CN112651036B - Identity authentication method based on collaborative signature and computer readable storage medium - Google Patents
Identity authentication method based on collaborative signature and computer readable storage medium Download PDFInfo
- Publication number
- CN112651036B CN112651036B CN202011632649.7A CN202011632649A CN112651036B CN 112651036 B CN112651036 B CN 112651036B CN 202011632649 A CN202011632649 A CN 202011632649A CN 112651036 B CN112651036 B CN 112651036B
- Authority
- CN
- China
- Prior art keywords
- mobile terminal
- signature
- request
- authentication
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
本发明公开了一种基于协同签名的身份认证方法及计算机可读存储介质,方法包括:移动端生成移动端密钥因子,并发送至认证服务器;认证服务器生成服务端密钥因子,并根据服务端密钥因子和移动端密钥因子进行协同运算,得到协同公钥;认证服务器从数字认证中心请求移动端对应的数字证书,并进行存储;移动端和认证服务器分别通过移动端密钥因子和服务端密钥因子对业务数据请求进行协同签名,得到完整请求签名;移动端将业务数据请求及其完整请求签名发送至业务服务器;业务服务器从认证服务器获取移动端对应的数字证书;业务服务器进行验签;若验签成功,则判定移动端的身份认证通过。本发明可在不增加额外设备的情况下,对移动端进行身份认证。
The invention discloses a collaborative signature-based identity authentication method and a computer-readable storage medium. The method includes: a mobile terminal generates a mobile terminal key factor and sends it to an authentication server; the authentication server generates a server terminal key factor, and according to the service The terminal key factor and the mobile terminal key factor perform cooperative operation to obtain the collaborative public key; the authentication server requests the digital certificate corresponding to the mobile terminal from the digital certification center and stores it; the mobile terminal and the authentication server respectively pass the mobile terminal key factor and The server key factor co-signs the service data request to obtain a complete request signature; the mobile terminal sends the service data request and its complete request signature to the service server; the service server obtains the digital certificate corresponding to the mobile terminal from the authentication server; Signature verification; if the signature verification is successful, it is determined that the identity authentication of the mobile terminal is passed. The present invention can perform identity authentication on the mobile terminal without adding additional equipment.
Description
Technical Field
The invention relates to the technical field of data security, in particular to an identity authentication method based on a collaborative signature and a computer readable storage medium.
Background
In recent years, with the continuous expansion of the scale of power transmission and distribution networks of power grids, the power grid equipment resources required to be managed by power grids and provinces are increasing. In order to improve the management efficiency, the power grid GIS technology visually displays huge and complex power grid resource information in a management system. The power grid data contains many sensitive information and needs to be kept secret to a high degree, and if the data is leaked or tampered, a serious security accident can be caused. Therefore, when the system is put into use, it is necessary to ensure that the data is sufficiently secured and the identity of the system user is authenticated.
Currently, the following schemes are mainly adopted for identity authentication.
1. Username + password, which is the most widely used way of identity authentication today.
2. Electronic password used in banking system: the password matrix table is stored in the intelligent card, and the intelligent card is read through the portable card reading terminal, so that authentication is performed, and the risk that the password is photographed and copied can be effectively avoided.
3. Encrypting a U shield: the communication with the third party App is realized through the circuit board, the chip and the bus interface used for being connected with the mobile terminal. The intelligent card chip comprises an identity authentication module and a data storage module, wherein the identity authentication module is used for checking a user PIN code and an application characteristic value, and the data storage module is in communication connection through an encryption and decryption interface and used for realizing encryption and decryption storage of data after the user identity authentication is passed.
4. An SD password card: the SD password card stores a user side certificate, a CA public key and a public key of a web server certificate, and the client side certificate stores a user identity ID. The SD password card has a unique serial number, the client certificate and the server certificate are based on a public key certificate and a CA authentication protocol, and the CA public key is used for verifying the client certificate and the WEB server certificate.
However, with respect to scheme 1, in order to facilitate remembering, many users tend to use the same password in different applications, or set weak passwords, which makes the password easy to guess, steal, or crack, and the security is worried. For the above schemes 2 and 3, most users are not used to carry hardware devices with them; with the scheme 4, part of the terminals are not equipped with SD card slots, which reduces the practicality of the above scheme.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the identity authentication method based on the cooperative signature and the computer readable storage medium can perform safe and reliable identity authentication on the mobile terminal under the condition of not adding additional equipment.
In order to solve the technical problems, the invention adopts the technical scheme that: an identity authentication method based on collaborative signatures comprises the following steps:
the mobile terminal generates a mobile terminal key factor;
after the mobile terminal is successfully activated and passes the authorization authentication, sending a key pair generation request to an authentication server, wherein the key pair generation request comprises a key factor of the mobile terminal;
after receiving the key pair generation request, the authentication server generates a server-side key factor;
the authentication server performs cooperative operation according to the server side key factor and the mobile side key factor to obtain a cooperative public key;
the authentication server requests the digital certificate corresponding to the mobile terminal from a digital authentication center and stores the digital certificate, wherein the digital certificate corresponding to the mobile terminal comprises the collaborative public key;
the mobile terminal and the authentication server perform collaborative signing on the service data request through the mobile terminal key factor and the server terminal key factor respectively to obtain a complete request signature;
the mobile terminal sends the service data request and the complete request signature thereof to a service server;
the service server acquires a digital certificate corresponding to the mobile terminal from an authentication server;
the service server checks the signature according to the cooperative public key in the digital certificate, the service data request and the complete request signature;
and if the signature verification is successful, judging that the identity authentication of the mobile terminal passes.
The invention also proposes a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as described above.
The invention has the beneficial effects that: the security of the secret key is improved by storing the secret key in the mobile terminal and the cloud terminal (authentication server) in a segmented manner; the mobile terminal is changed into a U shield through the cooperative operation of the mobile terminal and the cloud terminal, so that the identity authentication of the mobile terminal is easily realized, and the portability of the identity authentication is improved; the cloud + terminal service mode is adopted, so that the system has high performance and high expansibility; the security protection functions such as identity authentication, collaborative signature verification and the like can be provided without additional hardware equipment investment, and the cost is reduced; the identity of the mobile terminal is safely and reliably authenticated, and the safety of the application service data is ensured. The invention can carry out safe and reliable identity authentication on the mobile terminal under the condition of not adding additional equipment.
Drawings
FIG. 1 is a flow chart of a collaborative signature-based identity authentication method according to the present invention;
FIG. 2 is a flowchart of a first method according to a first embodiment of the present invention;
FIG. 3 is a flowchart of a method of the first embodiment of the present invention;
fig. 4 is a system architecture diagram of a second embodiment of the invention.
Detailed Description
In order to explain technical contents, objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
Referring to fig. 1, an identity authentication method based on a collaborative signature includes:
the mobile terminal generates a mobile terminal key factor;
after the mobile terminal is successfully activated and passes the authorization authentication, sending a key pair generation request to an authentication server, wherein the key pair generation request comprises a key factor of the mobile terminal;
after receiving the key pair generation request, the authentication server generates a server-side key factor;
the authentication server performs cooperative operation according to the server side key factor and the mobile side key factor to obtain a cooperative public key;
the authentication server requests the digital certificate corresponding to the mobile terminal from a digital authentication center and stores the digital certificate, wherein the digital certificate corresponding to the mobile terminal comprises the collaborative public key;
the mobile terminal and the authentication server perform collaborative signing on the service data request through the mobile terminal key factor and the server terminal key factor respectively to obtain a complete request signature;
the mobile terminal sends the service data request and the complete request signature thereof to a service server;
the service server acquires a digital certificate corresponding to the mobile terminal from an authentication server;
the service server checks the signature according to the cooperative public key in the digital certificate, the service data request and the complete request signature;
and if the signature verification is successful, judging that the identity authentication of the mobile terminal passes.
From the above description, the beneficial effects of the present invention are: the method can provide safe and reliable identity authentication service for the user without adding additional equipment.
Further, after the mobile terminal successfully activates and authorizes the authentication, and before sending the key pair generation request to the authentication server, the method further includes:
the mobile terminal sends an activation request to an authentication server, wherein the activation request comprises application information and user information;
the authentication server checks the activation request, and if the activation request passes the check, an activation success message is returned to the mobile terminal.
Further, after the mobile terminal successfully activates and authorizes the authentication, and before sending the key pair generation request to the authentication server, the method further includes:
the mobile terminal sends an authorization authentication request to an authentication server, wherein the authorization authentication request comprises identity identification information, and the identity identification information comprises a preset PIN code and biological identification information;
the authentication server verifies the authorization authentication request, and if the authorization authentication request passes the verification, the authentication server returns an authorization authentication passing message to the mobile terminal.
As can be seen from the above description, before generating the cooperative key pair, the steps of activating and authorizing the mobile terminal are performed first, so as to ensure that the user using the mobile terminal has the right to the application on the mobile terminal; here, the authorization authentication also corresponds to one identity authentication.
Further, the authentication server requests the digital certificate corresponding to the mobile terminal from the digital authentication center, and the storing specifically includes:
the mobile terminal sends a certificate application request to an authentication server;
after receiving the certificate application request, the authentication server generates a certificate application file and returns the certificate application file to the mobile terminal;
the mobile terminal signs the certificate application file through the mobile terminal key factor to obtain a first file signature, and sends the first file signature to an authentication server;
the authentication server signs the certificate application file through the server-side key factor to obtain a second file signature;
the authentication server carries out merging operation on the first signature and the second signature to obtain a complete file signature, and sends the complete file signature and the collaborative public key to a digital authentication center;
the digital authentication center decrypts the complete file signature through the cooperative public key to obtain the certificate application file;
the digital authentication center generates a digital certificate corresponding to the mobile terminal according to the certificate application file and sends the digital certificate to an authentication server, wherein the digital certificate corresponding to the mobile terminal comprises the collaborative public key;
and the authentication server stores the digital certificate corresponding to the mobile terminal.
It can be known from the above description that the mobile terminal key factor, the server terminal key factor and the collaborative public key are not tampered by performing collaborative signature on the certificate application file and performing signature verification in the digital authentication center.
Further, the mobile terminal and the authentication server perform collaborative signing on the service data request through the mobile terminal key factor and the server terminal key factor respectively, and the specific steps of obtaining a complete request signature are as follows:
the mobile terminal generates a service data request and sends the service data request to an authentication server;
the mobile terminal signs the service data request through the mobile terminal key factor to obtain a first request signature;
the authentication server signs the service data request through the server-side key factor to obtain a second request signature, and returns the second request signature to the mobile terminal;
and the mobile terminal carries out merging operation according to the first request signature and the second request signature to obtain a complete request signature.
Further, the verifying the signature by the service server according to the collaborative public key in the digital certificate, the service data request and the complete request signature specifically includes:
the service server decrypts the complete request signature through the cooperative public key and judges whether decryption is successful;
if the decryption is successful, judging whether the data obtained by decryption is consistent with the power grid data request;
and if the two are consistent, judging that the signature verification is successful.
As can be seen from the above description, the verification of the complete request signature obtained by the collaborative signature indicates that the mobile terminal key factor used for collaborative encryption, the server key factor and the collaborative public key in the digital certificate are corresponding if the verification of the signature is successful, so that the identity authentication of the mobile terminal can be performed.
Further, after determining that the identity authentication of the mobile terminal passes, the method further includes:
and the service server acquires service data according to the service data request and returns the service data to the mobile terminal.
As can be seen from the above description, it is ensured that the service data is sent to a legitimate mobile terminal, thereby preventing the data from being leaked or tampered.
The invention also proposes a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as described above.
Example one
Referring to fig. 2-3, a first embodiment of the present invention is: an identity authentication method based on collaborative signature is used for identity authentication of system use and is suitable for a plurality of fields of power grid, finance, electronic government affairs, OA collaboration and the like. In this embodiment, the mobile terminal is authenticated. The method mainly comprises three parts of cooperative key generation, digital certificate issuing and service data request.
As shown in fig. 2, the cooperative key generation part includes the following steps:
s101: the mobile terminal randomly generates a mobile terminal key factor.
S102: and activating the mobile terminal. Specifically, the mobile terminal sends an activation request to the authentication server, where the activation request includes application information (application unique identifier, version number, and the like) and user information (user unique identifier, user name, mobile phone number, and the like); the authentication server checks the activation request, if the mobile terminal is registered and the information is checked successfully, the current user is activated, and an activation success message is returned to the mobile terminal. If the mobile terminal is not registered, the mobile terminal is reminded to register first.
If the current user does not log in other equipment, the mobile terminal can keep the activated state only by activating the current user once.
S103: and the mobile terminal performs authorization authentication. Specifically, the mobile terminal sends an authorization authentication request to an authentication server, wherein the authorization authentication request includes identity identification information, and the identity identification information includes a preset PIN code and biometric information (a human face or a fingerprint); the authentication server verifies the authorization authentication request, and if the authorization authentication request passes the verification, the authentication server returns an authorization authentication passing message to the mobile terminal.
In a specific implementation scenario, a default PIN code is set by default when the mobile terminal is activated, and a subsequent user can modify the default PIN code through a mobile terminal; when the authentication is authorized for the first time, only the PIN code can be used for identity recognition. After authorization and authentication, fingerprint or face recognition can be started, and a user can be required to input face information or fingerprint information and store the face information or fingerprint information when the fingerprint or face recognition is started for the first time. When the authentication is authorized again, the identity can be directly identified by the face or the fingerprint.
S104: the mobile terminal sends a key pair generation request to the authentication server, wherein the key pair generation request comprises a mobile terminal key factor. Namely, the mobile terminal sends the key factor of the mobile terminal to the authentication server.
S105: and after receiving the cooperative key pair generation request, the authentication server generates a server side key factor. Namely, after the authentication server receives the mobile terminal key factor, a server terminal key factor is also generated in a peer-to-peer manner.
S106: and the authentication server performs cooperative operation according to the server side key factor and the mobile side key factor to obtain a cooperative public key. Further, after the authentication server calculates the cooperative public key, the mobile terminal key factor may be deleted.
That is to say, in this embodiment, the private key is divided into two parts, one part is stored in the mobile terminal, the other part is stored in the authentication server (cloud), and neither the mobile terminal nor the authentication server stores a complete private key, so that even if an attack is made, a hacker cannot obtain the complete private key.
As shown in fig. 2, the digital certificate issuing section includes the steps of:
s201: the mobile terminal sends a certificate application request to the authentication server.
S202: and after receiving the certificate application request, the authentication server generates a certificate application file CSR and returns the certificate application file to the mobile terminal.
S203: and the mobile terminal signs the certificate application file through the mobile terminal key factor to obtain a first file signature, and sends the first file signature to an authentication server.
S204: and the authentication server signs the certificate application file through the server-side key factor to obtain a second file signature.
S205: and the authentication server performs merging operation on the first file signature and the second file signature to obtain a complete file signature, and sends the complete file signature and the collaborative public key to a digital authentication Center (CA).
In this embodiment, the authentication server supports any third party CA.
S206: and the digital authentication center decrypts the complete file signature through the cooperative public key to obtain the certificate application file CSR. The CA verifies and signs the complete file signature according to the cooperative public key, if decryption is successful, the CA shows that the signature verification is successful, the CSR is obtained, and the key factor of the mobile terminal, the key factor of the mobile terminal and the cooperative public key are guaranteed not to be tampered.
S207: and the digital authentication center signs the certificate application file through a CA root certificate key, generates a digital certificate corresponding to the mobile terminal, and sends the digital certificate to an authentication server, wherein the digital certificate corresponding to the mobile terminal comprises the collaborative public key.
Further, the format of the digital certificate in this embodiment is an international x.509v3 standard, and a standard x.509 digital certificate includes the following contents:
1. version information of the certificate;
2. serial numbers of certificates, each certificate having a unique certificate serial number;
3. the signature algorithm used by the certificate;
4. the name of the issuing authority of the certificate;
5. the validity period of the certificate;
6. the name of the certificate owner (CSR contains owner information, information for identifying the holder, such as mobile phone number, organization, etc., in addition to the public key);
7. the public key of the certificate owner;
8. the signature of the certificate by the certificate issuer.
S208: and after receiving the digital certificate corresponding to the mobile terminal, the authentication server stores the digital certificate corresponding to the mobile terminal. Specifically, the authentication server checks the signature of the data sent by the digital authentication center through the public key of the digital authentication center, and the digital certificate corresponding to the mobile terminal can be obtained and stored after the signature is successfully checked.
As shown in fig. 3, the service data request part includes the following steps:
s301: the mobile terminal generates a service data request and sends the service data request to an authentication server;
s302: and the mobile terminal signs the service data request through the mobile terminal key factor to obtain a first request signature.
S303: and the authentication server signs the service data request through the server-side key factor to obtain a second request signature, and returns the second request signature to the mobile terminal.
S304: and the mobile terminal carries out merging operation according to the first request signature and the second request signature to obtain a complete request signature.
S305: and the mobile terminal sends the service data request and the complete request signature to a service server.
S306: and the service server acquires the digital certificate corresponding to the mobile terminal from the authentication server.
S307: and the service server checks the signature according to the cooperative public key in the digital certificate, the service data request and the complete request signature, judges whether the signature is successfully checked, and if so, executes the step S308.
Specifically, the service server decrypts the complete request signature through the cooperative public key, and judges whether decryption is successful; if the decryption is unsuccessful, the signature verification is judged to be failed; if the decryption is successful, judging whether the data obtained by decryption is consistent with the service data request; if the two are consistent, the signature verification is judged to be successful; and if the two are not consistent, judging that the signature verification fails.
S308: and judging that the identity authentication of the mobile terminal passes.
S309: and the service server acquires service data according to the service data request and returns the service data to the mobile terminal. Specifically, the service server obtains the corresponding service data from the service database according to the service data request, and then returns the service data to the mobile terminal.
Further, the mobile terminal displays the service data in the mobile application after acquiring the service data, or performs other operations on the service data.
In the embodiment, a cryptographic technology is taken as a core, and a trusted identity authentication service in a full-terminal environment such as a mobile terminal and a PC terminal is provided for a user by fusing a plurality of security technologies such as a cloud key, a digital certificate, biometric identification and device fingerprint. On the premise of not adding extra equipment, the secret key is stored in the mobile terminal and the cloud terminal in a segmented mode, the mobile terminal is changed into the U shield through the cooperative operation of the mobile terminal and the cloud terminal, the mobile terminal can complete the cryptographic operations of signature verification, encryption and decryption and the like of the SM2 digital certificate, the security strength of the mobile terminal is equal to that of terminal hardware equipment such as the U shield and an SD (secure digital) password card, and the user experience is excellent.
Example two
The embodiment is a specific implementation scenario of the first embodiment.
1. Data model design
According to the combination and authentication system of a user, an application, a group to which the application belongs (an application set with unified authority is called a group), a data model structure capable of conveniently managing the access of the user authorized to apply to the power grid data after the user passes the authentication is designed, and the required data model table structure is described as follows:
table 1.1: APPLICATION information table CONF _ APPLICATION
Table 1.2: USER information table CONF _ USER
Table 1.3: group table CONF _ COLLECT _ APP
Table 1.4: authorization configuration table CONF _ AUTH
Table 1.5: RESOURCE table CONF _ RESOURCE
Table 1.6: authentication configuration table CONF _ AUTH
Table 1.7: RESOURCE authentication configuration relation table CONF _ RESOURCE _ AUTH
Before the user carries out authorization authentication, acquiring application, user and group relation, and judging whether the request initiated by the current user in the application passes through configured authority and carries out password authentication or biological authentication according to the acquired application, user and group relation.
2. System architecture
Because the power grid resource data relates to greater privacy and security, the conventional encryption mechanism has the risk of being intercepted and cracked, and the overall security is lower. Therefore, a deeper level of data security processing under the new model is required.
The main flow is a double-end protection mechanism + authentication system: before the power grid data is loaded, equipment or an account needs to be registered and activated at a mobile terminal, and secondary signature verification and authentication are carried out on the equipment or the account through a service terminal after authentication and authorization are passed.
The system architecture of the present embodiment is shown in fig. 4, and mainly includes a mobile application (integrated SDK) in the mobile terminal, an authentication server, a digital authentication center, a service server, and a commercial data service.
The authentication server is used for clouding the SM2 secret key, realizing management of the cloud secret key and user management, and completing cryptographic operations such as signature and decryption by cooperating with the mobile terminal private key factor. The authentication server supports any third party CA by submitting a certificate request to the third party CA.
The integrated SDK is provided for the mobile terminal App to call, and the cryptographic operations of SM2 signature verification, encryption, decryption and the like are completed. The interface SDK adopts a similar SKF interface, the App end does not need to care about interaction between the integrated SDK and the cloud key server, and application calling can be realized through simple API calling.
The mobile application realizes management of the mobile terminal certificate, including mobile terminal private key factors, and completes cryptographic operations such as SM2 signature and decryption by cooperating with the authentication server.
And the service server is used for realizing authentication after signature verification passes, and the authentication comprises authentication processing on the application of the mobile terminal, the mobile equipment, the access domain name and the like. And finally loading and rendering the power grid data and other operations of the power grid data.
According to the embodiment, a set of data model structure is designed according to a user, application, group combination and authentication system, and the authorized application user can be conveniently and conveniently managed to access the power grid data after passing authentication. Subsequently, an encryption and decryption algorithm can be provided and packaged into a simple and easy-to-use client SDK.
The embodiment has the following advantages:
1. safety: financial encryption protection, national cryptographic algorithm support, and various security authentication modes such as biological identification, equipment fingerprint, user password and the like are supported.
2. Convenience: the mobile terminal, namely the token, is activated, namely logged in, and the identity authentication of the mobile terminal is easily realized.
3. Expansibility: the cloud + terminal service mode is adopted, so that the system has high performance and high expansibility and supports various mobile terminal environments.
4. Ease of use: the simple and easy-to-use client SDK is provided, Android and iOS platforms are covered, rapid butt joint with an application system can be achieved, and user experience is improved.
5. The cost is low: the security protection functions of identity authentication, collaborative signature verification, encryption and decryption and the like can be provided without additional hardware equipment investment.
EXAMPLE III
The present embodiment is a computer-readable storage medium corresponding to the above-mentioned embodiments, on which a computer program is stored, which when executed by a processor implements the steps of:
the mobile terminal generates a mobile terminal key factor;
after the mobile terminal is successfully activated and passes the authorization authentication, sending a key pair generation request to an authentication server, wherein the key pair generation request comprises a key factor of the mobile terminal;
after receiving the key pair generation request, the authentication server generates a server-side key factor;
the authentication server performs cooperative operation according to the server side key factor and the mobile side key factor to obtain a cooperative public key;
the authentication server requests the digital certificate corresponding to the mobile terminal from a digital authentication center and stores the digital certificate, wherein the digital certificate corresponding to the mobile terminal comprises the collaborative public key;
the mobile terminal and the authentication server perform collaborative signature on the service data request through the mobile terminal key factor and the server terminal key factor respectively to obtain a complete request signature;
the mobile terminal sends the service data request and the complete request signature thereof to a service server;
the service server acquires a digital certificate corresponding to the mobile terminal from an authentication server;
the service server checks the signature according to the cooperative public key in the digital certificate, the service data request and the complete request signature;
and if the signature verification is successful, judging that the identity authentication of the mobile terminal passes.
Further, after the mobile terminal successfully activates and authorizes the authentication, and before sending the key pair generation request to the authentication server, the method further includes:
the mobile terminal sends an activation request to an authentication server, wherein the activation request comprises application information and user information;
the authentication server checks the activation request, and if the activation request passes the check, an activation success message is returned to the mobile terminal.
Further, after the mobile terminal successfully activates and authorizes the authentication, and before sending the key pair generation request to the authentication server, the method further includes:
the mobile terminal sends an authorization authentication request to an authentication server, wherein the authorization authentication request comprises identity identification information, and the identity identification information comprises a preset PIN code and biological identification information;
the authentication server verifies the authorization authentication request, and if the authorization authentication request passes the verification, the authentication server returns an authorization authentication passing message to the mobile terminal.
Further, the authentication server requests the digital certificate corresponding to the mobile terminal from the digital authentication center, and the storing specifically includes:
the mobile terminal sends a certificate application request to an authentication server;
after receiving the certificate application request, the authentication server generates a certificate application file and returns the certificate application file to the mobile terminal;
the mobile terminal signs the certificate application file through the mobile terminal key factor to obtain a first file signature, and sends the first file signature to an authentication server;
the authentication server signs the certificate application file through the server-side key factor to obtain a second file signature;
the authentication server carries out merging operation on the first signature and the second signature to obtain a complete file signature, and sends the complete file signature and the collaborative public key to a digital authentication center;
the digital authentication center decrypts the complete file signature through the cooperative public key to obtain the certificate application file;
the digital authentication center generates a digital certificate corresponding to the mobile terminal according to the certificate application file and sends the digital certificate to an authentication server, wherein the digital certificate corresponding to the mobile terminal comprises the collaborative public key;
and the authentication server stores the digital certificate corresponding to the mobile terminal.
Further, the mobile terminal and the authentication server perform collaborative signing on the service data request through the mobile terminal key factor and the server terminal key factor respectively, and the specific steps of obtaining a complete request signature are as follows:
the mobile terminal generates a service data request and sends the service data request to an authentication server;
the mobile terminal signs the service data request through the mobile terminal key factor to obtain a first request signature;
the authentication server signs the service data request through the server-side key factor to obtain a second request signature, and returns the second request signature to the mobile terminal;
and the mobile terminal carries out merging operation according to the first request signature and the second request signature to obtain a complete request signature.
Further, the verifying the signature by the service server according to the collaborative public key in the digital certificate, the service data request and the complete request signature specifically includes:
the service server decrypts the complete request signature through the cooperative public key and judges whether decryption is successful;
if the decryption is successful, judging whether the data obtained by decryption is consistent with the power grid data request;
and if the two are consistent, judging that the signature verification is successful.
Further, after determining that the identity authentication of the mobile terminal passes, the method further includes:
and the service server acquires service data according to the service data request and returns the service data to the mobile terminal.
In summary, the identity authentication method and the computer-readable storage medium based on the collaborative signature provided by the present invention improve the security of the secret key by storing the private key in the mobile terminal and the cloud (authentication server) in segments; the mobile terminal is changed into a U shield through the cooperative operation of the mobile terminal and the cloud terminal, so that the identity authentication of the mobile terminal is easily realized, and the portability of the identity authentication is improved; the cloud + terminal service mode is adopted, so that the system has high performance and high expansibility; the security protection functions such as identity authentication, collaborative signature verification and the like can be provided without additional hardware equipment investment, and the cost is reduced; the identity of the mobile terminal is safely and reliably authenticated, and the safety of the application service data is ensured. The invention can carry out safe and reliable identity authentication on the mobile terminal under the condition of not adding additional equipment.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.
Claims (7)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011632649.7A CN112651036B (en) | 2020-12-31 | 2020-12-31 | Identity authentication method based on collaborative signature and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011632649.7A CN112651036B (en) | 2020-12-31 | 2020-12-31 | Identity authentication method based on collaborative signature and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112651036A CN112651036A (en) | 2021-04-13 |
| CN112651036B true CN112651036B (en) | 2022-05-27 |
Family
ID=75368049
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011632649.7A Active CN112651036B (en) | 2020-12-31 | 2020-12-31 | Identity authentication method based on collaborative signature and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112651036B (en) |
Families Citing this family (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113742705B (en) * | 2021-08-30 | 2024-05-24 | 北京一砂信息技术有限公司 | Method and system for realizing authentication service based on IFAA numbers |
| CN115966038A (en) * | 2021-10-13 | 2023-04-14 | 华为技术有限公司 | Digital key opening method, equipment and system |
| CN115378623B (en) * | 2022-03-17 | 2024-05-07 | 中国移动通信集团有限公司 | Identity authentication method, device, equipment and storage medium |
| CN114553600B (en) * | 2022-04-22 | 2022-09-09 | 深圳市永达电子信息股份有限公司 | Digital certificate authentication method |
| CN115883104B (en) * | 2022-11-30 | 2023-07-21 | 北京时代亿信科技股份有限公司 | Secure login method and device for terminal equipment and nonvolatile storage medium |
| CN115549929B (en) * | 2022-11-30 | 2023-03-10 | 北京时代亿信科技股份有限公司 | SPA single packet authentication method and device based on zero trust network stealth |
| CN115632778B (en) * | 2022-12-20 | 2023-04-18 | 四川省数字证书认证管理中心有限公司 | A multi-terminal encryption and decryption intercommunication method |
| CN117544318B (en) * | 2023-11-29 | 2024-10-01 | 中金金融认证中心有限公司 | Collaborative signature enhanced authentication method and enhanced authentication system |
| CN118473715A (en) * | 2024-04-24 | 2024-08-09 | 中信银行股份有限公司 | Collaborative signature opening method and system based on ukey certificates |
| CN119496620A (en) * | 2024-11-12 | 2025-02-21 | 航天信息股份有限公司 | A collaborative signature method, device, storage medium and electronic device |
| CN119167407B (en) * | 2024-11-22 | 2025-05-27 | 北京中认环宇信息安全技术有限公司 | Data security information processing method and device based on mobile collaborative signature |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2013218446A (en) * | 2012-04-06 | 2013-10-24 | Hitachi Ltd | Service providing device, collaborative signature verification device, method for identifying/authenticating user and program |
| US10469487B1 (en) * | 2016-05-31 | 2019-11-05 | Wells Fargo Bank, N.A. | Biometric electronic signature authenticated key exchange token |
| CN111404696A (en) * | 2020-03-31 | 2020-07-10 | 中国建设银行股份有限公司 | Collaborative signature method, security service middleware, related platform and system |
| CN111800377A (en) * | 2020-05-20 | 2020-10-20 | 中国电力科学研究院有限公司 | A mobile terminal identity authentication system based on secure multi-party computing |
-
2020
- 2020-12-31 CN CN202011632649.7A patent/CN112651036B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2013218446A (en) * | 2012-04-06 | 2013-10-24 | Hitachi Ltd | Service providing device, collaborative signature verification device, method for identifying/authenticating user and program |
| US10469487B1 (en) * | 2016-05-31 | 2019-11-05 | Wells Fargo Bank, N.A. | Biometric electronic signature authenticated key exchange token |
| CN111404696A (en) * | 2020-03-31 | 2020-07-10 | 中国建设银行股份有限公司 | Collaborative signature method, security service middleware, related platform and system |
| CN111800377A (en) * | 2020-05-20 | 2020-10-20 | 中国电力科学研究院有限公司 | A mobile terminal identity authentication system based on secure multi-party computing |
Non-Patent Citations (1)
| Title |
|---|
| 云端协同密钥保护机制的研究;李向锋;《信息安全研究》;20190531;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112651036A (en) | 2021-04-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112651036B (en) | Identity authentication method based on collaborative signature and computer readable storage medium | |
| CN105429760B (en) | A TEE-based digital certificate authentication method and system | |
| CN101350723B (en) | USB Key equipment and method for implementing verification thereof | |
| CN101183932B (en) | Security identification system of wireless application service and login and entry method thereof | |
| WO2020073513A1 (en) | Blockchain-based user authentication method and terminal device | |
| CN112765626B (en) | Method, device, system and storage medium for authorized signature based on managed key | |
| US20140298412A1 (en) | System and Method for Securing a Credential via User and Server Verification | |
| CN108833114A (en) | A blockchain-based decentralized identity authentication system and method | |
| CN101527634B (en) | System and method for binding account information with certificates | |
| CN109981287B (en) | Code signing method and storage medium thereof | |
| CN109495268B (en) | A two-dimensional code authentication method, device and computer-readable storage medium | |
| CN115529591B (en) | Authentication method, device, equipment and storage medium based on token | |
| KR100939725B1 (en) | Mobile terminal authentication method | |
| CN115442037B (en) | Account management method, device, equipment and storage medium | |
| WO2010128451A2 (en) | Methods of robust multi-factor authentication and authorization and systems thereof | |
| WO2022042745A1 (en) | Key management method and apparatus | |
| CN114257410A (en) | Identity authentication method and device based on digital certificate, and computer equipment | |
| CN113904850B (en) | Blockchain-based private key keystore secure login method, electronic device, storage medium | |
| US20070180507A1 (en) | Information security device of universal serial bus human interface device class and data transmission method for same | |
| CN109474431A (en) | Client certificate method and computer readable storage medium | |
| CN112311534A (en) | Method for generating asymmetric algorithm key pair | |
| CN114398620B (en) | Single sign-on method, system, electronic device and readable medium | |
| CN115987598A (en) | WebAuthn protocol-based national cryptographic algorithm identity authentication system, method and device | |
| CN115643081A (en) | Industrial control system authentication method and device and computer equipment | |
| CN115988495A (en) | A Commercial Password Security Authentication Method Applicable to Mobile Communications |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |