CN116318909A - A multi-identity authentication method, device and storage medium - Google Patents

A multi-identity authentication method, device and storage medium Download PDF

Info

Publication number
CN116318909A
CN116318909A CN202310181285.2A CN202310181285A CN116318909A CN 116318909 A CN116318909 A CN 116318909A CN 202310181285 A CN202310181285 A CN 202310181285A CN 116318909 A CN116318909 A CN 116318909A
Authority
CN
China
Prior art keywords
parameter
identity authentication
hash
local server
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310181285.2A
Other languages
Chinese (zh)
Other versions
CN116318909B (en
Inventor
胡雪晖
朱静熹
洪华军
吴天祺
褚学森
董俊伟
李金库
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Tongtai Information Technology Co ltd
Xidian University
702th Research Institute of CSIC
Original Assignee
Shanghai Tongtai Information Technology Co ltd
Xidian University
702th Research Institute of CSIC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Tongtai Information Technology Co ltd, Xidian University, 702th Research Institute of CSIC filed Critical Shanghai Tongtai Information Technology Co ltd
Priority to CN202310181285.2A priority Critical patent/CN116318909B/en
Publication of CN116318909A publication Critical patent/CN116318909A/en
Application granted granted Critical
Publication of CN116318909B publication Critical patent/CN116318909B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Health & Medical Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

本发明提供一种多重身份认证的方法、设备及存储介质,利用硬件设备将用户的生物特征信息加密后应用于身份认证。结合生物特征信息、硬件设备及网络环境,以软件服务所在的服务器的IP、MAC地址及用户录入的生物特征作为身份认证因素进行身份认证,实现更高安全等级的身份认证同时简化认证流程。

Figure 202310181285

The invention provides a method, device and storage medium for multiple identity authentication, which uses hardware equipment to encrypt user's biometric information and apply it to identity authentication. Combined with biometric information, hardware equipment and network environment, the IP, MAC address of the server where the software service is located and the biometrics entered by the user are used as identity authentication factors for identity authentication, achieving a higher security level of identity authentication and simplifying the authentication process.

Figure 202310181285

Description

一种多重身份认证方法、设备及存储介质A multi-identity authentication method, device and storage medium

技术领域technical field

本发明涉及加密技术领域,特别涉及一种多重身份认证方法、设备及存储介质,可用于网络环境中不同数据节点的身份认证过程。The invention relates to the field of encryption technology, in particular to a multiple identity authentication method, device and storage medium, which can be used in the identity authentication process of different data nodes in a network environment.

背景技术Background technique

身份验证是确定某人或某物实际上是否是它所说的人或物的过程。身份验证技术通过检查用户的凭据是否与授权用户数据库或数据身份验证服务器中的凭据匹配,从而为系统提供访问控制。在此过程中,身份验证确保了安全的系统、安全的进程和企业信息安全。Authentication is the process of determining whether someone or something is actually who or what it says it is. Authentication technologies provide access control to systems by checking that a user's credentials match those in an authorized user database or data authentication server. In the process, authentication ensures secure systems, secure processes, and corporate information security.

有几种身份验证类型。出于用户身份的目的,通常使用用户ID识别用户,并且当用户提供符合其用户ID的密码之类的凭据时,就会发生身份验证。需要用户ID和密码的实践称为单因素身份验证(SFA)。近年来,公司通过要求其他身份验证因素(例如尝试登录时通过移动设备提供给用户提供的独特代码或生物特征识别签名)来加强身份验证。这被称为两因素身份验证(2FA)。There are several authentication types. For user identity purposes, a user is typically identified using a user ID, and authentication occurs when a user provides credentials such as a password that match their user ID. The practice of requiring a user ID and password is called single-factor authentication (SFA). In recent years, companies have strengthened authentication by requiring other authentication factors, such as a unique code or biometric signature provided to users via mobile devices when they attempt to log in. This is known as two-factor authentication (2FA).

身份验证因素甚至可以比SFA更进一步,SFA需要用户ID和密码或2FA,它需要用户ID,密码和生物识别签名。当使用三个或多个身份验证因素进行身份验证时,例如,用户ID和密码,生物特征签名以及用户必须回答的个人问题-被称为多因素身份验证(MFA)。Authentication factors can go even further than SFA, which requires a user ID and password, or 2FA, which requires a user ID, password, and biometric signature. When authentication is done using three or more authentication factors—for example, a user ID and password, a biometric signature, and a personal question that the user must answer—it’s called multi-factor authentication (MFA).

身份验证使组织只允许经过身份验证的用户或进程访问其受保护的资源,从而保证其网络的安全。这可能包括计算机系统、网络、数据库、网站和其他基于网络的应用程序或服务。为了使2FA尽可能安全,可以向流程添加额外的步骤。例如,客户可能会被要求输入个人识别码(PIN)和一段生物识别信息。在这些情况下,这个过程被称为双重身份验证(mFA)。要求客户完成的步骤越多,流程就越安全。然而,添加步骤也使得这个过程对客户来说更加繁琐。Authentication enables organizations to keep their networks secure by allowing only authenticated users or processes to access their protected resources. This may include computer systems, networks, databases, websites and other web-based applications or services. To make 2FA as secure as possible, additional steps can be added to the process. For example, customers may be asked to enter a personal identification number (PIN) and a piece of biometric information. In these cases, the process is known as two-factor authentication (mFA). The more steps the customer is required to complete, the more secure the process. However, adding steps also makes the process more cumbersome for customers.

发明内容Contents of the invention

本发明的旨在解决现有技术身份认证安全性低或步骤繁琐的问题,提出了一种新的多重身份认证方法、设备及存储介质。该身份认证方法,包括用户注册阶段及用户登录阶段,其中用户注册阶段包括:The purpose of the present invention is to solve the problem of low security or cumbersome steps of identity authentication in the prior art, and proposes a new multiple identity authentication method, device and storage medium. The identity authentication method includes a user registration stage and a user login stage, wherein the user registration stage includes:

步骤一:本地服务端接收用户的注册信息,启动信息采集器获取并存储用户的特征信息,并将特征信息返还本地服务端;Step 1: The local server receives the user's registration information, starts the information collector to obtain and store the user's characteristic information, and returns the characteristic information to the local server;

步骤二:本地服务端获取本地设备网卡的IP地址及MAC地址,生成随机盐s,并利用哈希函数生成IP地址的IP参数P、MAC地址的MAC参数I以及参数X和参数v,生成公式如下,其中g为固定的大素数N范围内的一个固定参数:Step 2: The local server obtains the IP address and MAC address of the network card of the local device, generates a random salt s, and uses the hash function to generate the IP parameter P of the IP address, the MAC parameter I of the MAC address, and the parameters X and v to generate the formula As follows, where g is a fixed parameter within the range of a fixed large prime number N:

P=Hash(IP地址+特征信息+随机数)P=Hash(IP address+feature information+random number)

I=Hash(MAC地址+特征信息)I=Hash(MAC address+characteristic information)

X=Hash(随机盐s,P)X = Hash(random salt s, P)

V=g^XV=g^X

步骤三:启动密钥管理设备对特征信息及参数P进行加密,并将加密后的特征信息及参数P返还至本地服务端;本地服务端将注册信息、参数I、加密后的参数P、加密后的特征信息存储在第一数据库中,并将注册信息、参数I、参数v及随机盐s发送至身份认证服务端;Step 3: Start the key management device to encrypt the characteristic information and parameter P, and return the encrypted characteristic information and parameter P to the local server; the local server will register information, parameter I, encrypted parameter P, encrypted The final feature information is stored in the first database, and the registration information, parameter I, parameter v and random salt s are sent to the identity authentication server;

步骤四:身份认证服务端将接收到的参数I、参数v及随机盐s存储至第二数据库中,并将用户注册完成信息发送至本地服务端。Step 4: The identity authentication server stores the received parameter I, parameter v and random salt s in the second database, and sends the user registration completion information to the local server.

具体的,信息采集器包括指纹采集器、面容采集器、虹膜采集器;特征信息为信息采集器对应的指纹特征、面容特征、虹膜特征。Specifically, the information collector includes a fingerprint collector, a face collector, and an iris collector; the feature information is the fingerprint feature, face feature, and iris feature corresponding to the information collector.

进一步地,用户登录阶段包括:Further, the user login phase includes:

步骤一:用户发出登录请求至本地服务端,本地服务端启动信息采集器,采集特征信息;Step 1: The user sends a login request to the local server, and the local server starts the information collector to collect characteristic information;

步骤二:密钥管理设备对特征信息进行加密,并返还至本地服务端;本地服务端根据加密后的特征信息在第一数据库中搜索,获取对应的参数I及加密后的参数P;密钥管理设备对加密后的参数P进行解密,获得参数P并返还至本地服务端;Step 2: The key management device encrypts the feature information and returns it to the local server; the local server searches the first database according to the encrypted feature information to obtain the corresponding parameter I and the encrypted parameter P; the key The management device decrypts the encrypted parameter P, obtains the parameter P and returns it to the local server;

步骤三:本地服务端计算参数A=g^a,其中a为随机数,g为系统中的固定参数,将参数I和参数A发送给身份认证服务端;Step 3: The local server calculates parameter A=g^a, wherein a is a random number, g is a fixed parameter in the system, and sends parameter I and parameter A to the identity authentication server;

步骤四:身份认证服务端根据参数I在第二数据库中找到参数v及参数s,并计算参数B=kv+g^b其中参数k=Hash(N,g),N为一个固定的大素数g固定为N内的数;Step 4: The identity authentication server finds parameter v and parameter s in the second database according to parameter I, and calculates parameter B=kv+g^b wherein parameter k=Hash(N, g), and N is a fixed large prime number g is fixed as a number within N;

步骤五:身份认证服务端将参数s及参数B发送至本地服务端;Step 5: The identity authentication server sends the parameter s and parameter B to the local server;

步骤六:本地服务端与身份认证服务端同时计算参数u=Hash(A,B),本地服务端计算参数x=Hash(s,p),参数S1=(B-kg^x)^(a+ux),参数K1=Hash(S),身份认证服务端计算参数S2=(Av^u)^b,K2=Hash(S);Step 6: The local server and the authentication server simultaneously calculate the parameter u=Hash(A, B), the local server calculates the parameter x=Hash(s,p), and the parameter S1=(B-kg^x)^(a +ux), parameter K1=Hash (S), identity authentication server calculation parameter S2=(Av^u)^b, K2=Hash(S);

步骤七:本地服务端计算参数M1=Hash(Hash(N)xor Hash(g),Hash(I),s,A,B,K1)并发送给身份认证服务端;Step 7: The local server calculates the parameter M1=Hash(Hash(N)xor Hash(g),Hash(I),s,A,B,K1) and sends it to the identity authentication server;

步骤八:身份认证服务端同样计算参数M2并和接收到的参数M1进行校验,校验通过后将参数K1作为会话密钥存储在内存中;Step 8: The identity authentication server also calculates the parameter M2 and verifies it with the received parameter M1, and stores the parameter K1 as a session key in the memory after the verification is passed;

步骤九:身份认证服务端计算Hash(A,M,K2),并将该hash值返回给本地服务端;Step 9: The identity authentication server calculates Hash (A, M, K2), and returns the hash value to the local server;

步骤十:本地服务端接收到Hash(A,M,K2),同样计算Hash(A,M,K1)进行校验,校验通过后将参数K2作为会话密钥存储在内存中。Step 10: The local server receives the Hash (A, M, K2), and also calculates the Hash (A, M, K1) for verification. After the verification is passed, the parameter K2 is stored in the memory as the session key.

具体的,当步骤十的校验通过后,参数K1和参数K2作为用户的可信任token。Specifically, after the verification in step ten is passed, the parameters K1 and K2 are used as the user's trusted token.

进一步地,第一数据库为本地服务端的本地存储系统,第二数据库为身份认证服务端的本地存储系统;本地服务端和身份认证服务端可以是集线器、交换机等数据电路端接设备和/或主机、服务器等数据终端设备。Further, the first database is the local storage system of the local server, and the second database is the local storage system of the identity authentication server; the local server and the identity authentication server can be data circuit termination devices such as hubs and switches and/or hosts, Data terminal equipment such as servers.

进一步地,密钥管理设备为一种可以对信息进行加密、解密的移动设备。Further, the key management device is a mobile device capable of encrypting and decrypting information.

本发明还提出一种多重身份认证系统,包括用户终端和服务器,其中用户终端包括信息采集器、密钥管理设备。The present invention also proposes a multi-identity authentication system, including a user terminal and a server, wherein the user terminal includes an information collector and a key management device.

本发明还提出一种计算机设备,包括存储器和处理器,存储器中存储有可执行代码,处理器执行可执行代码时,实现上述任一项方法。The present invention also proposes a computer device, which includes a memory and a processor. Executable codes are stored in the memory. When the processor executes the executable codes, any one of the above methods is implemented.

本发明还提出一种计算机可读存储介质,其特征在于,计算机可读存储介质存储有计算机可执行指令,计算机可执行指令在被处理器调用和执行时,计算机可执行指令促使处理器实现上述任一项方法。The present invention also proposes a computer-readable storage medium, which is characterized in that the computer-readable storage medium stores computer-executable instructions, and when the computer-executable instructions are called and executed by the processor, the computer-executable instructions prompt the processor to realize the above-mentioned Either method.

本发明与现有技术相比,解决了现有技术存在的多重身份认证步骤繁琐,安全性较低的问题:首先通过增加信息采集步骤,确保用户根据个人识别码或一段生物识别信息即可进行身份认证,同时将生物信息在移动加解密设备中进行加密,保证数据不外露。Compared with the prior art, the present invention solves the problems of cumbersome multiple identity authentication steps and low security in the prior art: firstly, by adding an information collection step, it is ensured that the user can perform identification according to a personal identification code or a piece of biometric information. Identity authentication, and at the same time encrypt the biological information in the mobile encryption and decryption device to ensure that the data is not exposed.

附图说明Description of drawings

图1为本发明实施例中用户注册流程示意图;FIG. 1 is a schematic diagram of a user registration process in an embodiment of the present invention;

图2为本发明实施例中用户登录流程示意图;FIG. 2 is a schematic diagram of a user login process in an embodiment of the present invention;

图3为本发明实施例提供的计算机设备架构图。FIG. 3 is an architecture diagram of a computer device provided by an embodiment of the present invention.

具体实施方式Detailed ways

下面结合附图,以文本识别为例,对本发明进行详细说明。The present invention will be described in detail below by taking text recognition as an example in conjunction with the accompanying drawings.

本实施例以本发明技术方案为前提进行实施,给出了详细的实施方式和具体的操作过程,但本发明的保护范围不限于下述的实施例。This embodiment is carried out on the premise of the technical solution of the present invention, and detailed implementation and specific operation process are given, but the protection scope of the present invention is not limited to the following embodiments.

本发明实施例提供一种多重身份认证方法,本实施例以信息采集器采集指纹信息为例,详细说明本发明实施例提供的身份认证方法的具体步骤。身份认证包含有两个阶段,分别是用户注册阶段及用户登录阶段。参考图1,用户注册阶段步骤如下:An embodiment of the present invention provides a multiple identity authentication method. In this embodiment, taking fingerprint information collected by an information collector as an example, the specific steps of the identity authentication method provided by the embodiment of the present invention are described in detail. Identity authentication includes two phases, which are user registration phase and user login phase. Referring to Figure 1, the steps in the user registration phase are as follows:

步骤一:本地服务端接收用户的注册信息,启动信息采集器获取并存储所述用户的特征信息,并将所述特征信息返还所述本地服务端;Step 1: The local server receives the registration information of the user, starts the information collector to obtain and store the characteristic information of the user, and returns the characteristic information to the local server;

本发明实施例中,本地服务端部署于用户的终端(台式机、笔记本电脑),主要作用是与指纹采集设备和硬件加密设备如Ukey进行交互完成指纹的采集识别、对关键参数进行加密。本地服务端对用户开放注册接口,用于接收用户的注册信息,主要是姓名、性别等。当用户输入注册信息后,本地服务端启动指纹采集器的驱动程序并等待用户按压识别区域,当指纹采集器采集到用户指纹后,指纹特征会存储在指纹采集器中并将指纹特征返还给本地服务器。In the embodiment of the present invention, the local server is deployed on the user's terminal (desktop, laptop), and its main function is to interact with fingerprint collection equipment and hardware encryption equipment such as Ukey to complete fingerprint collection and identification and encrypt key parameters. The local server opens a registration interface to the user to receive the user's registration information, mainly name, gender, etc. When the user enters the registration information, the local server starts the driver of the fingerprint collector and waits for the user to press the identification area. When the fingerprint collector collects the user's fingerprint, the fingerprint features will be stored in the fingerprint collector and returned to the local server. server.

步骤二:所述本地服务端获取本地设备网卡的IP地址及MAC地址,生成随机盐s,并利用哈希函数生成所述IP地址的IP参数P、所述MAC地址的MAC参数I以及参数X和参数v,生成公式如下,其中g为固定的大素数N范围内的一个固定参数:Step 2: The local server obtains the IP address and the MAC address of the network card of the local device, generates a random salt s, and uses a hash function to generate the IP parameter P of the IP address, the MAC parameter I and the parameter X of the MAC address and parameter v, the generation formula is as follows, where g is a fixed parameter within the range of a fixed large prime number N:

P=Hash(IP地址+特征信息+随机数)P=Hash(IP address+feature information+random number)

I=Hash(MAC地址+特征信息)I=Hash(MAC address+characteristic information)

X=Hash(随机盐s,P)X = Hash(random salt s, P)

V=g^XV=g^X

本发明实施例中参数P中随机数不做限制,可以是任一自然数。生成上述参数后,启动密钥管理设备。密钥管理设备是一种可以对信息进行加密、解密的移动设备,本发明实施例中优选为Ukey。The random number in the parameter P in the embodiment of the present invention is not limited, and may be any natural number. After generating the above parameters, start the key management device. The key management device is a mobile device capable of encrypting and decrypting information, and is preferably Ukey in the embodiment of the present invention.

步骤三:启动密钥管理设备对所述特征信息及所述参数P进行加密,并将加密后的所述特征信息及所述参数P返还至所述本地服务端;所述本地服务端将所述注册信息、所述参数I、加密后的所述参数P、加密后的所述特征信息存储在第一数据库中,并将所述注册信息、所述参数I、所述参数v及所述随机盐s发送至身份认证服务端;Step 3: Start the key management device to encrypt the feature information and the parameter P, and return the encrypted feature information and the parameter P to the local server; the local server sends the The registration information, the parameter I, the encrypted parameter P, and the encrypted feature information are stored in a first database, and the registration information, the parameter I, the parameter v and the The random salt s is sent to the authentication server;

步骤四:所述身份认证服务端将接收到的所述参数I、所述参数v及所述随机盐s存储至第二数据库中,并将用户注册完成信息发送至所述本地服务端。Step 4: The identity authentication server stores the received parameter I, the parameter v and the random salt s in the second database, and sends user registration completion information to the local server.

本发明实施例提供的身份认证方法中,用户注册阶段通过线下身份信息注册的方式规避了在网络中进行身份信息注册时信息泄露,信息被篡改或假冒的风险,同时加入了用户的生物特征,使得在不增加操作步骤的情况下,加强了安全性。后续在用户登录和加密传输过程中,还可以以软件服务所在的服务器的IP、MAC地址作为身份认证因素进行身份认证,一旦网络环境改变,则身份认证无法通过,后续操作将终止。In the identity authentication method provided by the embodiment of the present invention, in the user registration stage, the offline identity information registration method avoids the risk of information leakage, tampering or counterfeiting when the identity information is registered in the network, and at the same time adds the user's biological characteristics , so that the security is enhanced without increasing the operation steps. In the subsequent process of user login and encrypted transmission, the IP and MAC address of the server where the software service is located can also be used as identity authentication factors for identity authentication. Once the network environment changes, identity authentication will fail and subsequent operations will be terminated.

进一步地,参考图2,用户登录阶段步骤如下:Further, referring to Figure 2, the steps in the user login phase are as follows:

步骤一:用户发出登录请求至本地服务端,本地服务端启动信息采集器,采集特征信息;Step 1: The user sends a login request to the local server, and the local server starts the information collector to collect characteristic information;

本发明实施例中,当用户向本地服务端请求登录接口后,本地服务端启动指纹采集器的驱动程序,进行指纹采集,并将采集后的指纹特征发送至密钥管理设备Ukey。In the embodiment of the present invention, after the user requests the login interface from the local server, the local server starts the driver of the fingerprint collector to collect fingerprints, and sends the collected fingerprint features to the key management device Ukey.

步骤二:密钥管理设备对特征信息进行加密,并返还至本地服务端;本地服务端根据加密后的特征信息在第一数据库中搜索,获取对应的参数I及加密后的参数P;密钥管理设备对加密后的参数P进行解密,获得参数P并返还至本地服务端;Step 2: The key management device encrypts the feature information and returns it to the local server; the local server searches the first database according to the encrypted feature information to obtain the corresponding parameter I and the encrypted parameter P; the key The management device decrypts the encrypted parameter P, obtains the parameter P and returns it to the local server;

步骤三:本地服务端计算参数A=g^a,其中a为随机数,g为系统中的固定参数,将参数I和参数A发送给身份认证服务端;Step 3: The local server calculates parameter A=g^a, wherein a is a random number, g is a fixed parameter in the system, and sends parameter I and parameter A to the identity authentication server;

步骤四:身份认证服务端根据参数I在第二数据库中找到参数v及参数s,并计算参数B=kv+g^b其中参数k=Hash(N,g),N为一个固定的大素数g固定为N内的数;Step 4: The identity authentication server finds parameter v and parameter s in the second database according to parameter I, and calculates parameter B=kv+g^b wherein parameter k=Hash(N, g), and N is a fixed large prime number g is fixed as a number within N;

步骤五:身份认证服务端将参数s及参数B发送至本地服务端;Step 5: The identity authentication server sends the parameter s and parameter B to the local server;

步骤六:本地服务端与身份认证服务端同时计算参数u=Hash(A,B),本地服务端计算参数x=Hash(s,p),参数S1=(B-kg^x)^(a+ux),参数K1=Hash(S),身份认证服务端计算参数S2=(Av^u)^b,K2=Hash(S);Step 6: The local server and the authentication server simultaneously calculate the parameter u=Hash(A, B), the local server calculates the parameter x=Hash(s,p), and the parameter S1=(B-kg^x)^(a +ux), parameter K1=Hash (S), identity authentication server calculation parameter S2=(Av^u)^b, K2=Hash(S);

步骤七:本地服务端计算参数M1=Hash(Hash(N)xor Hash(g),Hash(I),s,A,B,K1)并发送给身份认证服务端;Step 7: The local server calculates the parameter M1=Hash(Hash(N)xor Hash(g),Hash(I),s,A,B,K1) and sends it to the identity authentication server;

步骤八:身份认证服务端同样计算参数M2并和接收到的参数M1进行校验,校验通过后将参数K1作为会话密钥存储在内存中;Step 8: The identity authentication server also calculates the parameter M2 and verifies it with the received parameter M1, and stores the parameter K1 as a session key in the memory after the verification is passed;

步骤九:身份认证服务端计算Hash(A,M,K2),并将该hash值返回给本地服务端;Step 9: The identity authentication server calculates Hash (A, M, K2), and returns the hash value to the local server;

步骤十:本地服务端接收到Hash(A,M,K2),同样计算Hash(A,M,K1)进行校验,校验通过后将参数K2作为会话密钥存储在内存中。Step 10: The local server receives the Hash (A, M, K2), and also calculates the Hash (A, M, K1) for verification. After the verification is passed, the parameter K2 is stored in the memory as the session key.

本发明实施例中,将指纹信息与传统身份认证方法相结合,并将指纹特征加入到参数运算中,在不增加操作步骤的情况下,提高了身份认证的安全性。本发明实施例中信息采集器还可以采集虹膜信息、面容信息、声纹信息等其他生物特征,本发明实施例以指纹信息为例。In the embodiment of the present invention, the fingerprint information is combined with the traditional identity authentication method, and the fingerprint feature is added into the parameter calculation, which improves the security of the identity authentication without adding operation steps. In the embodiment of the present invention, the information collector can also collect other biological characteristics such as iris information, face information, and voiceprint information. The embodiment of the present invention takes fingerprint information as an example.

本发明实施例还提供一种多重身份认证系统,包括用户终端和服务器。其中,用户终端包括信息采集器、密钥管理设备。该系统运行方法与上述实施例相同,不再过多描述。The embodiment of the present invention also provides a multi-identity authentication system, including a user terminal and a server. Wherein, the user terminal includes an information collector and a key management device. The operation method of the system is the same as that of the above-mentioned embodiment, and no more description is given here.

本发明实施例还提供一种计算机设备,参考图3,该计算机设备包括处理器以及存储器。其中,处理器用于执行存储器中存储的可执行模块,例如计算机程序。An embodiment of the present invention also provides a computer device. Referring to FIG. 3 , the computer device includes a processor and a memory. Wherein, the processor is used to execute executable modules stored in the memory, such as computer programs.

其中,存储器可能包含高速随机存取存储器(RAM,Random Access Memory),也可能还包括非不稳定的存储器(non-volatile memory),例如至少一个磁盘存储器。该存储器用于存储程序,所述处理器在接收到执行指令后,执行上述程序,前述本发明实施例任一实施例揭示的、方法可以应用于处理器中,或者由处理器实现。Wherein, the memory may include a high-speed random access memory (RAM, Random Access Memory), and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory. The memory is used to store a program, and the processor executes the program after receiving an execution instruction. The method disclosed in any of the foregoing embodiments of the present invention may be applied to the processor or implemented by the processor.

处理器可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器可以是通用处理器,包括中央处理器(Central Processing Unit,简称CPU)、网络处理器(Network Processor,简称NP)等;还可以是数字信号处理器(Digital SignalProcessing,简称DSP)、专用集成电路(Application Specific Integrated Circuit,简称ASIC)、现成可编程门阵列(Field-Programmable Gate Array,简称FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本发明实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本发明实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器,处理器读取存储器中的信息,结合其硬件完成上述方法的步骤。A processor may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by an integrated logic circuit of hardware in a processor or an instruction in the form of software. Above-mentioned processor can be general-purpose processor, comprises central processing unit (Central Processing Unit, be called for short CPU), network processor (Network Processor, be called for short NP) etc.; Can also be Digital Signal Processor (Digital Signal Processing, be called for short DSP), Application Specific Integrated Circuit (ASIC for short), off-the-shelf programmable gate array (Field-Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. Various methods, steps and logic block diagrams disclosed in the embodiments of the present invention may be implemented or executed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like. The steps of the methods disclosed in the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register. The storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware.

本发明实施例所提供的身份认证方法、设备和计算机可读存储介质的计算机程序产品,包括存储了程序代码的计算机可读存储介质,所述程序代码包括的指令可用于执行前面方法实施例中所述的方法,具体实现可参见方法实施例,在此不再赘述。The computer program product of the identity authentication method, device, and computer-readable storage medium provided by the embodiments of the present invention includes a computer-readable storage medium storing program codes, and the instructions included in the program codes can be used to execute the above method embodiments. For the specific implementation of the method, refer to the method embodiments, and details are not repeated here.

本发明实施例在传统身份认证方法的基础上,增加了信息采集器和密钥管理设备两个硬件,将生物特征信息加密后用于身份认证,既简化了身份认证的流程,也加强了身份认证的安全性,保障了用户的个人信息不被泄露。On the basis of the traditional identity authentication method, the embodiment of the present invention adds two pieces of hardware, an information collector and a key management device, and encrypts the biometric information for identity authentication, which not only simplifies the identity authentication process, but also strengthens the identity authentication process. The security of authentication ensures that the user's personal information is not leaked.

本发明的权利保护范围由所附权利要求书限定,所述技术、方法,以及使用所述技术、方法,可用于文本识别、语音识别,还是图像识别和视频信号处理,凡以本发明构造的激活函数作为神经网络的组成部分,用于文本识别、语音识别,以及图像识别和视频信号处理,均应当被视为权利说明书要求权利保护的一部分,理应受到相关法律的保护。The protection scope of the present invention is defined by the appended claims. The technology, method, and use of the technology and method can be used for text recognition, speech recognition, or image recognition and video signal processing. As a component of the neural network, the activation function is used for text recognition, speech recognition, image recognition and video signal processing, and should be regarded as a part of the protection claimed in the claim specification and should be protected by relevant laws.

Claims (9)

1.一种多重身份认证方法,其特征在于,包括用户注册阶段及用户登录阶段;所述用户注册阶段包括:1. A multi-identity authentication method, characterized in that, comprises a user registration stage and a user login stage; the user registration stage includes: 步骤一:本地服务端接收用户的注册信息,启动信息采集器获取并存储所述用户的特征信息,并将所述特征信息返还所述本地服务端;Step 1: The local server receives the registration information of the user, starts the information collector to obtain and store the characteristic information of the user, and returns the characteristic information to the local server; 步骤二:所述本地服务端获取本地设备网卡的IP地址及MAC地址,生成随机盐s,并利用哈希函数生成所述IP地址的IP参数P、所述MAC地址的MAC参数I以及参数X和参数v,生成公式如下,其中g为固定的大素数N范围内的一个固定参数:Step 2: The local server obtains the IP address and the MAC address of the network card of the local device, generates a random salt s, and uses a hash function to generate the IP parameter P of the IP address, the MAC parameter I and the parameter X of the MAC address and parameter v, the generation formula is as follows, where g is a fixed parameter within the range of a fixed large prime number N: P=Hash(IP地址+特征信息+随机数)P=Hash(IP address+feature information+random number) I=Hash(MAC地址+特征信息)I=Hash(MAC address+characteristic information) X=Hash(随机盐s,P)X = Hash(random salt s, P) V=g^XV=g^X 步骤三:启动密钥管理设备对所述特征信息及所述参数P进行加密,并将加密后的所述特征信息及所述参数P返还至所述本地服务端;所述本地服务端将所述注册信息、所述参数I、加密后的所述参数P、加密后的所述特征信息存储在第一数据库中,并将所述注册信息、所述参数I、所述参数v及所述随机盐s发送至身份认证服务端;Step 3: Start the key management device to encrypt the feature information and the parameter P, and return the encrypted feature information and the parameter P to the local server; the local server sends the The registration information, the parameter I, the encrypted parameter P, and the encrypted feature information are stored in a first database, and the registration information, the parameter I, the parameter v and the The random salt s is sent to the authentication server; 步骤四:所述身份认证服务端将接收到的所述参数I、所述参数v及所述随机盐s存储至第二数据库中,并将用户注册完成信息发送至所述本地服务端。Step 4: The identity authentication server stores the received parameter I, the parameter v and the random salt s in the second database, and sends user registration completion information to the local server. 2.根据权利要求1所述的一种多重身份认证方法,其特征在于,所述信息采集器包括指纹采集器、面容采集器、虹膜采集器;所述特征信息为所述信息采集器对应的指纹特征、面容特征、虹膜特征。2. A kind of multiple identity authentication method according to claim 1, it is characterized in that, described information collector comprises fingerprint collector, face collector, iris collector; Described feature information is that described information collector corresponds Fingerprint features, facial features, iris features. 3.根据权利要求1所述的一种多重身份认证方法,其特征在于,所述用户登录阶段包括:3. The multi-identity authentication method according to claim 1, wherein the user login stage includes: 步骤一:用户发出登录请求至所述本地服务端,所述本地服务端启动所述信息采集器,采集所述特征信息;Step 1: the user sends a login request to the local server, and the local server starts the information collector to collect the characteristic information; 步骤二:所述密钥管理设备对所述特征信息进行加密,并返还至所述本地服务端;所述本地服务端根据加密后的所述特征信息在所述第一数据库中搜索,获取对应的所述参数I及所述加密后的所述参数P;所述密钥管理设备对所述加密后的所述参数P进行解密,获得所述参数P并返还至所述本地服务端;Step 2: The key management device encrypts the feature information and returns it to the local server; the local server searches the first database according to the encrypted feature information to obtain the corresponding The parameter I and the encrypted parameter P; the key management device decrypts the encrypted parameter P, obtains the parameter P and returns it to the local server; 步骤三:所述本地服务端计算参数A=g^a,其中a为随机数,g为系统中的固定参数,将所述参数I和所述参数A发送给所述身份认证服务端;Step 3: The local server calculates parameter A=g^a, wherein a is a random number, g is a fixed parameter in the system, and sends the parameter I and the parameter A to the identity authentication server; 步骤四:所述身份认证服务端根据所述参数I在所述第二数据库中找到所述参数v及所述参数s,并计算参数B=kv+g^b其中参数k=Hash(N,g),N为一个固定的大素数g固定为N内的数;Step 4: The identity authentication server finds the parameter v and the parameter s in the second database according to the parameter I, and calculates the parameter B=kv+g^b where the parameter k=Hash(N, g), N is a fixed large prime number g is fixed as the number in N; 步骤五:所述身份认证服务端将所述参数s及所述参数B发送至所述本地服务端;Step 5: The identity authentication server sends the parameter s and the parameter B to the local server; 步骤六:所述本地服务端与所述身份认证服务端同时计算参数u=Hash(A,B),所述本地服务端计算所述参数x=Hash(s,p),参数S1=(B-kg^x)^(a+ux),参数K1=Hash(S),所述身份认证服务端计算参数S2=(Av^u)^b,K2=Hash(S);Step 6: The local server and the identity authentication server simultaneously calculate the parameter u=Hash(A, B), the local server calculates the parameter x=Hash(s,p), and the parameter S1=(B -kg^x)^(a+ux), parameter K1=Hash(S), said identity authentication server calculation parameter S2=(Av^u)^b, K2=Hash(S); 步骤七:所述本地服务端计算参数M1=Hash(Hash(N)xor Hash(g),Hash(I),s,A,B,K1)并发送给所述身份认证服务端;Step 7: The local server calculates the parameter M1=Hash(Hash(N)xor Hash(g), Hash(I), s, A, B, K1) and sends it to the identity authentication server; 步骤八:所述身份认证服务端同样计算参数M2并和接收到的所述参数M1进行校验,校验通过后将所述参数K1作为会话密钥存储在内存中;Step 8: The identity authentication server also calculates the parameter M2 and checks it with the received parameter M1, and stores the parameter K1 as a session key in the memory after the verification is passed; 步骤九:所述身份认证服务端计算Hash(A,M,K2),并将该hash值返回给所述本地服务端;Step 9: The identity authentication server calculates Hash (A, M, K2), and returns the hash value to the local server; 步骤十:所述本地服务端接收到Hash(A,M,K2),同样计算Hash(A,M,K1)进行校验,校验通过后将所述参数K2作为会话密钥存储在内存中。Step 10: The local server receives Hash (A, M, K2), calculates Hash (A, M, K1) for verification, and stores the parameter K2 in the memory as a session key after the verification is passed . 4.根据权利要求2所述的一种多重身份认证方法,其特征在于,还包括:当所述步骤十的校验通过后,所述参数K1和所述参数K2作为所述用户的可信任token。4. The multi-identity authentication method according to claim 2, further comprising: after the verification in step ten is passed, the parameter K1 and the parameter K2 are used as the user's trusted token. 5.根据权利要求1所述的一种多重身份认证方法,其特征在于,所述第一数据库为所述本地服务端的本地存储系统,所述第二数据库为所述身份认证服务端的本地存储系统;所述本地服务端和所述身份认证服务端可以是集线器、交换机等数据电路端接设备和/或主机、服务器等数据终端设备。5. A multi-identity authentication method according to claim 1, wherein the first database is the local storage system of the local server, and the second database is the local storage system of the identity authentication server ; The local server and the identity authentication server may be data circuit termination devices such as hubs and switches and/or data terminal devices such as hosts and servers. 6.根据权利要求1所述的一种多重身份认证方法,其特征在于,所述密钥管理设备为一种可以对信息进行加密、解密的移动设备。6. A multi-identity authentication method according to claim 1, wherein the key management device is a mobile device capable of encrypting and decrypting information. 7.一种多重身份认证系统,其特征在于,包括用户终端和服务器;所述用户终端包括信息采集器、密钥管理设备。7. A multi-identity authentication system, characterized in that it includes a user terminal and a server; the user terminal includes an information collector and a key management device. 8.一种计算机设备,包括存储器和处理器,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现权利要求1-6中任一项所述的方法。8. A computer device, comprising a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, the method according to any one of claims 1-6 is realized. 9.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有计算机可执行指令,所述计算机可执行指令在被处理器调用和执行时,计算机可执行指令促使处理器实现如权利要求1-5任一项所述的一种身份认证方法。9. A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions, and when the computer-executable instructions are invoked and executed by a processor, the computer-executable instructions prompt the processor Realize an identity authentication method as described in any one of claims 1-5.
CN202310181285.2A 2023-02-27 2023-02-27 A multi-factor authentication method, device and storage medium Active CN116318909B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310181285.2A CN116318909B (en) 2023-02-27 2023-02-27 A multi-factor authentication method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310181285.2A CN116318909B (en) 2023-02-27 2023-02-27 A multi-factor authentication method, device and storage medium

Publications (2)

Publication Number Publication Date
CN116318909A true CN116318909A (en) 2023-06-23
CN116318909B CN116318909B (en) 2026-01-02

Family

ID=86837236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310181285.2A Active CN116318909B (en) 2023-02-27 2023-02-27 A multi-factor authentication method, device and storage medium

Country Status (1)

Country Link
CN (1) CN116318909B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621794A (en) * 2009-07-07 2010-01-06 董志 Method for realizing safe authentication of wireless application service system
WO2012098543A2 (en) * 2011-01-18 2012-07-26 Fortress Gb Ltd. System and method for computerized negotiations based on coded integrity
US20160192194A1 (en) * 2014-12-29 2016-06-30 Gongming Yang Secure way to build internet credit system and protect private information
CN111835752A (en) * 2020-07-09 2020-10-27 国网山西省电力公司信息通信分公司 Lightweight authentication method and gateway based on device identity
CN111931144A (en) * 2020-06-03 2020-11-13 南京南瑞信息通信科技有限公司 Unified safe login authentication method and device for operating system and service application

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621794A (en) * 2009-07-07 2010-01-06 董志 Method for realizing safe authentication of wireless application service system
WO2012098543A2 (en) * 2011-01-18 2012-07-26 Fortress Gb Ltd. System and method for computerized negotiations based on coded integrity
US20160192194A1 (en) * 2014-12-29 2016-06-30 Gongming Yang Secure way to build internet credit system and protect private information
CN111931144A (en) * 2020-06-03 2020-11-13 南京南瑞信息通信科技有限公司 Unified safe login authentication method and device for operating system and service application
CN111835752A (en) * 2020-07-09 2020-10-27 国网山西省电力公司信息通信分公司 Lightweight authentication method and gateway based on device identity

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘晓畅: "多服务器环境下三因子认证与密钥协商协议的研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》, 15 March 2021 (2021-03-15) *

Also Published As

Publication number Publication date
CN116318909B (en) 2026-01-02

Similar Documents

Publication Publication Date Title
US10798087B2 (en) Apparatus and method for implementing composite authenticators
CN113114624B (en) Biometric-based identity authentication method and device
JP7309261B2 (en) Authentication method for biometric payment device, authentication device for biometric payment device, computer device, and computer program
US9485098B1 (en) System and method of user authentication using digital signatures
US20160269393A1 (en) Protecting passwords and biometrics against back-end security breaches
US20090132828A1 (en) Cryptographic binding of authentication schemes
US20150163211A1 (en) Unclonable id based chip-to-chip communication
JP7686619B2 (en) Systems and methods relating to biometric protocol standards - Patents.com
WO2017000829A1 (en) Method for checking security based on biological features, client and server
US20130067217A1 (en) System and method for protecting access to authentication systems
CN110659467A (en) Remote user identity authentication method, device, system, terminal and server
US20190311100A1 (en) System and methods for securing security processes with biometric data
CN115696329B (en) Zero trust authentication method and device, zero trust client device and storage medium
Ziyad et al. Critical review of authentication mechanisms in cloud computing
US20220263818A1 (en) Using a service worker to present a third-party cryptographic credential
CN119005980A (en) Block chain account generation method and system
CN115442136A (en) Application system access method and device
CN117675309A (en) Data access method and device, storage medium and electronic equipment
CN116545681A (en) Level2FIDO verifier based on trusted execution environment
Catuogno et al. Off-line enterprise rights management leveraging biometric key binding and secure hardware
US20250240290A1 (en) Authentication using sequence of facial images
Sudha et al. A survey on different authentication schemes in cloud computing environment
CN116318909B (en) A multi-factor authentication method, device and storage medium
TW202145036A (en) Method of identity verification based on biometrics which is implemented by a verification server
PRIYA et al. TRUSTED HYBRID MULTIFACTOR AUTHENTICATION FOR CLOUD USERS.

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant