Disclosure of Invention
The embodiment of the application provides an identity authority verification method, an identity authority verification device, a server, a storage medium and a product, which can effectively improve the safety of identity authority verification. The technical scheme is as follows:
In one aspect, there is provided an identity authority verification method, the method including:
Receiving a permission verification request of a terminal, wherein the permission verification request carries a first hash value, the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of a current login account, and the permission information to be verified is part of permission information in the permission information of the account;
The method comprises the steps that a generated hash value tree of an account is obtained, wherein the hash value tree comprises a first node, a second node and a third node, the third node is a father node of the first node and the second node, the first node stores a fourth hash value corresponding to reference identity information, the second node stores a fifth hash value corresponding to reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value;
and based on the first hash value and the sixth hash value, verifying the identity authority of the terminal.
Optionally, the verifying the identity authority of the terminal based on the first hash value and the sixth hash value includes:
If the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to pass verification;
and if the first hash value and the sixth hash value are different, indicating that the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and determining that the authority verification result is that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, and the fifth node stores an eighth hash value, the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
The verification of the identity authority of the terminal is performed based on the first hash value and the sixth hash value, and the verification comprises the following steps of;
If the first hash value is the same as the sixth hash value and a ninth hash value is the same as the eighth hash value, determining that the authority verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
And if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on a public key;
before the authentication of the identity authority of the terminal is performed based on the first hash value and the sixth hash value, the method further includes:
and decrypting the encrypted hash value based on a private key corresponding to the public key to obtain the first hash value.
Optionally, the method further comprises:
signing the sixth hash value based on the private key;
And sending a signature verification request to the terminal, wherein the signature verification request carries the public key, the sixth hash value and the signed sixth hash value, the signature verification request is used for indicating the terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
Optionally, the generating process of the hash value tree includes:
receiving an authorization request of the terminal, wherein the authorization request carries the reference identity information and the reference authority information;
respectively determining a hash value of the reference identity information and a hash value of the reference authority information to obtain a fourth hash value and a fifth hash value;
Determining the sixth hash value based on the fourth hash value and the fifth hash value;
the hash value tree is generated based on the fourth hash value, the fifth hash value, and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the seventh hash value and the sixth hash value;
the generating the hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value includes:
Determining the seventh hash value based on the hash value of the identity information;
Determining the eighth hash value based on the sixth hash value and the seventh hash value;
the hash value tree is generated based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, the determining the seventh hash value based on the hash value of the identity information includes:
Acquiring hash value of the identity information and hash value of the current timestamp, determining the seventh hash value based on the hash value of the identity information and hash value of the current timestamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as the seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on a symmetric key;
before the hash value of the reference identity information and the hash value of the reference authority information are respectively determined to obtain the fourth hash value and the fifth hash value, the method further includes:
and decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, the receiving the permission verification request of the terminal includes:
And receiving a permission verification request forwarded by an application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the method further comprises:
receiving an announcement publishing request of the terminal, wherein the announcement publishing request carries announcement information of the current login account;
And if the authority verification result is that verification is passed, sending the notice information to a target group, wherein the target group is the group where the current login account is located.
In another aspect, there is provided an identity authority verification apparatus, the apparatus comprising:
The first receiving module is used for receiving a permission verification request of the terminal, wherein the permission verification request carries a first hash value, the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of a current login account, and the permission information to be verified is part of permission information in the permission information of the account;
The acquisition module is used for acquiring a generated hash value tree of the account, wherein the hash value tree comprises a first node, a second node and a third node, the third node is a father node of the first node and the second node, the first node stores a fourth hash value corresponding to the reference identity information, the second node stores a fifth hash value corresponding to the reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value;
and the verification module is used for verifying the identity authority of the terminal based on the first hash value and the sixth hash value.
Optionally, the verification module is configured to:
If the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to pass verification;
and if the first hash value and the sixth hash value are different, indicating that the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and determining that the authority verification result is that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, and the fifth node stores an eighth hash value, the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
the verification module is used for:
If the first hash value is the same as the sixth hash value and a ninth hash value is the same as the eighth hash value, determining that the authority verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
And if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on a public key, and the device further comprises:
And the first decryption module is used for decrypting the encrypted hash value based on the private key corresponding to the public key to obtain the first hash value.
Optionally, the apparatus further comprises:
A signature module for signing the sixth hash value based on the private key;
The first sending module is configured to send a signature verification request to the terminal, where the signature verification request carries the public key, the sixth hash value and the signed sixth hash value, and the signature verification request is configured to instruct the terminal to decrypt the signed sixth hash value based on the public key, and store the public key if the decrypted hash value is the same as the sixth hash value.
Optionally, the apparatus further includes:
The second receiving module is used for receiving an authorization request of the terminal, wherein the authorization request carries the reference identity information and the reference authority information;
The first determining module is used for respectively determining the hash value of the reference identity information and the hash value of the reference authority information to obtain the fourth hash value and the fifth hash value;
A second determining module configured to determine the sixth hash value based on the fourth hash value and the fifth hash value;
And the generation module is used for generating the hash value tree based on the fourth hash value, the fifth hash value and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the seventh hash value and the sixth hash value;
the generating module comprises:
a first determining unit configured to determine the seventh hash value based on the hash value of the identity information;
a second determining unit configured to determine the eighth hash value based on the sixth hash value and the seventh hash value;
and a generating unit, configured to generate the hash value tree based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, the first determining unit is configured to:
Acquiring hash value of the identity information and hash value of the current timestamp, determining the seventh hash value based on the hash value of the identity information and hash value of the current timestamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as the seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on a symmetric key, and the device further comprises:
And the second decryption module is used for decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, the first receiving module is configured to:
And receiving a permission verification request forwarded by an application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the apparatus further comprises:
The third receiving module is used for receiving an announcement publishing request of the terminal, wherein the announcement publishing request carries announcement information of the current login account;
and the second sending module is used for sending the notice information to a target group if the authority verification result is that verification is passed, wherein the target group is the group where the current login account is located.
In another aspect, a server is provided, where the server includes one or more processors and one or more memories, where at least one program code is stored in the one or more memories, and the at least one program code is loaded and executed by the one or more processors to implement the identity authority checking method according to any of the above implementations.
In another aspect, a computer readable storage medium is provided, where at least one program code is stored, where the at least one program code is loaded and executed by a processor to implement the identity authority verification method according to any one of the above implementations.
In another aspect, a computer program product is provided, the computer program product comprising at least one piece of program code, the at least one piece of program code being loaded and executed by a processor to implement the identity authority verification method according to any one of the implementations described above.
The technical scheme provided by the embodiment of the application has the beneficial effects that at least:
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
The terms "first," "second," "third," and "fourth" and the like in the description and in the claims and drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprising," "including," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, user identity information, user authority information, etc.) related to the present application is information authorized by the user or sufficiently authorized by each party.
Blockchains are novel application modes of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, encryption algorithms, and the like. The blockchain (Blockchain), essentially a de-centralized database, is a string of data blocks that are generated in association using cryptographic methods, each of which contains information from a batch of network transactions for verifying the validity (anti-counterfeit) of its information and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer.
The blockchain underlying platform may include processing modules for user management, basic services, smart contracts, and operational monitoring. The system comprises a user management module, a base service module, a public and private key generation (account management), a key management and a corresponding relation maintenance (authority management) of a user real identity and a blockchain address, and the like, wherein the user management module is responsible for identity information management of all blockchain participants, comprises maintenance of public and private key generation (account management), key management, maintenance of a corresponding relation between the user real identity and the blockchain address (authority management) and the like, and provides rule configuration (wind control audit) of risk control under the authorized condition, the base service module is deployed on all blockchain node devices and is used for verifying the validity of service requests, recording the valid requests after the valid requests are completed, for a new service request, the base service firstly carries out interface adaptation analysis and authentication processing (interface adaptation), then carries out encryption (consensus management) on the service information, and carries out recording and storage on a shared account book (network communication) after the encryption, the intelligent contract module is responsible for registration issuing of contracts and contract triggering and contract execution, developers can define contract logic through programming languages, issue contract logic on the blockchain (contract registering), call keys or other event triggering execution according to contract logic, and complete contract logic, and provide updating and upgrading main function monitoring and main contract updating function, and monitoring device in real-time monitoring and monitoring conditions in a cloud monitoring and monitoring device.
The platform product service layer provides basic capabilities and implementation frameworks of typical applications, and developers can complete the blockchain implementation of business logic based on the basic capabilities and the characteristics of the superposition business. The application service layer provides the application service based on the block chain scheme to the business participants for use.
Fig. 1 is a schematic view of an implementation environment provided in an embodiment of the present application, and referring to fig. 1, the implementation environment includes a terminal 10 and a server 20. The terminal 10 and the server 20 are connected by a wired or wireless network. The server 20 is a server, or at least one of a server cluster cloud server, a cloud computing platform and a virtualization center, which are formed by a plurality of servers, and optionally, the server 20 is a server of a trusted CA (Certification Authority, authentication center) or a server for providing a trusted third party service. The terminal 10 may be at least one of a smart phone, a tablet computer, a vehicle-mounted terminal, a notebook computer, a desktop computer, or the like. The terminal 10 has a target application installed thereon, and the terminal 10 can realize functions such as data transmission, information interaction, and the like through the target application. The target application is an application in the operating system of the terminal 10 or an application provided for a third party. For example, the target application is a chat application program, the terminal 10 can send the permission verification request to the server 20 through the target application program, and the server 20 is used for verifying the identity permission of the terminal 10 by adopting the method provided by the application.
In another implementation, the implementation environment includes a terminal 10, a server 20, and an application server. The application server is connected to the terminal 10 and the server 20 via a wired or wireless network, respectively. Optionally, the application server is a background server of the terminal 10, the target application installed on the terminal 10 is served by the application server, after the terminal 10 can send the permission verification request to the application server through the target application program, the application server forwards the permission verification request to the server 20, and the server 20 is used for verifying the identity permission of the terminal 10 by adopting the method provided by the application.
Fig. 2 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 2, the method includes:
201. And receiving a permission verification request of the terminal, wherein the permission verification request carries a first hash value, the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of the current login account, and the permission information to be verified is part of permission information in the permission information of the account.
202. The method comprises the steps of obtaining a generated hash value tree of an account, wherein the hash value tree comprises a first node, a second node and a third node, the third node is a father node of the first node and the second node, the first node stores a fourth hash value corresponding to reference identity information, the second node stores a fifth hash value corresponding to reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value.
203. And based on the first hash value and the sixth hash value, verifying the identity authority of the terminal.
Optionally, based on the first hash value and the sixth hash value, verifying the identity authority of the terminal includes:
if the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to be verification passing;
if the first hash value and the sixth hash value are different, the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and the permission verification result is determined to be that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
based on the first hash value and the sixth hash value, verifying the identity authority of the terminal, including;
if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, determining that the permission verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on the public key;
Before verifying the identity authority of the terminal based on the first hash value and the sixth hash value, the method further comprises:
And decrypting the encrypted hash value based on the private key corresponding to the public key to obtain a first hash value.
Optionally, the method further comprises:
signing the sixth hash value based on the private key;
And sending a signature verification request to the terminal, wherein the signature verification request carries the public key, the sixth hash value and the signed sixth hash value, the signature verification request is used for indicating the terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
Optionally, the generating process of the hash value tree includes:
receiving an authorization request of a terminal, wherein the authorization request carries reference identity information and reference authority information;
Respectively determining a hash value of the reference identity information and a hash value of the reference authority information to obtain a fourth hash value and a fifth hash value;
determining a sixth hash value based on the fourth hash value and the fifth hash value;
a hash value tree is generated based on the fourth hash value, the fifth hash value, and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, the eighth hash value is obtained based on the seventh hash value and the sixth hash value, and the authorization request further carries the identity information;
generating a hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value, comprising:
determining a seventh hash value based on the hash value of the identity information;
Determining an eighth hash value based on the sixth hash value and the seventh hash value;
a hash value tree is generated based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, determining the seventh hash value based on the hash value of the identity information includes:
acquiring hash value of identity information and hash value of current time stamp, determining seventh hash value based on hash value of identity information and hash value of current time stamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as a seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on the symmetric key;
the method further comprises the steps of before the hash value of the reference identity information and the hash value of the reference authority information are respectively determined to obtain a fourth hash value and a fifth hash value:
And decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, receiving the permission verification request of the terminal includes:
and receiving a permission verification request forwarded by the application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the method further comprises:
receiving an announcement publishing request of a terminal, wherein the announcement publishing request carries announcement information of a current login account;
If the authority verification result is that verification is passed, sending notice information to a target group, wherein the target group is the group where the current login account is located.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
Fig. 3 is a flowchart of a hash value tree generation process according to an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 3, the method includes:
301. the terminal sends an authorization request to the server.
Wherein the authorization request carries reference identity information and reference rights information. The reference identity information is part of identity information of the current login account of the terminal, and the reference authority information is part of authority information of the account corresponding to the part of identity information.
In some embodiments, the authorization request is triggered by the terminal based on a target control on a target application that it installs, and the terminal is a terminal used by the user. In some embodiments, after the target application is started for the first time, the target application displays an information input interface, after the user inputs the identity information of the target application, the account of the user obtains a plurality of rights of the target application, the plurality of rights are respectively part rights of the account, each right corresponds to part of the identity information of the account, and each part of the right information and the corresponding part of the identity information are respectively used as reference identity information and reference right information of the right.
In one implementation, the terminal sequentially sends each piece of authority information and the partial identity information corresponding to each piece of authority information to the server, so that the subsequent server can generate a hash value tree directly based on the partial authority information and the partial identity information. In another implementation manner, the terminal simultaneously transmits the plurality of authority information and the corresponding partial identity information to the server, and the server determines each authority information and the corresponding partial identity information, so that the transmission times are reduced, and the transmission efficiency is improved. Optionally, the server determines the corresponding partial identity information based on the identification of the partial identity information carried by the authority information.
302. And the server receives the authorization request sent by the terminal.
In one implementation, the authorization request carries the reference identity information and the reference rights information after encrypting the reference identity information and the reference rights information based on the symmetric key. After receiving the authorization request, the server decrypts the encrypted reference identity information and the encrypted reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
The symmetric key is a key agreed in advance by the terminal and the server, and the passwords of the symmetric key for encryption and decryption are the same. Optionally, the terminal generates the symmetric key and then sends the symmetric key to the server through the trusted channel or the server generates the symmetric key and then sends the symmetric key to the terminal through the trusted channel.
Optionally, the server is a server of a trusted CA or a server providing a trusted third party service, so that when identity authority verification is performed by the server later, the security of performing the identity authority verification can be improved, and the accuracy and the credibility of the authority verification result can be improved.
303. The server respectively determines a hash value of the reference identity information and a hash value of the reference authority information to obtain a fourth hash value and a fifth hash value.
The hash algorithm for determining the hash value by the server may be set and changed according to needs, which is not particularly limited in the embodiment of the present application.
304. The server determines a sixth hash value based on the fourth hash value and the fifth hash value.
Optionally, after the server splices the fourth hash value and the fifth hash value, the server carries out hash operation again on the spliced hash value to obtain a sixth hash value.
305. The server generates a hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value.
Referring to fig. 4, fig. 4 is a schematic diagram of a hash value tree generated based on a fourth hash value, a fifth hash value and a sixth hash value, where the hash value tree includes a first node, a second node and a third node, the third node is a parent node of the first node and the second node, the first node stores a fourth hash value corresponding to reference identity information, the second node stores a fifth hash value corresponding to reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value. The first node and the second node are leaf nodes of a hash value tree respectively, the leaf nodes store a fourth hash value and a fifth hash value of the reference identity information and the reference authority information respectively, and the third node is a root node and is used for storing a root hash value, namely a sixth hash value, of the hash value tree.
In the embodiment of the application, the server generates the hash value tree based on the hash value of the reference identity information and the hash value of the reference authority information, and then based on the hash value of the reference identity information, the hash value of the reference authority information and the hash value of the sixth hash value, so that when the subsequent server receives the authority verification request, the server can verify based on the sixth hash value in the hash value tree and the first hash value obtained based on the hash value of the identity information to be verified and the hash value of the authority information to be verified, thereby avoiding the verification process based on the complete identity information and the complete authority information of the account, avoiding the exposure of the reference identity information and the reference authority information, realizing the effective protection of the identity information and the authority information of the account, and effectively improving the safety of the identity authority verification.
306. The server generates a public key and a private key corresponding to the hash value tree.
The private key is stored in the server, and the public key is stored in the terminal. When the public key is used for the subsequent terminal to send the permission verification request to the server, the information carried by the permission verification request is encrypted, and the private key is used for decrypting the information carried by the permission verification request, so that the safety of information transmission between the terminal and the server is ensured.
307. The server signs the sixth hash value based on the private key.
In the embodiment of the application, the signature is performed on the sixth hash value through the private key, so that the public key of the terminal is checked and signed based on the signed sixth hash value in the subsequent process, the matching between the public key and the private key can be ensured, and the effectiveness of subsequent encryption or decryption based on the public key and the private key is ensured.
308. And the server sends a signature verification request to the terminal.
The signature verification request carries a public key, a sixth hash value and a signed sixth hash value, the signature verification request is used for indicating a terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
309. The terminal receives the signature verification request, decrypts the signed sixth hash value based on the public key, and stores the public key if the decrypted hash value is the same as the sixth hash value.
In some embodiments, if the decrypted hash value is the same as the sixth hash value, the terminal further stores the sixth hash value, so that when the subsequent terminal sends the permission check request to the server, the sixth hash value is directly used as the first hash value, so that the permission check request is sent to the server with the sixth hash value, further, the acquisition efficiency of the first hash value is improved, and further, the sending efficiency of the permission check request is improved.
In the embodiment of the application, signature verification is realized by decrypting the signed sixth hash value based on the public key, verification of the sixth hash value sent by the server is realized, verification of the identity of the server sending the sixth hash value is realized, and the pairing property of the public key and the private key is verified, so that in the subsequent process, after the server receives the message sent by the terminal and based on public key encryption, the message can be accurately and smoothly decrypted based on the private key, and the decrypting effectiveness is ensured.
Fig. 5 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 5, the method includes:
501. And the terminal sends a permission verification request to the server.
The permission verification request carries a first hash value, wherein the first hash value is obtained based on a second hash value of to-be-verified identity information and a third hash value of to-be-verified permission information, the to-be-verified identity information is part of identity information in the identity information of the current login account, and the to-be-verified permission information is part of permission information in the permission information of the account.
In one implementation, the first hash value is obtained based on a sixth hash value stored in advance by the terminal, the first hash value is the stored sixth hash value if the sixth hash value is not tampered, and the first hash value is the tampered sixth hash value if the sixth hash value is tampered. In another implementation manner, the identity information to be checked and the authority information to be checked are new identity information and new authority information, the first hash value is obtained based on the new identity information and the new authority information, the first hash value is not obtained based on a sixth hash value stored in advance, a hash value tree corresponding to the new identity information and the new authority information is not generated in the server, and the corresponding subsequent authority verification result is failed.
In some embodiments, the permission verification request is triggered by the terminal based on a target control on a target application installed by the terminal, and the terminal is a terminal used by a user. In some embodiments, the target application is a chat application, the authority information to be checked of the account is the authority information of the publishing notice in the target group, the identity information to be checked of the account is the identity information of the manager of the target group, and the terminal sends the authority checking request to the server in response to the triggering of the control of the publishing notice. Optionally, the terminal sends the permission verification request through a trusted channel.
In the embodiment of the application, the identity information to be checked and the authority information to be checked are checked through the first hash value of the part of the identity information and the first hash value of the part of the authority information, so that the exposure of redundant information is avoided, and the verification of the identity information and the authority information is realized through one-time verification, thereby improving the reliability and the efficiency of the verification.
502. And the server receives the permission verification request of the terminal.
In one implementation, the rights verification request carries a hash value after encrypting the first hash value based on the public key. After receiving the permission verification request, the server decrypts the encrypted hash value based on the private key corresponding to the public key to obtain a first hash value.
In the embodiment of the application, the first hash value is encrypted based on the public key, so that the first hash value is prevented from being tampered in the process of being sent to the server, and the safety of the transmission of the first hash value is ensured.
503. The server obtains a hash value tree of the generated account.
The hash value tree generation process is implemented through the steps 301-305, which are not described herein.
It should be noted that each account may correspond to a plurality of different hash value trees, each hash value tree corresponds to a different part of rights of the account, and each hash value tree is associated with not only the corresponding account but also the corresponding part of rights.
In one implementation, a plurality of hash value trees of each account are stored in a set, the set carries account identification of the account, and each hash value tree in the set carries authority identification of partial authority information corresponding to the hash value tree. The first hash value carries an account number identifier and a permission identifier, the server determines a target set matched with the account number identifier from a plurality of sets of a plurality of account numbers, and then determines a hash value tree matched with the permission identifier from the target set.
In another implementation, the same partial rights of the plurality of accounts are stored in a set, the set carries the rights identification, and each hash value tree in the set carries the account identification of the account corresponding to the hash value tree. The first hash value carries an account number identifier and a permission identifier, the server determines a target set matched with the permission identifier from a plurality of sets of a plurality of permissions, and then determines a hash value tree matched with the account number identifier from the target set.
504. And the server verifies the identity authority of the terminal based on the first hash value and the sixth hash value.
In one implementation, if the first hash value and the sixth hash value are the same, the second hash value and the fourth hash value are the same, the third hash value and the fifth hash value are the same, and the permission verification result is determined to be verification passing. In another implementation manner, if the first hash value and the sixth hash value are different, it indicates that the second hash value is different from the fourth hash value or the third hash value is different from the fifth hash value, and it is determined that the permission verification result is that verification is failed. Optionally, the second hash value being different from the fourth hash value or the third hash value being different from the fifth hash value includes the second hash value being different from the fourth hash value or the third hash value being different from the fifth hash value or the second hash value being different from the fourth hash value and the third hash value being different from the fifth hash value.
Optionally, after determining the authority verification result, the server sends the authority verification result to the terminal, and the terminal is used for carrying out the next process based on the authority verification result, wherein the authority verification result is returned by the trusted channel of the trusted CA or the trusted third party service, so that the credibility of the authority verification result is improved.
In another implementation manner, after determining the permission verification result, the server directly instructs the terminal to perform the next flow corresponding to the permission verification result. In some embodiments, the server receives an advertisement publishing request of the terminal, where the advertisement publishing request carries advertisement information of the current login account. If the authority verification result is that verification is passed, the server sends notice information to a target group, wherein the target group is the group where the current login account is located. In this embodiment, the advertisement information is carried in the advertisement publishing request, so that the advertisement information can be directly published to the target group after the verification is passed, thereby improving the efficiency of publishing the advertisement information.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
Fig. 6 is a flowchart of a hash value tree generation process according to an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 6, the method includes:
601. The terminal sends an authorization request to the server.
The authorization request carries reference identity information, reference authority information and identity information. The reference identity information is part of identity information of the current login account of the terminal, the reference authority information is part of authority information of the account corresponding to the part of identity information, and the identity information is all complete identity information of the account.
In some embodiments, the authorization request is triggered by the terminal based on a target control on a target application that it installs, and the terminal is a terminal used by the user. In some embodiments, after the target application is started for the first time, the target application displays an information input interface, after the user inputs the identity information of the target application, the account of the user obtains a plurality of rights of the target application, the plurality of rights are respectively part of rights of the account, each right corresponds to part of the identity information of the account, and each right information and the corresponding part of the identity information are respectively used as reference identity information and reference right information of the rights.
In one implementation, the terminal sequentially transmits each piece of authority information, part of identity information corresponding to each piece of authority information and identity information to the server, so that a subsequent server can generate a hash value tree directly based on the authority information, part of identity information and identity information. In another implementation manner, the terminal simultaneously transmits the identity information, the plurality of authority information and the corresponding part of the identity information to the server, and the server determines each authority information and the corresponding part of the identity information, so that the transmission times are reduced, and the transmission efficiency is improved. Optionally, the server determines the corresponding partial identity information based on the identification of the partial identity information carried by the authority information.
602. And the server receives the authorization request sent by the terminal.
In one implementation, the authorization request carries reference identity information, reference rights information, and identity information after encrypting the reference identity information, reference rights information, and identity information based on the symmetric key. After receiving the authorization request, the server decrypts the encrypted reference identity information, the encrypted reference authority information and the encrypted identity information based on the symmetric key to obtain the reference identity information, the encrypted reference authority information and the encrypted identity information.
Optionally, the terminal encrypts the reference identity information, the reference authority information and the identity information respectively based on the symmetric key, or the terminal packages the reference identity information, the reference authority information and the identity information and encrypts the information once based on the symmetric key.
603. The server respectively determines a hash value of the reference identity information and a hash value of the reference authority information, obtains a fourth hash value and a fifth hash value, and determines a seventh hash value based on the hash value of the identity information.
In one implementation, the server obtains a hash value of the identity information and determines the hash value of the identity information as a seventh hash value. In another implementation mode, the server acquires the hash value of the identity information and the hash value of the current timestamp, determines a seventh hash value based on the hash value of the identity information and the hash value of the current timestamp, and optionally, after splicing the hash value of the identity information and the hash value of the current timestamp, the server carries out hash operation again on the spliced hash value to obtain the seventh hash value, so that the identity information to be verified and the authority information to be verified can be ensured to be within the validity period from the current timestamp when the identity authority is verified later, and the timeliness of the identity authority verification is ensured.
604. The server determines a sixth hash value based on the fourth hash value and the fifth hash value.
Optionally, after the server splices the fourth hash value and the fifth hash value, the server carries out hash operation again on the spliced hash value to obtain a sixth hash value.
605. The server determines an eighth hash value based on the sixth hash value and the seventh hash value.
Optionally, after the server splices the sixth hash value and the seventh hash value, the server carries out hash operation again on the spliced hash value to obtain an eighth hash value.
606. The server generates a hash value tree based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
The hash value tree comprises a first node, a second node, a third node, a fourth node and a fifth node, wherein the third node is a father node of the first node and the second node, the fifth node is a father node of the third node and the fourth node, the first node stores a fourth hash value corresponding to the standard identity information, the second node stores a fifth hash value corresponding to the standard authority information, the third node stores a sixth hash value, the sixth hash value is obtained based on the fourth hash value and the fifth hash value, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the seventh hash value and the sixth hash value.
In the embodiment of the application, the server generates the hash value tree based on the reference identity information, the reference authority information and the identity information, and because the identity information is the whole complete identity information of the account, the hash value of the identity information is used as the node of the hash value tree, so that the stability of the hash value tree and the accuracy of the hash value tree can be ensured, and in the subsequent verification based on the hash value tree, the double verification can be performed based on the sixth hash value and the eighth hash value in the hash value tree, thereby ensuring the verification accuracy.
In another implementation, the hash value tree further comprises a sixth node and a seventh node, wherein the sixth node stores the hash value of the identity information, the seventh node stores the hash value of the current timestamp, the fourth node is a father node of the sixth node and the seventh node, and the fourth node stores a seventh hash value obtained based on the identity information, the hash value and the hash value of the current timestamp. Referring to fig. 7, fig. 7 is a schematic diagram of the hash value tree, where the first node, the second node, the sixth node, and the seventh node are leaf nodes of the hash value tree, and store a fourth hash value of the reference identity information, a fifth hash value of the reference authority information, a hash value of the identity information, and a hash value of the current timestamp, respectively. The third node and the fourth node are intermediate nodes, the fifth node is a root node, and the fifth node stores a root hash value of the hash value tree, namely an eighth hash value. Optionally, the hash value tree is a merkel tree.
In the embodiment of the application, the server generates the Meckel tree based on the reference identity information, the reference authority information, the identity information and the current timestamp, so that the hash value of the current timestamp is used as a node of the hash value tree, and the identity information to be checked and the authority information to be checked in the validity period from the current timestamp in the subsequent verification of the identity authority can be ensured, thereby ensuring the timeliness of the verification of the identity authority.
607. The server generates a public key and a private key corresponding to the hash value tree.
608. The server signs the sixth hash value based on the private key.
609. And the server sends a signature verification request to the terminal.
610. The terminal receives the signature verification request, decrypts the signed sixth hash value based on the public key, and stores the public key if the decrypted hash value is the same as the sixth hash value.
Steps 607-610 are identical to steps 306-309 and are not described in detail herein.
Fig. 8 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 8, the method includes:
801. And the terminal sends a permission verification request to the server.
This step is the same as step 501 and will not be described in detail here.
802. And the server receives the permission verification request sent by the terminal.
This step is the same as step 502 and will not be described in detail here.
803. The server obtains a hash value tree of the generated account.
The hash value tree generation process is implemented through steps 601-605, and the process of obtaining the hash value tree by the server is the same as that of step 503, which is not described herein.
804. And the server verifies the identity authority of the terminal based on the first hash value, the sixth hash value, the seventh hash value and the eighth hash value.
In the embodiment of the application, if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, the server determines that the permission verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value, and if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, the server determines that the permission verification result is verification failing.
In one implementation, after the server verifies the first hash value and the sixth hash value and the ninth hash value and the eighth hash value simultaneously based on the first hash value and the seventh hash value, if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, the server determines that the authority verification result is passed. If the first hash value is different from the sixth hash value, or the ninth hash value is different from the eighth hash value, or the first hash value is different from the sixth hash value, and the ninth hash value is different from the eighth hash value, the server determines that the authority verification result is that verification is not passed. Therefore, by simultaneously verifying the first hash value and the ninth hash value, time waste caused by respectively verifying the first hash value and the ninth hash value is avoided, verification time is shortened, and verification efficiency is improved.
In another implementation manner, after the server verifies the first hash value and the sixth hash value based on the first hash value and the seventh hash value, the server directly determines that the authority verification result is not passed without verifying the ninth hash value and the eighth hash value if the first hash value and the sixth hash value are different. And under the condition that the first hash value is the same as the sixth hash value, verifying the ninth hash value and the eighth hash value, and if the ninth hash value is the same as the eighth hash value, determining that the authority verification result is verification passing by the server. The implementation method avoids the waste of resources and time caused by verifying the ninth hash value and the eighth hash value under the condition that the first hash value is different from the sixth hash value.
In the embodiment of the application, the first hash value is verified based on the sixth hash value and the eighth hash value respectively through verification, so that when any one of the first hash value and the sixth hash value and the ninth hash value and the eighth hash value is different through double verification, namely, the verification result of the authority is determined as that the verification is not passed, thereby ensuring the accuracy of verifying the identity authority.
Fig. 9 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 9, the method includes:
901. And the terminal sends a permission verification request to the application server.
The permission verification request carries identity information to be verified and permission information to be verified.
The procedure of the step is the same as that of the step 501 in which the terminal sends the permission verification request to the server, and will not be described in detail here.
902. And the application server receives the permission verification request sent by the terminal.
The application server is a background server of a target application installed on the terminal. After receiving the permission verification request sent by the terminal, the server sends the permission verification request to the server.
903. The application server sends a permission verification request to the server.
In some embodiments, the rights verification request carries the identity information to be verified and the rights information to be verified after encrypting the identity information to be verified and the rights information to be verified based on the public key. In one implementation, the terminal encrypts identity information to be verified and authority information to be verified based on the public key, sends an authority verification request carrying the encrypted identity information to be verified and the authority information to be verified to the application server, and forwards the authority verification request to the server. In another implementation mode, after receiving the permission verification request, the application server encrypts the identity information to be verified and the permission information to be verified based on the public key, and sends the permission verification request carrying the encrypted identity information to be verified and the permission information to be verified to the server.
904. The server receives a permission verification request of the application server.
In one implementation, the permission verification request carries the identity information to be verified and the permission information to be verified after the identity information to be verified and the permission information to be verified are encrypted based on the public key. After receiving the permission verification request, the server decrypts the encrypted identity information to be verified and the encrypted permission information to be verified based on the private key corresponding to the public key to obtain the identity information to be verified and the permission information to be verified.
In the embodiment of the application, the identity information to be checked and the authority information to be checked are encrypted based on the public key, so that the identity information to be checked and the authority information to be checked are prevented from being tampered in the process of being sent to the server, and the safety of transmitting the identity information to be checked and the authority information to be checked is ensured.
905. The server generates a first hash value based on the identity information to be checked and the authority information to be checked.
The server respectively determines a second hash value of the identity information to be checked and a third hash value of the authority information to be checked, generates a first hash value based on the second hash value and the third hash value, and optionally, after the server splices the second hash value and the third hash value, carries out hash operation again on the spliced hash value to obtain the first hash value.
906. The server obtains a hash value tree of the generated account.
The hash value tree generation process is implemented through steps 601-605, and the process of obtaining the hash value tree by the server is the same as that of step 503, which is not described herein.
907. And the server verifies the identity authority of the terminal based on the first hash value, the sixth hash value, the seventh hash value and the eighth hash value.
This step is identical to step 904 and will not be described in detail here.
In the embodiment of the application, the permission verification request of the terminal is forwarded through the application server, and the requirements of the application server on stability, safety, performance and the like are higher than those of the terminal, so that the permission verification request of the terminal is forwarded through the application server, and the stability and the safety of information transmission can be improved.
Fig. 10 is a schematic diagram of an interaction process between devices according to an embodiment of the present application. Referring to fig. 10, the interaction process includes an authorization phase and a verification phase, and the hash value tree is a merkel tree. Steps 1001-1005 are the flow of the authorization phase and steps 1006-1009 are the flow of the verification phase. In step 1001, the terminal transmits partial identity information, partial authority information, and complete identity information to the server. In step 1002, the server receives partial identity information, partial rights information, and complete identity information, and generates a merkel tree based on the partial identity information, the partial rights information, and the complete identity information. In step 1003, the server generates a public-private key pair corresponding to the merkel tree. In step 1004, the server performs hash operation again after splicing the hash value of the partial identity information and the hash value of the partial authority information corresponding to the partial identity information based on the private key to obtain a hash value signature. In step 1005, the server transmits the public key, the re-hashed hash value, and the signed hash value to the terminal. In step 1006, the terminal signs the public key based on the hashed value after the re-hash operation and the signed hashed value. In step 1007, i.e. during the subsequent verification process, the terminal sends the hash value obtained by encrypting the hash value obtained by the re-hash operation based on the public key to the server. In step 1008, the server verifies the identity rights of the terminal based on the merkel tree. In step 1009, the server transmits the rights verification result to the terminal.
In some embodiments, the method provided by the embodiment of the application is applied to an electronic competition scene, and an electronic competition application program is provided on a terminal, wherein the application program is an application of a one-stop electronic competition platform with functions of competition, sightseeing and the like. In the application program, an information communication channel is required to be established to help the players of the game with successful registration to communicate with each other, the players need to communicate with the game time and related information of the event, and the team leader or the game referee needs to inform the players of the key information of the game, so the information communication channel is generally a chat-room group. The method comprises the steps of participating in FIG. 11, entering a chat room by triggering an "enter team chat room" control on an "event of me entry" interface of the application, or participating in FIG. 12, entering a chat room by triggering an "enter fight chat room" control on an "event of me entry" interface of the application, or entering a chat room by triggering an "my chat" control on a personal main page, see FIG. 13. FIG. 14 is a schematic diagram of a team's chat room dialog interface including head portrait, nickname, character, chat content, time of transmission, and distinguishing own and other dialog styles, character including team leader, team friend, I, referee, title of "team leader" or "referee" when it is "team leader" or "referee" and title of "I" otherwise. FIG. 15 is a schematic diagram of a dialog interface of chat rooms of two teams in a fight, including head portrait, nickname, character, chat content, sending time, etc., and distinguishing own and other people's dialog styles, the character including team leader, team mate, i'm, referee, opponents, when they are "team leader" or "referee", will show the title of "team leader" or "referee", otherwise show the title of "i". Fig. 16 is a schematic diagram of an interface for "chat information" that includes member roles for chat rooms, group chat names, and chat bulletin setup controls. Fig. 17 is a schematic diagram of an interface for "chat messages" after a chat room publication, the interface including the chat room's member roles, group chat names, and chat publication content. If no referee exists in the group, the team leader of each team can edit the publication, i.e. if a plurality of teams exist, the team leader of the plurality of teams can edit the publication.
The embodiment of the application can verify the chat identity authority in the chat room in the application program and verify the authority for publishing the bulletin. When the chat identity authority is verified through the embodiment of the application, the terminal sends a chat request to the server, wherein the chat request carries a first hash value obtained based on the hash value of the identity information of the current login account in the target group and the hash value of the authority information of the release session. The server acquires a hash value tree of the current login account, wherein the hash value tree is a hash value tree corresponding to the identity information of the target group and the authority information of the release session, if the first hash value is the same as the sixth hash value in the hash value tree, the terminal determines that the authority verification result passes the verification, the server sends the authority verification result to the terminal, and the terminal releases the session information of the current login account in the target group based on the authority verification result. In another implementation manner, the chat request carries session information of the current login account, after the server determines that the permission verification result is verification, the session information is issued to the target group, and the permission verification result is sent to the terminal, where the permission verification result is used to instruct the terminal to display the session information on the session interface.
When verifying the authority of the publishing notice by the method provided by the embodiment of the application, the terminal sends a notice publishing request to the server, wherein the notice publishing request carries a first hash value obtained based on the hash value of the identity information of the current login account in the target group and the hash value of the authority information of the publishing notice. The server acquires a hash value tree of the current login account, wherein the hash value tree is a hash value tree corresponding to the identity information of the target group and the authority information of the release notice, if the first hash value is the same as the sixth hash value in the hash value tree, the terminal determines that the authority verification result passes the verification, the server sends the authority verification result to the terminal, and the terminal releases the notice information of the current login account in the target group based on the authority verification result. In another implementation manner, the chat request carries the advertisement information of the current login account, after the server determines that the permission verification result is verification, the advertisement information is published to the target group, and the permission verification result is sent to the terminal, wherein the permission verification result is used for indicating the terminal to display the advertisement information on the chat information interface.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
It should be noted that, the method provided by the embodiment of the application is not only suitable for checking the chat identity authority in the chat room and checking the identity authority when the notice is issued, but also suitable for any identity authority checking scene.
The embodiment of the application also provides an identity authority verification device, referring to fig. 18, the device comprises:
The first receiving module 1801 is configured to receive a permission verification request of the terminal, where the permission verification request carries a first hash value, where the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of the current login account, and the permission information to be verified is part of permission information in the permission information of the account;
The obtaining module 1802 is configured to obtain a hash value tree of the generated account, where the hash value tree includes a first node, a second node, and a third node, the third node is a parent node of the first node and the second node, the first node stores a fourth hash value corresponding to the reference identity information, the second node stores a fifth hash value corresponding to the reference authority information, and the third node stores a sixth hash value, where the sixth hash value is obtained based on the fourth hash value and the fifth hash value;
and the verification module 1803 is configured to verify the identity authority of the terminal based on the first hash value and the sixth hash value.
Optionally, a verification module 1803 is configured to:
if the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to be verification passing;
if the first hash value and the sixth hash value are different, the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and the permission verification result is determined to be that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
a verification module 1803, configured to:
if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, determining that the permission verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on the public key, and the device further comprises:
and the first decryption module is used for decrypting the encrypted hash value based on the private key corresponding to the public key to obtain a first hash value.
Optionally, the apparatus further comprises:
the signature module is used for signing the sixth hash value based on the private key;
The first sending module is used for sending a signature verification request to the terminal, the signature verification request carries a public key, a sixth hash value and the signed sixth hash value, the signature verification request is used for indicating the terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
Optionally, the apparatus further comprises:
The second receiving module is used for receiving an authorization request of the terminal, wherein the authorization request carries reference identity information and reference authority information;
The first determining module is used for respectively determining the hash value of the reference identity information and the hash value of the reference authority information to obtain a fourth hash value and a fifth hash value;
a second determining module, configured to determine a sixth hash value based on the fourth hash value and the fifth hash value;
and the generation module is used for generating a hash value tree based on the fourth hash value, the fifth hash value and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, the eighth hash value is obtained based on the seventh hash value and the sixth hash value, and the authorization request further carries the identity information;
A generation module, comprising:
a first determining unit configured to determine a seventh hash value based on the hash value of the identity information;
a second determination unit configured to determine an eighth hash value based on the sixth hash value and the seventh hash value;
and a generation unit configured to generate a hash value tree based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, the first determining unit is configured to:
acquiring hash value of identity information and hash value of current time stamp, determining seventh hash value based on hash value of identity information and hash value of current time stamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as a seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on the symmetric key, and the device further comprises:
and the second decryption module is used for decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, the first receiving module 1801 is configured to:
and receiving a permission verification request forwarded by the application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the apparatus further comprises:
the third receiving module is used for receiving an announcement release request of the terminal, wherein the announcement release request carries announcement information of the current login account;
And the second sending module is used for sending notice information to a target group if the authority verification result is that verification is passed, wherein the target group is the group where the current login account is located.
Fig. 19 shows a block diagram of a terminal 1900 according to an exemplary embodiment of the present application. The terminal 1900 may be a portable mobile terminal such as a smart phone, tablet, MP3 player (Moving Picture Experts Group Audio Layer III, MPEG audio layer 3), MP4 (Moving Picture Experts Group Audio Layer IV, MPEG audio layer 4) player, notebook, or desktop. Terminal 1900 may also be referred to by other names as user equipment, portable terminal, laptop terminal, desktop terminal, etc.
Terminal 1900 typically includes a processor 1901 and memory 1902.
Processor 1901 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 1901 may be implemented in at least one hardware form of DSP (DIGITAL SIGNAL Processing), FPGA (Field-Programmable gate array), PLA (Programmable Logic Array ). The processor 1901 may also include a main processor, which is a processor for processing data in the awake state, also referred to as a CPU (Central Processing Unit ), and a coprocessor, which is a low-power-consumption processor for processing data in the standby state. In some embodiments, the processor 1901 may be integrated with a GPU (Graphics Processing Unit, image processor) for rendering and drawing of content that is required to be displayed by the display screen. In some embodiments, the processor 1901 may also include an AI (ARTIFICIAL INTELLIGENCE ) processor for processing computing operations related to machine learning.
Memory 1902 may include one or more computer-readable storage media, which may be non-transitory. Memory 1902 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 1902 is used to store at least one program code for execution by processor 1901 to implement the identity rights verification method provided by the method embodiments of the present application.
In some embodiments, terminal 1900 may optionally include a peripheral interface 1903 and at least one peripheral. The processor 1901, memory 1902, and peripheral interface 1903 may be connected by a bus or signal line. The individual peripheral devices may be connected to the peripheral device interface 1903 via buses, signal lines, or circuit boards. In particular, the peripheral devices include at least one of radio frequency circuitry 1904, a display screen 1905, a camera assembly 1906, an audio circuit 1907, a positioning assembly 1908, and a power supply 1909.
Peripheral interface 1903 may be used to connect at least one Input/Output (I/O) related peripheral to processor 1901 and memory 1902. In some embodiments, the processor 1901, memory 1902, and peripheral interface 1903 are integrated on the same chip or circuit board, and in some other embodiments, either or both of the processor 1901, memory 1902, and peripheral interface 1903 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The Radio Frequency circuit 1904 is configured to receive and transmit RF (Radio Frequency) signals, also referred to as electromagnetic signals. The radio frequency circuit 1904 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 1904 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1904 includes an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and the like. The radio frequency circuit 1904 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to, the world wide web, metropolitan area networks, intranets, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (WIRELESS FIDELITY ) networks. In some embodiments, the radio frequency circuit 1904 may also include NFC (NEAR FIELD Communication) related circuits, which is not limited by the present application.
The display 1905 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When display 1905 is a touch display, display 1905 also has the ability to collect touch signals at or above the surface of display 1905. The touch signal may be input as a control signal to the processor 1901 for processing. At this point, the display 1905 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, the display 1905 may be one, disposed on the front panel of the terminal 1900, in other embodiments, the display 1905 may be at least two, disposed on different surfaces of the terminal 1900 or in a folded design, respectively, and in other embodiments, the display 1905 may be a flexible display, disposed on a curved surface or a folded surface of the terminal 1900. Even more, the display screen 1905 may be arranged in a non-rectangular irregular pattern, i.e., a shaped screen. The display 1905 may be made of LCD (Liquid CRYSTAL DISPLAY), OLED (Organic Light-Emitting Diode), or other materials.
The camera assembly 1906 is used to capture images or video. Optionally, camera assembly 1906 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal. In some embodiments, the at least two rear cameras are any one of a main camera, a depth camera, a wide-angle camera and a tele camera, so as to realize that the main camera and the depth camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize a panoramic shooting and Virtual Reality (VR) shooting function or other fusion shooting functions. In some embodiments, camera assembly 1906 may also include a flash. The flash lamp can be a single-color temperature flash lamp or a double-color temperature flash lamp. The dual-color temperature flash lamp refers to a combination of a warm light flash lamp and a cold light flash lamp, and can be used for light compensation under different color temperatures.
The audio circuit 1907 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, inputting the electric signals to the processor 1901 for processing, or inputting the electric signals to the radio frequency circuit 1904 for realizing voice communication. For purposes of stereo acquisition or noise reduction, the microphone may be multiple, each disposed at a different location on the terminal 1900. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is used to convert electrical signals from the processor 1901 or the radio frequency circuit 1904 into sound waves. The speaker may be a conventional thin film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to humans, but also the electric signal can be converted into a sound wave inaudible to humans for ranging and other purposes. In some embodiments, audio circuit 1907 may also include a headphone jack.
The location component 1908 is used to locate the current geographic location of the terminal 1900 for navigation or LBS (Location Based Service, location based services). The positioning component 1908 may be a positioning component based on the united states GPS (Global Positioning System ), the beidou system of china, or the galileo system of russia.
A power supply 1909 is used to power the various components in terminal 1900. The power supply 1909 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 1909 includes a rechargeable battery, the rechargeable battery may be a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, terminal 1900 also includes one or more sensors 1910. The one or more sensors 1910 include, but are not limited to, an acceleration sensor 1911, a gyroscope sensor 1912, a pressure sensor 1913, a fingerprint sensor 1914, an optical sensor 1915, and a proximity sensor 1916.
The acceleration sensor 1911 may detect the magnitudes of accelerations on three coordinate axes of a coordinate system established with the terminal 1900. For example, the acceleration sensor 1911 may be used to detect components of gravitational acceleration in three coordinate axes. The processor 1901 may control the display screen 1905 to display a user interface in either a landscape view or a portrait view based on gravitational acceleration signals acquired by the acceleration sensor 1911. Acceleration sensor 1911 may also be used for the acquisition of motion data of a game or user.
The gyro sensor 1912 may detect a body direction and a rotation angle of the terminal 1900, and the gyro sensor 1912 may collect a 3D motion of the user on the terminal 1900 in cooperation with the acceleration sensor 1911. The processor 1901 can realize functions such as motion sensing (e.g., changing a UI according to a tilting operation by a user), image stabilization at the time of photographing, game control, and inertial navigation, based on data collected by the gyro sensor 1912.
Pressure sensor 1913 may be disposed on a side border of terminal 1900 and/or below display 1905. When the pressure sensor 1913 is disposed on the side frame of the terminal 1900, a grip signal of the terminal 1900 by the user can be detected, and the processor 1901 performs left-right hand recognition or quick operation according to the grip signal collected by the pressure sensor 1913. When the pressure sensor 1913 is disposed at the lower layer of the display screen 1905, the processor 1901 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 1905. The operability controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 1914 is used to collect a fingerprint of the user, and the processor 1901 identifies the identity of the user based on the fingerprint collected by the fingerprint sensor 1914, or the fingerprint sensor 1914 identifies the identity of the user based on the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the processor 1901 authorizes the user to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, and the like. The fingerprint sensor 1914 may be disposed on the front, back, or side of the terminal 1900. When a physical key or vendor Logo is provided on terminal 1900, fingerprint sensor 1914 may be integrated with the physical key or vendor Logo.
The optical sensor 1915 is used to collect ambient light intensity. In one embodiment, the processor 1901 may control the display brightness of the display screen 1905 based on ambient light intensity collected by the optical sensor 1915. Specifically, the display luminance of the display screen 1905 is turned up when the ambient light intensity is high, and the display luminance of the display screen 1905 is turned down when the ambient light intensity is low. In another embodiment, the processor 1901 may also dynamically adjust the shooting parameters of the camera assembly 1906 based on the ambient light intensity collected by the optical sensor 1915.
A proximity sensor 1916, also referred to as a distance sensor, is typically provided on the front panel of terminal 1900. The proximity sensor 1916 serves to collect a distance between a user and the front of the terminal 1900. In one embodiment, the processor 1901 controls the display 1905 to switch from the on-screen state to the off-screen state when the proximity sensor 1916 detects a gradual decrease in the distance between the user and the front of the terminal 1900, and the processor 1901 controls the display 1905 to switch from the off-screen state to the on-screen state when the proximity sensor 1916 detects a gradual increase in the distance between the user and the front of the terminal 1900.
Those skilled in the art will appreciate that the configuration shown in fig. 19 is not limiting and that terminal 1900 may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
Fig. 20 is a block diagram of a server according to an embodiment of the present application, where the server 2000 may have a relatively large difference due to different configurations or performances, and may include one or more processors (Central Processing Units, CPU) 2001 and one or more memories 2002, where the memories 2002 are used to store executable program codes, and the processors 2001 are configured to execute the executable program codes to implement the identity authority verification method provided in the foregoing method embodiments. Of course, the server may also have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described herein.
In an exemplary embodiment, a storage medium is also provided, such as a memory 2002, comprising program code executable by the processor 2001 of the server 2000 to perform the identity rights verification method described above. Alternatively, the storage medium may be a non-transitory computer-readable storage medium, for example, a ROM (Read-Only Memory), a RAM (Random Access Memory ), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.
The embodiment of the application also provides a computer readable storage medium, at least one program code is stored in the computer readable storage medium, and the at least one program code is loaded and executed by a processor to realize the identity authority verification method of any implementation mode.
Embodiments of the present application also provide a computer program product, where the computer program product includes at least one program code, where the at least one program code is loaded and executed by a processor to implement the identity authority checking method according to any one of the foregoing implementations.
In some embodiments, the computer program product according to the embodiments of the present application may be deployed to be executed on one server, or on a plurality of servers located at one site, or on a plurality of servers distributed at a plurality of sites and interconnected by a communication network, where the plurality of servers distributed at the plurality of sites and interconnected by the communication network may constitute a blockchain system.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
The foregoing is illustrative of the present application and is not to be construed as limiting thereof, but rather as various modifications, equivalent arrangements, improvements, etc., which fall within the spirit and principles of the present application.