; forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information; calculating a user complete public key through a certificateless public key cryptographic algorithm based on the user identity information and the initial public key; sending the first private key fragment to the client so that the client generates a user complete private key from the first private key fragment and the second private key fragment, and using the user complete private key stored by the client and the user complete public key stored by the server for user authentication when logging in to the target applet; the user's second private key fragment is the initial private key generated when the client logs in for the first time. Therefore, the application obtains the user complete private key by combining the first private key fragment generated by the key generation center with the second private key fragment generated by the client itself, realizes user authentication during applet login, avoids installing an additional cryptographic module or device, overcomes the drawback of storing the user complete private key directly in a third-party key management system, dispenses with digital certificates, and avoids leakage of the user complete private key.
Referring to fig. 7, the embodiment of the invention discloses a specific user login authentication device, which is applied to a server and comprises:
the information acquisition module 11 is used for acquiring an initial public key and user identity information generated after the client logs in the target applet for the first time;
a first private key generation module 12, configured to forward a key generation request carrying the user identity information to a key generation center, so that the key generation center generates a first private key fragment based on the user identity information;
a complete public key generation module 13, configured to calculate a complete public key of a user through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key;
the login authentication module 14 is configured to send the first private key segment to the client, so that the client generates a user complete private key based on the first private key segment and the second private key segment, and performs corresponding user authentication by using the user complete private key stored by the client and the user complete public key stored by the server in a process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time.
Referring to fig. 8, an embodiment of the present application discloses a specific user login authentication device, which is applied to a client, and includes:
the random number acquisition module 21 is configured to send a login request carrying user identity information to a server, and then acquire a corresponding random number generated by the server;
the request encapsulation module 22 is configured to invoke a user complete private key stored in advance locally through a target applet to sign the random number to obtain a signature value, and encapsulate the signature value and the user identity information to obtain an encapsulated identity authentication request;
the identity login verification module 23 is configured to send the identity authentication request to the server side, so that the server side performs validity verification on the signature value by using a user complete public key corresponding to the user identity information, and determines whether to allow login to the target applet based on a verification result.
Further, the embodiment of the present application further discloses an electronic device, and fig. 9 is a block diagram of an electronic device 30 according to an exemplary embodiment, where the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 9 is a schematic structural diagram of an electronic device 30 according to an embodiment of the present application. The electronic device 30 may specifically include: at least one processor 31, at least one memory 32, a power supply 33, a communication interface 34, an input-output interface 35, and a communication bus 36. The memory 32 is configured to store a computer program, which is loaded and executed by the processor 31 to implement relevant steps in the identity authentication method disclosed in any one of the foregoing embodiments. In addition, the electronic device 30 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 33 is configured to provide an operating voltage for each hardware device on the electronic device 30; the communication interface 34 can create a data transmission channel between the electronic device 30 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 35 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
Processor 31 may include one or more processing cores, such as a 4-core processor, an 8-core processor, etc. The processor 31 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). The processor 31 may also comprise a main processor, which is a processor for processing data in an awake state, also called CPU (Central Processing Unit), and a coprocessor, which is a low-power processor for processing data in a standby state. In some embodiments, the processor 31 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 31 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
The memory 32 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 321, a computer program 322, and the like, and the storage may be temporary storage or permanent storage.
The operating system 321 is used for managing and controlling the hardware devices on the electronic device 30 and the computer program 322, so that the processor 31 can operate on and process the mass data 323 in the memory 32; it may be Windows Server, NetWare, Unix, Linux, etc. The computer program 322 may include, in addition to the computer program that performs the authentication method executed by the electronic device 30 as disclosed in any of the previous embodiments, computer programs for other specific tasks. The data 323 may include, in addition to data received by the electronic device from external devices, data collected by the input/output interface 35 itself, and the like.
Further, the application also discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the previously disclosed identity authentication method. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The identity authentication method, device, equipment and storage medium provided by the invention have been described in detail above, with specific examples used to illustrate the principle and implementation of the invention; the description of the above examples is only intended to help understand the method and core idea of the invention. At the same time, those skilled in the art will vary the specific embodiments and application scope in accordance with the ideas of the present invention, so the present description should not be construed as limiting the present invention.

Claims (10)

1. The user login authentication method is characterized by being applied to a server and comprising the following steps of:
acquiring an initial public key and user identity information generated after a client logs in a target applet for the first time;
forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information;
calculating a complete public key of a user through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key;
the first private key segment is sent to the client so that the client generates a user complete private key based on the first private key segment and the second private key segment, and corresponding user authentication is carried out by utilizing the user complete private key stored by the client and the user complete public key stored by the server in the process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time.
2. The user login authentication method according to claim 1, further comprising, before the step of acquiring the initial public key and the user identity information generated after the client logs in to the target applet for the first time:
acquiring an access request generated by the client and initializing login of the target applet based on the access request;
and generating the initial public key, the second private key fragment and the user identity information of the user through the target applet.
3. The user login authentication method according to claim 1, wherein the step of sending the first private key fragment to the client further comprises:
and sending the user complete public key to a client so that the client performs key pairing verification on the user complete public key and the user complete private key after generating the user complete private key based on the first private key segment and the second private key segment.
4. The user login authentication method according to claim 1, wherein the sending the first private key fragment to the client comprises:
and encrypting the first private key fragment, the user complete public key and preset calculation parameters by using the initial public key to obtain a corresponding encryption result, and sending the encryption result to the client.
5. The user login authentication method according to any one of claims 1 to 4, further comprising, after the calculating a user complete public key through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key:
binding and storing the user complete public key and the user identity information so as to inquire the corresponding user complete public key based on the user identity information and finish user authentication.
6. A user login authentication method, which is applied to a client, comprising:
sending a login request carrying user identity information to a server, and then acquiring a corresponding random number generated by the server;
calling a user complete private key which is stored in advance locally through a target applet to sign the random number to obtain a signature value, and packaging the signature value and the user identity information to obtain a packaged identity authentication request;
and sending the identity authentication request to the server side so that the server side can verify the validity of the signature value by using a user complete public key corresponding to the user identity information, and determining whether to allow logging in the target applet or not based on a verification result.
7. A user login authentication device, which is applied to a server, comprising:
the information acquisition module is used for acquiring an initial public key and user identity information generated after the client logs in the target applet for the first time;
the first private key generation module is used for forwarding a key generation request carrying the user identity information to a key generation center so that the key generation center generates a first private key fragment based on the user identity information;
the complete public key generation module is used for calculating a complete public key of a user through a certificateless public key cryptographic algorithm and based on the user identity information and the initial public key;
the login authentication module is used for sending the first private key fragment to the client so that the client generates a user complete private key based on the first private key fragment and the second private key fragment, and performs corresponding user authentication by using the user complete private key stored by the client and the user complete public key stored by the server in the process of logging in the target applet; the second private key segment of the user is an initial private key generated after the client logs in for the first time.
8. A user login authentication device, applied to a client, comprising:
The random number acquisition module is used for sending a login request carrying user identity information to the server and then acquiring a corresponding random number generated by the server;
the request encapsulation module is used for calling a user complete private key which is stored in advance locally through a target applet to sign the random number to obtain a signature value, and encapsulating the signature value and the user identity information to obtain an encapsulated identity authentication request;
and the identity login verification module is used for sending the identity authentication request to the server side so that the server side can verify the validity of the signature value by using a user complete public key corresponding to the user identity information, and determining whether to allow login of the target applet or not based on a verification result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the user login authentication method according to any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program; wherein the computer program when executed by a processor implements the steps of the user login authentication method according to any one of claims 1 to 6.
CN202310548033.9A 2023-05-15 2023-05-15 User login authentication method, device, equipment and storage medium Pending CN116599719A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310548033.9A CN116599719A (en) 2023-05-15 2023-05-15 User login authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310548033.9A CN116599719A (en) 2023-05-15 2023-05-15 User login authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116599719A true CN116599719A (en) 2023-08-15

Family

ID=87605715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310548033.9A Pending CN116599719A (en) 2023-05-15 2023-05-15 User login authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116599719A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117156440A (en) * 2023-10-27 2023-12-01 中电科网络安全科技股份有限公司 Certificate authentication method, system, storage medium and electronic equipment
CN117156440B (en) * 2023-10-27 2024-01-30 中电科网络安全科技股份有限公司 Certificate authentication method, system, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination