Background art
With the widespread use of Internet technology, network security has become one of the major factors hindering the development of networks. For ordinary users, safe use of the network has relied largely on verifying the client's identity by means of a medium and a password. This way of identifying a client has significant limitations: once the medium is lost and/or the password leaks, the network side can no longer accurately judge the true identity of the client performing an operation. The main problem at present is that security relies excessively on the user's own network knowledge; for users with weak security awareness, passwords are easily stolen. A hacker may obtain the customer's password and other information through illegal means, so that the customer's private data, even some very important data, is stolen.
Existing identity recognition technology generally uses cryptographic techniques (especially public key cryptography) to design highly secure protocols, mainly of the following two kinds:
(1) Password mode: a password is the most widely used means of identification, usually a character string of 5 to 8 characters made up of digits, letters, special characters and control characters. If a server is to authenticate users by user name and password, it must maintain a database of the user names and passwords of legitimate users.
The choice of a password should satisfy several principles:
1. It should be easy to remember, not easy to guess and not easy to analyze;
2. Password management can be solved with a one-way function, i.e. the computer does not store the password itself but only the one-way function value of the password. The identification process is as follows: 1) the user sends the password to the computer; 2) the computer computes the one-way function value of the password; 3) the computer compares the one-way function value with the stored value.
Many WWW server systems store user names and passwords in a file of fixed format, which avoids having to build a database system only to store user names and passwords. However the login information is stored, the most common and also the safest storage method (the method used by UNIX systems) is to save the user name in plaintext and save the password in encrypted form. When the system creates a new user name/password pair, the password is generally encrypted with a one-way encryption algorithm.
Under this mode of plaintext user name and encrypted password, when a user logs in, the system checks the user name against the user name list stored in the database to verify the user's legal identity. The system encrypts the password the user entered at login and compares the encrypted result with the encrypted password stored in the database. If the two encrypted passwords for the designated user match, the login is accepted. This is why, in the UNIX operating system, the system administrator cannot look up a forgotten password for you: the administrator can only give you a new temporary password, which you can then change to a password of your own choosing.
(2) Token mode: a token is an object held in one's own possession; its effect is similar to that of a key used to start an electronic device. Personal information for machine recognition is recorded on the token, as with devices such as a U-shield (USB key).
However, identity authentication technology at this stage mainly has the following disadvantages:
1. In the server authentication mode, the account and password entered by the user must be submitted through an interface to the background server for verification, so authentication can only be completed with the participation of a server.
2. In the local authentication mode, the account and password entered by the user are compared against a locally preset account/password file; once an illegal user finds this encrypted file, brute-force cracking easily follows, creating a security hazard.
In view of the current situation, it is desirable to provide an effective identity authentication mechanism that, on the one hand, can hide the user's identity information so that ordinary users or tools cannot easily find it, and on the other hand can solve the problem of user identity verification under non-networked conditions.
Summary of the invention
The main purpose of the present invention is to provide an identity authentication method, an identity authentication system and a computer-readable storage medium, so as to provide an identity authentication mechanism that can hide user identity information, such that ordinary users or tools cannot easily find it, and that can also solve the problem of user identity verification under non-networked conditions.
To achieve the above object, the identity authentication method provided by the present invention comprises the steps of:
obtaining preset device code information and preset encryption algorithm information;
encrypting the device code information according to the encryption algorithm information, encrypting the resulting encryption string with a preset secondary encryption algorithm, storing the secondarily encrypted encryption string in a preset encrypted memory block, and storing the device code information in a preset non-encrypted memory block;
responding to a user's identity authentication request and obtaining private key information;
reading the device code information from the non-encrypted memory block, and performing an operation on the device code information according to the private key and a preset verification algorithm to obtain an authentication password string;
reading the encryption string from the encrypted block through a preset secondary decryption algorithm to obtain a corresponding decryption string;
judging whether the authentication password string matches the decryption string;
when the authentication password string matches the decryption string, confirming that the identity authentication request of the current user is legal.
Further, the preset encryption algorithm information includes encryption algorithm information and public key information, wherein the encryption algorithm is a non-reversible algorithm for performing a one-to-one mapping operation on the device code information to obtain an irreversible encryption string.
Further, the step of reading the device code information from the non-encrypted memory block and performing an operation on the device code information according to the private key and the preset verification algorithm to obtain the authentication password string comprises:
calling a dedicated device interface to read the device code information from the non-encrypted memory block, and performing an operation on the device code information according to the private key and the preset verification algorithm to obtain the authentication password string.
Further, the step of reading the encryption string from the encrypted block through the preset secondary decryption algorithm to obtain the corresponding decryption string comprises:
calling the dedicated device interface to read the encryption string from the encrypted block, and performing secondary decryption on the encryption string through the preset secondary decryption algorithm to obtain the corresponding decryption string.
Further, the device code information includes one or more of the identification code of the device, a bar code, a physical address, a device address and a device code.
Further, the preset secondary encryption algorithm is the MD5 algorithm or the DES algorithm.
Further, the password string is stored in the storage hardware in a hidden and closed form.
Further, the encrypted memory block and the non-encrypted memory block are non-updatable memory blocks.
The present invention also provides an identity authentication system, including a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the identity authentication method described in any of the above items.
The present invention also provides a computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor, the steps of the identity authentication method described in any of the above embodiments are implemented.
In the present invention, a non-encrypted memory block and an encrypted memory block are divided by means of hardware partitioning, realizing separate management of non-encrypted information and encrypted information. The device code information and the encryption string information must be read by calling a dedicated device interface; an authentication password string is then obtained by performing an operation on the device code information according to the private key and the preset verification algorithm; the encryption string is read from the encrypted block through the preset secondary decryption algorithm to obtain the corresponding decryption string; whether the authentication password string matches the decryption string is judged; and when they match, the identity authentication request of the current user is confirmed to be legal, completing the verification of the identity information. The present invention thus produces an identity authentication mechanism that does not depend on a server and in which the identity information is sufficiently hidden, effectively avoiding the risk of cracking based on an identity information file. The hardware, the encryption string and the identity verification program are separated into three parts: the hardware vendor does not know the identity verification information, and the identity verification platform can build its security operation architecture on the hardware vendor's hardware, which effectively ensures risk-free interfacing between the hardware vendor and the identity verification platform and greatly guarantees the security of the identity information.
Specific embodiment
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
In the following description, suffixes such as "module", "component" or "unit" used to denote elements serve only to facilitate the explanation of the present invention and have no specific meaning in themselves. Therefore, "module", "component" and "unit" may be used interchangeably.
Please refer to Fig. 1, which is a schematic diagram of the hardware structure of the identity authentication system 100 in each embodiment of the present invention. The identity authentication system 100 may be a server end 20 for identity authentication, or a mobile terminal 30 for identity authentication.
The identity authentication system 100 includes components such as a communication module 11, a memory 21 and a processor 31. The processor 31 is connected to the memory 21 and to the communication module 11 respectively; a computer program is stored on the memory 21 and is executed by the processor 30.
The communication module 11 can be connected to external devices through a network, for example to a remote scanner. The communication module 11 can receive requests issued by external communication devices, and can also transmit events, instructions and information to the external devices and/or other server ends. The external communication devices may be other mobile terminals 30, server ends 20 or blockchain agent nodes 10.
The memory 20 can be used to store software programs and various data. The memory 20 may mainly include a program storage area and a data storage area, where the program storage area can store an operating system and the like, and the data storage area can store data or information created through the use of the insurance business data analysis system, etc. In addition, the memory 20 may include high-speed random access memory and may also include non-volatile memory, such as at least one disk storage device, flash memory device or other volatile solid-state storage device.
The processor 30 is the control center of the transaction record management system; it connects the various parts of the entire transaction record management system through various interfaces and lines, and executes the various functions of the transaction record management system and processes data by running or executing the software programs and/or modules stored in the memory 20 and calling the data stored in the memory 20. The processor 30 may include one or more processing units; preferably, the processor 30 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and the like, and the modem processor mainly handles wireless communication. It can be understood that the above modem processor may also not be integrated into the processor 30.
Although not shown in Fig. 1, the above identity authentication system 100 may also include a circuit control module for connecting to a power supply and realizing power supply control.
Those skilled in the art will understand that the structure of the identity authentication system shown in Fig. 1 does not constitute a limitation of the identity authentication system, which may include more or fewer components than illustrated, combine certain components, or have a different arrangement of components.
Please also refer to Fig. 2, which is a schematic diagram of the functional module structure of the identity authentication system 100 in one embodiment of the present invention.
The identity authentication system 100 includes: an identity information library module 12, an authentication information acquisition module 22 and a verification module 32.
The identity information library module 12 includes a non-encrypted memory block storing preset device code information, and an encrypted memory block storing an encryption string.
Preferably, the password string is stored in the storage hardware in a hidden and closed form; the encrypted memory block and the non-encrypted memory block are non-updatable memory blocks.
Specifically, the identity information library module 12 is used to obtain preset device code information and preset encryption algorithm information; encrypt the device code information according to the encryption algorithm information; encrypt the resulting encryption string with a preset secondary encryption algorithm; store the secondarily encrypted encryption string in the preset encrypted memory block; and store the device code information in the preset non-encrypted memory block.
Further, the preset encryption algorithm information includes encryption algorithm information and public key information, wherein the encryption algorithm is a non-reversible algorithm for performing a one-to-one mapping operation on the device code information to obtain an irreversible encryption string.
For example, in one specific example, the device code information is the device code (Device NO.) of the current device, such as Ae9999, and it is stored in the non-encrypted memory block; after the operation with the preset encryption algorithm according to the public key, the character string Sdd80343244fgthjgfjo90751Asxf343244fgthjgfjo90751AsxfdfggfhfgSdd80343244fgthjgfjo is obtained, and the encryption string generated by secondary encryption of this character string is stored in the encrypted memory block.
In this embodiment, the non-encrypted memory block and the encrypted memory block are divided by means of hardware partitioning, realizing separate management of non-encrypted information and encrypted information. The identity information must be read by calling a dedicated device interface, and the identity information is then verified by a verification program.
The authentication information acquisition module 22 is used to respond to a user's identity authentication request and obtain private key information; read the device code information from the non-encrypted memory block and perform an operation on the device code information according to the private key and the preset verification algorithm to obtain an authentication password string; and read the encryption string from the encrypted block through the preset secondary decryption algorithm to obtain the corresponding decryption string.
Specifically, the authentication information acquisition module 22 calls the dedicated device interface to read the device code information from the non-encrypted memory block and performs an operation on the device code information according to the private key and the preset verification algorithm to obtain the authentication password string; it also calls the dedicated device interface to read the encryption string from the encrypted block and performs secondary decryption on the encryption string through the preset secondary decryption algorithm to obtain the corresponding decryption string.
For example, in one specific example, the device code (Device NO.) of the current device, such as Ae9999, is placed in the non-encrypted block; after the operation with the preset encryption algorithm according to the public key, the character string Sdd80343244fgthjgfjo90751Asxf343244fgthjgfjo90751AsxfdfggfhfgSdd80343244fgthjgfjo is obtained, and the encryption string finally generated by secondary encryption is stored in the encrypted memory block. When the authentication information acquisition module 22 calls the dedicated device interface to read the encryption string from the encrypted block, the original string read from the encrypted block is 751AsxfdfggfhfgS, which after the corresponding secondary decryption is read as Sdd80343244fgthjgfjo90751Asxf343244fgthjgfjo9.
The verification module 32 is used to judge whether the authentication password string matches the decryption string; when the authentication password string matches the decryption string, it confirms that the identity authentication request of the current user is legal; when the authentication password string does not match the decryption string, it confirms that the identity authentication request of the current user is illegal.
With the identity authentication system 100 of this embodiment, a non-encrypted memory block and an encrypted memory block are divided by means of hardware partitioning, realizing separate management of non-encrypted information and encrypted information. The device code information and the encryption string information must be read by calling a dedicated device interface; an authentication password string is then obtained by performing an operation on the device code information according to the private key and the preset verification algorithm; the encryption string is read from the encrypted block through the preset secondary decryption algorithm to obtain the corresponding decryption string; whether the authentication password string matches the decryption string is judged; and when they match, the identity authentication request of the current user is confirmed to be legal, completing the verification of the identity information. The identity authentication system 100 thus produces an identity authentication mechanism that does not depend on a server and in which the identity information is sufficiently hidden, effectively avoiding the risk of cracking based on an identity information file. The hardware, the encryption string and the identity verification program can be separated into three parts: the hardware vendor does not know the identity verification information, and the identity verification platform can build its security operation architecture on the hardware vendor's hardware, which effectively ensures risk-free interfacing between the hardware vendor and the identity verification platform and greatly guarantees the security of the identity information.
Further, the device code information includes one or more of the identification code of the device, a bar code, a physical address, a device address and a device code; the preset secondary encryption algorithm is the MD5 algorithm or the DES algorithm.
Please refer to Fig. 3; the identity authentication method comprises the steps of:
Step S1: obtaining preset device code information and preset encryption algorithm information;
It can be understood that the preset encryption algorithm information includes encryption algorithm information and public key information, wherein the encryption algorithm is a non-reversible algorithm for performing a one-to-one mapping operation on the device code information to obtain an irreversible encryption string.
Further, the device code information includes one or more of the identification code of the device, a bar code, a physical address, a device address and a device code; the preset secondary encryption algorithm is the MD5 algorithm or the DES algorithm.
Step S2: encrypting the device code information according to the encryption algorithm information, encrypting the resulting encryption string with a preset secondary encryption algorithm, storing the secondarily encrypted encryption string in the preset encrypted memory block, and storing the device code information in the preset non-encrypted memory block;
Here, the identity information library module 12 includes a non-encrypted memory block storing the preset device code information, and an encrypted memory block storing the encryption string.
Preferably, the password string is stored in the storage hardware in a hidden and closed form; the encrypted memory block and the non-encrypted memory block are non-updatable memory blocks.
Specifically, the identity information library module 12 is used to obtain preset device code information and preset encryption algorithm information; encrypt the device code information according to the encryption algorithm information; encrypt the resulting encryption string with the preset secondary encryption algorithm; store the secondarily encrypted encryption string in the preset encrypted memory block; and store the device code information in the preset non-encrypted memory block.
For example, in one specific example, the device code information is the device code (Device NO.) of the current device, such as Ae9999, and it is stored in the non-encrypted memory block; after the operation with the preset encryption algorithm according to the public key, the character string Sdd80343244fgthjgfjo90751Asxf343244fgthjgfjo90751AsxfdfggfhfgSdd80343244fgthjgfjo is obtained, and the encryption string generated by secondary encryption of this character string is stored in the encrypted memory block.
Step S3: responding to a user's identity authentication request and obtaining private key information.
Step S4: reading the device code information from the non-encrypted memory block, and performing an operation on the device code information according to the private key and the preset verification algorithm to obtain an authentication password string.
Step S5: reading the encryption string from the encrypted block through the preset secondary decryption algorithm to obtain a corresponding decryption string.
Specifically, the authentication information acquisition module 22 calls the dedicated device interface to read the device code information from the non-encrypted memory block and performs an operation on the device code information according to the private key and the preset verification algorithm to obtain the authentication password string; it also calls the dedicated device interface to read the encryption string from the encrypted block and performs secondary decryption on the encryption string through the preset secondary decryption algorithm to obtain the corresponding decryption string.
For example, in one specific example, the device code (Device NO.) of the current device, such as Ae9999, is placed in the non-encrypted block; after the operation with the preset encryption algorithm according to the public key, the character string Sdd80343244fgthjgfjo90751Asxf343244fgthjgfjo90751AsxfdfggfhfgSdd80343244fgthjgfjo is obtained, and the encryption string finally generated by secondary encryption is stored in the encrypted memory block. When the authentication information acquisition module 22 calls the dedicated device interface to read the encryption string from the encrypted block, the original string read from the encrypted block is 751AsxfdfggfhfgS, which after the corresponding secondary decryption is read as Sdd80343244fgthjgfjo90751Asxf343244fgthjgfjo9.
Step S6: judging whether the authentication password string matches the decryption string;
Step S7: when the authentication password string matches the decryption string, confirming that the identity authentication request of the current user is legal.
With the identity authentication method 301 of this embodiment, a non-encrypted memory block and an encrypted memory block are divided by means of hardware partitioning, realizing separate management of non-encrypted information and encrypted information. The device code information and the encryption string information must be read by calling a dedicated device interface; an authentication password string is then obtained by performing an operation on the device code information according to the private key and the preset verification algorithm; the encryption string is read from the encrypted block through the preset secondary decryption algorithm to obtain the corresponding decryption string; whether the authentication password string matches the decryption string is judged; and when they match, the identity authentication request of the current user is confirmed to be legal, completing the verification of the identity information. This produces an identity authentication mechanism that does not depend on a server and in which the identity information is sufficiently hidden, effectively avoiding the risk of cracking based on an identity information file. The hardware, the encryption string and the identity verification program can be separated into three parts: the hardware vendor does not know the identity verification information, and the identity verification platform can build its security operation architecture on the hardware vendor's hardware, which effectively ensures risk-free interfacing between the hardware vendor and the identity verification platform and greatly guarantees the security of the identity information.
Please refer again to Fig. 1. The identity authentication system 100 in one embodiment of the present invention includes a memory 21 and a processor 31; a computer program is stored on the memory 21, and the processor 31 implements the steps of the identity authentication method of the above embodiment when executing the computer program.
Specifically, the processor 31 implements the following steps when executing the computer program:
Step S1: obtaining preset device code information and preset encryption algorithm information;
Step S2: encrypting the device code information according to the encryption algorithm information, encrypting the resulting encryption string with a preset secondary encryption algorithm, storing the secondarily encrypted encryption string in the preset encrypted memory block, and storing the device code information in the preset non-encrypted memory block;
Step S3: responding to a user's identity authentication request and obtaining private key information;
Step S4: reading the device code information from the non-encrypted memory block, and performing an operation on the device code information according to the private key and the preset verification algorithm to obtain an authentication password string;
Step S5: reading the encryption string from the encrypted block through the preset secondary decryption algorithm to obtain a corresponding decryption string;
Step S6: judging whether the authentication password string matches the decryption string;
Step S7: when the authentication password string matches the decryption string, confirming that the identity authentication request of the current user is legal.
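Steps S1 to S7 carried out end to end, as an added Python model that is not the patent's own code: provisioning fills the two memory blocks, and authentication recomputes the password string from the plaintext device code and compares it, in constant time, with the secondarily decrypted stored string. Assumptions, since the patent leaves them open: the irreversible one-to-one mapping is HMAC-SHA256 under an enrollment key, and the verifier's private key is that same key (both sides must produce the same string for step S6 to succeed); the secondary DES layer, absent from the standard library, is replaced by a reversible HMAC-SHA256 counter-mode keystream; the memory blocks are read-only mappings; the device code Ae9999 is the patent's example while the keys and nonce are constructed.

```python
import hashlib
import hmac
from types import MappingProxyType

# Constructed sample values (assumptions, not from the patent): Ae9999 is the
# patent's own example device code; the keys and nonce are made up here.
DEVICE_CODE = "Ae9999"
ENROLL_KEY = b"enrollment-key-constructed"   # stands in for the public key at S2
PRIVATE_KEY = ENROLL_KEY                     # verifier's key at S3 (assumed equal)
SECONDARY_KEY = b"secondary-layer-key"       # key of the secondary (DES-like) layer
NONCE = b"block-nonce-01"


def irreversible_map(device_code: str, key: bytes) -> str:
    """First layer: a one-way, deterministic mapping of the device code under a
    key, modeled as HMAC-SHA256. Without the key, an observer who reads the
    plaintext device code cannot recompute this string."""
    return hmac.new(key, device_code.encode("utf-8"), hashlib.sha256).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; only a stand-in for a reversible secondary
    cipher (the patent names DES, which the standard library does not provide)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def secondary_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Secondary encryption (S2). XOR with the keystream is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, _keystream(key, nonce, len(data))))


secondary_decrypt = secondary_encrypt  # secondary decryption (S5)


def provision(device_code: str, enroll_key: bytes, secondary_key: bytes, nonce: bytes):
    """Steps S1-S2: build the two memory blocks. They are returned as read-only
    mappings to mimic the non-updatable hardware partitions."""
    encryption_string = irreversible_map(device_code, enroll_key)
    stored = secondary_encrypt(encryption_string.encode("utf-8"), secondary_key, nonce)
    non_encrypted_block = MappingProxyType({"device_code": device_code})
    encrypted_block = MappingProxyType({"encryption_string": stored, "nonce": nonce})
    return non_encrypted_block, encrypted_block


def authenticate(non_encrypted_block, encrypted_block, private_key: bytes,
                 secondary_key: bytes) -> bool:
    """Steps S3-S7 for one identity authentication request."""
    # S4: read the device code (the dedicated device interface is a plain read
    # here) and derive the authentication password string with the private key.
    device_code = non_encrypted_block["device_code"]
    auth_password = irreversible_map(device_code, private_key).encode("utf-8")
    # S5: read the stored encryption string and undo the secondary layer.
    decrypted = secondary_decrypt(encrypted_block["encryption_string"],
                                  secondary_key, encrypted_block["nonce"])
    # S6/S7: constant-time comparison so a mismatch position does not leak timing.
    return hmac.compare_digest(auth_password, decrypted)


def block_is_frozen(block) -> bool:
    """Check that a memory block rejects writes (the non-updatable property)."""
    try:
        block["device_code"] = "tampered"
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    plain, enc = provision(DEVICE_CODE, ENROLL_KEY, SECONDARY_KEY, NONCE)
    print("stored encryption string:", enc["encryption_string"].hex())
    print("correct private key  ->", authenticate(plain, enc, PRIVATE_KEY, SECONDARY_KEY))
    print("wrong private key    ->", authenticate(plain, enc, b"other-key", SECONDARY_KEY))
    print("blocks non-updatable ->", block_is_frozen(plain) and block_is_frozen(enc))
```

Step S5 requires the secondary layer to be invertible, which holds for DES but not for an MD5 digest; a deployment that chose MD5 at step S2 could only compare digests and could not recover a decryption string.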
The present invention also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the identity authentication method in any of the above embodiments can be implemented. The specific steps are not described again here.
It can be understood that, in the description of this specification, references to the terms "embodiment", "another embodiment", "other embodiments" or "first embodiment to Nth embodiment" etc. mean that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements not only includes those elements but also includes other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further restrictions, an element defined by the sentence "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
Through the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disk) and includes instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments. The above are merely preferred embodiments of the present invention and are not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, or applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.