CN116436606B - Identity authority verification method, device, server, storage medium and product - Google Patents

Identity authority verification method, device, server, storage medium and product

Info

Publication number
CN116436606B
CN116436606B CN202210002257.5A CN202210002257A CN116436606B CN 116436606 B CN116436606 B CN 116436606B CN 202210002257 A CN202210002257 A CN 202210002257A CN 116436606 B CN116436606 B CN 116436606B
Authority
CN
China
Prior art keywords
hash value
node
information
identity information
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210002257.5A
Other languages
Chinese (zh)
Other versions
CN116436606A (en
Inventor
曾祯
骆伟明
张志东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202210002257.5A priority Critical patent/CN116436606B/en
Publication of CN116436606A publication Critical patent/CN116436606A/en
Application granted granted Critical
Publication of CN116436606B publication Critical patent/CN116436606B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • G06F16/2228Indexing structures
    • G06F16/2246Trees, e.g. B+trees
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • G06F16/2228Indexing structures
    • G06F16/2255Hash tables
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2455Query execution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/04Real-time or near real-time messaging, e.g. instant messaging [IM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

本申请提供了一种身份权限校验方法、装置、服务器、存储介质及产品,属于信息处理技术领域。方法包括:接收终端的权限校验请求,权限校验请求携带基于待校验身份信息的第二哈希值和待校验权限信息的第三哈希值得到的第一哈希值,待校验身份信息和待校验权限信息分别为部分身份信息和部分权限信息;获取已生成的账号的哈希值树,哈希值树中的第三节点为第一节点和第二节点的父节点,且第一节点和第二节点分别存储基准身份信息对应的第四哈希值和基准权限信息对应的第五哈希值,第三节点存储基于第四哈希值和第五哈希值得到的第六哈希值;基于第一哈希值和第六哈希值,对终端进行身份权限的验证。该方法有效提高了身份权限校验的安全性。

The present application provides an identity authority verification method, device, server, storage medium and product, which belongs to the field of information processing technology. The method includes: receiving a permission verification request from a terminal, the permission verification request carries a first hash value obtained based on a second hash value of the identity information to be verified and a third hash value of the permission information to be verified, the identity information to be verified and the permission information to be verified are partial identity information and partial permission information respectively; obtaining a hash value tree of a generated account, the third node in the hash value tree is the parent node of the first node and the second node, and the first node and the second node respectively store a fourth hash value corresponding to the baseline identity information and a fifth hash value corresponding to the baseline permission information, and the third node stores a sixth hash value obtained based on the fourth hash value and the fifth hash value; based on the first hash value and the sixth hash value, verifying the identity authority of the terminal. This method effectively improves the security of identity authority verification.

Description

Identity authority verification method, device, server, storage medium and product
Technical Field
The present application relates to the field of information processing technologies, and in particular, to a method, an apparatus, a server, a storage medium, and a product for verifying identity authority.
Background
In some competition scenarios, it is generally necessary to establish information communication channels such as chat rooms or groups, so as to facilitate communication between members of the competition. When the event information such as the time and place of the event is required to be notified, the members are notified by means of group bulletins, and generally only management staff such as referees and captain have the authority to issue bulletins. Therefore, before the group bulletin is released, the authority of the user to be released bulletin needs to be verified, and when the verification result is that the user has the authority of releasing bulletin, the bulletin can be released.
In the related art, when verifying whether a user has the authority to issue an announcement, it is generally required to acquire complete identity information of the user, and acquire complete authority information based on the complete identity information, where the complete authority information includes all authority information such as chat authority and announcement authority of the user, and then verify whether the user has the authority to issue an announcement based on the complete authority information.
In the related art, the rights of the publishing notice are only part of the rights of the user, but when verifying the part of rights, the complete identity information and the complete rights information of the user are required to be obtained for verification, so that the privacy exposure degree of the user is higher, and the privacy protection degree of the user is lower.
Disclosure of Invention
The embodiment of the application provides an identity authority verification method, an identity authority verification device, a server, a storage medium and a product, which can effectively improve the safety of identity authority verification. The technical scheme is as follows:
In one aspect, there is provided an identity authority verification method, the method including:
Receiving a permission verification request of a terminal, wherein the permission verification request carries a first hash value, the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of a current login account, and the permission information to be verified is part of permission information in the permission information of the account;
The method comprises the steps that a generated hash value tree of an account is obtained, wherein the hash value tree comprises a first node, a second node and a third node, the third node is a father node of the first node and the second node, the first node stores a fourth hash value corresponding to reference identity information, the second node stores a fifth hash value corresponding to reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value;
and based on the first hash value and the sixth hash value, verifying the identity authority of the terminal.
Optionally, the verifying the identity authority of the terminal based on the first hash value and the sixth hash value includes:
If the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to pass verification;
and if the first hash value and the sixth hash value are different, indicating that the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and determining that the authority verification result is that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, and the fifth node stores an eighth hash value, the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
The verification of the identity authority of the terminal is performed based on the first hash value and the sixth hash value, and the verification comprises the following steps of;
If the first hash value is the same as the sixth hash value and a ninth hash value is the same as the eighth hash value, determining that the authority verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
And if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on a public key;
before the authentication of the identity authority of the terminal is performed based on the first hash value and the sixth hash value, the method further includes:
and decrypting the encrypted hash value based on a private key corresponding to the public key to obtain the first hash value.
Optionally, the method further comprises:
signing the sixth hash value based on the private key;
And sending a signature verification request to the terminal, wherein the signature verification request carries the public key, the sixth hash value and the signed sixth hash value, the signature verification request is used for indicating the terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
Optionally, the generating process of the hash value tree includes:
receiving an authorization request of the terminal, wherein the authorization request carries the reference identity information and the reference authority information;
respectively determining a hash value of the reference identity information and a hash value of the reference authority information to obtain a fourth hash value and a fifth hash value;
Determining the sixth hash value based on the fourth hash value and the fifth hash value;
the hash value tree is generated based on the fourth hash value, the fifth hash value, and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the seventh hash value and the sixth hash value;
the generating the hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value includes:
Determining the seventh hash value based on the hash value of the identity information;
Determining the eighth hash value based on the sixth hash value and the seventh hash value;
the hash value tree is generated based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, the determining the seventh hash value based on the hash value of the identity information includes:
Acquiring hash value of the identity information and hash value of the current timestamp, determining the seventh hash value based on the hash value of the identity information and hash value of the current timestamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as the seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on a symmetric key;
before the hash value of the reference identity information and the hash value of the reference authority information are respectively determined to obtain the fourth hash value and the fifth hash value, the method further includes:
and decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, the receiving the permission verification request of the terminal includes:
And receiving a permission verification request forwarded by an application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the method further comprises:
receiving an announcement publishing request of the terminal, wherein the announcement publishing request carries announcement information of the current login account;
And if the authority verification result is that verification is passed, sending the notice information to a target group, wherein the target group is the group where the current login account is located.
In another aspect, there is provided an identity authority verification apparatus, the apparatus comprising:
The first receiving module is used for receiving a permission verification request of the terminal, wherein the permission verification request carries a first hash value, the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of a current login account, and the permission information to be verified is part of permission information in the permission information of the account;
The acquisition module is used for acquiring a generated hash value tree of the account, wherein the hash value tree comprises a first node, a second node and a third node, the third node is a father node of the first node and the second node, the first node stores a fourth hash value corresponding to the reference identity information, the second node stores a fifth hash value corresponding to the reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value;
and the verification module is used for verifying the identity authority of the terminal based on the first hash value and the sixth hash value.
Optionally, the verification module is configured to:
If the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to pass verification;
and if the first hash value and the sixth hash value are different, indicating that the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and determining that the authority verification result is that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, and the fifth node stores an eighth hash value, the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
the verification module is used for:
If the first hash value is the same as the sixth hash value and a ninth hash value is the same as the eighth hash value, determining that the authority verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
And if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on a public key, and the device further comprises:
And the first decryption module is used for decrypting the encrypted hash value based on the private key corresponding to the public key to obtain the first hash value.
Optionally, the apparatus further comprises:
A signature module for signing the sixth hash value based on the private key;
The first sending module is configured to send a signature verification request to the terminal, where the signature verification request carries the public key, the sixth hash value and the signed sixth hash value, and the signature verification request is configured to instruct the terminal to decrypt the signed sixth hash value based on the public key, and store the public key if the decrypted hash value is the same as the sixth hash value.
Optionally, the apparatus further includes:
The second receiving module is used for receiving an authorization request of the terminal, wherein the authorization request carries the reference identity information and the reference authority information;
The first determining module is used for respectively determining the hash value of the reference identity information and the hash value of the reference authority information to obtain the fourth hash value and the fifth hash value;
A second determining module configured to determine the sixth hash value based on the fourth hash value and the fifth hash value;
And the generation module is used for generating the hash value tree based on the fourth hash value, the fifth hash value and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, where the fifth node is a parent node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the seventh hash value and the sixth hash value;
the generating module comprises:
a first determining unit configured to determine the seventh hash value based on the hash value of the identity information;
a second determining unit configured to determine the eighth hash value based on the sixth hash value and the seventh hash value;
and a generating unit, configured to generate the hash value tree based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, the first determining unit is configured to:
Acquiring hash value of the identity information and hash value of the current timestamp, determining the seventh hash value based on the hash value of the identity information and hash value of the current timestamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as the seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on a symmetric key, and the device further comprises:
And the second decryption module is used for decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, the first receiving module is configured to:
And receiving a permission verification request forwarded by an application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the apparatus further comprises:
The third receiving module is used for receiving an announcement publishing request of the terminal, wherein the announcement publishing request carries announcement information of the current login account;
and the second sending module is used for sending the notice information to a target group if the authority verification result is that verification is passed, wherein the target group is the group where the current login account is located.
In another aspect, a server is provided, where the server includes one or more processors and one or more memories, where at least one program code is stored in the one or more memories, and the at least one program code is loaded and executed by the one or more processors to implement the identity authority checking method according to any of the above implementations.
In another aspect, a computer readable storage medium is provided, where at least one program code is stored, where the at least one program code is loaded and executed by a processor to implement the identity authority verification method according to any one of the above implementations.
In another aspect, a computer program product is provided, the computer program product comprising at least one piece of program code, the at least one piece of program code being loaded and executed by a processor to implement the identity authority verification method according to any one of the implementations described above.
The technical scheme provided by the embodiment of the application has the beneficial effects that at least:
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present application;
FIG. 2 is a flowchart of an identity authority verification method provided by an embodiment of the present application;
FIG. 3 is a flowchart of a hash value tree generation process provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a hash tree according to an embodiment of the present application;
FIG. 5 is a flowchart of an identity authority verification method provided by an embodiment of the present application;
FIG. 6 is a flowchart of a hash value tree generation process provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of a hash tree according to an embodiment of the present application;
FIG. 8 is a flowchart of an identity authority verification method provided by an embodiment of the present application;
FIG. 9 is a flowchart of an identity authority verification method provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of an interaction process between devices according to an embodiment of the present application;
FIG. 11 is a schematic diagram of an interface of an application according to an embodiment of the present application;
FIG. 12 is a schematic diagram of an interface of an application according to an embodiment of the present application;
FIG. 13 is a schematic diagram of an interface of an application according to an embodiment of the present application;
FIG. 14 is a schematic diagram of a dialog interface provided by an embodiment of the present application;
FIG. 15 is a schematic diagram of a dialog interface provided by an embodiment of the present application;
Fig. 16 is a schematic diagram of a chat information interface provided by an embodiment of the application;
FIG. 17 is a schematic diagram of a chat information interface provided by an embodiment of the application;
FIG. 18 is a block diagram of an identity rights verification apparatus provided by an embodiment of the present application;
fig. 19 is a block diagram of a terminal according to an embodiment of the present application;
fig. 20 is a block diagram of a server according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
The terms "first," "second," "third," and "fourth" and the like in the description and in the claims and drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprising," "including," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, user identity information, user authority information, etc.) related to the present application is information authorized by the user or sufficiently authorized by each party.
Blockchains are novel application modes of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, encryption algorithms, and the like. The blockchain (Blockchain), essentially a de-centralized database, is a string of data blocks that are generated in association using cryptographic methods, each of which contains information from a batch of network transactions for verifying the validity (anti-counterfeit) of its information and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer.
The blockchain underlying platform may include processing modules for user management, basic services, smart contracts, and operational monitoring. The system comprises a user management module, a base service module, a public and private key generation (account management), a key management and a corresponding relation maintenance (authority management) of a user real identity and a blockchain address, and the like, wherein the user management module is responsible for identity information management of all blockchain participants, comprises maintenance of public and private key generation (account management), key management, maintenance of a corresponding relation between the user real identity and the blockchain address (authority management) and the like, and provides rule configuration (wind control audit) of risk control under the authorized condition, the base service module is deployed on all blockchain node devices and is used for verifying the validity of service requests, recording the valid requests after the valid requests are completed, for a new service request, the base service firstly carries out interface adaptation analysis and authentication processing (interface adaptation), then carries out encryption (consensus management) on the service information, and carries out recording and storage on a shared account book (network communication) after the encryption, the intelligent contract module is responsible for registration issuing of contracts and contract triggering and contract execution, developers can define contract logic through programming languages, issue contract logic on the blockchain (contract registering), call keys or other event triggering execution according to contract logic, and complete contract logic, and provide updating and upgrading main function monitoring and main contract updating function, and monitoring device in real-time monitoring and monitoring conditions in a cloud monitoring and monitoring device.
The platform product service layer provides basic capabilities and implementation frameworks of typical applications, and developers can complete the blockchain implementation of business logic based on the basic capabilities and the characteristics of the superposition business. The application service layer provides the application service based on the block chain scheme to the business participants for use.
Fig. 1 is a schematic view of an implementation environment provided in an embodiment of the present application, and referring to fig. 1, the implementation environment includes a terminal 10 and a server 20. The terminal 10 and the server 20 are connected by a wired or wireless network. The server 20 is a server, or at least one of a server cluster cloud server, a cloud computing platform and a virtualization center, which are formed by a plurality of servers, and optionally, the server 20 is a server of a trusted CA (Certification Authority, authentication center) or a server for providing a trusted third party service. The terminal 10 may be at least one of a smart phone, a tablet computer, a vehicle-mounted terminal, a notebook computer, a desktop computer, or the like. The terminal 10 has a target application installed thereon, and the terminal 10 can realize functions such as data transmission, information interaction, and the like through the target application. The target application is an application in the operating system of the terminal 10 or an application provided for a third party. For example, the target application is a chat application program, the terminal 10 can send the permission verification request to the server 20 through the target application program, and the server 20 is used for verifying the identity permission of the terminal 10 by adopting the method provided by the application.
In another implementation, the implementation environment includes a terminal 10, a server 20, and an application server. The application server is connected to the terminal 10 and the server 20 via a wired or wireless network, respectively. Optionally, the application server is a background server of the terminal 10, the target application installed on the terminal 10 is served by the application server, after the terminal 10 can send the permission verification request to the application server through the target application program, the application server forwards the permission verification request to the server 20, and the server 20 is used for verifying the identity permission of the terminal 10 by adopting the method provided by the application.
Fig. 2 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 2, the method includes:
201. And receiving a permission verification request of the terminal, wherein the permission verification request carries a first hash value, the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of the current login account, and the permission information to be verified is part of permission information in the permission information of the account.
202. The method comprises the steps of obtaining a generated hash value tree of an account, wherein the hash value tree comprises a first node, a second node and a third node, the third node is a father node of the first node and the second node, the first node stores a fourth hash value corresponding to reference identity information, the second node stores a fifth hash value corresponding to reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value.
203. And based on the first hash value and the sixth hash value, verifying the identity authority of the terminal.
Optionally, based on the first hash value and the sixth hash value, verifying the identity authority of the terminal includes:
if the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to be verification passing;
if the first hash value and the sixth hash value are different, the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and the permission verification result is determined to be that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
based on the first hash value and the sixth hash value, verifying the identity authority of the terminal, including;
if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, determining that the permission verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on the public key;
Before verifying the identity authority of the terminal based on the first hash value and the sixth hash value, the method further comprises:
And decrypting the encrypted hash value based on the private key corresponding to the public key to obtain a first hash value.
Optionally, the method further comprises:
signing the sixth hash value based on the private key;
And sending a signature verification request to the terminal, wherein the signature verification request carries the public key, the sixth hash value and the signed sixth hash value, the signature verification request is used for indicating the terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
Optionally, the generating process of the hash value tree includes:
receiving an authorization request of a terminal, wherein the authorization request carries reference identity information and reference authority information;
Respectively determining a hash value of the reference identity information and a hash value of the reference authority information to obtain a fourth hash value and a fifth hash value;
determining a sixth hash value based on the fourth hash value and the fifth hash value;
a hash value tree is generated based on the fourth hash value, the fifth hash value, and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, the eighth hash value is obtained based on the seventh hash value and the sixth hash value, and the authorization request further carries the identity information;
generating a hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value, comprising:
determining a seventh hash value based on the hash value of the identity information;
Determining an eighth hash value based on the sixth hash value and the seventh hash value;
a hash value tree is generated based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, determining the seventh hash value based on the hash value of the identity information includes:
acquiring hash value of identity information and hash value of current time stamp, determining seventh hash value based on hash value of identity information and hash value of current time stamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as a seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on the symmetric key;
the method further comprises the steps of before the hash value of the reference identity information and the hash value of the reference authority information are respectively determined to obtain a fourth hash value and a fifth hash value:
And decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, receiving the permission verification request of the terminal includes:
and receiving a permission verification request forwarded by the application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the method further comprises:
receiving an announcement publishing request of a terminal, wherein the announcement publishing request carries announcement information of a current login account;
If the authority verification result is that verification is passed, sending notice information to a target group, wherein the target group is the group where the current login account is located.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
Fig. 3 is a flowchart of a hash value tree generation process according to an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 3, the method includes:
301. the terminal sends an authorization request to the server.
Wherein the authorization request carries reference identity information and reference rights information. The reference identity information is part of identity information of the current login account of the terminal, and the reference authority information is part of authority information of the account corresponding to the part of identity information.
In some embodiments, the authorization request is triggered by the terminal based on a target control on a target application that it installs, and the terminal is a terminal used by the user. In some embodiments, after the target application is started for the first time, the target application displays an information input interface, after the user inputs the identity information of the target application, the account of the user obtains a plurality of rights of the target application, the plurality of rights are respectively part rights of the account, each right corresponds to part of the identity information of the account, and each part of the right information and the corresponding part of the identity information are respectively used as reference identity information and reference right information of the right.
In one implementation, the terminal sequentially sends each piece of authority information and the partial identity information corresponding to each piece of authority information to the server, so that the subsequent server can generate a hash value tree directly based on the partial authority information and the partial identity information. In another implementation manner, the terminal simultaneously transmits the plurality of authority information and the corresponding partial identity information to the server, and the server determines each authority information and the corresponding partial identity information, so that the transmission times are reduced, and the transmission efficiency is improved. Optionally, the server determines the corresponding partial identity information based on the identification of the partial identity information carried by the authority information.
302. And the server receives the authorization request sent by the terminal.
In one implementation, the authorization request carries the reference identity information and the reference rights information after encrypting the reference identity information and the reference rights information based on the symmetric key. After receiving the authorization request, the server decrypts the encrypted reference identity information and the encrypted reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
The symmetric key is a key agreed in advance by the terminal and the server, and the passwords of the symmetric key for encryption and decryption are the same. Optionally, the terminal generates the symmetric key and then sends the symmetric key to the server through the trusted channel or the server generates the symmetric key and then sends the symmetric key to the terminal through the trusted channel.
Optionally, the server is a server of a trusted CA or a server providing a trusted third party service, so that when identity authority verification is performed by the server later, the security of performing the identity authority verification can be improved, and the accuracy and the credibility of the authority verification result can be improved.
303. The server respectively determines a hash value of the reference identity information and a hash value of the reference authority information to obtain a fourth hash value and a fifth hash value.
The hash algorithm for determining the hash value by the server may be set and changed according to needs, which is not particularly limited in the embodiment of the present application.
304. The server determines a sixth hash value based on the fourth hash value and the fifth hash value.
Optionally, after the server splices the fourth hash value and the fifth hash value, the server carries out hash operation again on the spliced hash value to obtain a sixth hash value.
305. The server generates a hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value.
Referring to fig. 4, fig. 4 is a schematic diagram of a hash value tree generated based on a fourth hash value, a fifth hash value and a sixth hash value, where the hash value tree includes a first node, a second node and a third node, the third node is a parent node of the first node and the second node, the first node stores a fourth hash value corresponding to reference identity information, the second node stores a fifth hash value corresponding to reference authority information, the third node stores a sixth hash value, and the sixth hash value is obtained based on the fourth hash value and the fifth hash value. The first node and the second node are leaf nodes of a hash value tree respectively, the leaf nodes store a fourth hash value and a fifth hash value of the reference identity information and the reference authority information respectively, and the third node is a root node and is used for storing a root hash value, namely a sixth hash value, of the hash value tree.
In the embodiment of the application, the server generates the hash value tree based on the hash value of the reference identity information and the hash value of the reference authority information, and then based on the hash value of the reference identity information, the hash value of the reference authority information and the hash value of the sixth hash value, so that when the subsequent server receives the authority verification request, the server can verify based on the sixth hash value in the hash value tree and the first hash value obtained based on the hash value of the identity information to be verified and the hash value of the authority information to be verified, thereby avoiding the verification process based on the complete identity information and the complete authority information of the account, avoiding the exposure of the reference identity information and the reference authority information, realizing the effective protection of the identity information and the authority information of the account, and effectively improving the safety of the identity authority verification.
306. The server generates a public key and a private key corresponding to the hash value tree.
The private key is stored in the server, and the public key is stored in the terminal. When the public key is used for the subsequent terminal to send the permission verification request to the server, the information carried by the permission verification request is encrypted, and the private key is used for decrypting the information carried by the permission verification request, so that the safety of information transmission between the terminal and the server is ensured.
307. The server signs the sixth hash value based on the private key.
In the embodiment of the application, the signature is performed on the sixth hash value through the private key, so that the public key of the terminal is checked and signed based on the signed sixth hash value in the subsequent process, the matching between the public key and the private key can be ensured, and the effectiveness of subsequent encryption or decryption based on the public key and the private key is ensured.
308. And the server sends a signature verification request to the terminal.
The signature verification request carries a public key, a sixth hash value and a signed sixth hash value, the signature verification request is used for indicating a terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
309. The terminal receives the signature verification request, decrypts the signed sixth hash value based on the public key, and stores the public key if the decrypted hash value is the same as the sixth hash value.
In some embodiments, if the decrypted hash value is the same as the sixth hash value, the terminal further stores the sixth hash value, so that when the subsequent terminal sends the permission check request to the server, the sixth hash value is directly used as the first hash value, so that the permission check request is sent to the server with the sixth hash value, further, the acquisition efficiency of the first hash value is improved, and further, the sending efficiency of the permission check request is improved.
In the embodiment of the application, signature verification is realized by decrypting the signed sixth hash value based on the public key, verification of the sixth hash value sent by the server is realized, verification of the identity of the server sending the sixth hash value is realized, and the pairing property of the public key and the private key is verified, so that in the subsequent process, after the server receives the message sent by the terminal and based on public key encryption, the message can be accurately and smoothly decrypted based on the private key, and the decrypting effectiveness is ensured.
Fig. 5 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 5, the method includes:
501. And the terminal sends a permission verification request to the server.
The permission verification request carries a first hash value, wherein the first hash value is obtained based on a second hash value of to-be-verified identity information and a third hash value of to-be-verified permission information, the to-be-verified identity information is part of identity information in the identity information of the current login account, and the to-be-verified permission information is part of permission information in the permission information of the account.
In one implementation, the first hash value is obtained based on a sixth hash value stored in advance by the terminal, the first hash value is the stored sixth hash value if the sixth hash value is not tampered, and the first hash value is the tampered sixth hash value if the sixth hash value is tampered. In another implementation manner, the identity information to be checked and the authority information to be checked are new identity information and new authority information, the first hash value is obtained based on the new identity information and the new authority information, the first hash value is not obtained based on a sixth hash value stored in advance, a hash value tree corresponding to the new identity information and the new authority information is not generated in the server, and the corresponding subsequent authority verification result is failed.
In some embodiments, the permission verification request is triggered by the terminal based on a target control on a target application installed by the terminal, and the terminal is a terminal used by a user. In some embodiments, the target application is a chat application, the authority information to be checked of the account is the authority information of the publishing notice in the target group, the identity information to be checked of the account is the identity information of the manager of the target group, and the terminal sends the authority checking request to the server in response to the triggering of the control of the publishing notice. Optionally, the terminal sends the permission verification request through a trusted channel.
In the embodiment of the application, the identity information to be checked and the authority information to be checked are checked through the first hash value of the part of the identity information and the first hash value of the part of the authority information, so that the exposure of redundant information is avoided, and the verification of the identity information and the authority information is realized through one-time verification, thereby improving the reliability and the efficiency of the verification.
502. And the server receives the permission verification request of the terminal.
In one implementation, the rights verification request carries a hash value after encrypting the first hash value based on the public key. After receiving the permission verification request, the server decrypts the encrypted hash value based on the private key corresponding to the public key to obtain a first hash value.
In the embodiment of the application, the first hash value is encrypted based on the public key, so that the first hash value is prevented from being tampered in the process of being sent to the server, and the safety of the transmission of the first hash value is ensured.
503. The server obtains a hash value tree of the generated account.
The hash value tree generation process is implemented through the steps 301-305, which are not described herein.
It should be noted that each account may correspond to a plurality of different hash value trees, each hash value tree corresponds to a different part of rights of the account, and each hash value tree is associated with not only the corresponding account but also the corresponding part of rights.
In one implementation, a plurality of hash value trees of each account are stored in a set, the set carries account identification of the account, and each hash value tree in the set carries authority identification of partial authority information corresponding to the hash value tree. The first hash value carries an account number identifier and a permission identifier, the server determines a target set matched with the account number identifier from a plurality of sets of a plurality of account numbers, and then determines a hash value tree matched with the permission identifier from the target set.
In another implementation, the same partial rights of the plurality of accounts are stored in a set, the set carries the rights identification, and each hash value tree in the set carries the account identification of the account corresponding to the hash value tree. The first hash value carries an account number identifier and a permission identifier, the server determines a target set matched with the permission identifier from a plurality of sets of a plurality of permissions, and then determines a hash value tree matched with the account number identifier from the target set.
504. And the server verifies the identity authority of the terminal based on the first hash value and the sixth hash value.
In one implementation, if the first hash value and the sixth hash value are the same, the second hash value and the fourth hash value are the same, the third hash value and the fifth hash value are the same, and the permission verification result is determined to be verification passing. In another implementation manner, if the first hash value and the sixth hash value are different, it indicates that the second hash value is different from the fourth hash value or the third hash value is different from the fifth hash value, and it is determined that the permission verification result is that verification is failed. Optionally, the second hash value being different from the fourth hash value or the third hash value being different from the fifth hash value includes the second hash value being different from the fourth hash value or the third hash value being different from the fifth hash value or the second hash value being different from the fourth hash value and the third hash value being different from the fifth hash value.
Optionally, after determining the authority verification result, the server sends the authority verification result to the terminal, and the terminal is used for carrying out the next process based on the authority verification result, wherein the authority verification result is returned by the trusted channel of the trusted CA or the trusted third party service, so that the credibility of the authority verification result is improved.
In another implementation manner, after determining the permission verification result, the server directly instructs the terminal to perform the next flow corresponding to the permission verification result. In some embodiments, the server receives an advertisement publishing request of the terminal, where the advertisement publishing request carries advertisement information of the current login account. If the authority verification result is that verification is passed, the server sends notice information to a target group, wherein the target group is the group where the current login account is located. In this embodiment, the advertisement information is carried in the advertisement publishing request, so that the advertisement information can be directly published to the target group after the verification is passed, thereby improving the efficiency of publishing the advertisement information.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
Fig. 6 is a flowchart of a hash value tree generation process according to an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 6, the method includes:
601. The terminal sends an authorization request to the server.
The authorization request carries reference identity information, reference authority information and identity information. The reference identity information is part of identity information of the current login account of the terminal, the reference authority information is part of authority information of the account corresponding to the part of identity information, and the identity information is all complete identity information of the account.
In some embodiments, the authorization request is triggered by the terminal based on a target control on a target application that it installs, and the terminal is a terminal used by the user. In some embodiments, after the target application is started for the first time, the target application displays an information input interface, after the user inputs the identity information of the target application, the account of the user obtains a plurality of rights of the target application, the plurality of rights are respectively part of rights of the account, each right corresponds to part of the identity information of the account, and each right information and the corresponding part of the identity information are respectively used as reference identity information and reference right information of the rights.
In one implementation, the terminal sequentially transmits each piece of authority information, part of identity information corresponding to each piece of authority information and identity information to the server, so that a subsequent server can generate a hash value tree directly based on the authority information, part of identity information and identity information. In another implementation manner, the terminal simultaneously transmits the identity information, the plurality of authority information and the corresponding part of the identity information to the server, and the server determines each authority information and the corresponding part of the identity information, so that the transmission times are reduced, and the transmission efficiency is improved. Optionally, the server determines the corresponding partial identity information based on the identification of the partial identity information carried by the authority information.
602. And the server receives the authorization request sent by the terminal.
In one implementation, the authorization request carries reference identity information, reference rights information, and identity information after encrypting the reference identity information, reference rights information, and identity information based on the symmetric key. After receiving the authorization request, the server decrypts the encrypted reference identity information, the encrypted reference authority information and the encrypted identity information based on the symmetric key to obtain the reference identity information, the encrypted reference authority information and the encrypted identity information.
Optionally, the terminal encrypts the reference identity information, the reference authority information and the identity information respectively based on the symmetric key, or the terminal packages the reference identity information, the reference authority information and the identity information and encrypts the information once based on the symmetric key.
603. The server respectively determines a hash value of the reference identity information and a hash value of the reference authority information, obtains a fourth hash value and a fifth hash value, and determines a seventh hash value based on the hash value of the identity information.
In one implementation, the server obtains a hash value of the identity information and determines the hash value of the identity information as a seventh hash value. In another implementation mode, the server acquires the hash value of the identity information and the hash value of the current timestamp, determines a seventh hash value based on the hash value of the identity information and the hash value of the current timestamp, and optionally, after splicing the hash value of the identity information and the hash value of the current timestamp, the server carries out hash operation again on the spliced hash value to obtain the seventh hash value, so that the identity information to be verified and the authority information to be verified can be ensured to be within the validity period from the current timestamp when the identity authority is verified later, and the timeliness of the identity authority verification is ensured.
604. The server determines a sixth hash value based on the fourth hash value and the fifth hash value.
Optionally, after the server splices the fourth hash value and the fifth hash value, the server carries out hash operation again on the spliced hash value to obtain a sixth hash value.
605. The server determines an eighth hash value based on the sixth hash value and the seventh hash value.
Optionally, after the server splices the sixth hash value and the seventh hash value, the server carries out hash operation again on the spliced hash value to obtain an eighth hash value.
606. The server generates a hash value tree based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
The hash value tree comprises a first node, a second node, a third node, a fourth node and a fifth node, wherein the third node is a father node of the first node and the second node, the fifth node is a father node of the third node and the fourth node, the first node stores a fourth hash value corresponding to the standard identity information, the second node stores a fifth hash value corresponding to the standard authority information, the third node stores a sixth hash value, the sixth hash value is obtained based on the fourth hash value and the fifth hash value, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the seventh hash value and the sixth hash value.
In the embodiment of the application, the server generates the hash value tree based on the reference identity information, the reference authority information and the identity information, and because the identity information is the whole complete identity information of the account, the hash value of the identity information is used as the node of the hash value tree, so that the stability of the hash value tree and the accuracy of the hash value tree can be ensured, and in the subsequent verification based on the hash value tree, the double verification can be performed based on the sixth hash value and the eighth hash value in the hash value tree, thereby ensuring the verification accuracy.
In another implementation, the hash value tree further comprises a sixth node and a seventh node, wherein the sixth node stores the hash value of the identity information, the seventh node stores the hash value of the current timestamp, the fourth node is a father node of the sixth node and the seventh node, and the fourth node stores a seventh hash value obtained based on the identity information, the hash value and the hash value of the current timestamp. Referring to fig. 7, fig. 7 is a schematic diagram of the hash value tree, where the first node, the second node, the sixth node, and the seventh node are leaf nodes of the hash value tree, and store a fourth hash value of the reference identity information, a fifth hash value of the reference authority information, a hash value of the identity information, and a hash value of the current timestamp, respectively. The third node and the fourth node are intermediate nodes, the fifth node is a root node, and the fifth node stores a root hash value of the hash value tree, namely an eighth hash value. Optionally, the hash value tree is a merkel tree.
In the embodiment of the application, the server generates the Meckel tree based on the reference identity information, the reference authority information, the identity information and the current timestamp, so that the hash value of the current timestamp is used as a node of the hash value tree, and the identity information to be checked and the authority information to be checked in the validity period from the current timestamp in the subsequent verification of the identity authority can be ensured, thereby ensuring the timeliness of the verification of the identity authority.
607. The server generates a public key and a private key corresponding to the hash value tree.
608. The server signs the sixth hash value based on the private key.
609. And the server sends a signature verification request to the terminal.
610. The terminal receives the signature verification request, decrypts the signed sixth hash value based on the public key, and stores the public key if the decrypted hash value is the same as the sixth hash value.
Steps 607-610 are identical to steps 306-309 and are not described in detail herein.
Fig. 8 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 8, the method includes:
801. And the terminal sends a permission verification request to the server.
This step is the same as step 501 and will not be described in detail here.
802. And the server receives the permission verification request sent by the terminal.
This step is the same as step 502 and will not be described in detail here.
803. The server obtains a hash value tree of the generated account.
The hash value tree generation process is implemented through steps 601-605, and the process of obtaining the hash value tree by the server is the same as that of step 503, which is not described herein.
804. And the server verifies the identity authority of the terminal based on the first hash value, the sixth hash value, the seventh hash value and the eighth hash value.
In the embodiment of the application, if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, the server determines that the permission verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value, and if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, the server determines that the permission verification result is verification failing.
In one implementation, after the server verifies the first hash value and the sixth hash value and the ninth hash value and the eighth hash value simultaneously based on the first hash value and the seventh hash value, if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, the server determines that the authority verification result is passed. If the first hash value is different from the sixth hash value, or the ninth hash value is different from the eighth hash value, or the first hash value is different from the sixth hash value, and the ninth hash value is different from the eighth hash value, the server determines that the authority verification result is that verification is not passed. Therefore, by simultaneously verifying the first hash value and the ninth hash value, time waste caused by respectively verifying the first hash value and the ninth hash value is avoided, verification time is shortened, and verification efficiency is improved.
In another implementation manner, after the server verifies the first hash value and the sixth hash value based on the first hash value and the seventh hash value, the server directly determines that the authority verification result is not passed without verifying the ninth hash value and the eighth hash value if the first hash value and the sixth hash value are different. And under the condition that the first hash value is the same as the sixth hash value, verifying the ninth hash value and the eighth hash value, and if the ninth hash value is the same as the eighth hash value, determining that the authority verification result is verification passing by the server. The implementation method avoids the waste of resources and time caused by verifying the ninth hash value and the eighth hash value under the condition that the first hash value is different from the sixth hash value.
In the embodiment of the application, the first hash value is verified based on the sixth hash value and the eighth hash value respectively through verification, so that when any one of the first hash value and the sixth hash value and the ninth hash value and the eighth hash value is different through double verification, namely, the verification result of the authority is determined as that the verification is not passed, thereby ensuring the accuracy of verifying the identity authority.
Fig. 9 is a flowchart of an identity authority verification method provided in an embodiment of the present application. The execution body of the embodiment of the present application is a server, referring to fig. 9, the method includes:
901. And the terminal sends a permission verification request to the application server.
The permission verification request carries identity information to be verified and permission information to be verified.
The procedure of the step is the same as that of the step 501 in which the terminal sends the permission verification request to the server, and will not be described in detail here.
902. And the application server receives the permission verification request sent by the terminal.
The application server is a background server of a target application installed on the terminal. After receiving the permission verification request sent by the terminal, the server sends the permission verification request to the server.
903. The application server sends a permission verification request to the server.
In some embodiments, the rights verification request carries the identity information to be verified and the rights information to be verified after encrypting the identity information to be verified and the rights information to be verified based on the public key. In one implementation, the terminal encrypts identity information to be verified and authority information to be verified based on the public key, sends an authority verification request carrying the encrypted identity information to be verified and the authority information to be verified to the application server, and forwards the authority verification request to the server. In another implementation mode, after receiving the permission verification request, the application server encrypts the identity information to be verified and the permission information to be verified based on the public key, and sends the permission verification request carrying the encrypted identity information to be verified and the permission information to be verified to the server.
904. The server receives a permission verification request of the application server.
In one implementation, the permission verification request carries the identity information to be verified and the permission information to be verified after the identity information to be verified and the permission information to be verified are encrypted based on the public key. After receiving the permission verification request, the server decrypts the encrypted identity information to be verified and the encrypted permission information to be verified based on the private key corresponding to the public key to obtain the identity information to be verified and the permission information to be verified.
In the embodiment of the application, the identity information to be checked and the authority information to be checked are encrypted based on the public key, so that the identity information to be checked and the authority information to be checked are prevented from being tampered in the process of being sent to the server, and the safety of transmitting the identity information to be checked and the authority information to be checked is ensured.
905. The server generates a first hash value based on the identity information to be checked and the authority information to be checked.
The server respectively determines a second hash value of the identity information to be checked and a third hash value of the authority information to be checked, generates a first hash value based on the second hash value and the third hash value, and optionally, after the server splices the second hash value and the third hash value, carries out hash operation again on the spliced hash value to obtain the first hash value.
906. The server obtains a hash value tree of the generated account.
The hash value tree generation process is implemented through steps 601-605, and the process of obtaining the hash value tree by the server is the same as that of step 503, which is not described herein.
907. And the server verifies the identity authority of the terminal based on the first hash value, the sixth hash value, the seventh hash value and the eighth hash value.
This step is identical to step 904 and will not be described in detail here.
In the embodiment of the application, the permission verification request of the terminal is forwarded through the application server, and the requirements of the application server on stability, safety, performance and the like are higher than those of the terminal, so that the permission verification request of the terminal is forwarded through the application server, and the stability and the safety of information transmission can be improved.
Fig. 10 is a schematic diagram of an interaction process between devices according to an embodiment of the present application. Referring to fig. 10, the interaction process includes an authorization phase and a verification phase, and the hash value tree is a merkel tree. Steps 1001-1005 are the flow of the authorization phase and steps 1006-1009 are the flow of the verification phase. In step 1001, the terminal transmits partial identity information, partial authority information, and complete identity information to the server. In step 1002, the server receives partial identity information, partial rights information, and complete identity information, and generates a merkel tree based on the partial identity information, the partial rights information, and the complete identity information. In step 1003, the server generates a public-private key pair corresponding to the merkel tree. In step 1004, the server performs hash operation again after splicing the hash value of the partial identity information and the hash value of the partial authority information corresponding to the partial identity information based on the private key to obtain a hash value signature. In step 1005, the server transmits the public key, the re-hashed hash value, and the signed hash value to the terminal. In step 1006, the terminal signs the public key based on the hashed value after the re-hash operation and the signed hashed value. In step 1007, i.e. during the subsequent verification process, the terminal sends the hash value obtained by encrypting the hash value obtained by the re-hash operation based on the public key to the server. In step 1008, the server verifies the identity rights of the terminal based on the merkel tree. In step 1009, the server transmits the rights verification result to the terminal.
In some embodiments, the method provided by the embodiment of the application is applied to an electronic competition scene, and an electronic competition application program is provided on a terminal, wherein the application program is an application of a one-stop electronic competition platform with functions of competition, sightseeing and the like. In the application program, an information communication channel is required to be established to help the players of the game with successful registration to communicate with each other, the players need to communicate with the game time and related information of the event, and the team leader or the game referee needs to inform the players of the key information of the game, so the information communication channel is generally a chat-room group. The method comprises the steps of participating in FIG. 11, entering a chat room by triggering an "enter team chat room" control on an "event of me entry" interface of the application, or participating in FIG. 12, entering a chat room by triggering an "enter fight chat room" control on an "event of me entry" interface of the application, or entering a chat room by triggering an "my chat" control on a personal main page, see FIG. 13. FIG. 14 is a schematic diagram of a team's chat room dialog interface including head portrait, nickname, character, chat content, time of transmission, and distinguishing own and other dialog styles, character including team leader, team friend, I, referee, title of "team leader" or "referee" when it is "team leader" or "referee" and title of "I" otherwise. FIG. 15 is a schematic diagram of a dialog interface of chat rooms of two teams in a fight, including head portrait, nickname, character, chat content, sending time, etc., and distinguishing own and other people's dialog styles, the character including team leader, team mate, i'm, referee, opponents, when they are "team leader" or "referee", will show the title of "team leader" or "referee", otherwise show the title of "i". Fig. 16 is a schematic diagram of an interface for "chat information" that includes member roles for chat rooms, group chat names, and chat bulletin setup controls. Fig. 17 is a schematic diagram of an interface for "chat messages" after a chat room publication, the interface including the chat room's member roles, group chat names, and chat publication content. If no referee exists in the group, the team leader of each team can edit the publication, i.e. if a plurality of teams exist, the team leader of the plurality of teams can edit the publication.
The embodiment of the application can verify the chat identity authority in the chat room in the application program and verify the authority for publishing the bulletin. When the chat identity authority is verified through the embodiment of the application, the terminal sends a chat request to the server, wherein the chat request carries a first hash value obtained based on the hash value of the identity information of the current login account in the target group and the hash value of the authority information of the release session. The server acquires a hash value tree of the current login account, wherein the hash value tree is a hash value tree corresponding to the identity information of the target group and the authority information of the release session, if the first hash value is the same as the sixth hash value in the hash value tree, the terminal determines that the authority verification result passes the verification, the server sends the authority verification result to the terminal, and the terminal releases the session information of the current login account in the target group based on the authority verification result. In another implementation manner, the chat request carries session information of the current login account, after the server determines that the permission verification result is verification, the session information is issued to the target group, and the permission verification result is sent to the terminal, where the permission verification result is used to instruct the terminal to display the session information on the session interface.
When verifying the authority of the publishing notice by the method provided by the embodiment of the application, the terminal sends a notice publishing request to the server, wherein the notice publishing request carries a first hash value obtained based on the hash value of the identity information of the current login account in the target group and the hash value of the authority information of the publishing notice. The server acquires a hash value tree of the current login account, wherein the hash value tree is a hash value tree corresponding to the identity information of the target group and the authority information of the release notice, if the first hash value is the same as the sixth hash value in the hash value tree, the terminal determines that the authority verification result passes the verification, the server sends the authority verification result to the terminal, and the terminal releases the notice information of the current login account in the target group based on the authority verification result. In another implementation manner, the chat request carries the advertisement information of the current login account, after the server determines that the permission verification result is verification, the advertisement information is published to the target group, and the permission verification result is sent to the terminal, wherein the permission verification result is used for indicating the terminal to display the advertisement information on the chat information interface.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
It should be noted that, the method provided by the embodiment of the application is not only suitable for checking the chat identity authority in the chat room and checking the identity authority when the notice is issued, but also suitable for any identity authority checking scene.
The embodiment of the application also provides an identity authority verification device, referring to fig. 18, the device comprises:
The first receiving module 1801 is configured to receive a permission verification request of the terminal, where the permission verification request carries a first hash value, where the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified is part of identity information in the identity information of the current login account, and the permission information to be verified is part of permission information in the permission information of the account;
The obtaining module 1802 is configured to obtain a hash value tree of the generated account, where the hash value tree includes a first node, a second node, and a third node, the third node is a parent node of the first node and the second node, the first node stores a fourth hash value corresponding to the reference identity information, the second node stores a fifth hash value corresponding to the reference authority information, and the third node stores a sixth hash value, where the sixth hash value is obtained based on the fourth hash value and the fifth hash value;
and the verification module 1803 is configured to verify the identity authority of the terminal based on the first hash value and the sixth hash value.
Optionally, a verification module 1803 is configured to:
if the first hash value is the same as the sixth hash value, the second hash value is the same as the fourth hash value, the third hash value is the same as the fifth hash value, and the permission verification result is determined to be verification passing;
if the first hash value and the sixth hash value are different, the second hash value and the fourth hash value are different or the third hash value and the fifth hash value are different, and the permission verification result is determined to be that verification is not passed.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, and the eighth hash value is obtained based on the sixth hash value and the seventh hash value;
a verification module 1803, configured to:
if the first hash value is the same as the sixth hash value and the ninth hash value is the same as the eighth hash value, determining that the permission verification result is verification passing, wherein the ninth hash value is obtained based on the first hash value and the seventh hash value;
if the first hash value is different from the sixth hash value or the ninth hash value is different from the eighth hash value, determining that the authority verification result is that verification is not passed.
Optionally, the permission verification request carries a hash value obtained by encrypting the first hash value based on the public key, and the device further comprises:
and the first decryption module is used for decrypting the encrypted hash value based on the private key corresponding to the public key to obtain a first hash value.
Optionally, the apparatus further comprises:
the signature module is used for signing the sixth hash value based on the private key;
The first sending module is used for sending a signature verification request to the terminal, the signature verification request carries a public key, a sixth hash value and the signed sixth hash value, the signature verification request is used for indicating the terminal to decrypt the signed sixth hash value based on the public key, and if the decrypted hash value is the same as the sixth hash value, the public key is stored.
Optionally, the apparatus further comprises:
The second receiving module is used for receiving an authorization request of the terminal, wherein the authorization request carries reference identity information and reference authority information;
The first determining module is used for respectively determining the hash value of the reference identity information and the hash value of the reference authority information to obtain a fourth hash value and a fifth hash value;
a second determining module, configured to determine a sixth hash value based on the fourth hash value and the fifth hash value;
and the generation module is used for generating a hash value tree based on the fourth hash value, the fifth hash value and the sixth hash value.
Optionally, the hash value tree further includes a fourth node and a fifth node, the fifth node is a father node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, the eighth hash value is obtained based on the seventh hash value and the sixth hash value, and the authorization request further carries the identity information;
A generation module, comprising:
a first determining unit configured to determine a seventh hash value based on the hash value of the identity information;
a second determination unit configured to determine an eighth hash value based on the sixth hash value and the seventh hash value;
and a generation unit configured to generate a hash value tree based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value.
Optionally, the first determining unit is configured to:
acquiring hash value of identity information and hash value of current time stamp, determining seventh hash value based on hash value of identity information and hash value of current time stamp, or
And acquiring the hash value of the identity information, and determining the hash value of the identity information as a seventh hash value.
Optionally, the authorization request carries the reference identity information and the reference authority information after the reference identity information and the reference authority information are encrypted based on the symmetric key, and the device further comprises:
and the second decryption module is used for decrypting the encrypted reference identity information and the reference authority information based on the symmetric key to obtain the reference identity information and the reference authority information.
Optionally, the first receiving module 1801 is configured to:
and receiving a permission verification request forwarded by the application server, wherein the permission verification request is sent to the application server by the terminal.
Optionally, the apparatus further comprises:
the third receiving module is used for receiving an announcement release request of the terminal, wherein the announcement release request carries announcement information of the current login account;
And the second sending module is used for sending notice information to a target group if the authority verification result is that verification is passed, wherein the target group is the group where the current login account is located.
Fig. 19 shows a block diagram of a terminal 1900 according to an exemplary embodiment of the present application. The terminal 1900 may be a portable mobile terminal such as a smart phone, tablet, MP3 player (Moving Picture Experts Group Audio Layer III, MPEG audio layer 3), MP4 (Moving Picture Experts Group Audio Layer IV, MPEG audio layer 4) player, notebook, or desktop. Terminal 1900 may also be referred to by other names as user equipment, portable terminal, laptop terminal, desktop terminal, etc.
Terminal 1900 typically includes a processor 1901 and memory 1902.
Processor 1901 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 1901 may be implemented in at least one hardware form of DSP (DIGITAL SIGNAL Processing), FPGA (Field-Programmable gate array), PLA (Programmable Logic Array ). The processor 1901 may also include a main processor, which is a processor for processing data in the awake state, also referred to as a CPU (Central Processing Unit ), and a coprocessor, which is a low-power-consumption processor for processing data in the standby state. In some embodiments, the processor 1901 may be integrated with a GPU (Graphics Processing Unit, image processor) for rendering and drawing of content that is required to be displayed by the display screen. In some embodiments, the processor 1901 may also include an AI (ARTIFICIAL INTELLIGENCE ) processor for processing computing operations related to machine learning.
Memory 1902 may include one or more computer-readable storage media, which may be non-transitory. Memory 1902 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 1902 is used to store at least one program code for execution by processor 1901 to implement the identity rights verification method provided by the method embodiments of the present application.
In some embodiments, terminal 1900 may optionally include a peripheral interface 1903 and at least one peripheral. The processor 1901, memory 1902, and peripheral interface 1903 may be connected by a bus or signal line. The individual peripheral devices may be connected to the peripheral device interface 1903 via buses, signal lines, or circuit boards. In particular, the peripheral devices include at least one of radio frequency circuitry 1904, a display screen 1905, a camera assembly 1906, an audio circuit 1907, a positioning assembly 1908, and a power supply 1909.
Peripheral interface 1903 may be used to connect at least one Input/Output (I/O) related peripheral to processor 1901 and memory 1902. In some embodiments, the processor 1901, memory 1902, and peripheral interface 1903 are integrated on the same chip or circuit board, and in some other embodiments, either or both of the processor 1901, memory 1902, and peripheral interface 1903 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The Radio Frequency circuit 1904 is configured to receive and transmit RF (Radio Frequency) signals, also referred to as electromagnetic signals. The radio frequency circuit 1904 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 1904 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1904 includes an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and the like. The radio frequency circuit 1904 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to, the world wide web, metropolitan area networks, intranets, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (WIRELESS FIDELITY ) networks. In some embodiments, the radio frequency circuit 1904 may also include NFC (NEAR FIELD Communication) related circuits, which is not limited by the present application.
The display 1905 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When display 1905 is a touch display, display 1905 also has the ability to collect touch signals at or above the surface of display 1905. The touch signal may be input as a control signal to the processor 1901 for processing. At this point, the display 1905 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, the display 1905 may be one, disposed on the front panel of the terminal 1900, in other embodiments, the display 1905 may be at least two, disposed on different surfaces of the terminal 1900 or in a folded design, respectively, and in other embodiments, the display 1905 may be a flexible display, disposed on a curved surface or a folded surface of the terminal 1900. Even more, the display screen 1905 may be arranged in a non-rectangular irregular pattern, i.e., a shaped screen. The display 1905 may be made of LCD (Liquid CRYSTAL DISPLAY), OLED (Organic Light-Emitting Diode), or other materials.
The camera assembly 1906 is used to capture images or video. Optionally, camera assembly 1906 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal. In some embodiments, the at least two rear cameras are any one of a main camera, a depth camera, a wide-angle camera and a tele camera, so as to realize that the main camera and the depth camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize a panoramic shooting and Virtual Reality (VR) shooting function or other fusion shooting functions. In some embodiments, camera assembly 1906 may also include a flash. The flash lamp can be a single-color temperature flash lamp or a double-color temperature flash lamp. The dual-color temperature flash lamp refers to a combination of a warm light flash lamp and a cold light flash lamp, and can be used for light compensation under different color temperatures.
The audio circuit 1907 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, inputting the electric signals to the processor 1901 for processing, or inputting the electric signals to the radio frequency circuit 1904 for realizing voice communication. For purposes of stereo acquisition or noise reduction, the microphone may be multiple, each disposed at a different location on the terminal 1900. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is used to convert electrical signals from the processor 1901 or the radio frequency circuit 1904 into sound waves. The speaker may be a conventional thin film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to humans, but also the electric signal can be converted into a sound wave inaudible to humans for ranging and other purposes. In some embodiments, audio circuit 1907 may also include a headphone jack.
The location component 1908 is used to locate the current geographic location of the terminal 1900 for navigation or LBS (Location Based Service, location based services). The positioning component 1908 may be a positioning component based on the united states GPS (Global Positioning System ), the beidou system of china, or the galileo system of russia.
A power supply 1909 is used to power the various components in terminal 1900. The power supply 1909 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 1909 includes a rechargeable battery, the rechargeable battery may be a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, terminal 1900 also includes one or more sensors 1910. The one or more sensors 1910 include, but are not limited to, an acceleration sensor 1911, a gyroscope sensor 1912, a pressure sensor 1913, a fingerprint sensor 1914, an optical sensor 1915, and a proximity sensor 1916.
The acceleration sensor 1911 may detect the magnitudes of accelerations on three coordinate axes of a coordinate system established with the terminal 1900. For example, the acceleration sensor 1911 may be used to detect components of gravitational acceleration in three coordinate axes. The processor 1901 may control the display screen 1905 to display a user interface in either a landscape view or a portrait view based on gravitational acceleration signals acquired by the acceleration sensor 1911. Acceleration sensor 1911 may also be used for the acquisition of motion data of a game or user.
The gyro sensor 1912 may detect a body direction and a rotation angle of the terminal 1900, and the gyro sensor 1912 may collect a 3D motion of the user on the terminal 1900 in cooperation with the acceleration sensor 1911. The processor 1901 can realize functions such as motion sensing (e.g., changing a UI according to a tilting operation by a user), image stabilization at the time of photographing, game control, and inertial navigation, based on data collected by the gyro sensor 1912.
Pressure sensor 1913 may be disposed on a side border of terminal 1900 and/or below display 1905. When the pressure sensor 1913 is disposed on the side frame of the terminal 1900, a grip signal of the terminal 1900 by the user can be detected, and the processor 1901 performs left-right hand recognition or quick operation according to the grip signal collected by the pressure sensor 1913. When the pressure sensor 1913 is disposed at the lower layer of the display screen 1905, the processor 1901 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 1905. The operability controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 1914 is used to collect a fingerprint of the user, and the processor 1901 identifies the identity of the user based on the fingerprint collected by the fingerprint sensor 1914, or the fingerprint sensor 1914 identifies the identity of the user based on the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the processor 1901 authorizes the user to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, and the like. The fingerprint sensor 1914 may be disposed on the front, back, or side of the terminal 1900. When a physical key or vendor Logo is provided on terminal 1900, fingerprint sensor 1914 may be integrated with the physical key or vendor Logo.
The optical sensor 1915 is used to collect ambient light intensity. In one embodiment, the processor 1901 may control the display brightness of the display screen 1905 based on ambient light intensity collected by the optical sensor 1915. Specifically, the display luminance of the display screen 1905 is turned up when the ambient light intensity is high, and the display luminance of the display screen 1905 is turned down when the ambient light intensity is low. In another embodiment, the processor 1901 may also dynamically adjust the shooting parameters of the camera assembly 1906 based on the ambient light intensity collected by the optical sensor 1915.
A proximity sensor 1916, also referred to as a distance sensor, is typically provided on the front panel of terminal 1900. The proximity sensor 1916 serves to collect a distance between a user and the front of the terminal 1900. In one embodiment, the processor 1901 controls the display 1905 to switch from the on-screen state to the off-screen state when the proximity sensor 1916 detects a gradual decrease in the distance between the user and the front of the terminal 1900, and the processor 1901 controls the display 1905 to switch from the off-screen state to the on-screen state when the proximity sensor 1916 detects a gradual increase in the distance between the user and the front of the terminal 1900.
Those skilled in the art will appreciate that the configuration shown in fig. 19 is not limiting and that terminal 1900 may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
Fig. 20 is a block diagram of a server according to an embodiment of the present application, where the server 2000 may have a relatively large difference due to different configurations or performances, and may include one or more processors (Central Processing Units, CPU) 2001 and one or more memories 2002, where the memories 2002 are used to store executable program codes, and the processors 2001 are configured to execute the executable program codes to implement the identity authority verification method provided in the foregoing method embodiments. Of course, the server may also have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described herein.
In an exemplary embodiment, a storage medium is also provided, such as a memory 2002, comprising program code executable by the processor 2001 of the server 2000 to perform the identity rights verification method described above. Alternatively, the storage medium may be a non-transitory computer-readable storage medium, for example, a ROM (Read-Only Memory), a RAM (Random Access Memory ), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.
The embodiment of the application also provides a computer readable storage medium, at least one program code is stored in the computer readable storage medium, and the at least one program code is loaded and executed by a processor to realize the identity authority verification method of any implementation mode.
Embodiments of the present application also provide a computer program product, where the computer program product includes at least one program code, where the at least one program code is loaded and executed by a processor to implement the identity authority checking method according to any one of the foregoing implementations.
In some embodiments, the computer program product according to the embodiments of the present application may be deployed to be executed on one server, or on a plurality of servers located at one site, or on a plurality of servers distributed at a plurality of sites and interconnected by a communication network, where the plurality of servers distributed at the plurality of sites and interconnected by the communication network may constitute a blockchain system.
The embodiment of the application provides an identity authority verification method, wherein the sixth hash value of a father node of a hash value tree in the method is generated based on the reference identity information and the reference authority information of an account, the reference identity information and the reference authority information are part of the identity information and part of the authority information of the account corresponding to the identity information to be verified and the authority information to be verified respectively, so that when the identity information to be verified and the authority information to be verified are verified, only the first hash value is required to be verified to be identical to the sixth hash value, whether the identity information to be verified and the authority information to be verified are identical to the reference identity information and the reference authority information respectively can be ensured, the process of verifying the identity authority based on the complete identity information and the complete authority information of the account is avoided, the exposure of the reference identity information and the reference authority information is avoided, the effective protection of the identity information and the authority information of the account is realized, and the safety of the authority verification is effectively improved.
The foregoing is illustrative of the present application and is not to be construed as limiting thereof, but rather as various modifications, equivalent arrangements, improvements, etc., which fall within the spirit and principles of the present application.

Claims (15)

1.一种身份权限校验方法,其特征在于,所述方法包括:1. A method for verifying identity and authority, characterized in that the method comprises: 接收终端的权限校验请求,所述权限校验请求携带第一哈希值,所述第一哈希值为基于待校验身份信息的第二哈希值和待校验权限信息的第三哈希值得到的,所述待校验身份信息为当前登录账号的身份信息中的部分身份信息,所述待校验权限信息为所述账号的权限信息中的部分权限信息;Receiving a permission verification request from a terminal, the permission verification request carrying a first hash value, where the first hash value is obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, where the identity information to be verified is part of the identity information of the currently logged-in account, and the permission information to be verified is part of the permission information of the account; 获取已生成的所述账号的哈希值树,所述哈希值树中包括第一节点、第二节点和第三节点,所述第三节点为所述第一节点和所述第二节点的父节点,且所述第一节点存储基准身份信息对应的第四哈希值,所述第二节点存储基准权限信息对应的第五哈希值,所述第三节点存储第六哈希值,所述第六哈希值为基于所述第四哈希值和所述第五哈希值得到的;Obtaining a generated hash value tree for the account, the hash value tree including a first node, a second node, and a third node, the third node being a parent node of the first node and the second node, the first node storing a fourth hash value corresponding to baseline identity information, the second node storing a fifth hash value corresponding to baseline authority information, and the third node storing a sixth hash value, the sixth hash value being obtained based on the fourth hash value and the fifth hash value; 基于所述第一哈希值和所述第六哈希值,对所述终端进行身份权限的验证。Based on the first hash value and the sixth hash value, identity authority of the terminal is verified. 2.根据权利要求1所述的方法,其特征在于,所述基于所述第一哈希值和所述第六哈希值,对所述终端进行身份权限的验证,包括:2. The method according to claim 1, wherein the verifying the identity authority of the terminal based on the first hash value and the sixth hash value comprises: 若所述第一哈希值和所述第六哈希值相同,则表示所述第二哈希值与所述第四哈希值相同且所述第三哈希值与所述第五哈希值相同,确定所述权限验证结果为验证通过;If the first hash value and the sixth hash value are the same, it means that the second hash value and the fourth hash value are the same and the third hash value and the fifth hash value are the same, and the permission verification result is determined to be verification passed; 若所述第一哈希值和所述第六哈希值不同,则表示所述第二哈希值与所述第四哈希值不同或者所述第三哈希值与所述第五哈希值不同,确定所述权限验证结果为验证不通过。If the first Hash value and the sixth Hash value are different, it means that the second Hash value and the fourth Hash value are different or the third Hash value and the fifth Hash value are different, and the permission verification result is determined to be verification failure. 3.根据权利要求1或2所述的方法,其特征在于,所述哈希值树还包括第四节点和第五节点,所述第五节点为所述第三节点和所述第四节点的父节点,所述第四节点存储第七哈希值,所述第七哈希值为基于所述身份信息的哈希值得到的,所述第五节点存储第八哈希值,所述第八哈希值为基于所述第六哈希值和所述第七哈希值得到的;3. The method according to claim 1 or 2, characterized in that the hash value tree further includes a fourth node and a fifth node, the fifth node is a parent node of the third node and the fourth node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, and the fifth node stores an eighth hash value, the eighth hash value is obtained based on the sixth hash value and the seventh hash value; 所述基于所述第一哈希值和所述第六哈希值,对所述终端进行身份权限的验证,包括;The verifying the identity authority of the terminal based on the first hash value and the sixth hash value includes: 若所述第一哈希值与所述第六哈希值相同,且第九哈希值与所述第八哈希值相同,确定所述权限校验结果为验证通过,所述第九哈希值为基于所述第一哈希值和所述第七哈希值得到的;If the first hash value is the same as the sixth hash value, and the ninth hash value is the same as the eighth hash value, it is determined that the permission check result is verification passed, and the ninth hash value is obtained based on the first hash value and the seventh hash value; 若所述第一哈希值与所述第六哈希值不同,或所述第九哈希值与所述第八哈希值不同,确定所述权限验证结果为验证不通过。If the first hash value is different from the sixth hash value, or the ninth hash value is different from the eighth hash value, it is determined that the permission verification result is verification failure. 4.根据权利要求1所述的方法,其特征在于,所述权限验证请求携带基于公钥对所述第一哈希值加密后的哈希值;4. The method according to claim 1, wherein the permission verification request carries a hash value obtained by encrypting the first hash value based on a public key; 所述基于所述第一哈希值和所述第六哈希值,对所述终端进行身份权限的验证之前,所述方法还包括:Before verifying the identity authority of the terminal based on the first hash value and the sixth hash value, the method further includes: 基于所述公钥对应的私钥,对所述加密后的哈希值进行解密,得到所述第一哈希值。The encrypted hash value is decrypted based on the private key corresponding to the public key to obtain the first hash value. 5.根据权利要求4所述的方法,其特征在于,所述方法还包括:5. The method according to claim 4, further comprising: 基于所述私钥对所述第六哈希值进行签名;Signing the sixth hash value based on the private key; 向所述终端发送验签请求,所述验签请求携带所述公钥、所述第六哈希值和所述签名后的第六哈希值,所述验签请求用于指示所述终端基于所述公钥对所述签名后的第六哈希值进行解密,且若解密后得到的哈希值与所述第六哈希值相同,则存储所述公钥。Sending a signature verification request to the terminal, the signature verification request carrying the public key, the sixth hash value, and the signed sixth hash value, the signature verification request being used to instruct the terminal to decrypt the signed sixth hash value based on the public key, and if the hash value obtained after decryption is the same as the sixth hash value, storing the public key. 6.根据权利要求1所述的方法,其特征在于,所述哈希值树的生成过程,包括:6. The method according to claim 1, wherein the process of generating the hash value tree comprises: 接收所述终端的授权请求,所述授权请求携带所述基准身份信息和所述基准权限信息;receiving an authorization request from the terminal, the authorization request carrying the baseline identity information and the baseline authority information; 分别确定所述基准身份信息的哈希值和所述基准权限信息的哈希值,得到所述第四哈希值和所述第五哈希值;Determine the hash value of the reference identity information and the hash value of the reference authority information respectively to obtain the fourth hash value and the fifth hash value; 基于所述第四哈希值和所述第五哈希值,确定所述第六哈希值;Determining the sixth hash value based on the fourth hash value and the fifth hash value; 基于所述第四哈希值、所述第五哈希值和所述第六哈希值,生成所述哈希值树。The hash value tree is generated based on the fourth hash value, the fifth hash value, and the sixth hash value. 7.根据权利要求6所述的方法,其特征在于,所述哈希值树还包括第四节点和第五节点,所述第五节点为所述第四节点和所述第三节点的父节点,所述第四节点存储第七哈希值,所述第七哈希值为基于所述身份信息的哈希值得到的,所述第五节点存储第八哈希值,所述第八哈希值为基于所述第七哈希值和所述第六哈希值得到的;所述授权请求还携带所述身份信息;7. The method according to claim 6, characterized in that the hash value tree further includes a fourth node and a fifth node, the fifth node is a parent node of the fourth node and the third node, the fourth node stores a seventh hash value, the seventh hash value is obtained based on the hash value of the identity information, the fifth node stores an eighth hash value, the eighth hash value is obtained based on the seventh hash value and the sixth hash value; the authorization request also carries the identity information; 所述基于所述第四哈希值、所述第五哈希值和所述第六哈希值,生成所述哈希值树,包括:Generating the hash value tree based on the fourth hash value, the fifth hash value, and the sixth hash value includes: 基于所述身份信息的哈希值,确定所述第七哈希值;Determining the seventh hash value based on the hash value of the identity information; 基于所述第六哈希值和所述第七哈希值,确定所述第八哈希值;determining the eighth hash value based on the sixth hash value and the seventh hash value; 基于所述第四哈希值、所述第五哈希值、所述第六哈希值、所述第七哈希值和所述第八哈希值,生成所述哈希值树。The hash value tree is generated based on the fourth hash value, the fifth hash value, the sixth hash value, the seventh hash value, and the eighth hash value. 8.根据权利要求7所述的方法,其特征在于,所述基于所述身份信息的哈希值,确定所述第七哈希值,包括:8. The method according to claim 7, wherein determining the seventh Hash value based on the Hash value of the identity information comprises: 获取所述身份信息的哈希值和当前时间戳的哈希值,基于所述身份信息的哈希值和所述当前时间戳的哈希值,确定所述第七哈希值;或者,Obtaining a hash value of the identity information and a hash value of the current timestamp, and determining the seventh hash value based on the hash value of the identity information and the hash value of the current timestamp; or, 获取所述身份信息的哈希值,将所述身份信息的哈希值确定为所述第七哈希值。Obtain a hash value of the identity information, and determine the hash value of the identity information as the seventh hash value. 9.根据权利要求6所述的方法,其特征在于,所述授权请求携带基于对称密钥对所述基准身份信息和所述基准权限信息加密后的基准身份信息和基准权限信息;9. The method according to claim 6, wherein the authorization request carries the baseline identity information and the baseline authority information encrypted using a symmetric key; 所述分别确定所述基准身份信息的哈希值和所述基准权限信息的哈希值,得到所述第四哈希值和所述第五哈希值之前,所述方法还包括:Before respectively determining the hash value of the reference identity information and the hash value of the reference authority information to obtain the fourth hash value and the fifth hash value, the method further includes: 基于所述对称密钥对所述加密后的基准身份信息和基准权限信息进行解密,得到所述基准身份信息和所述基准权限信息。The encrypted reference identity information and reference authority information are decrypted based on the symmetric key to obtain the reference identity information and the reference authority information. 10.根据权利要求1所述的方法,其特征在于,所述接收终端的权限校验请求,包括:10. The method according to claim 1, wherein the receiving terminal's permission verification request comprises: 接收应用服务器转发的权限校验请求,所述权限校验请求为所述终端发送至所述应用服务器的。Receive a permission verification request forwarded by an application server, where the permission verification request is sent by the terminal to the application server. 11.根据权利要求1所述的方法,其特征在于,所述方法还包括:11. The method according to claim 1, further comprising: 接收所述终端的公告发布请求,所述公告发布请求携带所述当前登录账号的公告信息;receiving an announcement publishing request from the terminal, wherein the announcement publishing request carries announcement information of the currently logged-in account; 若权限验证结果为验证通过,则向目标群组中发送所述公告信息,所述目标群组为所述当前登录账号所在的群组。If the result of the permission verification is passed, the announcement information is sent to the target group, and the target group is the group where the current login account belongs. 12.一种身份权限校验装置,其特征在于,所述装置包括:12. An identity authority verification device, characterized in that the device comprises: 第一接收模块,用于接收终端的权限校验请求,所述权限校验请求携带第一哈希值,所述第一哈希值为基于待校验身份信息的第二哈希值和待校验权限信息的第三哈希值得到的,所述待校验身份信息为当前登录账号的身份信息中的部分身份信息,所述待校验权限信息为所述账号的权限信息中的部分权限信息;a first receiving module, configured to receive a permission verification request from a terminal, the permission verification request carrying a first hash value, the first hash value being obtained based on a second hash value of identity information to be verified and a third hash value of permission information to be verified, the identity information to be verified being part of the identity information of a currently logged-in account, and the permission information to be verified being part of the permission information of the account; 获取模块,用于获取已生成的所述账号的哈希值树,所述哈希值树中包括第一节点、第二节点和第三节点,所述第三节点为所述第一节点和所述第二节点的父节点,且所述第一节点存储基准身份信息对应的第四哈希值,所述第二节点存储基准权限信息对应的第五哈希值,所述第三节点存储第六哈希值,所述第六哈希值为基于所述第四哈希值和所述第五哈希值得到的;an acquisition module, configured to acquire a generated hash value tree for the account, the hash value tree including a first node, a second node, and a third node, the third node being a parent node of the first node and the second node, the first node storing a fourth hash value corresponding to baseline identity information, the second node storing a fifth hash value corresponding to baseline authority information, and the third node storing a sixth hash value, the sixth hash value being obtained based on the fourth and fifth hash values; 验证模块,用于基于所述第一哈希值和所述第六哈希值,对所述终端进行身份权限的验证。A verification module is used to verify the identity authority of the terminal based on the first hash value and the sixth hash value. 13.一种服务器,其特征在于,所述服务器包括一个或多个处理器和一个或多个存储器,所述一个或多个存储器中存储有至少一条程序代码,所述至少一条程序代码由所述一个或多个处理器加载并执行,以实现如权利要求1至权利要求11任一项所述的身份权限校验方法。13. A server, characterized in that the server includes one or more processors and one or more memories, at least one program code is stored in the one or more memories, and the at least one program code is loaded and executed by the one or more processors to implement the identity authority verification method according to any one of claims 1 to 11. 14.一种计算机可读存储介质,其特征在于,所述存储介质中存储有至少一条程序代码,所述至少一条程序代码由处理器加载并执行,以实现如权利要求1至权利要求11任一项所述的身份权限校验方法。14. A computer-readable storage medium, characterized in that at least one program code is stored in the storage medium, and the at least one program code is loaded and executed by a processor to implement the identity authority verification method according to any one of claims 1 to 11. 15.一种计算机程序产品,其特征在于,所述计算机程序产品包括至少一条程序代码,所述至少一条程序代码由处理器加载并执行,以实现如权利要求1至权利要求11任一项所述的身份权限校验方法。15. A computer program product, characterized in that the computer program product comprises at least one program code, and the at least one program code is loaded and executed by a processor to implement the identity authority verification method according to any one of claims 1 to 11.
CN202210002257.5A 2022-01-04 2022-01-04 Identity authority verification method, device, server, storage medium and product Active CN116436606B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210002257.5A CN116436606B (en) 2022-01-04 2022-01-04 Identity authority verification method, device, server, storage medium and product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210002257.5A CN116436606B (en) 2022-01-04 2022-01-04 Identity authority verification method, device, server, storage medium and product

Publications (2)

Publication Number Publication Date
CN116436606A CN116436606A (en) 2023-07-14
CN116436606B true CN116436606B (en) 2025-08-29

Family

ID=87085977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210002257.5A Active CN116436606B (en) 2022-01-04 2022-01-04 Identity authority verification method, device, server, storage medium and product

Country Status (1)

Country Link
CN (1) CN116436606B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110569658A (en) * 2019-09-12 2019-12-13 腾讯科技(深圳)有限公司 User information processing method, device, electronic equipment and storage medium based on block chain network
CN113486307A (en) * 2021-07-23 2021-10-08 北京光启元数字科技有限公司 Data processing method, device, equipment and medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120071193A (en) * 2010-12-22 2012-07-02 주식회사 케이티 Hash tree based id federation system and technique for the user authentication
CN113055340B (en) * 2019-12-26 2023-09-26 华为技术有限公司 Authentication methods and equipment
CN111209596A (en) * 2020-04-21 2020-05-29 国网电子商务有限公司 A block chain-based industrial Internet identification resolution access control method
CN112422287B (en) * 2021-01-22 2021-04-13 杭州城市大数据运营有限公司 Cryptography-based multi-level role authority control method and device
CN113312597A (en) * 2021-07-29 2021-08-27 北京微芯感知科技有限公司 Digital identity verification method, device, system, equipment and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110569658A (en) * 2019-09-12 2019-12-13 腾讯科技(深圳)有限公司 User information processing method, device, electronic equipment and storage medium based on block chain network
CN113486307A (en) * 2021-07-23 2021-10-08 北京光启元数字科技有限公司 Data processing method, device, equipment and medium

Also Published As

Publication number Publication date
CN116436606A (en) 2023-07-14

Similar Documents

Publication Publication Date Title
CN110602089B (en) Block chain-based medical data storage method, device, equipment and storage medium
CN110245144B (en) Protocol data management method, device, storage medium and system
CN109615515B (en) Credit right certificate transfer method, device, electronic equipment and storage medium
CN110689460B (en) Traffic accident data processing method, device, equipment and medium based on block chain
CN110933113B (en) Block chain-based interactive behavior detection method, device, equipment and storage medium
CN110826103B (en) Method, device, equipment and storage medium for processing document authority based on blockchain
CN110597924B (en) Block chain-based user identification processing method, device, equipment and storage medium
CN110401648A (en) Method, device, electronic device and medium for obtaining cloud service
CN110581891A (en) Game data processing method, device, equipment and storage medium based on block chain
CN110598386B (en) Block chain-based data processing method, device, equipment and storage medium
CN111212074B (en) Blockchain-based qualification identification method, device, equipment and storage medium
CN112564908B (en) Device registration method and device, electronic device, server and readable storage medium
CN113630405B (en) Network access authentication method and device, electronic equipment and storage medium
CN110727894A (en) Target material setting method, device, equipment and storage medium
CN110569631B (en) Account number detection method, device, equipment and storage medium based on block chain
CN116436606B (en) Identity authority verification method, device, server, storage medium and product
CN116743351B (en) Key management method, device, equipment and storage medium
CN110597840A (en) Partner relationship establishing method, device, equipment and storage medium based on block chain
CN112905986B (en) Authorization authentication method, device, system and computer-readable storage medium
CN114124405B (en) Service processing method, system, computer equipment and computer readable storage medium
CN108683684B (en) Method, device and system for logging in to a target instant messaging application
CN114154099B (en) Routing information processing method, device, equipment and storage medium
CN116633611A (en) Information verification method, device, electronic device and storage medium
HK40049839B (en) Equipment registration method and apparatus, electronic equipment, server and readable storage medium
HK40049839A (en) Equipment registration method and apparatus, electronic equipment, server and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant